Malware defense system and method
Abstract
A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.
266 Citations
80 Claims
1. A method for detecting malicious code comprising:
copying network traffic traveling over a communication network;
determining whether the copy of the network traffic contains malicious code by (i) retrieving a virtual machine, configured to receive the copy of the network traffic, from among a plurality of virtual machines, (ii) configuring a transmitter to simulate transmission of the copy of the network traffic to a destination device by transmitting the copy of the network traffic to the virtual machine, (iii) simulating transmission of the copy of the network traffic to the destination device by transmitting the copy of the network traffic to the virtual machine, (iv) receiving the copy of the network traffic by the virtual machine, and (v) observing an anomalous behavior of the virtual machine processing the copy of the network traffic, the anomalous behavior corresponding to an unexpected behavior of the virtual machine while the copy of the network traffic is being processed;
generating a signature that is associated with the observed anomalous behavior for detection of the presence of the malicious code, the signature being generated by a network defense system implemented within at least one computing device; and
sharing the signature with another network defense system for use in detecting malicious code in network traffic traveling over the communication network or a different communication network.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 26, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44
13. A system for detection of malicious code, comprising:
a traffic analysis device configured to copy network traffic traveling over a communication network;
a network defense system implemented in at least one computing device, the network defense system comprising:
a controller configured to (i) determine whether the copy of the network traffic contains malicious code by observing an anomalous behavior of a virtual machine processing the copy of the network traffic, the anomalous behavior corresponding to an unexpected behavior of the virtual machine while the copy of the network traffic is being processed, and (ii) automatically generate a signature that is associated with the observed anomalous behavior for detection of the presence of the malicious code,
a scheduler configured to cause the virtual machine to be retrieved from among a plurality of virtual machines, wherein the virtual machine is configured to receive the copy of the network traffic, and
a transmitter configured to simulate transmission of the copy of the network traffic to a destination device by transmission of the copy of the network traffic to the virtual machine;
a management system configured to obtain the signature generated by the network defense system and distribute the signature to a detection system for use in detecting malicious code in network traffic traveling over the communication network or a different communication network; and
a network interface configured to communicate over a communication system with the detection system configured to detect network communications of the malicious code, based on the signature.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 27, 28, 29, 45, 46, 47, 48, 49, 50, 51, 52
21. A system for detection of malicious code, comprising:
a traffic analysis device configured to copy network traffic traveling over a communication network;
a network defense system implemented in at least one computing device and comprising:
a controller configured to (i) determine whether the copy of the network traffic contains malicious code by observing an anomalous behavior of a virtual machine processing the copy of the network traffic, the anomalous behavior corresponding to an unexpected behavior of the virtual machine while the copy of the network traffic is being processed, and (ii) automatically generate a signature that is associated with the observed anomalous behavior for detection of the presence of the malicious code,
a scheduler configured to cause the virtual machine to be retrieved from among a plurality of virtual machines, wherein the virtual machine is configured to receive the copy of the network traffic, and
a transmitter configured to simulate transmission of the copy of network traffic to a destination device by transmission of the copy of the network traffic to the virtual machine;
means for sharing the signature with a detection system for use in detecting malicious code in network traffic traveling over the communication network or a different communication network; and
means for detecting network communications of the malicious code, based on the signature.
Dependent claims: 22, 23, 24, 34, 53, 54, 55, 56, 57, 58, 59, 60
25. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor to perform a method for detecting malicious code comprising:
copying network traffic traveling over a communication network;
determining whether the copy of the network traffic contains malicious code by (i) retrieving a virtual machine, configured to receive the copy of the network traffic, from among a plurality of virtual machines, (ii) configuring a transmitter to simulate transmission of the copy of the network traffic to a destination device by transmitting the copy of the network traffic to the virtual machine, (iii) simulating transmission of the copy of the network traffic to the destination device by transmitting the copy of the network traffic to the virtual machine, (iv) receiving the copy of the network traffic by the virtual machine, and (v) observing an anomalous behavior of the virtual machine processing the copy of the network traffic, the anomalous behavior corresponding to an unexpected behavior of the virtual machine while the copy of the network traffic is being processed;
generating a signature that is associated with the observed anomalous behavior for detection of the presence of the malicious code, the signature being generated by a network defense system implemented within at least one computing device; and
sharing the signature with another network defense system for use in detecting malicious code in network traffic traveling over the communication network or a different communications network.
Dependent claims: 61, 62, 63, 64, 65, 66, 67, 68
30. A system for detection of malicious code, comprising:
a traffic analysis device configured to copy network traffic traveling over a communication network;
a network defense system implemented in at least one computing device and comprising a controller configured to (i) determine whether the copy of the network traffic contains malicious code by observing an anomalous behavior of a virtual machine processing the copy of the network traffic, the anomalous behavior corresponding to an unexpected behavior of the virtual machine while the copy of the network traffic is being processed, and (ii) automatically generate a signature that is associated with the observed anomalous behavior for detection of the presence of the malicious code, and share the signature for use in detecting malicious code in network traffic traveling over a different communication network;
a scheduler configured to cause the virtual machine to be retrieved from among a plurality of virtual machines, wherein the virtual machine is configured to receive the copy of the network traffic; and
a transmitter configured to simulate transmission of the copy of the network traffic to a destination device by transmission of the copy of the network traffic to the virtual machine.
Dependent claims: 31, 32, 33, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80
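A constructed end-to-end model of the pipeline the abstract and the claims describe (traffic tap, scheduler retrieving a VM from a pool, transmitter replaying the copy into it, observation of unexpected VM behavior, signature generation, and distribution by the management system to every containment system's blocking system), added here as example code rather than the patent's or any product's implementation. The VM "script" payload format, the baseline behavior sets and the sample payloads are assumptions made for the demo.

```python
import hashlib

# Constructed model of the containment-system architecture in the claims: a tap
# copies traffic, a scheduler retrieves a VM for it, a transmitter replays the copy
# into that VM, behaviour the VM is not expected to show becomes a signature, and a
# management system pushes that signature to every blocking system. Example code only.

class VirtualMachine:
    """Sandbox VM model: a payload is a constructed text 'script', one action per
    line, and the VM reports each action it performs as a behaviour string."""
    def __init__(self, expected):
        self.expected = set(expected)      # baseline behaviour for this VM's service

    def process(self, payload: bytes) -> set:
        return {line.decode(errors="replace") for line in payload.splitlines() if line}

class ContainmentSystem:
    """One production network's worm sensor plus its blocking system."""
    def __init__(self, name, vm_pool):
        self.name, self.vm_pool, self.blocklist = name, vm_pool, set()

    def sense(self, dst_port, payload):
        vm = self.vm_pool[dst_port]                    # scheduler: VM configured for this port
        anomalous = vm.process(payload) - vm.expected  # replay the copy, keep unexpected behaviour
        if not anomalous:
            return None
        return {"sha256": hashlib.sha256(payload).hexdigest(),
                "behaviour": sorted(anomalous), "origin": self.name}

    def block(self, payload):                           # blocking system: drop matching traffic
        return hashlib.sha256(payload).hexdigest() in self.blocklist

class ManagementSystem:
    def __init__(self, systems):
        self.systems = systems
    def distribute(self, sig):                          # share with all containment systems
        for s in self.systems:
            s.blocklist.add(sig["sha256"])

def run_demo():
    pool = lambda: {80: VirtualMachine({"GET /index.html", "POST /login"})}
    net_a, net_b = ContainmentSystem("net-a", pool()), ContainmentSystem("net-b", pool())
    mgmt = ManagementSystem([net_a, net_b])
    benign = b"GET /index.html\n"                                  # constructed sample
    worm = b"GET /index.html\nexec /tmp/w\nconnect 10.0.0.7:80\n"  # constructed sample
    sig = net_a.sense(80, worm)        # only net-a's sensor ever sees the worm
    if sig is not None:
        mgmt.distribute(sig)
    return sig, net_a.sense(80, benign), net_b.block(worm), net_b.block(benign)
```

The returned tuple shows the point of the architecture: net-b blocks the worm copy even though its own sensor never observed it, while benign traffic produces no signature and is not blocked.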
Specification