SYSTEMS FOR BI-DIRECTIONAL NETWORK TRAFFIC MALWARE DETECTION AND REMOVAL

US 20130007870A1
Filed: 09/29/2011
Published: 01/03/2013
Est. Priority Date: 06/28/2011
Status: Abandoned Application

First Claim

Patent Images

1. A system, comprising:

A) one or more server computer communicatively coupled to a network configured to receive, from a client having a first network resource address, a request for a content from a website hosted on a hosting server computer having a second network resource address and resolving from a domain name, wherein said domain name is pointed in a DNS to a third network resource address for said one or more server computer;

B) a scrubbing center running on said one or more server computer, said scrubbing center comprising;

i) an intrusion prevention and detection module configured to;

a) determine whether an event associated with said first network resource address matches one or more of a plurality of event signatures in one or more network security device communicatively coupled to said network;

b) responsive to a determination that an event associated with said first network resource address matches one or more of said plurality of event signatures;

I) block said request for said content from reaching said hosting server;

orII) transmit said request for said content to a content sanitizer module running on said one or more of said one or more server computerii) a reputation service module configured to;

a) generate a second malicious network resource address database;

b) determine whether said second network resource address is stored in said second malicious network resource address database; and

c) responsive to a determination that said second network resource address is stored in said second malicious network resource address database;

I) transmit a response to said client indicating that said second network resource address is stored in said second malicious network resource address database;

orII) transmit said content to said content sanitizer module; and

iii) said content sanitizer module configured to;

a) receive a determination whether said request for said content comprises a server-directed malware and, responsive to receiving a determination that said request for said content comprises a server-directed malware;

I) block said request for content from reaching said hosting server;

orII) remove said server-directed malware from said request for said content; and

transmit a scrubbed request for said content to said hosting server computer, said scrubbed request for said content comprising said request for said content having said server-directed malware removed; and

b) receive a determination whether said content comprises a client-directed malware and, responsive to receiving a determination that said content comprises a client-directed malware;

I) block said content from reaching said client;

orII) remove said client-directed malware from said content; and

transmit a scrubbed content to said client, said scrubbed content comprising said content having said client-directed malware removed.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An exemplary bi-directional network traffic malware detection and removal system may comprise a scrubbing center running one or more server computer communicatively coupled to a network configured to receive a request for website content, remove any server-directed malware from the content request, transmit the scrubbed content request to the website'"'"'s hosting server, receive the responsive website content, remove and client-directed malware from the content, and transmit the scrubbed content to the requesting client.

47 Citations

View as Search Results

23 Claims

1. A system, comprising:
- A) one or more server computer communicatively coupled to a network configured to receive, from a client having a first network resource address, a request for a content from a website hosted on a hosting server computer having a second network resource address and resolving from a domain name, wherein said domain name is pointed in a DNS to a third network resource address for said one or more server computer;
  
  B) a scrubbing center running on said one or more server computer, said scrubbing center comprising;
  
  i) an intrusion prevention and detection module configured to;
  
  a) determine whether an event associated with said first network resource address matches one or more of a plurality of event signatures in one or more network security device communicatively coupled to said network;
  
  b) responsive to a determination that an event associated with said first network resource address matches one or more of said plurality of event signatures;
  
  I) block said request for said content from reaching said hosting server;
  
  orII) transmit said request for said content to a content sanitizer module running on said one or more of said one or more server computerii) a reputation service module configured to;
  
  a) generate a second malicious network resource address database;
  
  b) determine whether said second network resource address is stored in said second malicious network resource address database; and
  
  c) responsive to a determination that said second network resource address is stored in said second malicious network resource address database;
  
  I) transmit a response to said client indicating that said second network resource address is stored in said second malicious network resource address database;
  
  orII) transmit said content to said content sanitizer module; and
  
  iii) said content sanitizer module configured to;
  
  a) receive a determination whether said request for said content comprises a server-directed malware and, responsive to receiving a determination that said request for said content comprises a server-directed malware;
  
  I) block said request for content from reaching said hosting server;
  
  orII) remove said server-directed malware from said request for said content; and
  
  transmit a scrubbed request for said content to said hosting server computer, said scrubbed request for said content comprising said request for said content having said server-directed malware removed; and
  
  b) receive a determination whether said content comprises a client-directed malware and, responsive to receiving a determination that said content comprises a client-directed malware;
  
