Heuristic based capture with replay to virtual machine
Abstract
A suspicious activity capture system can comprise a tap configured to copy network data from a communication network, and a controller. The controller is coupled to the tap and is configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to flag the network data as suspicious, and simulate transmission of the network data to a destination device.
30 Claims
1. An unauthorized activity capture system comprising:
- a tap configured to copy network data from a communication network; and
- a controller coupled to the tap and configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if the copy of the network data has one or more characteristics of a computer worm, flag at least a portion of the copy of the network data as suspicious by flagging the at least a portion of the copy of the network data for replay in an analysis environment based upon the heuristic determination that the at least a portion of the analyzed copy of the network data has one or more characteristics of a computer worm, and replay transmission of the suspicious, flagged network data copied from the communication network to a destination device.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. An unauthorized activity capture system comprising:
- a tap configured to copy network data from a communication network; and
- a controller configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if the network data has one or more characteristics of a computer worm, flag at least a portion of the copy of the network data as suspicious by flagging the at least a portion of the copy of the network data for replay in an analysis environment based upon the heuristic determination that the at least a portion of the analyzed copy of the network data has one or more characteristics of a computer worm, retrieve a virtual machine, configure a replayer to replicate the at least a portion of the analyzed copy of the network data which contains suspicious activity to the virtual machine, and identify unauthorized activity by analyzing a behavior of the virtual machine in response to the replication of the at least a portion of the analyzed copy of the network data.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16.

17. An unauthorized activity capture method comprising:
- copying network data from a communication network;
- analyzing the copied network data with a heuristic to determine if the copied network data has one or more characteristics of a computer worm;
- flagging at least a portion of the analyzed copied network data as suspicious by flagging the at least a portion of the copy of the network data for replay in an analysis environment based upon the heuristic determination that the at least a portion of the analyzed copied network data has one or more characteristics of a computer worm; and
- replaying transmission of the flagged at least a portion of the analyzed copied network data which was copied from the communication network to a destination device to identify unauthorized activity based on playback of the flagged suspicious at least a portion of the analyzed copy of the network data.
Dependent claims: 18, 19, 20, 21, 22, 23, 24, 25, 26, 27.

28. A non-transitory computer readable medium comprising:
- computer readable code configured to direct a processor to copy network data from a communication network, analyze the copied network data with a heuristic to determine if the copied network data has one or more characteristics of a computer worm, flag at least a portion of the analyzed copied network data as suspicious by flagging the at least a portion of the copy of the network data for replay in an analysis environment based upon the heuristic determination that the at least a portion of the analyzed copied network data has one or more characteristics of a computer worm, and replay transmission of the flagged suspicious at least a portion of the analyzed copied network data copied from the network to a destination device to identify unauthorized activity based on playback of the flagged suspicious at least a portion of the analyzed copied network data.
Dependent claims: 29, 30.
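As an added illustration, not code from the patent or from any product it covers, the following Python model walks through the claimed pipeline: the tap hands the controller a copy of the traffic, a heuristic flags records that show a worm-like characteristic, and only the flagged copy is replayed, in order and with its original inter-packet gaps, to a destination in the analysis environment. The fan-out heuristic (one source, one port, one payload, many hosts), the constructed flow records and every name below are assumptions; the patent claims specify no particular heuristic.

```python
from collections import defaultdict
from copy import deepcopy

# Constructed sample flow records: (ts seconds, src, dst, dport, payload).
# Host 10.0.0.5 probes many hosts on port 445 with an identical payload,
# which this example treats as a worm-like characteristic (assumption).
SAMPLE_FLOWS = [
    (0.00, "10.0.0.7", "10.0.0.9", 80, b"GET / HTTP/1.1"),
    (0.10, "10.0.0.5", "10.0.0.11", 445, b"\x00\x00\x00\x90PROBE"),
    (0.12, "10.0.0.5", "10.0.0.12", 445, b"\x00\x00\x00\x90PROBE"),
    (0.15, "10.0.0.5", "10.0.0.13", 445, b"\x00\x00\x00\x90PROBE"),
    (0.20, "10.0.0.7", "10.0.0.12", 445, b"\x00\x00\x00\x90SMB"),
    (0.30, "10.0.0.5", "10.0.0.14", 445, b"\x00\x00\x00\x90PROBE"),
]

def tap(flows):
    """The tap hands the controller a copy; the live traffic is untouched."""
    return deepcopy(flows)

def worm_heuristic(copied, fanout=3, window=1.0):
    """Flag a (src, port, payload) triple as worm-like once it has reached
    at least `fanout` distinct hosts within `window` seconds (assumed rule)."""
    seen = defaultdict(list)            # (src, dport, payload) -> [(ts, dst)]
    flagged_keys = set()
    for ts, src, dst, dport, payload in copied:
        key = (src, dport, payload)
        seen[key] = [(t, d) for t, d in seen[key] if ts - t <= window]
        seen[key].append((ts, dst))
        if len({d for _, d in seen[key]}) >= fanout:
            flagged_keys.add(key)
    # Every copied record belonging to a suspicious key is flagged for replay.
    return [f for f in copied if (f[1], f[3], f[4]) in flagged_keys]

def replay(flagged, deliver):
    """Replay the flagged copy in order, preserving the original gaps, to a
    destination in the analysis environment via deliver(gap_seconds, flow)."""
    prev = flagged[0][0] if flagged else 0.0
    for flow in flagged:
        deliver(round(flow[0] - prev, 3), flow)
        prev = flow[0]
    return len(flagged)

def run_pipeline(flows):
    """Return (flagged records, replay log) for one batch of tapped traffic."""
    log = []
    flagged = worm_heuristic(tap(flows))
    replay(flagged, lambda gap, f: log.append((gap, f[2])))
    return flagged, log
```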