System and method of detecting time-delayed malicious traffic
Abstract
A system for detecting a computer worm comprises a traffic analysis device in communication with a network device. The traffic analysis device can analyze network traffic received over a communication network and duplicate at least select network communications within the network traffic having characteristics associated with one or more computer worms. The network device comprises a controller in communication with one or more virtual machines that are configured to receive the duplicated network communications from the traffic analysis device. The network device may (i) monitor a behavior of a first virtual machine of the one or more virtual machines in response to processing of the duplicated network communications within the first virtual machine, (ii) identify an anomalous behavior as an unexpected occurrence in the monitored behavior, and (iii) determine, based on the identified anomalous behavior, the presence of the one or more computer worms in the duplicated network communications.
Claims (42 in total; the independent claims are reproduced below)
1. A system comprising:

a traffic device configured to receive network traffic over a communication network; and

a network device in communication with the traffic device, the network device comprises a controller in communication with one or more virtual machines that is configured to (i) receive the network traffic from the traffic device, (ii) monitor a behavior of a first virtual machine of the one or more virtual machines in response to processing of the network traffic within the first virtual machine, (iii) identify at least one anomalous behavior as an unexpected occurrence in the monitored behavior by accelerating activities caused by the network traffic to reduce time for detecting time-delayed malicious traffic, and (iv) determine, based on the identified anomalous behavior, the presence of the time-delayed malicious traffic in the network traffic, wherein the controller accelerating the activities by at least intercepting one or more time-sensitive system calls and modifying one or more responses to the one or more of the system calls so as to accelerate the activities in the first virtual machine caused by the network traffic.

Dependent claims: 2-15.
16. A computer implemented method comprising:

monitoring, by a network device, operatively coupled with a controller, a behavior of network traffic within a first virtual machine of one or more virtual machines, wherein the first virtual machine is configured to accelerate activities caused by the network traffic during processing thereof to reduce time for detecting time-delayed malicious traffic;

identifying at least one anomalous behavior as an unexpected occurrence in the monitored behavior; and

determining the presence of the time-delayed malicious traffic based on the anomalous behavior, wherein accelerating of the activities by the first virtual machine includes intercepting one or more time-sensitive system calls generated by a software program in response to the network traffic, the software program being executed by the first virtual machine, and modifying the one or more responses to the one or more of the system calls so as to accelerate the activities in the first virtual machine caused by the network traffic.

Dependent claims: 17-24.
25. A computer implemented method comprising:

monitoring, by a network device, operatively coupled with a controller, a behavior of network traffic within a first virtual machine of one or more virtual machines, wherein the first virtual machine is configured to accelerate activities caused by the network traffic during processing thereof to reduce time for detecting time-delayed malicious traffic;

identifying at least one anomalous behavior as an unexpected occurrence in the monitored behavior; and

determining the presence of the time-delayed malicious traffic based on the anomalous behavior, wherein accelerating of the activities by the first virtual machine includes (i) intercepting one or more time-sensitive system calls generated by a software program in response to network traffic, the software program being executed by the first virtual machine, and (ii) modifying the one or more of the system calls so to accelerate the activities in the first virtual machine caused by the network traffic.

Dependent claims: 26-33.
34. A computer implemented method comprising:

monitoring, by a network device, operatively coupled with a controller, a behavior of network traffic within a first virtual machine of one or more virtual machines, wherein the first virtual machine is configured to accelerate activities caused by the network traffic during processing thereof to reduce time for detecting time-delayed malicious traffic;

identifying at least one anomalous behavior as an unexpected occurrence in the monitored behavior; and

determining the presence of the time-delayed malicious traffic based on the anomalous behavior, wherein accelerating of the activities by the first virtual machine comprises (i) identifying a time consuming program loop executing in the first virtual machine, and (ii) accelerating execution of the time consuming program loop in the first virtual machine.

Dependent claim: 35.
36. A computer implemented method comprising:

analyzing, by a traffic device, network traffic received over a communication network;

submitting, by the traffic device, at least select network traffic within the communication network having one or more characteristics associated with a time-delayed malicious traffic for a subsequent analysis; and

performing the subsequent analysis in a network device includes, accelerating activities caused by the network traffic so as to reduce time for detecting time-delayed malicious traffic in at least one of a plurality of virtual machines, identifying one or more anomalous behaviors as an unexpected occurrence, and determining, based on the identified anomalous behavior, the presence of the time-delayed malicious traffic in the network traffic, wherein the accelerating of the activities in the at least one of the plurality of virtual machines includes at least one of (A) intercepting one or more time-sensitive system calls generated by a software program in response to the network traffic, the software program being executed by the at least one of the plurality of virtual machines, and either (i) modifying the one or more responses to the one or more of the system calls so as to accelerate the activities in the at least one of the plurality of virtual machines or (ii) modifying the one or more of the system calls so to accelerate the activities in the at least one of the plurality of virtual machines, and (B) identifying a time consuming program loop executing in the at least one of the plurality of virtual machines, and (ii) accelerating execution of the time consuming program loop in the at least one of the plurality of virtual machines.

Dependent claim: 37.
38. A system comprising:

a traffic device configured to receive network traffic over a communication network; and

a network device in communication with the traffic device, the network device comprises a controller in communication with one or more virtual machines that is configured to (i) receive the network traffic from the traffic device, (ii) monitor a behavior of a first virtual machine of the one or more virtual machines in response to processing of the network traffic within the first virtual machine, (iii) identify at least one anomalous behavior as an unexpected occurrence in the monitored behavior by accelerating activities caused by the network traffic to reduce time for detecting time-delayed malicious traffic, and (iv) determine, based on the identified anomalous behavior, the presence of the time-delayed malicious traffic in the network traffic, wherein the controller to accelerate the activities by at least intercepting one or more time-sensitive system calls and modifying the intercepted one or more time-sensitive system calls so as to accelerate the activities in the first virtual machine caused by the network traffic.

Dependent claims: 39-40.
41. A system comprising:

a traffic device configured to receive network traffic over a communication network; and

a network device in communication with the traffic device, the network device comprises a controller in communication with one or more virtual machines that is configured to (i) receive the network traffic from the traffic device, (ii) monitor a behavior of a first virtual machine of the one or more virtual machines in response to processing of the network traffic within the first virtual machine, (iii) identify at least one anomalous behavior as an unexpected occurrence in the monitored behavior by at least (a) identifying a time consuming program loop executing in the first virtual machine, and (b) accelerating execution of the time consuming program loop in the first virtual machine in order to reduce time for detecting time-delayed malicious traffic, and (iv) determine, based on the identified anomalous behavior, the presence of the time-delayed malicious traffic in the network traffic.

Dependent claim: 42.
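The claims describe two ways of shortening a sandbox run against content that waits before acting: intercepting time-sensitive system calls and rewriting their responses (claims 1, 16, 25, 36 and 38), and spotting a time-consuming loop in the guest and pushing it forward (claims 34, 36 and 41). The following is an added example, not code from the patent or from its assignee, that models both mechanisms in a single-process Python "sandbox": `time.time` and `time.sleep` stand in for the guest's clock and sleep system calls, `socket.create_connection` is hooked so the monitored behaviour (an outbound connection) is recorded instead of executed, and a clock-polling loop that makes no progress on its own is detected by counting clock reads between sleeps and fast-forwarding the virtual clock. `VirtualClock`, `Sandbox`, `delayed_sample`, the polling threshold, the 60-second skip and the sample's six-hour-plus-one-hour delay are all assumptions of this example; the "malicious" sample is a constructed, benign stand-in.

```python
"""Virtual-clock sandbox model (added example; not the patent's or any vendor's code).

(A) Intercept time-sensitive calls and modify their responses: the guest's
    sleep returns at once and the clock it reads has already moved on.
(B) Detect a time-consuming polling loop (many clock reads, no sleep) and
    accelerate it by fast-forwarding the virtual clock.
"""
import socket
import time
from contextlib import contextmanager

START = 1_700_000_000.0  # virtual epoch the guest is shown (assumed value)


class VirtualClock:
    """Clock handed to the guest in place of the real one (hypothetical)."""

    def __init__(self, accelerate_loops=True, poll_threshold=1000, skip=60.0,
                 max_polls=100_000):
        self.now = START
        self.accelerate_loops = accelerate_loops
        self.poll_threshold = poll_threshold  # clock reads without sleep = spin loop
        self.skip = skip                      # seconds to fast-forward per detected spin
        self.max_polls = max_polls            # stand-in for the analysis time budget
        self.polls_since_sleep = 0
        self.fast_forwards = 0

    def time(self):
        """Intercepted clock read (stands in for gettimeofday/clock_gettime)."""
        self.polls_since_sleep += 1
        if self.accelerate_loops and self.polls_since_sleep >= self.poll_threshold:
            # (B) the guest is spinning on the clock; move time forward for it.
            self.now += self.skip
            self.fast_forwards += 1
            self.polls_since_sleep = 0
        elif self.polls_since_sleep > self.max_polls:
            raise TimeoutError("analysis budget exhausted inside a polling loop")
        return self.now

    def sleep(self, seconds):
        """Intercepted sleep (stands in for nanosleep): (A) return immediately,
        but make the clock report that the requested time has elapsed."""
        self.now += seconds
        self.polls_since_sleep = 0


class Sandbox:
    """Controller: installs the hooks, runs the sample, records its behaviour."""

    def __init__(self, accelerate_loops=True):
        self.clock = VirtualClock(accelerate_loops=accelerate_loops)
        self.behaviour = []  # monitored events; an outbound connect is the anomaly

    def _fake_connect(self, address, *args, **kwargs):
        self.behaviour.append(("connect", address))
        return None  # nothing actually leaves the sandbox

    @contextmanager
    def _hooks(self):
        saved = (time.time, time.sleep, socket.create_connection)
        time.time, time.sleep = self.clock.time, self.clock.sleep
        socket.create_connection = self._fake_connect
        try:
            yield
        finally:
            time.time, time.sleep, socket.create_connection = saved

    def detonate(self, sample):
        wall_start = time.perf_counter()
        verdict = "timeout"
        with self._hooks():
            try:
                sample()
                seen_connect = any(kind == "connect" for kind, _ in self.behaviour)
                verdict = "malicious" if seen_connect else "benign"
            except TimeoutError:
                pass
        return {
            "verdict": verdict,
            "virtual_seconds": self.clock.now - START,
            "wall_seconds": time.perf_counter() - wall_start,
            "fast_forwards": self.clock.fast_forwards,
            "behaviour": list(self.behaviour),
        }


def hooks_are_real():
    """True when the real time.sleep is back in place (hooks were restored)."""
    return not isinstance(getattr(time.sleep, "__self__", None), VirtualClock)


def delayed_sample():
    """Constructed stand-in for time-delayed malicious content: sleep six hours,
    busy-wait on the clock for one more hour, then beacon out."""
    time.sleep(6 * 3600)
    deadline = time.time() + 3600
    while time.time() < deadline:
        pass  # no sleep here: a spin loop that a skipped sleep alone cannot shorten
    socket.create_connection(("c2.example.invalid", 443), timeout=5)


if __name__ == "__main__":
    print(Sandbox(accelerate_loops=True).detonate(delayed_sample))
    print(Sandbox(accelerate_loops=False).detonate(delayed_sample))
```

With loop acceleration on, the sample sees seven virtual hours pass, connects out, and is flagged in a few milliseconds of wall time; with it off, the skipped sleep still helps but the clock-polling loop never sees time move, so the run ends in a timeout with no verdict, which is exactly the gap claims 34 and 41 address. Two practitioner caveats: the hooks must cover every time source the guest can reach (in a real VM that includes `rdtsc`, timer interrupts and NTP, not just the sleep and clock system calls), since a sample that compares two clocks notices the skew; and fixed-size jumps like the 60-second skip here are themselves a fingerprint, so production systems vary them.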