Providing a Malware Analysis Using a Secure Malware Detection Process

US 20130139260A1
Filed: 11/29/2011
Published: 05/30/2013
Est. Priority Date: 11/29/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented system, comprising:

a boundary controller operable to;

implement a security boundary between a first computer network environment and a second computer network environment, the second computer network environment having a security classification level that is more restrictive than a security classification level of the first computer network environment; and

receive via the first computer network environment a file; and

a malware analysis system positioned in the second computer network environment and operable to;

receive via the boundary controller the file; and

apply a first malware detection process on the file, the first malware detection process subject to the security classification level of the second computer network environment.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In certain embodiments, a computer-implemented system comprises a boundary controller and a first malware detection agent. The boundary controller is operable to implement a security boundary between a first computer network environment and a second computer network environment. The second computer network environment has a security classification level that is more restrictive than a security classification level of the first computer network environment. The boundary controller is operable to receive from the first computer network environment a file. The first malware detection agent is positioned in the second computer network environment and is operable to receive via the boundary controller the file and apply a first malware detection process on the file. The first malware detection process is subject to the security classification level of the second computer network environment.

Citations

28 Claims

1. A computer-implemented system, comprising:
- a boundary controller operable to;
  
  implement a security boundary between a first computer network environment and a second computer network environment, the second computer network environment having a security classification level that is more restrictive than a security classification level of the first computer network environment; and
  
  receive via the first computer network environment a file; and
  
  a malware analysis system positioned in the second computer network environment and operable to;
  
  receive via the boundary controller the file; and
  
  apply a first malware detection process on the file, the first malware detection process subject to the security classification level of the second computer network environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 27)
- - 2. The system of claim 1, wherein the malware analysis system is operable to:
    - apply the first malware detection process on the file by performing operations comprising invoking a first malware detection agent operable to analyze the file using the first malware detection process; and
      
      access an output of the first malware detection agent.
  - 3. The system of claim 2, wherein the malware analysis system is operable to:
    - apply a second malware detection process on the file by performing operations comprising invoking a second malware detection agent operable to analyze the file using the second malware detection process, the second malware detection process not subject to the security classification level of the second computer network environment; and
      
      access an output of the second malware detection agent.
  - 4. The system of claim 1, wherein the boundary controller permits certain communications from the first computer network environment to the second computer network environment and prohibits communications from the second computer network environment to the first computer network environment.
  - 5. The system of claim 1, wherein:
    - a processing system positioned in the first computer network environment is operable to store the file in a storage module positioned in the first computer network environment; and
      
      the boundary controller is operable to receive the file by proactively pulling the file from the storage module.
  - 6. The system of claim 1, wherein the boundary controller receives the file from a processing system positioned in the first computer network environment, the processing system operable to:
    - determine that the file should be analyzed for malware; and
      
      make the file available to the boundary controller for a malware analysis to be performed on the file.
  - 7. The system of claim 1, wherein the malware analysis system is further operable, in response to performing the malware analysis of the file by applying the detection process on the file, communicate a malware analysis result from the second computer network environment to the first computer network environment via the boundary controller.
  - 8. The system of claim 1, wherein the file comprises an email communication including an attachment.
  - 27. The system of claim 1, wherein the malware analysis system is further operable, in response to performing the malware analysis of the file by applying the detection process on the file, communicate a malware analysis result from the second computer network environment to the first computer network environment via the boundary controller.

9. A computer-implemented system, comprising:
- a boundary controller operable to;
  
  implement a security boundary between a first computer network environment and a second computer network environment, the second computer network environment having a security classification level that is more restrictive than a security classification level of the first computer network environment;
  
  receive from the first computer network environment a file; and
  
  a first malware detection agent positioned in the second computer network environment and operable to;
  
  receive via the boundary controller the file; and
  
  apply a first malware detection process on the file, the first malware detection process subject to the security classification level of the second computer network environment.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 10. The system of claim 9, wherein:
    - the first malware detection agent is part of a malware analysis system, the malware analysis system being positioned in the second computer network environment; and
      
      the malware analysis system is operable to invoke a second malware detection agent positioned in the second computer network environment to perform a malware analysis of the file even though the security classification level of the first computer network environment is sufficient for the second malware detection agent.
  - 11. The system of claim 9, wherein:
    - the first malware detection agent is part of a malware analysis system that is operable to invoke a plurality of malware detection agents for analyzing the file, each malware detection agent operable to perform a corresponding malware analysis process on the file, the first malware detection agent being one of the plurality malware detection agents; and
      
