Virtual machine with dynamic data flow analysis

US 8,584,239 B2
Filed: 06/19/2006
Issued: 11/12/2013
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. An unauthorized activity capture system comprising:

a tap configured to copy network data from a communication network, the network data being associated with an original destination; and

a controller coupled to the tap and configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if at least a portion of the copy of the network data has one or more characteristics of a computer worm, flag the at least a portion of the copy of the network data as suspicious based on the heuristic determination, and concurrently replay transmission of the flagged, suspicious copy of the network data to a plurality of destination devices, wherein the plurality of destination devices are configured based on the original destination.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A suspicious activity capture system can comprise a tap configured to copy network data from a communication network, and a controller coupled to the tap. The controller is configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if the network data is suspicious, flag the network data as suspicious based on the heuristic determination, and concurrently simulate transmission of the network data to a plurality of destination devices.

478 Citations

27 Claims

1. An unauthorized activity capture system comprising:
- a tap configured to copy network data from a communication network, the network data being associated with an original destination; and
  
  a controller coupled to the tap and configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if at least a portion of the copy of the network data has one or more characteristics of a computer worm, flag the at least a portion of the copy of the network data as suspicious based on the heuristic determination, and concurrently replay transmission of the flagged, suspicious copy of the network data to a plurality of destination devices, wherein the plurality of destination devices are configured based on the original destination.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1 wherein the heuristic is configured to detect a plurality of instances of the network data being sent to an invalid internet protocol address.
  - 3. The system of claim 1 wherein the tap is further configured to copy other network data from the communication network.
  - 4. The system of claim 3 wherein the controller is further configured to receive the copy of the other network data from the tap, analyze the copy of the other network data with a heuristic to determine if at least a portion of the copied other network data is suspicious, flag the at least a portion of the copied other network data as suspicious based on the heuristic determination, concurrently simulate transmission of the other network data to an other plurality of destination devices, and concurrently analyze a first response from the plurality of destination devices and a second response from the other plurality of destination devices.

5. An unauthorized activity capture system comprising:
- a tap configured to copy network data from a communication network; and
  
  a controller configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine which part of the copied network data is suspicious network data, where the suspicious network data has one or more characteristics of a computer worm, retrieve a plurality of virtual machines, configure a first replayer to concurrently replicate transmission of the suspicious network data to the plurality of virtual machines, and analyze a first response to the transmitted suspicious network data by any of the plurality of virtual machines to identify unauthorized activity by dynamic taint analysis.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The system of claim 5 wherein the controller is configured to concurrently analyze a first response by any of the plurality of virtual machines and a second response by at least one other of the plurality of virtual machines to identify unauthorized activity.
  - 7. The system of claim 5 wherein the heuristic is configured to detect a plurality of instances of the network data being sent to an invalid internet protocol address.
  - 8. The system of claim 5 wherein the unauthorized activity is the result of malware associated with the network data.
  - 9. The system of claim 5 wherein the unauthorized activity is the result of a hacker associated with the network data.
  - 10. The system of claim 5 wherein the network data is replicated between the replayer and the plurality of virtual machines over a virtual switch.
  - 11. The system of claim 5 wherein the tap is further configured to copy other network data from the communication network.
  - 12. The system of claim 11 wherein the controller is further configured to receive the copy of the other network data from the tap, analyze the copy of the other network data with a heuristic, retrieve an other plurality of virtual machines, configure a second replayer to concurrently replicate the other network data to the other plurality of virtual machines, and concurrently analyze a first response by any of the plurality of virtual machines and a second response by any of the other plurality of virtual machines to identify unauthorized activity.
  - 13. The system of claim 12 wherein the controller further comprises a virtual machine pool configured to store the plurality of virtual machines and the other plurality of virtual machines.

