Malware defense system and method

US 8,689,333 B2
Filed: 09/27/2012
Issued: 04/01/2014
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious code comprising:

copying network traffic traveling over a communication network;

determining whether the copy of the network traffic contains malicious code by (i) retrieving a virtual machine, configured to receive the copy of the network traffic, from among a plurality of virtual machines, (ii) configuring a transmitter to simulate transmission of the copy of the network traffic to a destination device by transmitting the copy of the network traffic to the virtual machine, (iii) simulating transmission of the copy of the network traffic to the destination device by transmitting the copy of the network traffic to the virtual machine, (iv) receiving the copy of the network traffic by the virtual machine, and (v) observing an anomalous behavior of the virtual machine processing the copy of the network traffic, the anomalous behavior corresponding to an unexpected behavior of the virtual machine while the copy of the network traffic is being processed;

generating a signature that is associated with the observed anomalous behavior for detection of the presence of the malicious code, the signature being generated by a network defense system implemented within at least one computing device; and

sharing the signature with another network defense system for use in detecting malicious code in network traffic traveling over the communication network or a different communication network.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.

266 Citations

80 Claims

1. A method for detecting malicious code comprising:
- copying network traffic traveling over a communication network;
  
  determining whether the copy of the network traffic contains malicious code by (i) retrieving a virtual machine, configured to receive the copy of the network traffic, from among a plurality of virtual machines, (ii) configuring a transmitter to simulate transmission of the copy of the network traffic to a destination device by transmitting the copy of the network traffic to the virtual machine, (iii) simulating transmission of the copy of the network traffic to the destination device by transmitting the copy of the network traffic to the virtual machine, (iv) receiving the copy of the network traffic by the virtual machine, and (v) observing an anomalous behavior of the virtual machine processing the copy of the network traffic, the anomalous behavior corresponding to an unexpected behavior of the virtual machine while the copy of the network traffic is being processed;
  
  generating a signature that is associated with the observed anomalous behavior for detection of the presence of the malicious code, the signature being generated by a network defense system implemented within at least one computing device; and
  
  sharing the signature with another network defense system for use in detecting malicious code in network traffic traveling over the communication network or a different communication network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 26, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 2. The method of claim 1 further comprising detecting network communications of the malicious code, based on the signature.
  - 3. The method of claim 2 wherein detecting network communications comprises:
    - receiving the signature; and
      
      blocking the propagation of the malicious code within the communication network or the different communication network.
  - 4. The method of claim 1 wherein sharing the signature comprises obtaining the signature from the network defense system and distributing the signature to the other network defense system.
  - 5. The method of claim 1 further comprising:
    - identifying at least a portion of the network traffic as suspicious network traffic; and
      
      transmitting the identified portion of the network traffic to the virtual machine for observation of behavior of the virtual machine processing the portion of the copied network traffic, wherein the copy of the network traffic comprises the identified portion of the network traffic.
  - 6. The method of claim 3 wherein the signature comprises a Uniform Resource Locator (URL) and the method further comprises utilizing the signature to filter out network traffic based on the URL.
  - 7. The method of claim 3 wherein the signature is for use by an inline signature based intrusion detection system and the method further comprises sharing the signature with the inline signature based intrusion detection system.
  - 8. The method of claim 3 wherein the signature comprises an ACL entry for a network device capable of filtering network traffic and the method further comprises sharing the signature with the network device capable of filtering network traffic.
  - 9. The method of claim 1 wherein the signature comprises a destination port and a sequence of tokens.
  - 10. The method of claim 1 wherein the signature comprises a vector.
  - 11. The method of claim 1 further comprising generating a recovery script.
  - 12. The method of claim 1 wherein the sharing is performed automatically.
  - 26. The method of claim 1, further comprising:
    - filtering the network traffic based at least in part on a heuristic that identifies suspicious network traffic; and
      
