System and method of detecting malicious traffic while reducing false positives
Abstract
A system comprises a traffic analysis device and a network device. The traffic analysis device is configured to analyze network traffic received over a communication network and duplicate at least select network communications within the network traffic having characteristics associated with malicious traffic when determined through heuristic analysis to satisfy a heuristic threshold. The network device comprises a controller in communication with one or more virtual machines that are configured to (i) receive the duplicated network communications from the traffic analysis device, (ii) monitor a behavior of a first virtual machine of the one or more virtual machines in response to processing of the duplicated network communications within the first virtual machine, (iii) identify an anomalous behavior as an unexpected occurrence in the monitored behavior, and (iv) determine, based on the identified anomalous behavior, the presence of the malicious traffic in the duplicated network communications.
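The architecture in the abstract and the independent claims is a two-stage pipeline: a traffic analysis device scores communications with cheap heuristics against a threshold deliberately set low enough to produce a high first rate of false positives, duplicates everything at or above that threshold to a network device whose controller runs the copies inside virtual machines, and the network device reports malicious traffic only where the monitored VM behaviour contains an unexpected occurrence relative to a baseline, which yields a lower second rate of false positives. The Python model below is an added illustration of that pipeline and is not code from the patent or its assignee. The header-level heuristic indicators, the "op arg" toy payload language that stands in for real detonation, the baseline of expected VM behaviour, the sample traffic and all hostnames and paths are constructed for this example; the ground-truth labels exist only so the two false-positive rates can be measured.

```python
import re
from dataclasses import dataclass, replace
from urllib.parse import urlparse


@dataclass(frozen=True)
class Communication:
    url: str
    content_type: str
    body: str               # constructed toy payload: one "op arg" line per action taken when opened
    truth_malicious: bool   # ground truth, used only to score the detectors, never by them


# ---- stage 1: traffic analysis device, header-level heuristics (constructed) ----
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}
EXECUTABLE_EXT = (".exe", ".scr", ".dll", ".bin")
DOCUMENT_EXT = (".pdf", ".jpg", ".html", ".txt")


def heuristic_score(c: Communication) -> int:
    u = urlparse(c.url)
    host, path = (u.hostname or ""), u.path.lower()
    score = 0
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        score += 1          # IP-literal host
    if c.content_type in EXECUTABLE_TYPES:
        score += 2          # executable payload
    if path.endswith(EXECUTABLE_EXT):
        score += 1
    if path.endswith(DOCUMENT_EXT) and c.content_type in EXECUTABLE_TYPES:
        score += 2          # extension / content-type mismatch
    return score


def duplicate_suspicious(traffic, threshold):
    """Copy (never divert) every communication at or above the heuristic threshold."""
    return [replace(c) for c in traffic if heuristic_score(c) >= threshold]


# ---- stage 2: network device = controller plus VMs whose behaviour is monitored ----
BASELINE_WRITE_DIRS = ("C:\\Program Files\\", "C:\\Users\\u\\AppData\\Local\\Temp\\",
                       "C:\\Users\\u\\Downloads\\")


class SandboxVM:
    """Toy VM: 'runs' the payload and records every observable behaviour as (op, arg)."""
    def detonate(self, c: Communication):
        return [tuple(line.partition(" ")[::2]) for line in c.body.splitlines()]


def expected(c: Communication, op: str, arg: str) -> bool:
    """Baseline of behaviour a freshly downloaded file is expected to show (constructed)."""
    u = urlparse(c.url)
    origin, name = u.hostname, u.path.rsplit("/", 1)[-1]
    if op == "write":
        return arg.startswith(BASELINE_WRITE_DIRS)   # Roaming/Startup drops are not
    if op == "reg":
        return "\\Uninstall\\" in arg                # Run keys are not
    if op == "connect":
        return arg.rsplit(":", 1)[0] == origin       # callbacks elsewhere are not
    if op == "spawn":
        return arg.lower() == name.lower()           # cmd/powershell children are not
    return False


def anomalies(c: Communication, events):
    return [e for e in events if not expected(c, *e)]


def controller_analyze(duplicates, vms):
    """Round-robin the duplicates over the VMs; verdict = any unexpected behaviour seen."""
    verdicts = {}
    for i, c in enumerate(duplicates):
        verdicts[c.url] = bool(anomalies(c, vms[i % len(vms)].detonate(c)))
    return verdicts


# ---- evaluation over constructed sample traffic ----
def rates(flagged_urls, population):
    """(false-positive rate, detection rate) of a verdict set over the whole population."""
    benign = [c for c in population if not c.truth_malicious]
    malicious = [c for c in population if c.truth_malicious]
    fp = sum(c.url in flagged_urls for c in benign) / len(benign)
    tp = sum(c.url in flagged_urls for c in malicious) / len(malicious)
    return fp, tp


def run_pipeline(traffic, threshold, n_vms=2):
    dups = duplicate_suspicious(traffic, threshold)
    stage1 = {c.url for c in dups}
    verdicts = controller_analyze(dups, [SandboxVM() for _ in range(n_vms)])
    stage2 = {url for url, malicious in verdicts.items() if malicious}
    return rates(stage1, traffic), rates(stage2, traffic)


TRAFFIC = [  # constructed sample; hosts are documentation or private ranges
    Communication("https://updates.example.com/app/setup.exe", "application/x-msdownload",
                  "write C:\\Program Files\\App\\app.exe\n"
                  "reg HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\App", False),
    Communication("http://10.0.0.5/reports/q3.pdf", "application/pdf",
                  "write C:\\Users\\u\\AppData\\Local\\Temp\\q3.pdf.cache", False),
    Communication("https://www.example.com/index.html", "text/html", "", False),
    Communication("http://172.16.3.9/firmware/router.bin", "application/octet-stream",
                  "write C:\\Users\\u\\Downloads\\router.bin", False),
    Communication("http://203.0.113.7/img/photo.jpg", "application/octet-stream",
                  "write C:\\Users\\u\\AppData\\Roaming\\svc.exe\n"
                  "reg HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc\n"
                  "connect 198.51.100.9:4444", True),
    Communication("http://192.0.2.44/update.scr", "application/octet-stream",
                  "spawn powershell.exe\nconnect 192.0.2.44:443", True),
    Communication("http://198.51.100.23/docs/invoice.pdf", "application/pdf",
                  "spawn cmd.exe\nwrite C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\"
                  "Start Menu\\Programs\\Startup\\inv.exe", True),
]

if __name__ == "__main__":
    for level in (1, 3):
        (fp1, tp1), (fp2, tp2) = run_pipeline(TRAFFIC, level)
        print(f"threshold {level}: stage 1 FP={fp1:.2f} detect={tp1:.2f} | "
              f"stage 2 FP={fp2:.2f} detect={tp2:.2f}")
```

Both rates are measured against the whole population so that they are comparable: a communication the first stage never duplicates can never be flagged by the second, so the pipeline's detection rate is bounded by the first stage's at the chosen level. That is the reason the claims set the threshold to a level that tolerates a high first rate of false positives; running the model at level 1 versus level 3 shows the first stage's detection rate drop as its threshold rises, while the second stage's false-positive rate stays below the first stage's at either level.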
62 Claims
1. A system comprising:
a traffic analysis device configured to analyze network traffic received over a communication network and duplicate at least select network communications within the network traffic having characteristics associated with malicious traffic when the network communications are determined through heuristic analysis to satisfy a heuristic threshold, the heuristic threshold being set to a first level that results in a first rate of false positives that is associated with erroneous detections by the traffic analysis device of network communications having characteristics associated with malicious traffic; and
a network device in communication with the traffic analysis device, the network device comprises a controller in communication with one or more virtual machines and is configured to (i) receive the duplicated network communications previously determined as having characteristics associated with malicious traffic by the traffic analysis device, and (ii) perform subsequent analysis on the duplicated network communications, including (a) monitoring a behavior of a first virtual machine of the one or more virtual machines in response to processing of the duplicated network communications within the first virtual machine, (b) identifying an anomalous behavior as an unexpected occurrence in the monitored behavior, and (c) determining, based on the identified anomalous behavior, a presence of the malicious traffic in the duplicated network communications,
wherein the subsequent analysis results in a second rate of false positives in determining the presence of the malicious traffic in the duplicated network communications that is less than the first rate of false positives.
(Dependent claims 2 to 26; not reproduced on this page.)
27. A computer-implemented method comprising:
analyzing, by a traffic analysis device, network traffic received over a communication network;
duplicating, by the traffic analysis device, at least select network communications within the network traffic having characteristics associated with malicious traffic as determined using heuristic analysis;
if the duplicated network communications satisfy a heuristic threshold, submitting, by the traffic analysis device, the duplicated network communications for subsequent traffic analysis, the heuristic threshold being set to a first level that results in a first rate of false positives that is associated with erroneous detections by the traffic analysis device of network communications having characteristics associated with malicious traffic; and
performing the subsequent traffic analysis in a network device by monitoring behaviors of at least one of a plurality of virtual machines in response to processing of the duplicated network communications within the at least one of the plurality of virtual machines, identifying one or more anomalous behaviors, and determining, based on the identified anomalous behavior, presence of the malicious traffic in the duplicated network communications,
wherein the subsequent analysis results in a second rate of false positives in determining the presence of the malicious traffic in the duplicated network communications that is less than the first rate of false positives.
(Dependent claims 28 to 47; not reproduced on this page.)
48. A non-transitory memory storage device containing computer program code that, when executed in a computer system, performs operations comprising:
analyzing network traffic received over a communication network;
determining whether at least select network communications within the network traffic have characteristics associated with malicious traffic;
submitting the network communications for subsequent traffic analysis upon determining that a prescribed threshold has been met, the prescribed threshold representing that the network communications have characteristics associated with malicious traffic and being set to a level that results in a first rate of false positives representing erroneous detections by the traffic analysis device of network communications having characteristics associated with malicious traffic; and
performing the subsequent traffic analysis by (i) monitoring behaviors of at least one of a plurality of virtual machines in response to processing of the network communications within the at least one of the plurality of virtual machines, (ii) identifying one or more anomalous behaviors, and (iii) determining, based on the identified anomalous behavior, a presence of the malicious traffic in the network communications,
wherein the subsequent analysis results in a second rate of false positives in determining a presence of the malicious traffic in the network communications that is less than the first rate of false positives.
(Dependent claims 49 to 61; not reproduced on this page.)
62. A system comprising:
a traffic analysis device configured to analyze network traffic received over a communication network in accordance with a first threshold, the first threshold representing a level of analysis as to whether network communications within the network traffic have characteristics associated with malicious traffic and being set to a level that results in a first rate of false positives representing erroneous detections by the traffic analysis device of the network communications having characteristics associated with malicious traffic; and
a network device in communication with the traffic analysis device and including a controller in communication with one or more virtual machines, the network device is configured to (i) receive the network communications previously determined as having characteristics associated with malicious traffic by the traffic analysis device, and (ii) perform subsequent analysis on the network communications, including (a) monitoring a behavior of a first virtual machine of the one or more virtual machines in response to processing of the network communications within the first virtual machine, (b) identifying an anomalous behavior as an unexpected occurrence in the monitored behavior, and (c) determining, based on the identified anomalous behavior, the presence of the malicious traffic in the network communications,
wherein the subsequent analysis results in a second rate of false positives in determining the presence of the malicious traffic in the network communications that is less than the first rate of false positives.
Specification