14. An unauthorized activity capture method comprising:
- copying network data from a communication network, the network data being associated with an original source;
  
  analyzing the copied network data with a heuristic to determine if at least a portion of the copied network data has one or more characteristics of a computer worm;
  
  classifying the original source as a suspicious source based on association with the suspicious copied network data; and
  
  concurrently replaying the transmission of the network data from the suspicious source to a plurality of destination devices to identify unauthorized activity by tracking how the network data from the suspicious source is used by the plurality of destination devices.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The method of claim 14 wherein concurrently replaying the transmission of the network data from the suspicious source to a plurality of destination devices comprises:
    - retrieving a plurality of virtual machines configured to receive the suspicious at least a portion of the network data;
      
      configuring a first replayer to concurrently transmit the suspicious at least a portion of the network data to the plurality of virtual machines; and
      
      analyzing a first response by any of the plurality of virtual machines to identify unauthorized activity.
  - 16. The method of claim 14 further comprising:
    - copying other network data from the communication network;
      
      analyzing the copied other network data with a heuristic to determine if at least a portion of the other network data is suspicious;
      
      concurrently replaying the transmission of the suspicious at least a portion of the other network data to an other plurality of destination devices; and
      
      concurrently analyzing a first response to the suspicious at least a portion of the network data and a second response to the other suspicious at least a portion of the network data to identify unauthorized activity.
  - 17. The method of claim 16 further comprising:
    - retrieving an other plurality of virtual machines configured to receive the other copied network data;
      
      configuring a second replayer to concurrently transmit the other copied network data to the other plurality of virtual machines; and
      
      concurrently analyzing the first response by any of the plurality of virtual machines and a second response by any of the other plurality of virtual machines to identify unauthorized activity.
  - 18. The method of claim 15 further comprising concurrently analyzing the first response by any of the plurality of virtual machines and a second response by any other of the plurality of virtual machines.
  - 19. The method of claim 14 wherein the heuristic is configured to detect a plurality of instances of the at least a portion of network data being sent to an invalid internet protocol address.
  - 20. The method of claim 14 wherein identifying the unauthorized activity includes identifying malware associated with the network data from the suspicious source.
  - 21. The method of claim 14 wherein identifying the unauthorized activity includes identifying of a hacker associated with the network data from the suspicious source.
  - 22. The method of claim 15 wherein the network data from the suspicious source is transmitted between the replayer and the virtual machine over a virtual switch.
  - 23. The method of claim 15 wherein retrieving the virtual machine includes accessing a virtual machine pool.

24. A non-transitory computer readable medium for storing computer readable code, the computer readable code configured to be executed by a processor to perform a method for analyzing data, the method comprising:
- directing a processor to copy network data from a communication network, the network data being associated with an original destination;
  
  analyzing the copied network data with a heuristic to determine if at least a portion of the network data has one or more characteristics of a computer worm; and
  
  concurrently replaying transmission of the suspicious at least a portion of network data to a plurality of destination device to identify unauthorized activity.
- View Dependent Claims (25, 26, 27)
- - 25. The non-transitory computer readable medium of claim 24 wherein concurrently replaying transmission of the suspicious at least a portion of network data comprises directing the processor to retrieve a plurality of virtual machines configured to receive the suspicious at least a portion of network data, configure a replayer to concurrently transmit the suspicious at least a portion of network data to the plurality of virtual machines, and concurrently simulate the transmission of the suspicious at least a portion of network data to the plurality of virtual machines.
  - 26. The non-transitory computer readable medium of claim 25 wherein the computer readable code is further configured to direct a processor to copy other network data from a communication network, analyze the copied other network data with a heuristic to determine if at least a portion of the other network data is suspicious, concurrently replay transmission of the suspicious at least a portion of the other network data to an other plurality of destination device to identify unauthorized activity, and concurrently analyze a first response to the suspicious at least a portion of network data and a second response to the suspicious at least a portion of the other network data.
  - 27. The non-transitory computer readable medium of claim 26 wherein concurrently analyzing a first response to the suspicious at least a portion of the network data and a second response to the suspicious at least a portion of the other network data comprises directing the processor to retrieve an other plurality of virtual machines configured to receive the suspicious at least a portion of the other network data, configure a replayer to concurrently transmit the suspicious at least a portion of the other network data to the other plurality of virtual machines, simulate the transmission of the suspicious at least a portion of the other network data to the other plurality of virtual machines, and concurrently analyze a first response of any of the plurality of virtual machines and a second response of any of the other plurality of virtual machines to identify unauthorized activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar, Radhakrishnan, Ramesh, Ismael, Osman
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US11/471,072
Publication Number

US 20070250930A1
Time in Patent Office

2,703 Days
Field of Search

726 22- 24, 714/43, 713/201, 711/53
US Class Current

726/24
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 9/45533   Hypervisors; Virtual machin...

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

Virtual machine with dynamic data flow analysis

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

478 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual machine with dynamic data flow analysis

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

478 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links