      copying the network traffic after the network traffic has been filtered.
  - 35. The method of claim 1, wherein the unexpected behavior comprises one or more of an execution anomaly or a network anomaly associated with the virtual machine when the virtual machine processes the copy of the network traffic.
  - 36. The method of claim 1, wherein retrieving the virtual machine from among the plurality of virtual machines comprises retrieving a first virtual machine and one of a plurality of different virtual machine configurations, and configuring the first virtual machine with the one of the plurality of different virtual machine configurations to simulate one or more performance characteristics of the destination device to receive the network traffic.
  - 37. The method of claim 1, wherein retrieving the virtual machine from among a plurality of virtual machines comprises creating a virtual machine configured with a selected software profile.
  - 38. The method of claim 37, wherein creating the virtual machine comprises establishing a software environment within the created virtual machine with the selected software profile, wherein the software environment includes one or more operating systems and application software components associated with the destination device.
  - 39. The method of claim 1, wherein the transmitter is a replayer.
  - 40. The method of claim 1, wherein retrieving the virtual machine comprises creating the virtual machine with a selected software environment.
  - 41. The method of claim 1, wherein retrieving the virtual machine comprises configuring the virtual machine with a selected software environment.
  - 42. The method of claim 5, wherein the portion of the network traffic is identified as suspicious network traffic based on a comparison of the network traffic to one or more policies.
  - 43. The method of claim 1, wherein (i)-(v) performed for determining whether the copy of the network traffic contains malicious code are order independent.
  - 44. The method of claim 1, wherein the virtual machine, configured to receive the copy of the network traffic comprises the virtual machine configured to simulate one or more characteristics of the destination device targeted to receive the network traffic.

13. A system for detection of malicious code, comprising:
- a traffic analysis device configured to copy network traffic traveling over a communication network;
  
  a network defense system implemented in at least one computing device, the network defense system comprising;
  
  a controller configured to (i) determine whether the copy of the network traffic contains malicious code by observing an anomalous behavior of a virtual machine processing the copy of the network traffic, the anomalous behavior corresponding to an unexpected behavior of the virtual machine while the copy of the network traffic is being processed, and (ii) automatically generate a signature that is associated with the observed anomalous behavior for detection of the presence of the malicious code,a scheduler configured to cause the virtual machine to be retrieved from among a plurality of virtual machines, wherein the virtual machine is configured to receive the copy of the network traffic, anda transmitter configured to simulate transmission of the copy of the network traffic to a destination device by transmission of the copy of the network traffic to the virtual machine;
  
  a management system configured to obtain the signature generated by the network defense system and distribute the signature to a detection system for use in detecting malicious code in network traffic traveling over the communication network or a different communication network; and
  
  a network interface configured to communicate over a communication system with the detection system configured to detect network communications of the malicious code, based on the signature.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 27, 28, 29, 45, 46, 47, 48, 49, 50, 51, 52)
- - 14. The system of claim 13 wherein the traffic analysis device is configured toidentify at least a portion of the network traffic as potentially containing malicious content, andtransmit the identified portion of the network traffic to the virtual machine for observation of behavior of the virtual machine processing the portion of the network traffic, wherein the copy of the network traffic comprises the identified portion of the network traffic.
  - 15. The system of claim 13 wherein the signature comprises a Uniform Resource Locator (URL) and the detection system comprises a URL filtering device.
  - 16. The system of claim 13 wherein the signature comprises a destination port and a sequence of tokens.
  - 17. The system of claim 13 wherein the signature comprises a vector.
  - 18. The system of claim 13 wherein the network defense system is further configured to generate a recovery script.
  - 19. The system of claim 13 wherein the detection system comprises a blocking system configured to receive the signature and to block the propagation of the malicious code within the communication network, or the different communication network.
  - 20. The system of claim 19 wherein the network defense system automatically distributes the signature to the blocking system.
  - 27. The system of claim 13, wherein the traffic analysis device is further configured to filter the network traffic based at least in part on a heuristic that identifies suspicious network traffic.
  - 28. The system of claim 27, wherein the traffic analysis device is further configured to copy the network traffic after the network traffic has been filtered.
  - 29. The system of claim 13, wherein the controller is further configured to generate the signature based at least in part on a URL.
  - 45. The system of claim 13, wherein the controller is configured to coordinate one or more predetermined network or computing activities when the virtual machine processes the copy of the network traffic.
  - 46. The system of claim 13, wherein the unexpected behavior comprises one or more of an execution anomaly or a network anomaly associated with the virtual machine when the virtual machine processes the copy of the network traffic.
  - 47. The system of claim 13, wherein the scheduler is configured to retrieve the virtual machine from among the plurality of virtual machines by (i) retrieving a first virtual machine and one of a plurality of different virtual machine configurations, and (ii) configuring the first virtual machine with the one of the plurality of different virtual machine configurations to simulate one or more performance characteristics of the destination device.
  - 48. The system of claim 13, wherein the scheduler configured to cause the virtual machine to be retrieved comprises the scheduler configured to retrieve a first virtual machine and one of a plurality of different virtual machine configurations, and to cause the first virtual machine to be configured with the one of the plurality of different virtual machine configurations to simulate one or more performance characteristics of the destination device to receive the network traffic.
  - 49. The system of claim 13, wherein the scheduler configured to cause the virtual machine to be retrieved comprises the scheduler configured to create a virtual machine configured with a selected software profile.
  - 50. The system of claim 49, wherein the scheduler configured to create the virtual machine comprises the scheduler configured to establish a software environment within the created virtual machine with the selected software profile, wherein the software environment includes one or more operating systems and application software components associated with the destination device.
  - 51. The system of claim 13, wherein the scheduler configured to cause the virtual machine to be retrieved comprises the scheduler configured to create a virtual machine with a selected software environment.
  - 52. The system of claim 13, wherein the scheduler configured to cause the virtual machine to be retrieved comprises the scheduler configured to configure the virtual machine with a selected software environment.

