Malware containment on connection

US 8,566,946 B1
Filed: 03/12/2007
Issued: 10/22/2013
Est. Priority Date: 04/20/2006
Status: Active Grant

First Claim

Patent Images

1. A malware containment method comprising:

detecting a digital device upon connection with a communication network;

temporarily redirecting network data from the digital device until a predetermined period of time expires by configuring a network switch of the communication network to direct the network data from the digital device to a controller coupled to the communication network;

analyzing the temporarily redirected network data during the predetermined period of time to detect malware within the digital device, including configuring a virtual machine to receive the network data and analyzing a response of the virtual machine to the network data within the virtual machine to identify a malware attack; and

transmitting the network data to an intended recipient if no malware attack has been identified within the predetermined period of time.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for malware containment on connection are provided. Digital devices are quarantined for a predetermined period of time upon connection to the communication network. When a digital device is quarantined, all network data transmitted by the digital device is temporarily directed to a controller which then analyzes the network data to identify unauthorized activity and/or malware within the newly connected digital device. An exemplary method to contain malware comprises detecting a digital device upon connection with a communication network, temporarily redirecting network data from the digital device for a predetermined period of time, and analyzing the network data to identify malware within the digital device.

Citations

25 Claims

1. A malware containment method comprising:
- detecting a digital device upon connection with a communication network;
  
  temporarily redirecting network data from the digital device until a predetermined period of time expires by configuring a network switch of the communication network to direct the network data from the digital device to a controller coupled to the communication network;
  
  analyzing the temporarily redirected network data during the predetermined period of time to detect malware within the digital device, including configuring a virtual machine to receive the network data and analyzing a response of the virtual machine to the network data within the virtual machine to identify a malware attack; and
  
  transmitting the network data to an intended recipient if no malware attack has been identified within the predetermined period of time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 23, 25)
- - 2. The method of claim 1, wherein temporarily redirecting network data comprises Address Resolution Protocol (ARP) manipulation to temporarily direct the network data from the digital device to the controller.
  - 3. The method of claim 1, wherein temporarily redirecting network data comprises configuring Dynamic Host Configuration Protocol (DHCP) services to temporarily direct the network data from the digital device to the controller.
  - 4. The method of claim 1, wherein analyzing the temporarily redirected network data comprises determining if the digital device is associated with a white list, and halting the redirecting if the digital device is determined to be associated with the white list.
  - 5. The method of claim 1, wherein analyzing the temporarily redirected network data comprises comparing the temporarily redirected network data with an unauthorized activity signature to detect a malware attack.
  - 6. The method of claim 1, further comprising generating an unauthorized activity signature based on the detection.
  - 7. The method of claim 6, further comprising:
    - storing the unauthorized activity signature; and
      
      sending the unauthorized activity signature to another digital device.
  - 8. The method of claim 1, further comprising applying an access control rule to the temporarily redirected network data.
  - 9. The method of claim 1, wherein analyzing the temporarily redirected network data comprises:
    - analyzing the temporarily redirected network data with a heuristic to identify network data containing suspicious activity.
  - 10. The method of claim 1, wherein analyzing the temporarily redirected network data comprises:
    - configuring a replayer to transmit the temporarily redirected network data to the virtual machine.
  - 23. The method of claim 1, wherein the controller is configured to continue the redirecting if malware is not detected until after the predetermined period of time expires, and continue the redirecting if malware is detected beyond the predetermined period of time.
  - 25. The method of claim 9, wherein the redirecting continues if the heuristic identifies network data containing suspicious activity until the later of expiration of the predetermined time period or the analyzing of the response of the virtual machine to the identified network data detects no malware attack.

11. A malware containment system comprising:
- memory to store instructions; and
  
  a controller for containing malware comprising;
  
  a quarantine module configured to execute instructions stored in memory to detect a digital device upon connection with a communication network and temporarily redirect network data from the digital device until a predetermined period of time expires, including configuring a network switch of the communication network to direct the network data from the digital device to the controller; and
  
  a policy engine configured to analyze the temporarily redirected network data during the predetermined period of time to detect malware within the digital device, including configuring a virtual machine to receive the network data and analyzing a response of the virtual machine to the network data within the virtual machine to identify a malware attack,wherein the controller is to transmit the network data to an intended recipient if no malware attack has been identified within the predetermined period of time.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 24)
- - 12. The system of claim 11, wherein the quarantine module configured to temporarily redirect the network data comprises the quarantine module configured to manipulate ARP to temporarily direct the network data from the digital device to the controller.
  - 13. The system of claim 11, wherein the quarantine module configured to temporarily redirect the network data comprises the quarantine module configured to configure DHCP services to temporarily direct the network data from the digital device to a controller.
  - 14. The system of claim 11, wherein the policy engine configured to analyze the temporarily redirected network data comprises the policy engine configured to determine if the digital device is associated with a white list.
  - 15. The system of claim 11, wherein the policy engine configured to analyze the temporarily redirected network data comprises the policy engine configured to compare the temporarily redirected network data with an unauthorized activity signature to detect malware.
  - 16. The system of claim 11, further comprising:
    - a heuristic module configured to analyze the temporarily redirected network data with a heuristic to identify the temporarily redirected network data containing suspicious activity; and
      
      a scheduler configured to retrieve the virtual machine.
  - 17. The system of claim 11, wherein the analysis environment is further configured to configure a replayer to transmit the temporarily redirected network data to the virtual machine.
  - 18. The system of claim 11, further comprising a signature module configured to generate an unauthorized activity signature based on the detection.
  - 19. The system of claim 18, wherein the signature module is further configured to:
    - store the unauthorized activity signature; and
      
      send the unauthorized activity signature to another digital device.
  - 24. The system of claim 11, wherein the quarantine module is further configured to continue redirecting network data if malware is detected, and to discontinue redirecting if malware is not detected by the policy engine.

20. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor for performing a malware containment method, the method comprising:
- detecting a digital device upon connection with a communication network;
  
  temporarily redirecting network data from the digital device until a predetermined period of time expires by configuring a network switch of the communication network to direct the network data from the digital device to a controller coupled to the communication network;
  
  analyzing the temporarily redirected network data during the predetermined period of time to detect malware within the digital device, including configuring a virtual machine to receive the network data and analyzing a response of the virtual machine to the network data within the virtual machine to identify a malware attack; and
  
  transmitting the network data to an intended recipient if no malware attack has been identified within the predetermined period of time.
- View Dependent Claims (21, 22)
- - 21. The non-transitory machine readable medium of claim 20, wherein temporarily redirecting network data comprises ARP manipulation to temporarily direct the network data from the digital device to a controller.
  - 22. The non-transitory machine readable medium of claim 20, wherein temporarily redirecting network data comprises configuring DHCP services to temporarily direct the network data from the digital device to a controller.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Aziz, Ashar, Lai, Wei-Lung, Manni, Jayaraman
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
SHOLEMAN, ABU S

Application Number

US11/717,475
Time in Patent Office

2,416 Days
Field of Search

726/25, 726/15, 726/23, 726/24, 726/26
US Class Current

726/25
CPC Class Codes

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/568   eliminating virus, restorin...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Malware containment on connection

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Malware containment on connection

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links