System and method for near-real time network attack detection, and system and method for unified detection via detection routing
First Claim
1. A system, comprising:
a storage device configured to store unique identifiers for data blocks and indications associated with the stored unique identifiers whether each of the data blocks is good or bad;
a processor device configured to:
receive network traffic that includes a data block;
generate a unique identifier for the data block as the data block is received in network traffic, the unique identifier including a hash value corresponding to the data block contents;
determine during a packet scan operation on the network traffic of the packet that includes the data block whether the data block is indicated as good or bad in the indications associated with the unique identifier in the storage device;
call a file-type specific detection nugget corresponding to a file-type of the data block to perform a full file inspection of the data block so as to detect whether the data block is malicious, and store a result of the full file inspection indicating whether the data block is good or bad together with the unique identifier of the data block in the storage device, when the data block is determined to be not indicated in the unique identifier in the storage device;
not call the file-type specific detection nugget when the data block is determined to be indicated as good in the unique identifier in the storage device; and
not call the file-type specific detection nugget when the data block is determined to be indicated as bad in the unique identifier in the storage device, and issue an alert indicating that the data block that was received is bad,
wherein the file-type specific detection nugget is called by
sending a notification to a dispatcher program which indicates both the file-type and that evaluation of the data block as the file-type is desired,
receiving a token from the dispatcher program, in response to the notification, authorizing inspection by the file-type specific detection nugget,
generating an indication of the data block and the token authorizing inspection to the file-type specific detection nugget to commence full file inspection of the data block, in response to receipt of the token, and
providing the data block to the detection nugget, in response to receipt of the token,
wherein there are a plurality of file-type specific detection nuggets each for file inspection of file contents of respective different file-types.
Abstract
A system includes a processor. The processor is configured to receive network traffic that includes a data block. The processor will generate a unique identifier (UID) for the file that includes a hash value corresponding to the file. The processor will determine whether the file is indicated as good or bad with the previously-stored UID. The processor will call a file-type specific detection nugget corresponding to the file's file-type to perform a full file inspection to detect whether the file is good or bad and store a result of the inspection together with the UID of the file, when the file is determined to be not listed in the previously-stored UIDs. The processor will not call the file-type specific detection nugget when the file's indicator is “good” or “bad” in the previously-stored UIDs. The processor will issue an alert about the bad file when the file's indicator is “bad”.
24 Claims
1. (Independent claim 1 is set out above under First Claim.) Dependent claims: 2 to 10.
11. A system, comprising:
a storage device configured to store unique identifiers for data blocks and indications associated with the stored unique identifiers whether each of the data blocks is good or bad;
a processor device configured to:
capture data that includes a data block;
generate a unique identifier for the data block, the unique identifier including a hash value corresponding to the data block;
receive a declaration of interest in one or more file-types including a file-type of the data block from one or more file-type specific detection components;
determine whether the data block is indicated as good or bad in the indications associated with the unique identifier in the storage device;
call all of the one or more file-type specific detection components that declared interest in the file-type of the data block so that each of the one or more file-type specific detection components that declared interest in the file-type of the data block will inspect the data block so as to detect whether the file is malicious and each return a result of its own file inspection, and store the result of the full file inspection indicating whether the file is good or bad together with the unique identifier of the data block in the storage device, when the data block is determined to be not indicated in the unique identifier in the storage device;
not call any of the one or more file-type specific detection components when the data block is determined to be indicated as good in the unique identifier in the storage device; and
not call any of the one or more file-type specific detection components when the data block is determined to be indicated as bad in the unique identifier in the storage device, and issue an alert indicating that the data block that was received is bad,
wherein the file-type specific detection nugget is called by
sending a notification to a dispatcher program which indicates both the file-type and that evaluation of the data block as the file-type is desired,
receiving a token from the dispatcher program, in response to the notification, authorizing inspection by the file-type specific detection nugget,
generating an indication of the data block and the token authorizing inspection to the file-type specific detection nugget to commence full file inspection of the data block, in response to receipt of the token, and
providing the data block to the detection nugget, in response to receipt of the token,
wherein there are a plurality of file-type specific detection nuggets each for providing full file inspection of file contents of respective different file-types.
12. A method, comprising:
in a processor device, receiving network traffic that includes a data block;
generating a unique identifier for the data block as the data block is received in network traffic, the unique identifier including a hash value corresponding to the data block contents;
determining during a packet scan operation on the network traffic of the packet that includes the data block whether the data block is indicated as good or bad in the indications associated with the unique identifier in the storage device;
calling a file-type specific detection nugget corresponding to a file-type of the data block to perform a full file inspection of the data block so as to detect whether the file is malicious, and storing a result of the full file inspection indicating whether the file is good or bad together with the unique identifier of the data block in the storage device, when the data block is determined to be not indicated in the unique identifier in the storage device;
not calling the file-type specific detection nugget when the data block is determined to be indicated as good in the unique identifier in the storage device; and
not calling the file-type specific detection nugget when the data block is determined to be indicated as bad in the unique identifier in the storage device, and issuing an alert indicating that the data block that was received is bad,
wherein the file-type specific detection nugget is called by
sending a notification to a dispatcher program which indicates both the file-type and that evaluation of the data block as the file-type is desired,
receiving a token from the dispatcher program, in response to the notification, authorizing inspection by the file-type specific detection nugget,
generating an indication of the data block and the token authorizing inspection to the file-type specific detection nugget to commence full file inspection of the data block, in response to receipt of the token, and
providing the data block to the detection nugget, in response to receipt of the token,
wherein there are a plurality of file-type specific detection nuggets each for providing full file inspection of file contents of respective different file-types.
Dependent claims: 13 to 22.
23. A method, comprising:
in a storage device, storing unique identifiers for data blocks and indications associated with the stored unique identifiers whether each of the data blocks is good or bad;
in a processor device, capturing data that includes a data block;
generating a unique identifier for the data block, the unique identifier including a hash value corresponding to the data block;
receiving a declaration of interest in one or more file-types including a file-type of the data block from one or more file-type specific detection components;
determining whether the data block is indicated as good or bad in the indications associated with the unique identifier in the storage device;
calling all of the one or more file-type specific detection components that declared interest in the file-type of the data block so that each of the one or more file-type specific detection components that declared interest in the file-type of the data block will inspect the data block so as to detect whether the file is malicious and each return a result of its own file inspection, and storing the result of the full file inspection indicating whether the file is good or bad together with the unique identifier of the data block in the storage device, when the data block is determined to be not indicated in the unique identifier in the storage device;
not calling any of the one or more file-type specific detection components when the data block is determined to be indicated as good in the unique identifier in the storage device; and
not calling any of the one or more file-type specific detection components when the data block is determined to be indicated as bad in the unique identifier in the storage device, and issuing an alert indicating that the data block that was received is bad,
wherein the file-type specific detection nugget is called by
sending a notification to a dispatcher program which indicates both the file-type and that evaluation of the data block as the file-type is desired,
receiving a token from the dispatcher program, in response to the notification, authorizing inspection by the file-type specific detection nugget,
generating an indication of the data block and the token authorizing inspection to the file-type specific detection nugget to commence full file inspection of the data block, in response to receipt of the token, and
providing the data block to the detection nugget, in response to receipt of the token,
wherein there are a plurality of file-type specific detection nuggets each for providing full file inspection of file contents of respective different file-types.
Dependent claims: 24.
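As an added example (not code from the patent or from any product that implements it), the following Python models the flow claimed in claims 1 and 11: a verdict store keyed by a content hash, a dispatcher that records declarations of interest and issues single-use inspection tokens, and file-type specific nuggets that run only when the hash is not yet in the store. SHA-256, the token format, the "unknown" result for a file-type nobody declared interest in, and the toy PDF nugget are this example's assumptions.

```python
import hashlib
from typing import Callable, Dict, List, Optional
Nugget = Callable[[bytes], bool]   # a detection nugget: returns True = good, False = bad

# The claim's storage device: unique identifier -> good/bad indication.
# The claim says only "a hash value"; SHA-256 is this example's assumption.
verdicts: Dict[str, bool] = {}

class Dispatcher:
    """Records the nuggets' declarations of interest and issues single-use tokens."""
    def __init__(self) -> None:
        self.interest: Dict[str, List[Nugget]] = {}
        self.live_tokens: set = set()
        self.counter = 0
        self.inspections = 0            # number of full file inspections that ran

    def declare_interest(self, file_type: str, nugget: Nugget) -> None:
        self.interest.setdefault(file_type, []).append(nugget)

    def notify(self, file_type: str) -> Optional[str]:
        """Notification that evaluation as file_type is desired; answers with a token."""
        if file_type not in self.interest:
            return None
        self.counter += 1
        token = f"tok-{self.counter}"   # token format is an assumption of this example
        self.live_tokens.add(token)
        return token

    def inspect(self, token: str, file_type: str, block: bytes) -> bool:
        # Full file inspection by every interested nugget; the token is consumed.
        if token not in self.live_tokens:
            raise PermissionError("inspection not authorized by dispatcher")
        self.live_tokens.discard(token)
        self.inspections += 1
        return all(n(block) for n in self.interest[file_type])   # any 'bad' wins

def scan(dispatcher: Dispatcher, block: bytes, file_type: str) -> str:
    """Packet-scan path: consult the verdict store first, inspect only on a miss."""
    uid = hashlib.sha256(block).hexdigest()
    if uid in verdicts:                 # hit: no nugget call whether good or bad
        return "good (cached)" if verdicts[uid] else "ALERT (cached)"
    token = dispatcher.notify(file_type)
    if token is None:
        return "unknown (no nugget declared interest)"
    good = dispatcher.inspect(token, file_type, block)
    verdicts[uid] = good                # store the result with the UID
    return "good" if good else "ALERT"

def pdf_nugget(block: bytes) -> bool:
    """Toy PDF nugget (constructed): an embedded /Launch action counts as bad."""
    return b"/Launch" not in block
```

Scanning the same block twice shows the cache path: the second call returns the stored verdict without calling any nugget, while a token that the dispatcher never issued is refused.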