21. A system for detection of malicious code, comprising:
- a traffic analysis device configured to copy network traffic traveling over a communication network;
  
  a network defense system implemented in at least one computing device and comprising;
  
  a controller configured to (i) determine whether the copy of the network traffic contains malicious code by observing an anomalous behavior of a virtual machine processing the copy of the network traffic, the anomalous behavior corresponding to an unexpected behavior of the virtual machine while the copy of the network traffic is being processed, and (ii) automatically generate a signature that is associated with the observed anomalous behavior for detection of the presence of the malicious code,a scheduler configured to cause the virtual machine to be retrieved from among a plurality of virtual machines, wherein the virtual machine is configured to receive the copy of the network traffic, anda transmitter configured to simulate transmission of the copy of network traffic to a destination device by transmission of the copy of the network traffic to the virtual machine;
  
  means for sharing the signature with a detection system for use in detecting malicious code in network traffic traveling over the communication network or a different communication network; and
  
  means for detecting network communications of the malicious code, based on the signature.
- View Dependent Claims (22, 23, 24, 34, 53, 54, 55, 56, 57, 58, 59, 60)
- - 22. The system of claim 21 wherein the means for detecting comprises a blocking system configured to receive the signature and to block the propagation of the malicious code within the communication network or the different communication network.
  - 23. The system of claim 21 wherein the means for sharing comprises a management system configured to obtain the signature from the network defense system and distribute the signature to the means for detecting.
  - 24. The system of claim 21 wherein the traffic analysis device is configured toidentify at least a portion of the network traffic as potentially containing malicious content, andtransmit the identified portion of the network traffic to the virtual machine for observation of behavior of the virtual machine processing the portion of the network traffic, wherein the copy of the network traffic comprises the identified portion of the network traffic.
  - 34. The system of claim 21, wherein the traffic analysis device is further configured to filter the network traffic based at least in part on a heuristic that identifies suspicious network traffic.
  - 53. The system of claim 21, wherein the controller is configured to coordinate one or more predetermined network or computing activities when the virtual machine processes the copy of the network traffic.
  - 54. The system of claim 21, wherein the unexpected behavior comprises one or more of an execution anomaly or a network anomaly associated with the virtual machine when the virtual machine processes the copy of the network traffic.
  - 55. The system of claim 21, wherein the scheduler is configured to retrieve the virtual machine from among the plurality of virtual machines by retrieving a first virtual machine and one of a plurality of different virtual machine configurations, and configuring the first virtual machine with the one of the plurality of different virtual machine configurations to simulate one or more performance characteristics of the destination device.
  - 56. The system of claim 21, wherein the scheduler configured to cause the virtual machine to be retrieved comprises the scheduler configured to retrieve a first virtual machine and one of a plurality of different virtual machine configurations, and to cause the first virtual machine to be configured with the one of the plurality of different virtual machine configurations to simulate one or more performance characteristics of the destination device to receive the network traffic.
  - 57. The system of claim 21, wherein the scheduler configured to cause the virtual machine to be retrieved comprises the scheduler configured to create a virtual machine configured with a selected software profile.
  - 58. The system of claim 57, wherein the scheduler configured to create the virtual machine comprises the scheduler configured to establish a software environment within the created virtual machine with the selected software profile, wherein the software environment includes one or more operating systems and application software components associated with the destination device.
  - 59. The system of claim 21, wherein the scheduler configured to cause the virtual machine to be retrieved comprises the scheduler configured to create a virtual machine with a selected software environment.
  - 60. The system of claim 21, wherein the scheduler configured to cause the virtual machine to be retrieved comprises the scheduler configured to configure the virtual machine with a selected software environment.

25. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor to perform a method for detecting malicious code comprising:
- copying network traffic traveling over a communication network;
  
  determining whether the copy of the network traffic contains malicious code by (i) retrieving a virtual machine, configured to receive the copy of the network traffic, from among a plurality of virtual machines, (ii) configuring a transmitter to simulate transmission of the copy of the network traffic to a destination device by transmitting the copy of the network traffic to the virtual machine, (iii) simulating transmission of the copy of the network traffic to the destination device by transmitting the copy of the network traffic to the virtual machine, (iv) receiving the copy of the network traffic by the virtual machine, and (v) observing an anomalous behavior of the virtual machine processing the copy of the network traffic, the anomalous behavior corresponding to an unexpected behavior of the virtual machine while the copy of the network traffic is being processed;
  
  generating a signature that is associated with the observed anomalous behavior for detection of the presence of the malicious code, the signature being generated by a network defense system implemented within at least one computing device; and
  
  sharing the signature with another network defense system for use in detecting malicious code in network traffic traveling over the communication network or a different communications network.
- View Dependent Claims (61, 62, 63, 64, 65, 66, 67, 68)
- - 61. The computer-readable medium of claim 25, wherein the unexpected behavior comprises one or more of an execution anomaly or a network anomaly associated with the virtual machine when the virtual machine processes the copy of the network traffic.
  - 62. The computer-readable medium of claim 25, wherein retrieving the virtual machine from among the plurality of virtual machines comprises retrieving a first virtual machine and one of a plurality of different virtual machine configurations, and configuring the first virtual machine with the one of the plurality of different virtual machine configurations to simulate one or more performance characteristics of the destination device.
  - 63. The computer-readable medium of claim 25, wherein retrieving the virtual machine from among the plurality of virtual machines comprises retrieving a first virtual machine and one of a plurality of different virtual machine configurations, and configuring the first virtual machine with the one of the plurality of different virtual machine configurations to simulate one or more performance characteristics of the destination device to receive the network traffic.
  - 64. The computer-readable medium of claim 25, wherein retrieving the virtual machine from among a plurality of virtual machines comprises creating a virtual machine configured with a selected software profile.
  - 65. The computer-readable medium of claim 64, wherein creating the virtual machine comprises establishing a software environment within the created virtual machine with the selected software profile, wherein the software environment includes one or more operating systems and application software components associated with the destination device.
  - 66. The computer-readable medium of claim 25, wherein retrieving the virtual machine comprises creating the virtual machine with a selected software environment.
  - 67. The computer-readable medium of claim 25, wherein retrieving the virtual machine comprises configuring the virtual machine with a selected software environment.
  - 68. The computer-readable medium of claim 25, wherein (i)-(v) performed for determining whether the copy of the network traffic contains malicious code are order independent.

