Virtual machine with dynamic data flow analysis
Abstract
A suspicious activity capture system can comprise a tap configured to copy network data from a communication network, and a controller coupled to the tap. The controller is configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if the network data is suspicious, flag the network data as suspicious based on the heuristic determination, and concurrently simulate transmission of the network data to a plurality of destination devices.
478 Citations
27 Claims
1. An unauthorized activity capture system comprising: a tap configured to copy network data from a communication network, the network data being associated with an original destination; and a controller coupled to the tap and configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if at least a portion of the copy of the network data has one or more characteristics of a computer worm, flag the at least a portion of the copy of the network data as suspicious based on the heuristic determination, and concurrently replay transmission of the flagged, suspicious copy of the network data to a plurality of destination devices, wherein the plurality of destination devices are configured based on the original destination. (Dependent claims 2, 3 and 4 not shown.)

5. An unauthorized activity capture system comprising: a tap configured to copy network data from a communication network; and a controller configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine which part of the copied network data is suspicious network data, where the suspicious network data has one or more characteristics of a computer worm, retrieve a plurality of virtual machines, configure a first replayer to concurrently replicate transmission of the suspicious network data to the plurality of virtual machines, and analyze a first response to the transmitted suspicious network data by any of the plurality of virtual machines to identify unauthorized activity by dynamic taint analysis. (Dependent claims 6 through 13 not shown.)

14. An unauthorized activity capture method comprising: copying network data from a communication network, the network data being associated with an original source; analyzing the copied network data with a heuristic to determine if at least a portion of the copied network data has one or more characteristics of a computer worm; classifying the original source as a suspicious source based on association with the suspicious copied network data; and concurrently replaying the transmission of the network data from the suspicious source to a plurality of destination devices to identify unauthorized activity by tracking how the network data from the suspicious source is used by the plurality of destination devices. (Dependent claims 15 through 23 not shown.)

24. A non-transitory computer readable medium for storing computer readable code, the computer readable code configured to be executed by a processor to perform a method for analyzing data, the method comprising: directing a processor to copy network data from a communication network, the network data being associated with an original destination; analyzing the copied network data with a heuristic to determine if at least a portion of the network data has one or more characteristics of a computer worm; and concurrently replaying transmission of the suspicious at least a portion of network data to a plurality of destination devices to identify unauthorized activity. (Dependent claims 25, 26 and 27 not shown.)
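As an added illustration of the claimed pipeline (this is example code, not code from the patent or its assignee), the following Python model runs a tap copy through an assumed fan-out heuristic, replays each flagged packet concurrently to several sandbox stand-ins for virtual machines configured on the original destination port, and reports when tainted request bytes reach a command sink. The packets, the heuristic, the `Tainted` class and the sandbox service are all constructed for this example; the claims themselves specify none of them.

```python
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

# Constructed tap copy: one host sends an identical payload to six hosts on port 445
# (worm-like fan-out), plus one ordinary HTTP request that should not be flagged.
TAP_COPY = [Packet("10.0.0.5", f"10.0.0.{i}", 445, b"EXEC copy worm.bin \\\\target\\c$")
            for i in range(10, 16)] + [Packet("10.0.0.7", "10.0.0.9", 80, b"GET / HTTP/1.0")]

def worm_heuristic(packets, fanout=5):
    """Assumed heuristic (the claims name none): flag packets whose (src, dport, payload)
    tuple repeats to at least `fanout` distinct destinations."""
    dsts = defaultdict(set)
    for p in packets:
        dsts[(p.src, p.dport, p.payload)].add(p.dst)
    return [p for p in packets if len(dsts[(p.src, p.dport, p.payload)]) >= fanout]

class Tainted(bytes):
    """Bytes that came from the replayed network data; values derived from them keep the taint."""
    def __add__(self, other): return Tainted(bytes(self) + bytes(other))
    def __radd__(self, other): return Tainted(bytes(other) + bytes(self))
    def partition(self, sep): return tuple(Tainted(x) for x in bytes.partition(self, sep))

class Sandbox:
    """Stand-in for one virtual machine listening on the original destination port. Its toy
    service builds a shell command from the request; tainted bytes reaching that sink is
    the unauthorized activity the dynamic taint check reports."""
    def __init__(self, name, port):
        self.name, self.port, self.findings = name, port, []
    def replay(self, pkt):
        if pkt.dport != self.port: return          # not the service this VM emulates
        verb, _, arg = Tainted(pkt.payload).partition(b" ")
        if verb == b"EXEC":
            cmd = b"sh -c " + arg                  # taint propagates into the command string
            if isinstance(cmd, Tainted):           # sink check: tainted data reached exec
                self.findings.append(pkt.src)

def capture_and_replay(packets, n_vms=3):
    """Controller: heuristic -> flag -> concurrent replay to n_vms sandboxes -> findings."""
    suspicious = worm_heuristic(packets)
    if not suspicious: return []
    vms = [Sandbox(f"vm{i}", suspicious[0].dport) for i in range(n_vms)]
    with ThreadPoolExecutor(max_workers=n_vms) as pool:
        for pkt in suspicious:
            list(pool.map(lambda vm: vm.replay(pkt), vms))   # same packet to every VM at once
    return sorted({(vm.name, src) for vm in vms for src in vm.findings})
```

Running `capture_and_replay(TAP_COPY)` attributes the tainted exec sink hit to the scanning source on every sandbox, while the lone HTTP request never passes the heuristic.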