HERD BASED SCAN AVOIDANCE SYSTEM IN A NETWORK ENVIRONMENT

US 20140189859A1
Filed: 12/27/2012
Published: 07/03/2014
Est. Priority Date: 12/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating a signature for an object in a compute node in a network;

searching a memory element for the signature;

responsive to determining the memory element does not contain the signature, scanning the object;

updating the memory element with a scan result; and

synchronizing the memory element of the compute node with one or more memory elements of one or more other compute nodes in the network.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in one example embodiment includes generating a signature for an object in a compute node in a network, searching a memory element for the signature, and responsive to determining the memory element does not contain the signature, scanning the object. The method also includes updating the memory element with a scan result, and synchronizing the memory element of the compute node with one or more memory elements of one or more other compute nodes in the network. In specific embodiments, the scan result includes the signature of the object and a threat level of the object. In further embodiments, the synchronizing includes sending the scan result to one or more other compute nodes in the network. In more specific embodiments, the scan result is sent with one or more other scan results after a predetermined interval of time from a previous synchronization.

Citations

29 Claims

1. A method comprising:
- generating a signature for an object in a compute node in a network;
  
  searching a memory element for the signature;
  
  responsive to determining the memory element does not contain the signature, scanning the object;
  
  updating the memory element with a scan result; and
  
  synchronizing the memory element of the compute node with one or more memory elements of one or more other compute nodes in the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the scan result includes the signature of the object and a threat level of the object.
  - 3. The method of claim 1, wherein the synchronizing includes sending the scan result to the one or more other compute nodes in the network.
  - 4. The method of claim 3, wherein the scan result is sent with one or more other scan results after a predetermined interval of time from a previous synchronization.
  - 5. The method of claim 1, wherein the synchronizing includes pulling one or more scan results from at least one other compute node in the network.
  - 6. The method of claim 1, wherein the compute node and the one or more other compute nodes form a herd of compute nodes in the network, and wherein the network includes two or more herds of compute nodes.
  - 7. The method of claim 1, wherein the memory element comprises a whitelist and a blacklist.

8. At least one machine readable storage medium having instructions stored thereon, the instructions when executed by a processor cause the processor to:
- generate a signature for an object in a compute node in a network;
  
  search a memory element for the signature;
  
  responsive to determining the memory element does not contain the signature, scan the object;
  
  update the memory element with a scan result; and
  
  synchronize the memory element of the compute node with one or more memory elements of one or more other compute nodes in the network.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The at least one machine readable storage medium of claim 8, wherein the scan result includes the signature of the object and a threat level of the object.
  - 10. The at least one machine readable storage medium of claim 8, comprising further instructions that when executed by the processor cause the processor to:
    - send the scan result to the one or more other compute nodes in the network.
  - 11. The at least one machine readable storage medium of claim 10, comprising further instructions that when executed by the processor cause the processor to:
    - send the scan result with one or more other scan results after a predetermined interval of time from a previous synchronization.
  - 12. The at least one machine readable storage medium of claim 8, comprising further instructions that when executed by the processor cause the processor to:
    - pull one or more scan results from at least one other compute node in the network.
  - 13. The at least one machine readable storage medium of claim 8, wherein the compute node and the one or more other compute nodes form a herd of compute nodes in the network, and wherein the network includes two or more herds of compute nodes.
  - 14. The at least one machine readable storage medium of claim 8, wherein the memory element comprises a first local cache and a second local cache, the first local cache including a whitelist and the second local cache including a blacklist.

15. An apparatus, comprising:
- a processor;
  
  a scan module executing on the processor, the scan module configured to;
  
  generate a signature for an object in a compute node in a network;
  
  search a memory element for the signature;
  
  responsive to determining the memory element does not contain the signature, scan the object; and
  
  update the memory element with a scan result; and
  
  a synchronization module executing on the processor, the synchronization module configured to synchronize the memory element of the compute node with one or more memory elements of one or more other compute nodes in the network.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The apparatus of claim 15, wherein the scan result includes the signature of the object and a threat level of the object.
  - 17. The apparatus of claim 15, wherein the synchronization module is further configured to:
    - send the scan result to the one or more other compute nodes in the network.
  - 18. The apparatus of claim 17, wherein the synchronization module is configured to:
    - send the scan result with one or more other scan results after a predetermined interval of time from a previous synchronization.
  - 19. The apparatus of claim 15, wherein the synchronization module is further configured to:
    - pull one or more scan results from at least one other compute node in the network.
  - 20. The apparatus of claim 19, wherein the one or more scan results are pulled with after a predetermined interval of time from a previous synchronization.
  - 21. The apparatus of claim 15, wherein the compute node and the one or more other compute nodes form a herd of compute nodes in the network, and wherein the network includes two or more herds of compute nodes.

22. At least one machine readable storage medium having instructions stored thereon, the instructions when executed by a processor cause the processor to:
- generate a signature for an object in a compute node in a network;
  
  search a local memory element for the signature;
  
  responsive to determining the local memory element does not contain the signature, send a request to a central server for a threat level associated with the signature;
  
  responsive to receiving a response indicating that the signature is not found, scan the object;
  
  update the local memory element with a scan result; and
  
  send information associated with the scan result to the central server.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. The at least one machine readable storage medium of claim 22, wherein the scan result includes the signature of the object and a threat level of the object.
  - 24. The at least one machine readable storage medium of claim 22, comprising further instructions that when executed by the processor cause the processor to:
    - responsive to the request being redirected to a second compute node in the network, retrieve a threat level associated with the signature from the second compute node.
  - 25. The at least one machine readable storage medium of claim 22, wherein the information includes a message indicating that the local memory element of the compute node includes the scan result of the object, wherein the central server updates a signature mapping database based on the information.
  - 26. The at least one machine readable storage medium of claim 22, comprising further instructions that when executed by the processor cause the processor to:
    - send the information to the central server with other information associated with other scans after a predetermined number of scans have been performed.
  - 27. The at least one machine readable storage medium of claim 22, wherein the information includes the scan result, and wherein the central server updates a central cache based on the information.
  - 28. The at least one machine readable storage medium of claim 26, wherein the central cache includes two or more scan results from two or more compute nodes in the network, wherein the compute node is one of the two or more compute nodes.
  - 29. The at least one machine readable storage medium of claim 28, wherein the two or more compute nodes form a herd of compute nodes in the network, and wherein the network includes two or more herds of compute nodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Hunt, Simon, Ramanan, Venkata

Granted Patent

US 8,973,146 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/567   using dedicated hardware

G06F 2221/2115   Third party

H04L 63/145   the attack involving the pr...

H04L 67/1095   Replication or mirroring of...

H04L 67/568   Storing data temporarily at...

HERD BASED SCAN AVOIDANCE SYSTEM IN A NETWORK ENVIRONMENT

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

HERD BASED SCAN AVOIDANCE SYSTEM IN A NETWORK ENVIRONMENT

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links