System and method for near-real time network attack detection, and system and method for unified detection via detection routing

US 8,677,486 B2
Filed: 04/14/2011
Issued: 03/18/2014
Est. Priority Date: 04/16/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A system, comprising:

a storage device configured to store unique identifiers for data blocks and indications associated with the stored unique identifiers whether each of the data blocks is good or bad;

a processor device configured to;

receive network traffic that includes a data block;

generate a unique identifier for the data block as the data block is received in network traffic, the unique identifier including a hash value corresponding to the data block contents;

determine during a packet scan operation on the network traffic of the packet that includes the data block whether the data block is indicated as good or bad in the indications associated with the unique identifier in the storage device;

call a file-type specific detection nugget corresponding to a file-type of the data block to perform a full file inspection of the data block so as to detect whether the data block is malicious, and store a result of the full file inspection indicating whether the data block is good or bad together with the unique identifier of the data block in the storage device, when the data block is determined to be not indicated in the unique identifier in the storage device;

not call the file-type specific detection nugget when the data block is determined to be indicated as good in the unique identifier in the storage device; and

not call the file-type specific detection nugget when the data block is determined to be indicated as bad in the unique identifier in the storage device, and issue an alert indicating that the data block that was received is bad,the file-type specific detection nugget is called bysending a notification to a dispatcher program which indicates both the file-type and that evaluation of the data block as the file-type is desired,receiving a token from the dispatcher program, in response to the notification, authorizing inspection by the file-type specific detection nugget,generating an indication of the data block and the token authorizing inspection to the file-type specific detection nugget to commence full file inspection of the data block, in response to receipt of the token, andproviding the data block to the detection nugget, in response to receipt of the token,wherein there are a plurality of file-type specific detection nuggets each for file inspection of file contents of respective different file-types.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes a processor. The processor is configured to receive network traffic that includes a data block. The processor will generate a unique identifier (UID) for the file that includes a hash value corresponding to the file. The processor will determine whether the file is indicated as good or bad with the previously-stored UID. The processor will call a file-type specific detection nugget corresponding to the file'"'"'s file-type to perform a full file inspection to detect whether the file is good or bad and store a result of the inspection together with the UID of the file, when the file is determined to be not listed in the previously-stored UIDs. The processor will not call the file-type specific detection nugget when the file'"'"'s indicator is “good” or “bad” in the previously-stored UIDs. The processor will issue an alert about the bad file when the file'"'"'s indicator is “bad”.

Citations

24 Claims

1. A system, comprising:
- a storage device configured to store unique identifiers for data blocks and indications associated with the stored unique identifiers whether each of the data blocks is good or bad;
  
  a processor device configured to;
  
  receive network traffic that includes a data block;
  
  generate a unique identifier for the data block as the data block is received in network traffic, the unique identifier including a hash value corresponding to the data block contents;
  
  determine during a packet scan operation on the network traffic of the packet that includes the data block whether the data block is indicated as good or bad in the indications associated with the unique identifier in the storage device;
  
  call a file-type specific detection nugget corresponding to a file-type of the data block to perform a full file inspection of the data block so as to detect whether the data block is malicious, and store a result of the full file inspection indicating whether the data block is good or bad together with the unique identifier of the data block in the storage device, when the data block is determined to be not indicated in the unique identifier in the storage device;
  
  not call the file-type specific detection nugget when the data block is determined to be indicated as good in the unique identifier in the storage device; and
  
