ATTRIBUTE-CONTROLLED MALWARE DETECTION

US 20180288077A1
Filed: 03/29/2018
Published: 10/04/2018
Est. Priority Date: 03/30/2017
Status: Active Grant

First Claim

Patent Images

1. A computerized method for authenticating access to a subscription-based service that detects an attempted cyber-attack, the method comprising:

receiving, by a cloud broker, service policy level information that includes at least an identifier of a sensor being used to access stored information;

receiving, by the cloud broker, information based on operational metadata, the operational metadata includes metadata that pertains to an operating state of one or more clusters of a plurality of clusters of the subscription-based service; and

using, by a cloud broker, both the service policy level information and the information based on the operational metadata in (i) selecting a cluster of the plurality of clusters to analyze the one or more objects submitted by the sensor and (ii) establishing a communication session between the sensor and the cluster via the cloud broker.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method for authenticating access to a subscription-based service to detect an attempted cyber-attack. The method features operations by the cloud broker that include receiving service policy level information and information based on operational metadata. The service policy level information includes at least subscription attributes to identify one or more performance criterion in analyses conducted on one or more objects submitted by a sensor for malware representing an attempted cyber-attack. The operational metadata includes metadata that pertains to an operating state of one or more clusters of a plurality of clusters of the subscription-based service. The cloud broker, using both the service policy level information and the information based on the operational metadata, selecting a cluster of the plurality of clusters to analyze the one or more objects submitted by the sensor and establishes a communication session between the sensor and the cluster via the cloud broker.

Citations

35 Claims

1. A computerized method for authenticating access to a subscription-based service that detects an attempted cyber-attack, the method comprising:
- receiving, by a cloud broker, service policy level information that includes at least an identifier of a sensor being used to access stored information;
  
  receiving, by the cloud broker, information based on operational metadata, the operational metadata includes metadata that pertains to an operating state of one or more clusters of a plurality of clusters of the subscription-based service; and
  
  using, by a cloud broker, both the service policy level information and the information based on the operational metadata in (i) selecting a cluster of the plurality of clusters to analyze the one or more objects submitted by the sensor and (ii) establishing a communication session between the sensor and the cluster via the cloud broker.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computerized method of claim 1, wherein the service policy level information includes the identifier of the sensor and the cloud broker using the identifier of the sensor in retrieval of the stored information being the service policy level information from one or more databases separate from the sensor and the cloud broker.
  - 3. The computerized method of claim 1, wherein the service policy level information includes the identifier of the sensor and the cloud broker using at least the identifier of the sensor in selecting the cluster based on a geographical location of the sensor determined by the identifier of the sensor.
  - 4. The computerized method of claim 3, wherein the cloud broker using the identifier of the sensor in selecting the cluster based on both the geographical location of the sensor and one or more customer-configurable attributes within the service policy level information that includes geographic restrictions in selecting one of the plurality of clusters as the cluster.
  - 5. The computerized method of claim 1, wherein the selecting of the cluster by the cloud broker includes conducting an analysis by the cloud broker that the information based on the operational metadata meets or exceeds one or more performance-based attributes of the service policy level information.
  - 6. The computerized method of claim 1, wherein the operational metadata includes a current rate of analysis supported by the cluster and the service policy level information includes a quality of service (QoS) attribute that identifies a minimum rate of analysis offered by a subscription level assigned to a customer associated with the sensor.
  - 7. The computerized method of claim 1, wherein the operational metadata includes a guest image, including an operating system and one or more applications, supported by the cluster and the service policy level information includes an attribute that identifies a type of guest image supported by the cluster.
  - 8. The computerized method of claim 1, wherein the cloud broker being configured to use an identifier assigned to a customer associated with the sensor to access performance-based attributes being part of the service policy level information within one or more databases separate from the cloud broker.
  - 9. The computerized method of claim 8, wherein the selecting the cluster of the plurality of clusters in response to the information based on the operational metadata associated with the cluster satisfying a performance threshold set by the one or more performance criterion associated with the performance-based attributes.
  - 10. The computerized method of claim 9 further comprising:
    - monitoring, by the cloud broker, whether an analysis of an object, submitted by the sensor to the cluster subsequent to the one or more objects and during the communication session, continues to satisfy the performance threshold.
  - 11. The computerized method of claim 10 further comprising:
    - terminating the communication session upon determining that the analysis of the object fails to satisfy the performance threshold.
  - 12. The computerized method of claim 1, wherein the cloud broker is positioned on a separate subsystem as the subscription review service and communicatively coupled to the subscription review service over a network.

13. A computerized method comprising:
- receiving metadata from a source node;
  
  selecting a first cluster of a plurality of clusters by a cloud broker to analyze one or more objects received from the source node, the first cluster includes one or more compute nodes providing services in analyzing the one or more objects for malware; and
  
  wherein the selection of the first cluster of the plurality of clusters by the cloud broker is based, at least in part, on operational metadata received by the cloud broker from a management system monitoring operability of each cluster of the plurality of clusters.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computerized method of claim 13, wherein after the selecting of the first cluster of the plurality of clusters to analyze the one or more objects from the source node for malware, continuing by the first cluster to analyze all objects from the source node until a communication session between the source node and at least a broker computer node of the first cluster via the cloud broker is terminated.
  - 15. The computerized method of claim 13, wherein prior to selecting the first cluster, the method further comprising:
    - collecting operational metadata from the management system; and
      
