Malware containment and security analysis on connection

US 8,539,582 B1
Filed: 03/12/2007
Issued: 09/17/2013
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A malware containment method comprising:

detecting a digital device upon connection with a communication network;

quarantining network data from the digital device for a predetermined period of time by configuring a switch to direct the network data from the digital device to a controller;

transmitting a command to the digital device to activate a security program to identify security risks;

analyzing the quarantined network data to identify malware within the digital device, the analyzing of the quarantined network data comprises (i) configuring a virtual machine to receive the network data and (ii) analyzing a response of the virtual machine to the network data to identify a malware attack; and

storing a result of the quarantined network data analysis in memory.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for malware containment and security analysis on connection are provided. Digital devices are quarantined for a predetermined period of time upon connection to the communication network. When a digital device is quarantined, all network data transmitted by the digital device is directed to a controller which then analyzes the network data to identify unauthorized activity and/or malware within the newly connected digital device. An exemplary method to contain malware includes detecting a digital device upon connection with a communication network, quarantining network data from the digital device for a predetermined period of time, transmitting a command to the digital device to activate a security program to identify security risks, and analyzing the network data to identify malware within the digital device.

552 Citations

42 Claims

1. A malware containment method comprising:
- detecting a digital device upon connection with a communication network;
  
  quarantining network data from the digital device for a predetermined period of time by configuring a switch to direct the network data from the digital device to a controller;
  
  transmitting a command to the digital device to activate a security program to identify security risks;
  
  analyzing the quarantined network data to identify malware within the digital device, the analyzing of the quarantined network data comprises (i) configuring a virtual machine to receive the network data and (ii) analyzing a response of the virtual machine to the network data to identify a malware attack; and
  
  storing a result of the quarantined network data analysis in memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 2. The method of claim 1, further comprising receiving a security profile of the digital device from the security program.
  - 3. The method of claim 1, further comprising transmitting a command to the digital device to update security files on the digital device.
  - 4. The method of claim 1, further comprising transmitting a command to the digital device to configure security settings associated with the digital device.
  - 5. The method of claim 1, wherein quarantining network data comprises Address Resolution Protocol (ARP) manipulation to direct the network data from the digital device to a controller.
  - 6. The method of claim 1, wherein quarantining network data comprises configuring Dynamic Host Configuration Protocol (DHCP) services to direct the network data from the digital device to a controller.
  - 7. The method of claim 1, further comprising generating an unauthorized activity signature based on the identification of the malware attack.
  - 8. The method of claim 7, further comprising:
    - storing the unauthorized activity signature; and
      
      sending the unauthorized activity signature to another digital device.
  - 9. The method of claim 1, wherein analyzing the quarantined network data further comprises:
    - conducting a heuristic analysis on the network data to identify network data containing suspicious data.
  - 25. The method of claim 1, wherein the quarantining of the network data continues until the predetermined period of time expires without evidence of suspicious activity being detected during the predetermined period of time.
  - 26. The method of claim 1 further comprising:
    - after the predetermined time has expired without suspicious activity, stopping quarantining of the network data from the digital device so that the network data is transmitted from the digital device to an intended recipient device.
  - 27. The method of claim 9, wherein if the heuristic analysis determines that the network data is associated with suspicious activity within the predetermined period of time, continuing to quarantine the network data beyond the predetermined period of time.
  - 28. The method of claim 9, wherein if the heuristic analysis fails to determine, within the predetermined period of time, that suspicious activity associated with the network data is present, the controller causing the network data to be re-transmitted to an intended recipient device.
  - 29. The method of claim 1, wherein the command to activate the security program is a command to activate an antivirus program configured to identify virus.
  - 30. The method of claim 1, wherein the detecting of the digital device comprises detecting a request from the digital device for network services.
  - 31. The method of claim 1, wherein:
    - the detecting of the digital device comprises assigning an Internet Protocol (IP) address to the digital device based on a request from the digital device for the IP address; and
      
      quarantining of the network data from the digital device comprises quarantining the network data sent over the communication network from the IP address assigned to the digital device.
  - 32. The method of claim 1, wherein the predetermined period of time is set by a user using a user interface.
  - 33. The method of claim 9, wherein the heuristic analysis comprises performing at least one of a dark Internet Protocol (IP) heuristic analysis and a dark port heuristic analysis.
  - 34. The method of claim 9, wherein the heuristic analysis comprises detecting suspicious activity based on an unauthorized activity signature.
  - 35. The method of claim 9, wherein the heuristic analysis comprises detecting suspicious activity based on scanning at least one of a header and contents of a packet included in the network data.
  - 36. The method of claim 1 further comprising:
    - preventing transmission to an intended recipient device of each packet of the network data that is associated with detected suspicious activity beyond the predetermined period of time.
  - 37. The method of claim 1, wherein the network data received by the virtual machine includes a plurality of data packets comprising at least one data flow, and, where any of the data packets of the at least one data flow is associated with a detected suspicious activity, preventing transmission of the data flow to an intended recipient device beyond the predetermined period of time.