  not call the file-type specific detection nugget when the data block is determined to be indicated as bad in the unique identifier in the storage device, and issue an alert indicating that the data block that was received is bad,the file-type specific detection nugget is called bysending a notification to a dispatcher program which indicates both the file-type and that evaluation of the data block as the file-type is desired,receiving a token from the dispatcher program, in response to the notification, authorizing inspection by the file-type specific detection nugget,generating an indication of the data block and the token authorizing inspection to the file-type specific detection nugget to commence full file inspection of the data block, in response to receipt of the token, andproviding the data block to the detection nugget, in response to receipt of the token,wherein there are a plurality of file-type specific detection nuggets each for file inspection of file contents of respective different file-types.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, further comprising a nugget storage that stores the plurality of file-type specific detection nuggets, each of the file-type specific detection nuggets is configuredto determine whether the token authorizing inspection is received and is valid,to provide the file inspection of the data block in accordance with its respective different file type when the token authorizing inspection specific to the file-type specific detection nugget is received and when the token that is received is determined to be valid,to not provide a file inspection of the data block when the token that is received is not determined to be valid, andto not provide the file inspection of the data block when a file inspection is requested but the token is not received.
  - 3. The system of claim 1, wherein the file-type specific detection nuggetcreates a unique identifier for a subcomponent of the data block when the subcomponent is found with a different file-type or obfuscation scheme than handled by the file-type specific detection nugget,calls a different file-type specific detection nugget corresponding to the different file-type of the subcomponent to inspect contents of the subcomponent or to look for the unique identifier of the subcomponent in the storage device so as to detect whether the subcomponent is bad or good, andstores a result of the subcomponent inspection indicating that the subcomponent is bad and that the data block is bad together with the unique identifier of both the subcomponent and the data block in the storage device, instead of storing the indicator that the data block is good with the unique identifier of the data block in the storage device, when the inspection result of the subcomponent that is found is returned as bad or malicious.
  - 4. The system of claim 1, whereinthe processor device marks the unique identifier for the data block stored in the storage device with a good indicator as “
    - tainted”
      
      , when a new detection capability is added to the file-type specific detection nugget; and
      
      the processor device treats the data block as not being indicated in the computer storage device instead of being indicated as “
      
      good”
      
      so that the good status of the data block is verified and the “
      
      tainted”
      
      indicated is replaced after the new detection capability is added, when the data block is indicated as “
      
      tainted”
      
      .
  - 5. The system of claim 1, wherein the file-type specific detection nugget is configured to perform full file parsing that targets specific pre-determined attack triggering conditions.
  - 6. The system of claim 1, wherein the processor is further configured to provide retroactive alerting based on full file and subcomponent processing.
  - 7. The system of claim 1, wherein the unique identifiers stored in the storage device are obtained by a cryptographic hash calculation from full file contents for the different data blocks as each of the data blocks is received in the network traffic.
  - 8. The system of claim 1, wherein the alert is issued to an anti-virus system attached to a mail-gateway for handling the network traffic received over the mail-gateway that contains the data block that is bad.
  - 9. The system of claim 1, wherein the unique identifiers stored in the storage device are further indicated as “
    - global”
      
      when they are unique to all system users, and not marked as “
      
      global”
      
      when they are unique to an individual and not unique to all system users.
  - 10. The system of claim 1, wherein the processor device is further configured toreceive a declaration of interest in one or more file-types including the file-type from one or more file-type specific detection nuggets, andcall all of the one or more file-type specific detection nuggets that declared interest in the file-type of the data block so that each of the one or more file-type specific detection nuggets that declared interest in the file-type of the data block can inspect the data block and return a result of its own file inspection, when the data block is determined to be not indicated in the unique identifier in the storage device.

11. A system, comprising:
- a storage device configured to store unique identifiers for data blocks and indications associated with the stored unique identifiers whether each of the data blocks is good or bad;
  
  a processor device configured to;
  
  capture data that includes a data block;
  
  generate a unique identifier for the data block, the unique identifier including a hash value corresponding to the data block;
  
  receive a declaration of interest in one or more file-types including a file-type of the data block from one or more file-type specific detection components;
  
  determine whether the data block is indicated as good or bad in the indications associated with the unique identifier in the storage device;
  
  call all of the one-or more file-type specific detection components that declared interest in the file-type of the data block so that each of the one or more file-type specific detection components that declared interest in the file-type of the data block will inspect the data block so as to detect whether the file is malicious and each return a result of its own file inspection, and store the result of the full file inspection indicating whether the file is good or bad together with the unique identifier of the data block in the storage device, when the data block is determined to be not indicated in the unique identifier in the storage device;
  
