SYSTEMS AND METHODS FOR COMPUTER WORM DEFENSE

US 20160301703A1
Filed: 04/04/2016
Published: 10/13/2016
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1-30. -30. (canceled)

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.

144 Citations

50 Claims

1-30. -30. (canceled)

31. An unauthorized activity defense system comprising:
- one or more traffic analysis devices that are configured to perform an analysis of network traffic propagating over a communication network, the analysis includes identifying and filtering network communications characteristics associated with potential malware; and
  
  a malicious traffic sensor implemented in a computing device and communicatively coupled to the one or more traffic analysis devices, the malicious traffic sensor to receive a portion of the analyzed network traffic, the malicious traffic sensor comprisesone or more virtual machines that perform network activities in response to a processing of the received portion of the analyzed network traffic, anda controller configured communicatively coupled to the one or more virtual machines, the controller to orchestrate operations of the one or more virtual machine and determine whether the received portion of the analyzed network traffic comprises malware by at least (i) monitoring behaviors of the one or more virtual machines during processing of the portion of the analyzed network traffic, (ii) determining whether the behaviors are anomalous that denote a communication anomaly or an execution anomaly, and (iii) determining that a probability of the portion of the analyzed network traffic including malware exceeds a predetermined threshold, and (iv) responsive to the probability of the portion of the analyzed network traffic including malware exceeds a predetermined threshold, generating an identifier for the malicious traffic based on the anomalous behaviors caused during the processing of the portion of the analyzed network traffic.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 32. The unauthorized activity defense system of claim 31, wherein the malicious traffic sensor is configured to copy at least the portion of the analyzed network traffic and provide the portion of the analyzed network traffic to the one or more virtual.
  - 33. The unauthorized activity defense system of claim 32, wherein the one or more virtual machines are part of a virtual computer network that is transparent to and separate from the communication network.
  - 34. The unauthorized activity defense system of claim 31 further comprising:
    - a malicious traffic blocking system in communication with the malicious traffic sensor over the communication network and configured to receive the identifier from the malicious traffic sensor to block the propagation of the malicious traffic within the communication network.
  - 35. The unauthorized activity defense system of claim 31, further comprising:
    - a management system in communication with the malicious traffic sensor of a first unauthorized activity detection system of one or more unauthorized activity detection systems and distribute the identifier to a malicious traffic blocking system of a second unauthorized activity detection system of the one or more unauthorized activity detection systems.
  - 36. The unauthorized activity defense system of claim 35, wherein the management system automatically distributes the identifier to the malicious traffic blocking system of the second unauthorized activity detection system.
  - 37. The unauthorized activity defense system of claim 36, wherein the management system charges a fee to a subscriber associated with the second unauthorized activity detection system for distributing the identifier to the malicious traffic blocking system of the second unauthorized activity detection system.
  - 38. The unauthorized activity defense system of claim 34, wherein the identifier comprises a signature.
  - 39. The unauthorized activity defense system of claim 38, wherein the signature comprises a universal resource locator (URL) and the malicious traffic blocking system is capable of filtering by one or more URLs.
  - 40. The unauthorized activity defense system of claim 38, wherein the signature is for use by an inline signature based intrusion detection system, the signature being shared with the inline signature based intrusion detection system.
  - 41. The unauthorized activity defense system of claim 31, wherein the malicious traffic is a passive computer worm propagating within the communication network.

42. A method comprising:
- monitoring communications traffic from a communication network;
  
  filtering the communications traffic from the communication network, the filtered communications traffic comprises one or more suspicious characteristics associated with malicious traffic, wherein the one or more suspicious characteristics indicating that the filtered communication traffic should be analyzed to determine whether or not the filtered communications traffic comprises malicious traffic;
  
  determining whether the filtered communications traffic comprises malicious traffic by analyzing the filtered communications traffic, the analyzing of the filtered communications traffic comprises monitoring a processing of the filtered communications traffic within an analysis environment of a first unauthorized activity detection system; and
  
  responsive to the filtered communications traffic being determined to comprise malicious traffic, generating an identifier for the malicious traffic based on anomalous behavior caused within the analysis environment during the processing of the filtered communications traffic.
- View Dependent Claims (43, 44, 45, 46, 47, 48)
- - 43. The method of claim 42, wherein the analysis environment comprises a virtual machine that corresponds to virtual computer system using machine virtualization technologies to analyze the processing of the filtered communications traffic in an alternate computer network.
  - 44. The method of claim 43, further comprising:
    - copying at least a portion of filtered communications traffic from the communication network; and
      
      analyzing processing of the portion of filtered communications traffic to a virtual destination device in the alternate computer network.
  - 45. The method of claim 42, wherein the analyzing of the filtered communications traffic further comprises:
    - executing a virtual machine;
      
      identifying one or more anomalous behaviors performed by the virtual machine during processing of the portion of filtered communications traffic.
  - 46. The method of claim 42 further comprising distributing the identifier to a second unauthorized activity detection system different from the first unauthorized activity detection system.
  - 47. The method of claim 46 further comprising blocking the malicious traffic from further propagating over the communication network.
  - 48. The method of claim 42, wherein the generating of the identifier further comprises:
    - generating a sequence of network activities based on a pattern of network activities; and
      
      determining the identifier by comparing observed behaviors with behaviors expected from the pattern of network activities.

49. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor to perform an unauthorized activity defense method comprising:
- monitoring communications traffic from a communication network;
  
  filtering the communications traffic from the communication network, the filtered communications traffic comprises one or more suspicious characteristics of malicious traffic, wherein the one or more suspicious characteristics identifying whether the filtered communication traffic should be analyzed to determine whether or not the filtered communications traffic comprises malicious traffic;
  
  determining whether the filtered communications traffic comprises malicious traffic by analyzing the filtered communications traffic, the analyzing comprising monitoring a processing of the filtered communications traffic within an analysis environment of an unauthorized activity detection system; and
  
  responsive to the filtered communications traffic being determined to comprise malicious traffic, generating an identifier for the malicious traffic based on anomalous behavior caused within the analysis environment during the processing of the filtered communications traffic.
- View Dependent Claims (50)
- - 50. The non-transitory machine readable medium of claim 49, wherein the analysis environment comprises one or more virtual machines.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar

Granted Patent

US 9,516,057 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595   Network integration; Enabli...

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 9/45537   Provision of facilities of ...

G06F 9/45558   Hypervisor-specific managem...

G06Q 20/10   specially adapted for elect...

H04L 63/0227   Filtering policies mail mes...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491 : using deception as counterm...

H04L 63/20 : for managing network securi...

View All

SYSTEMS AND METHODS FOR COMPUTER WORM DEFENSE

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

144 Citations

50 Claims

Specification

Use Cases

Quick Links

Others

SYSTEMS AND METHODS FOR COMPUTER WORM DEFENSE

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

144 Citations

50 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others