      the malware analysis system is positioned in the second computer network environment.
  - 12. The system of claim 9, wherein the connection across the boundary controller is a one-way connection such that the boundary controller permits communication only in the direction from the first side of the boundary controller to the second side of the boundary controller.
  - 13. The system of claim 9, wherein:
    - a processing system positioned in the first computer network environment is operable to store the file in a storage module positioned in the first computer network environment; and
      
      the boundary controller is operable to proactively pull the file from the storage module.
  - 14. The system of claim 9, wherein:
    - the first malware detection agent is part of a malware analysis system at least a portion of which is positioned in the first computer network environment; and
      
      the malware analysis system is operable to communicate the file for the malware analysis to be performed on the file.
  - 15. The system of claim 14, wherein:
    - the malware analysis system is operable to invoke a second malware detection agent positioned in the first computer network environment to perform a malware analysis of the file using a second malware detection process; and
      
      the second malware detection process is subject to the security classification level of the first computer network environment and not the security classification level of the second computer network environment.
  - 16. The system of claim 9, wherein:
    - the first malware detection agent is part of a malware analysis system that is operable to invoke a plurality of malware detection agents for analyzing the file, each malware detection agent operable to perform a corresponding malware analysis process on the file, the first malware detection agent being one of the plurality of malware detection agents; and
      
      at least one of the multiple malware detection agents is positioned in the first computer network environment.
  - 17. The system of claim 9, wherein the boundary controller is operable to receive the file from a processing system positioned in the first computer network environment, the processing system operable to:
    - determine that the file should be analyzed for malware; and
      
      make the file available to the boundary controller for a malware analysis to be performed on the file.
  - 18. The system of claim 17, wherein the boundary controller receiving the file from the processing system comprises the boundary controller receiving the file from a malware analysis system, the malware analysis system having received the file from the processing system.
  - 19. The system of claim 9, wherein the malware analysis system is further operable, in response to performing the malware analysis of the file by applying the detection process on the file, communicate a malware analysis result from the second computer network environment to the first computer network environment via the boundary controller.
  - 20. The system of claim 9, wherein the file comprises an email communication including an attachment.

21. A computer-implemented system, comprising:
- a boundary controller operable to;
  
  implement a security boundary between a first computer network environment and a second computer network environment, the second computer network environment having a security classification level that is more restrictive than a security classification level of the first computer network environment;
  
  receive from a malware analysis system, at least a portion of which is positioned in the first computer network environment, a file;
  
  a first malware detection agent positioned in the second computer network environment and operable to;
  
  receive via the boundary controller the file; and
  
  apply a first malware detection process on the file, the first malware detection process subject to the security classification level of the second computer network environment.
- View Dependent Claims (22, 23, 24, 25, 26, 28)
- - 22. The system of claim 21, wherein the first malware detection agent is operable to communicate a result of applying the first malware detection process on the file to the boundary controller, the boundary controller operable to communicate the result to the portion of the malware analysis system positioned in the first computer network environment.
  - 23. The system of claim 21, wherein:
    - the malware analysis system is operable to invoke a second malware detection agent positioned in the first computer network environment, the second malware detection agent operable to apply a second malware detection process on the file; and
      
      the second malware detection process is subject to the security classification level of the first computer network environment and not the security classification level of the second computer network environment.
  - 24. The system of claim 21, wherein:
    - the malware analysis system is operable to invoke a plurality of malware detection agents for analyzing the file, each malware detection agent operable to perform a corresponding malware analysis process on the file, the first malware detection agent being one of the plurality of malware detection agents; and
      
      at least one of the multiple malware detection agents is positioned in the first computer network environment.
  - 25. The system of claim 21, wherein the portion of the malware analysis system positioned in the first computer network environment is operable to:
    - receive the file from a processing system positioned in the first computer network environment, the processing system operable to;
      
      determine that the file should be analyzed for malware; and
      
      communicate the file for a malware analysis to be performed on the file; and
      
      invoke the first malware detection agent by communicating the file to the boundary controller.
  - 26. The system of claim 22, wherein:
    - the portion of the malware analysis system positioned in the first computer network environment is operable to store the file in a storage module positioned in the first computer network environment; and
      
      the boundary controller is operable to proactively pull the file from the storage module.
  - 28. The system of claim 22, wherein the file comprises an email communication including an attachment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Francisco Partners Management LLC)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
McDougal, Monty D.

Granted Patent

US 8,776,242 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/567   using dedicated hardware

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

Providing a Malware Analysis Using a Secure Malware Detection Process

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Providing a Malware Analysis Using a Secure Malware Detection Process

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links