  not call any of the one or more file-type specific detection components when the data block is determined to be indicated as good in the unique identifier in the storage device; and
  
  not call any of the one or more file-type specific detection components when the data block is determined to be indicated as bad in the unique identifier in the storage device, and issue an alert indicating that the data block that was received is bad,the file-type specific detection nugget is called bysending a notification to a dispatcher program which indicates both the file-type and that evaluation of the data block as the file-type is desired,receiving a token from the dispatcher program, in response to the notification, authorizing inspection by the file-type specific detection nugget,generating an indication of the data block and the token authorizing inspection to the file-type specific detection nugget to commence full file inspection of the data block, in response to receipt of the token, andproviding the data block to the detection nugget, in response to receipt of the token,wherein there are a plurality of file-type specific detection nuggets each for providing full file inspection of file contents of respective different file-types.

12. A method, comprising:
- in a processor device, receiving network traffic that includes a data block;
  
  generating a unique identifier for the data block as the data block is received in network traffic, the unique identifier including a hash value corresponding to the data block contents;
  
  determining during a packet scan operation on the network traffic of the packet that includes the data block whether the data block is indicated as good or bad in the indications associated with the unique identifier in the storage device;
  
  calling a file-type specific detection nugget corresponding to a file-type of the data block to perform a full file inspection of the data block so as to detect whether the file is malicious, and store a result of the full file inspection indicating whether the file is good or bad together with the unique identifier of the data block in the storage device, when the data block is determined to be not indicated in the unique identifier in the storage device;
  
  not calling the file-type specific detection nugget when the data block is determined to be indicated as good in the unique identifier in the storage device; and
  
  not calling the file-type specific detection nugget when the data block is determined to be indicated as bad in the unique identifier in the storage device, and issue an alert indicating that the data block that was received is bad,the file-type specific detection nugget is called bysending a notification to a dispatcher program which indicates both the file-type and that evaluation of the data block as the file-type is desired,receiving a token from the dispatcher program, in response to the notification, authorizing inspection by the file-type specific detection nugget,generating an indication of the data block and the token authorizing inspection to the file-type specific detection nugget to commence full file inspection of the data block, in response to receipt of the token, andproviding the data block to the detection nugget, in response to receipt of the token,wherein there are a plurality of file-type specific detection nuggets each for providing full file inspection of file contents of respective different file-types.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, further comprising storing, in a nugget storage, the plurality of file-type specific detection nuggets, each of the file-type specific detection nuggets is configuredto determine whether the token authorizing inspection is received and is valid,to provide the file inspection of the data block in accordance with its respective different file type when the token authorizing inspection specific to the file-type specific detection nugget is received and when the token that is received is determined to be valid,to not provide a file inspection of the data block when the token that is received is determined to not be valid, andto not provide the file inspection of the data block when a file inspection is requested but the token is not received.
  - 14. The method of claim 12, wherein the file-type specific detection nuggetcreates a unique identifier for a subcomponent of the data block when the subcomponent is found with a different file-type or obfuscation scheme than handled by the file-type specific detection nugget,calls a different file-type specific detection nugget corresponding to the different file-type of the subcomponent to inspect contents of the subcomponent or to look for the unique identifier of the subcomponent in the storage device so as to detect whether the subcomponent is bad or good, andstores a result of the subcomponent inspection indicating that the subcomponent is bad and that the data block is bad together with the unique identifier of both the subcomponent and the data block in the storage device, instead of storing the indicator that the data block is good with the unique identifier of the data block in the storage device, when the inspection result of the subcomponent that is found is returned as bad or malicious.
  - 15. The method of claim 12, further comprisingmarking, by the processor device, the unique identifier for the data block stored in the storage device with a good indicator as “
    - tainted”
      
      , when a new detection capability is added to the file-type specific detection nugget; and
      
      treating the data block as not being indicated in the computer storage device instead of being indicated as “
      
      good”
      
      so that the good status of the data block is verified and the “
      
      tainted”
      
      indicated is replaced after the new detection capability is added, when the data block is indicated as “
      
      tainted”
      