10. A malware containment system comprising:
- a controller for containing malware;
  
  a memory;
  
  a quarantine module stored in the memory, and executed by the controller to detect a digital device upon connection with a communication network and quarantine network data from the digital device for a predetermined period of time by configuring a switch to direct the network data to the controller;
  
  a security module stored in the memory, and executed by the controller to transmit a command to the digital device to activate a security program to identify security risks; and
  
  an analysis module stored in the memory, and executed by the controller to;
  
  analyze the quarantined network data to identify malware within the digital device by (i) configuring a virtual machine to receive the quarantined network data and (ii) analyzing a response of the virtual machine to the quarantined network data to identify a malware attack, andstore a result of the quarantined network data analysis in memory.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 38, 39, 40, 41)
- - 11. The system of claim 10, wherein the security module is further executed to receive a security profile of the digital device from the security program.
  - 12. The system of claim 10, wherein the security module is further executed to transmit a command to the digital device to update security files on the digital device.
  - 13. The system of claim 10, wherein the security module is further executed to transmit a command to the digital device to configure security settings associated with the digital device.
  - 14. The system of claim 10, wherein the quarantine module is further executed to manipulate Address Resolution Protocol (ARP) to direct the network data from the digital device to the controller.
  - 15. The system of claim 10, wherein the quarantine module is further executed to configure Dynamic Host Configuration Protocol (DHCP) services to direct the network data from the digital device to the controller.
  - 16. The system of claim 10, further comprising a signature module stored in the memory, and executed by the controller to generate an unauthorized activity signature based on the identification of the malware attack.
  - 17. The system of claim 16, wherein the signature module is further executed to:
    - store the unauthorized activity signature; and
      
      send the unauthorized activity signature to another digital device.
  - 18. The system of claim 10, further comprising:
    - a heuristic module stored in the memory, and executed by the controller to analyze the quarantined network data by conducting a heuristic analysis on the network data to identify quarantined network data containing suspicious data; and
      
      a scheduler stored in the memory, and executed by the controller to retrieve the virtual machine.
  - 38. The malware containment system of claim 18, wherein if the heuristic analysis performed by the heuristic module determines that the network data is associated with suspicious activity within the predetermined period of time, continuing to quarantine the network data beyond the predetermined period of time.
  - 39. The malware containment system of claim 10, wherein the predetermined period of time is set by a user using a user interface.
  - 40. The malware containment system of claim 18, wherein the heuristic analysis performed by the heuristic module comprises performing at least one of a dark Internet Protocol (IP) heuristic analysis and a dark port heuristic analysis.
  - 41. The malware containment system of claim 10, wherein the network data received by the virtual machine includes a plurality of data packets comprising at least one data flow, and, where any of the data packets of the at least one data flow is associated with a detected suspicious activity, preventing transmission of the data flow to the intended recipient device beyond the predetermined period of time.

19. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executed by a processor for performing a method for malware containment, the method comprising:
- detecting a digital device upon connection with a communication network;
  
  quarantining network data from the digital device for a predetermined period of time by configuring a switch to direct the network data from the digital device to a controller;
  
  transmitting a command to the digital device to activate a security program to identify security risks;
  
  analyzing the quarantined network data to identify malware within the digital device, the analyzing of the quarantined network data comprises (i) configuring a virtual machine to receive the network data and (ii) analyzing a response of the virtual machine to the network data to identify a malware attack; and
  
  storing a result of the quarantined network data analysis in memory.
- View Dependent Claims (20, 21, 22, 23, 24, 42)
- - 20. The non-transitory machine readable medium of claim 19, wherein the method further comprises receiving a security profile of the digital device from the security program.
  - 21. The non-transitory machine readable medium of claim 19, wherein the method further comprises transmitting a command to the digital device to update security files on the digital device.
  - 22. The non-transitory machine readable medium of claim 19, wherein the method further comprises transmitting a command to the digital device to configure security settings associated with the digital device.
  - 23. The non-transitory machine readable medium of claim 19, wherein quarantining network data comprises Address Resolution Protocol (ARP) manipulation to direct the network data from the digital device to a controller.
  - 24. The machine readable code of claim 19, wherein quarantining network data comprises configuring Dynamic Host Configuration Protocol (DHCP) services to direct the network data from the digital device to a controller.
  - 42. The non-transitory machine readable medium of claim 19, wherein the analyzing of the quarantined network data further comprises conducting a heuristic analysis on the network data to determine if the network data is associated with suspicious activity within the predetermined period of time, and if so, continuing to quarantine the network data beyond the predetermined period of time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar, Manni, Jayaraman, Lai, Wei-Lung
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
SHOLEMAN, ABU S

Application Number

US11/717,408
Time in Patent Office

2,381 Days
Field of Search

726 22- 25, 726/26, 726/12.13, 726/15, 726/16, 713/200, 713/201
US Class Current

726/24
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/14   for detecting or protecting...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Malware containment and security analysis on connection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

552 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Malware containment and security analysis on connection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

552 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links