      based on the operational metadata, generating data indicating a level of availability of each cluster of the plurality of clusters to analyze the one or more objects for malware received from the source node.
  - 16. The computerized method of claim 15, wherein the collecting of the operational metadata is conducted by system monitoring logic and the operational metadata includes (i) metadata that identifies workload of each of the plurality of clusters and (ii) metadata that identifies a remaining queue length for a queue utilized to store metadata for use in retrieval of the one or more objects from the source node.
  - 17. The computerized method of claim 15, wherein the collecting of the operational metadata includes collecting metadata that identifies a workload for each compute node of the first cluster of the plurality of clusters.
  - 18. The computerized method of claim 15, wherein the collecting of the operational metadata includes collecting either (i) metadata that identifies a geographic location for the one or more compute nodes, or (ii) metadata that identifies a software profile for each of the one or more compute nodes, or (iii) metadata that identifies a rate of submission of objects by the source node to the cloud broker.

19. A system for detecting a cyber-attack, comprising:
- a sensor associated with a first customer enrolled in a subscription service for a malware detection service, the sensor to capture a first object and perform a first malware analysis on the first object to determine whether the first object corresponds to a suspicious object potentially associated with a cyber-attack; and
  
  a cloud broker communicatively coupled to the sensor, the cloud broker to (i) receive metadata associated with the suspicious object, (ii) select a cluster of the plurality of clusters to analyze the first object submitted by the sensor based, at least in part, on the metadata associated with the suspicious object, and (iii) establish a communication session between the sensor and the cluster that conducts a second malware analysis on the first object to determine whether the first object is associated with a cyber-attack.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 20. The system of claim 19, wherein the cloud broker to receive the metadata including an identifier of the sensor and the cloud broker using the identifier of the sensor in retrieval of subscription information from one or more databases separate from the sensor and use of the subscription information in selecting the cluster of the plurality of clusters to analyze the first object.
  - 21. The system of claim 20, wherein the cloud broker comprises a rules engine operating in accordance with a plurality of policy and routing rules to select the cluster of the plurality of clusters to analyze the first object.
  - 22. The system of claim 19, wherein the plurality of policy and routing rules utilized by the rule engine are dynamic and reprogrammable.
  - 23. The system of claim 21, wherein the cloud broker to receive the metadata including the identifier of the sensor being used to determine a geographical location of the sensor and the rules engine of the cloud broker relying, at least in part, on the geographical location of the sensor, being a parameter of the plurality of policy and routing rules, in selecting the cluster.
  - 24. The system of claim 21, wherein the cloud broker to receive the metadata including the identifier of the sensor that is used by the cloud broker to access one or more databases of the malware detection service to collect subscription information being a parameter of the policy and routing rules that controls the rules engine in selecting the cluster of the plurality of clusters to operate with the sensor in analyzing at least the first object.
  - 25. The system of claim 24, wherein the subscription information includes a subscription tier value that restricts or expands a number of clusters of the plurality of clusters capable of support object analysis for the sensor.
  - 26. The system of claim 25, wherein the subscription information further includes a quality of service (QoS) threshold to be met by the selected cluster of the plurality of clusters, the QoS threshold being based on the subscription tier value.
  - 27. The system of claim 24, wherein the subscription information includes a remediation setting representing a particular type of remediation selected by the first customer that restricts or expands a number of clusters of the plurality of clusters capable of support object analysis for the sensor.
  - 28. The system of claim 24, wherein the subscription information further includes a customer notification scheme preference representing a particular notification scheme selected by the first customer that is considered in the selection of the cluster of the plurality of clusters.
  - 29. The system of claim 20, wherein the cloud broker to further receive a second metadata from a source other than the sensor, the second metadata includes metadata that pertains to an operating state of the plurality of clusters.
  - 30. The system of claim 29, wherein the cloud broker to select the cluster of the plurality of clusters to analyze the first object submitted by the sensor based, at least in part, on whether the operating state of the cluster as provided by the second metadata meets or exceeds one or more performance-based attributes assigned to the first customer associated with the sensor.
  - 31. The system of claim 30, wherein the cloud broker being configured to use the identifier of the sensor to access the performance-based attributes stored within the one or more databases.
  - 32. The system of claim 29, wherein the cloud broker to select the cluster of the plurality of clusters to analyze the first object submitted by the sensor based, at least in part, on whether the second metadata identifying the cluster supports a type of guest image to process the first object during the second malware analysis.
  - 33. The system of claim 19, wherein the cloud broker to monitor, during the communication session, that the selected cluster of the plurality of clusters continues to satisfy one or more performance thresholds set by the subscription service.
  - 34. The system of claim 19, wherein the cloud broker to terminate the communication session upon determining that the selected cluster of the plurality of clusters fails to satisfy the one or more performance thresholds set by the subscription service.
  - 35. The system of claim 19, wherein the cloud broker is positioned on a separate subsystem as the plurality of clusters and is communicatively coupled to the plurality of clusters over a network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Siddiqui, Mumtaz, Radhakrishnan, Manju, Agarwal, Deepak

Granted Patent

US 10,798,112 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2115   Third party

H04L 63/08   for authentication of entit...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

ATTRIBUTE-CONTROLLED MALWARE DETECTION

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

ATTRIBUTE-CONTROLLED MALWARE DETECTION

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links