      .
  - 16. The method of claim 12, further comprising performing, in the file-type specific detection nugget, full file parsing that targets specific pre-determined attack triggering conditions.
  - 17. The method of claim 12, further comprising providing retroactive alerting based on full file and subcomponent processing.
  - 18. The method of claim 12, further comprising obtaining the unique identifiers stored in the storage device by a cryptographic hash calculation from full file contents for the different data blocks as each of the data blocks is received in the network traffic.
  - 19. The method of claim 12, further comprising issuing the alert to an anti-virus system attached to a mail-gateway for handling the network traffic received over the mail-gateway that contains the data block that is bad.
  - 20. The method of claim 12, further comprising indicating the unique identifiers stored in the storage device as “
    - global”
      
      when they are unique to all system users, and not marking the unique identifiers stored in the storage device as “
      
      global”
      
      when they are unique to an individual and not unique to all system users.
  - 21. The method of claim 12, further comprisingreceiving, in the processor device, a declaration of interest in one or more file-types including the file-type from one or more file-type specific detection nuggets, andcalling, in the processor device, all of the one or more file-type specific detection nuggets that declared interest in the file-type of the data block so that each of the one or more file-type specific detection nuggets that declared interest in the file-type of the data block can inspect the data block and return a result of its own file inspection, when the data block is determined to be not indicated in the unique identifier in the storage device.
  - 22. A non-transitory computer readable medium comprising executable instructions for performing the method of claim 12.

23. A method, comprising:
- in a storage device, storing unique identifiers for data blocks and indications associated with the stored unique identifiers whether each of the data blocks is good or bad;
  
  in a processor device, capturing data that includes a data block;
  
  generating a unique identifier for the data block, the unique identifier including a hash value corresponding to the data block;
  
  receiving a declaration of interest in one or more file-types including a file-type of the data block from one or more file-type specific detection components;
  
  determining whether the data block is indicated as good or bad in the indications associated with the unique identifier in the storage device;
  
  calling all of the one-or more file-type specific detection component that declared interest in the file-type of the data block so that each of the one or more file-type specific detection components that declared interest in the file-type of the data block will inspect the data block so as to detect whether the file is malicious and each return a result of its own file inspection, and store the result of the full file inspection indicating whether the file is good or bad together with the unique identifier of the data block in the storage device, when the data block is determined to be not indicated in the unique identifier in the storage device;
  
  not calling any of the one or more file-type specific detection components when the data block is determined to be indicated as good in the unique identifier in the storage device; and
  
  not calling any of the one or more file-type specific detection components when the data block is determined to be indicated as bad in the unique identifier in the storage device, and issuing an alert indicating that the data block that was received is bad,the file-type specific detection nugget is called bysending a notification to a dispatcher program which indicates both the file-type and that evaluation of the data block as the tile-type is desired,receiving a token from the dispatcher program, in response to the notification, authorizing inspection by the file-type specific detection nugget,generating an indication of the data block and the token authorizing inspection to the file-type specific detection nugget to commence full file inspection of the data block, in response to receipt of the token, andproviding the data block to the detection nugget, in response to receipt of the token,wherein there are a plurality of file-type specific detection nuggets each for providing full file inspection of file contents of respective different file-types.
- View Dependent Claims (24)
- - 24. A non-transitory computer readable medium comprising executable instructions for performing the method of claim 23.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Inventors
Olney, Matthew, Mullen, Patrick, Grenier, Lurene, Houghton, Nigel, Pentney, Ryan
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
DE JESUS LASSAIA, CARLOS MANUEL

Application Number

US13/086,819
Publication Number

US 20110258702A1
Time in Patent Office

1,069 Days
Field of Search

726 22- 25, 726/9
US Class Current

726/23
CPC Class Codes

G06F 21/564   by virus signature recognition

H04L 63/0218   Distributed architectures, ...

H04L 63/1408   by monitoring network traff...

System and method for near-real time network attack detection, and system and method for unified detection via detection routing

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for near-real time network attack detection, and system and method for unified detection via detection routing

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links