  I) block said content from reaching said client;
  
  orII) remove said client-directed malware from said content; and
  
  transmit a scrubbed content to said client, said scrubbed content comprising said content having said client-directed malware removed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The system of claim 1, wherein said one or more network security device comprise a distributed denial of service mitigation device, an intrusion detection system, an intrusion prevention system, or a web application firewall.
  - 3. The system of claim 2, wherein said plurality of event signatures comprise a plurality of attack signatures.
  - 4. The system of claim 3, wherein said plurality of attack signatures comprise one or more signatures identifying a botnet attack, a shell code attack, a cross site scripting attack, a SQL injection attack, a directory reversal attack, a remote code execution attack, a distributed denial of service attack, a brute force attack, a remote file inclusion attack, a script injection attack, or an iFrame injection attack.
  - 5. The system of claim 4, wherein said server-directed malware comprises a botnet, a shell code, a cross site scripting, a SQL injection, a directory reversal, a remote code execution attack, a distributed denial of service attack, or a brute force attack.
  - 6. The system of claim 5, wherein said client-directed malware comprises a virus, a worm, a trojan horse, a rootkit, a backdoor, a spyware, a keystroke logger, a phishing application, a script injection, or an iFrame injection.
  - 7. The system of claim 1, wherein said first network resource address comprises an IP address.
  - 8. The system of claim 7, wherein said IP address comprises an IPv4 address.
  - 9. The system of claim 7, wherein said IP address comprises an IPv6 address.
  - 10. The system of claim 1, wherein said second network resource address comprises an IP address.
  - 11. The system of claim 10, wherein said IP address comprises an IPv4 address.
  - 12. The system of claim 10, wherein said IP address comprises an IPv6 address.
  - 13. The system of claim 1, wherein said third network resource address comprises an IP address.
  - 14. The system of claim 13, wherein said IP address comprises an IPv4 address.
  - 15. The system of claim 14, wherein said IP address comprises an IPv6 address.
  - 16. The system of claim 1, wherein said client further comprises a SmartProxy configured to route said request for content to said scrubbing center.
  - 17. The system of claim 16, wherein said SmartProxy is configured to route said request for content to said scrubbing center by:
    - i) storing said second network address in association with said third network resource address; and
      
      ii) routing one or more content requests directed to said second network resource address to said third network resource address.
  - 18. The system of claim 16, wherein said SmartProxy is further configured to:
    - i) receive said content from said website; and
      
      ii) route said content to said scrubbing center.
  - 19. The system of claim 18, wherein said SmartProxy is further configured to receive said content or said scrubbed content from said scrubbing center.
  - 20. The system of claim 1, further comprises a SmartProxy configured to route said request for content to said scrubbing center, wherein said SmartProxy runs on an edge server communicatively coupled to said network.
  - 21. The system of claim 20, wherein said SmartProxy is configured to route said request for content to said scrubbing center by:
    - i) storing said second network address in association with said third network resource address;
      
      ii) receiving said request for content from said client; and
      
      ii) routing one or more content requests directed to said second network resource address to said third network resource address.
  - 22. The system of claim 21, wherein said SmartProxy is further configured to:
    - i) receive said content from said website; and
      
      ii) route said content to said scrubbing center.
  - 23. The system of claim 22, wherein said SmartProxy is further configured to receive said content or said scrubbed content from said scrubbing center.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Go Daddy Operating Company LLC (GoDaddy, Inc.)
Original Assignee
Go Daddy Group Incorporated (GoDaddy, Inc.)
Inventors
Devarajan, Ganesh, Herbelin, Russell, LeBert, Don, Redfoot, Todd, Warner, Neil

Application Number

US13/249,036
Publication Number

US 20130007870A1
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

SYSTEMS FOR BI-DIRECTIONAL NETWORK TRAFFIC MALWARE DETECTION AND REMOVAL

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

SYSTEMS FOR BI-DIRECTIONAL NETWORK TRAFFIC MALWARE DETECTION AND REMOVAL

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others