
System and method of detecting malicious traffic while reducing false positives

  • US 8,776,229 B1
  • Filed: 08/28/2013
  • Issued: 07/08/2014
  • Est. Priority Date: 04/01/2004
  • Status: Active Grant
First Claim

1. A system comprising:

  • a traffic analysis device configured to analyze network traffic received over a communication network and duplicate at least select network communications within the network traffic having characteristics associated with malicious traffic when the network communications are determined through heuristic analysis to satisfy a heuristic threshold, the heuristic threshold being set to a first level that results in a first rate of false positives that is associated with erroneous detections by the traffic analysis device of network communications having characteristics associated with malicious traffic; and

  • a network device in communication with the traffic analysis device, the network device comprises a controller in communication with one or more virtual machines and is configured to (i) receive the duplicated network communications previously determined as having characteristics associated with malicious traffic by the traffic analysis device, and (ii) perform subsequent analysis on the duplicated network communications, including (a) monitoring a behavior of a first virtual machine of the one or more virtual machines in response to processing of the duplicated network communications within the first virtual machine, (b) identifying an anomalous behavior as an unexpected occurrence in the monitored behavior, and (c) determining, based on the identified anomalous behavior, a presence of the malicious traffic in the duplicated network communications, wherein the subsequent analysis results in a second rate of false positives in determining the presence of the malicious traffic in the duplicated network communications that is less than the first rate of false positives.
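
The claim describes a two-stage pipeline: a cheap heuristic front end whose threshold is set permissively (a "first level" with a high false-positive rate), which duplicates every flow that crosses the threshold to a second device that replays the copy in a virtual machine, compares the observed behavior against what is expected, and reports only on unexpected behavior, giving a lower second false-positive rate. The following Python model is an added example, not code from the patent or its assignee: the flows, heuristic weights, the threshold value, the event grammar the "sandbox" replays, and the baseline of expected behavior are all constructed here for illustration, and the second stage is a simulation of VM monitoring, not a real sandbox.

```python
"""
Two-stage detector modelled on the claim: a permissive heuristic stage
duplicates suspicious flows to a simulated-VM stage that watches behavior.
Every flow, weight, threshold and behavior rule below is constructed for
this example (assumption: not the patent's or any vendor's implementation).
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Flow:
    flow_id: str
    dst_port: int
    payload: bytes
    is_malicious: bool  # ground truth, used only to score the two stages


COMMON_PORTS = {53, 80, 443}
# The "first level": low enough to catch most malware, so it also catches
# benign traffic. Raising it would lower stage-1 false positives but let
# more malicious flows bypass stage 2 entirely (see m-beacon below).
HEURISTIC_THRESHOLD = 2

# Stage 1: cheap per-flow heuristics, each adding a weight to the score.
HEURISTICS = (
    ("uncommon_port", 1, lambda f: f.dst_port not in COMMON_PORTS),
    ("long_payload", 1, lambda f: len(f.payload) > 200),
    ("exec_marker", 2, lambda f: f.payload.startswith((b"MZ", b"\x7fELF"))),
    ("shell_string", 2, lambda f: b"cmd.exe" in f.payload or b"/bin/sh" in f.payload),
)


def heuristic_score(flow):
    return sum(w for _, w, test in HEURISTICS if test(flow))


def stage1_duplicate(flows):
    """Flows whose score meets the threshold; these copies go to stage 2."""
    return [f for f in flows if heuristic_score(f) >= HEURISTIC_THRESHOLD]


# Stage 2: a simulated VM. The payload is replayed as a tiny event script
# (one "VERB target" per line); anything else is treated as inert data.
EVENT_RE = re.compile(rb"^(OPEN|READ|WRITE|CONNECT|SPAWN) (.+)$")


def simulate_vm(flow):
    """Return the (verb, target) events observed while 'processing' the copy."""
    events = []
    for line in flow.payload.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append((m.group(1).decode(), m.group(2).decode(errors="replace")))
    return events


# Baseline of expected behavior; anything outside it is an "unexpected occurrence".
KNOWN_HOSTS = {"10.0.0.2", "updates.example.com"}
AUTOSTART = re.compile(r"CurrentVersion\\Run\\", re.IGNORECASE)


def is_expected(verb, target):
    if verb in ("OPEN", "READ"):
        return True
    if verb == "WRITE":
        return not AUTOSTART.search(target)  # persistence writes are unexpected
    if verb == "CONNECT":
        return target.split(":")[0] in KNOWN_HOSTS
    return False  # SPAWN is never part of the baseline


def anomalous_events(flow):
    return [(v, t) for v, t in simulate_vm(flow) if not is_expected(v, t)]


def stage2_verdict(flow):
    return len(anomalous_events(flow)) > 0


def false_positive_rate(flows, flagged_ids):
    benign = [f for f in flows if not f.is_malicious]
    return sum(1 for f in benign if f.flow_id in flagged_ids) / len(benign)


def run_pipeline(flows):
    dup = stage1_duplicate(flows)
    stage1_flagged = {f.flow_id for f in dup}
    stage2_flagged = {f.flow_id for f in dup if stage2_verdict(f)}
    return {
        "stage1_fp_rate": false_positive_rate(flows, stage1_flagged),
        "stage2_fp_rate": false_positive_rate(flows, stage2_flagged),
        "stage1_flagged": sorted(stage1_flagged),
        "stage2_flagged": sorted(stage2_flagged),
    }


RUN_KEY = b"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
# Constructed traffic sample (not captured data).
SAMPLE_FLOWS = [
    Flow("b-web", 443, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n", False),
    Flow("b-backup", 8080, b"OPEN backup.tar\nREAD backup.tar\n" + b"\x00" * 300, False),
    Flow("b-howto", 22, b"OPEN howto.txt\nREAD howto.txt\n# step 3: run cmd.exe as admin\n", False),
    Flow("b-installer", 443, b"MZ\x90\x00\nOPEN setup.log\nWRITE " + RUN_KEY + b"updater\n", False),
    Flow("m-dropper", 443, b"MZ\x90\x00\nWRITE " + RUN_KEY + b"upd\nSPAWN cmd.exe /c upd.exe\n", True),
    Flow("m-shell", 8443, b"\x7fELF\nSPAWN /bin/sh\nCONNECT 198.51.100.7:4444\n", True),
    Flow("m-beacon", 4444, b"CONNECT 198.51.100.7:4444\nREAD /etc/passwd\n", True),
]

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_FLOWS))
```

On the sample, stage 1 flags three of the four benign flows (a large transfer on an uncommon port, a text file that mentions cmd.exe, and a legitimate installer), a 0.75 false-positive rate; stage 2 clears the first two because their replayed behavior stays inside the baseline and keeps only the installer, because it writes an autostart key, a 0.25 rate. The model also shows the cost of the permissive threshold: the short beacon on port 4444 scores only 1 and is never duplicated, so nothing at stage 2 can catch it. In the claimed design the second stage works on copies, so the inline path is not delayed by the VM analysis; this script models only the decision logic, not the traffic duplication or the virtual machines.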

  • 4 Assignments