30. A system for detection of malicious code, comprising:
- a traffic analysis device configured to copy network traffic traveling over a communication network;
  
  a network defense system implemented in at least one computing device and comprising a controller configured to (i) determine whether the copy of the network traffic contains malicious code by observing an anomalous behavior of a virtual machine processing the copy of the network traffic, the anomalous behavior corresponding to an unexpected behavior of the virtual machine while the copy of the network traffic is being processed and (ii) automatically generate a signature that is associated with the observed anomalous behavior for detection of the presence of the malicious code, and share the signature for use in detecting malicious code in network traffic traveling over a different communication network;
  
  a scheduler configured to cause the virtual machine to be retrieved from among a plurality of virtual machines, wherein the virtual machine is configured to receive the copy of the network traffic; and
  
  a transmitter configured to simulate transmission of the copy of the network traffic to a destination device by transmission of the copy of the network traffic to the virtual machine.
- View Dependent Claims (31, 32, 33, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80)
- - 31. The system of claim 30, wherein the traffic analysis device is further configured to identify at least a portion of the network traffic as potentially containing malicious content, and transmit the identified portion of the network traffic to the virtual machine for observation of behavior of the virtual machine processing the portion of the network traffic, wherein the copy of the network traffic comprises the identified portion of the network traffic.
  - 32. The system of claim 30, wherein the controller is further configured to generate the signature based at least in part on a URL.
  - 33. The system of claim 30, wherein the traffic analysis device is further configured to filter the network traffic based at least in part on a heuristic that identifies suspicious network traffic.
  - 69. The system of claim 30, wherein the controller is configured to coordinate one or more predetermined network or computing activities when the virtual machine processes the copy of the network traffic.
  - 70. The system of claim 30, wherein the unexpected behavior comprises one or more of an execution anomaly or a network anomaly associated with the virtual machine when the virtual machine processes the copy of the network traffic.
  - 71. The system of claim 30, wherein the traffic analysis device comprises a policy engine configured to identify network traffic as potentially containing the malicious code based on a comparison of the network traffic to one or more polices.
  - 72. The system of claim 71, wherein the copy of the network traffic is provided to the network defense system when the policy engine identifies the copy of the network traffic as potentially containing malicious code.
  - 73. The system of claim 30 further comprising:
    - a configuration unit configured to dynamically create the virtual machine that the scheduler causes to be retrieved.
  - 74. The system of claim 73, wherein the configuration unit is further configured to configure the virtual machine with a selected software profile having at least one computer program and to process the copy of the network traffic using the computer program.
  - 75. The system of claim 74, wherein the configuration unit is further configured to initialize a software state of the at least one computer program.
  - 76. The system of claim 30, wherein the scheduler configured to cause the virtual machine to be retrieved comprises the scheduler configured to retrieve a first virtual machine and one of a plurality of different virtual machine configurations, and to cause the first virtual machine to be configured with the one of the plurality of different virtual machine configurations to simulate one or more performance characteristics of the destination device to receive the network traffic.
  - 77. The system of claim 30, wherein the scheduler configured to cause the virtual machine to be retrieved comprises the scheduler configured to cause a virtual machine to be configured with a selected software profile.
  - 78. The system of claim 77, wherein the scheduler configured to create the virtual machine comprises the scheduler configured to establish a software environment within the created virtual machine with the selected software profile, wherein the software environment includes one or more operating systems and application software components associated with the destination device.
  - 79. The system of claim 30, wherein the scheduler configured to cause the virtual machine to be retrieved comprises the scheduler configured to create a virtual machine with a selected software environment.
  - 80. The system of claim 30, wherein the scheduler configured to cause the virtual machine to be retrieved comprises the scheduler configured to configure the virtual machine with a selected software environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US13/629,387
Publication Number

US 20130036472A1
Time in Patent Office

551 Days
Field of Search

726 22- 24, 713/151, 713/153, 713/187
US Class Current

726/24
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595   Network integration; Enabli...

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 9/45537   Provision of facilities of ...

G06F 9/45558   Hypervisor-specific managem...

G06Q 20/10   specially adapted for elect...

H04L 63/0227   Filtering policies mail mes...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491 : using deception as counterm...

H04L 63/20 : for managing network securi...

View All

Malware defense system and method

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

266 Citations

80 Claims

Specification

Solutions

Use Cases

Quick Links

Malware defense system and method

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

266 Citations

80 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links