Systems and methods for malware attack prevention

US 8,898,788 B1
Filed: 03/12/2007
Issued: 11/25/2014
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A malware attack prevention method comprising:

copying a first network data from a communication network;

configuring a replayer to dynamically modify one or more session variables and simulate behavior of a device responsible for transmission of the first network data on the communication network, the replayer to transmit modified first network data including at least a portion of the copied first network data and the one or more session variables to a virtual machine;

before determining whether the at least the portion of the copied first network data is indicative of a malware attack, transmitting the modified first network data to the virtual machine, the virtual machine being configured to receive the modified first network data and provide a response thereto;

analyzing the response by the virtual machine to the modified first network data to determine whether at least the portion of the copied first network data is indicative of a malware attack; and

intercepting a second network data based on determining that at least the portion of the copied first network data is indicative of a malware attack.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for malware attack prevention are provided. Network data is copied from a communication network. It is then determined if a possible malware attack is within the copied network data. The network data is intercepted based on the determination. The network data is then analyzed to identify a malware attack.

608 Citations

90 Claims

1. A malware attack prevention method comprising:
- copying a first network data from a communication network;
  
  configuring a replayer to dynamically modify one or more session variables and simulate behavior of a device responsible for transmission of the first network data on the communication network, the replayer to transmit modified first network data including at least a portion of the copied first network data and the one or more session variables to a virtual machine;
  
  before determining whether the at least the portion of the copied first network data is indicative of a malware attack, transmitting the modified first network data to the virtual machine, the virtual machine being configured to receive the modified first network data and provide a response thereto;
  
  analyzing the response by the virtual machine to the modified first network data to determine whether at least the portion of the copied first network data is indicative of a malware attack; and
  
  intercepting a second network data based on determining that at least the portion of the copied first network data is indicative of a malware attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 26, 27, 28, 29, 30, 31, 32, 33)
- - 2. The method of claim 1, wherein the intercepting of the second network data comprises:
    - identifying a source internet protocol address of the portion of the copied first network data; and
      
      intercepting the second network data from the communication network transmitted from the source internet protocol address, the second network data being received by the controller subsequent to the first network data.
  - 3. The method of claim 1, wherein the intercepting of the second network data comprises:
    - identifying a target internet protocol address of the portion of the copied first network data; and
      
      intercepting the second network data from the communication network transmitted to the target internet protocol address.
  - 4. The method of claim 1, further comprising generating an unauthorized activity signature based on determining that at least the portion of the copied first network data is indicative of a malware attack.
  - 5. The method of claim 4, further comprising:
    - storing the unauthorized activity signature; and
      
      sending the unauthorized activity signature to another digital device.
  - 6. The method of claim 1, wherein before transmitting the modified first network data to the virtual machine, analyzing the copied first network data by applying heuristics or probability analysis to determine if the copied first network data is suspicious and transmitting only the suspicious, copied first network data as the portion of the copied first network data to the virtual machine.
  - 7. The method of claim 1, wherein the virtual machine providing the response based on processing of the modified first network data within the virtual machines.
  - 8. The method of claim 1, wherein the modified first network data is transmitted between the replayer and the virtual machine over a virtual switch, the virtual switch simulates a communication network.
  - 26. The malware attack prevention method of claim 1, wherein the transmitting of the modified first network data to the virtual machine and the analyzing of the response by the virtual machine to the modified first network data is conducted within a private computer network.
  - 27. The malware attack prevention method of claim 1, wherein the replayer is configured to dynamically modify the session variables to emulate a protocol sequence.
  - 28. The malware attack prevention method of claim 27, wherein the session variables include dynamically assigned ports.
  - 29. The malware attack prevention method of claim 27, wherein the session variables include transaction identifiers.
  - 30. The malware attack prevention method of claim 1, wherein the virtual machine is configured based on analysis of a packet format of the copied first network data.
  - 31. The malware attack prevention method of claim 1, wherein the virtual machine is configured based on analysis of a protocol utilized by the copied first network data.
  - 32. The malware attack prevention method of claim 31, wherein the virtual machine is configured by retrieving the virtual machine according to a packet format of the copied first network data or the protocol utilized by the copied first network data from a virtual machine pool.
  - 33. The malware attack prevention method of claim 1, wherein the replayer simulates a transmission of at least the portion of the copied first network data being a data flow including one or more related data packets.

9. A malware attack prevention system comprising:
- a controller including a digital device that is configured to receive a copy of a first network data from a communication network, the controller comprising;
  
  a scheduler to initiate configuration of a virtual machine, the virtual machine configured to, at least in part, correspond in functionality to a destination device targeted to receive the copied first network data; and
  
  an analysis environment configured to simulate transmission of the first network data to determine whether at least a portion of the copied first network data is indicative of a malware attack based on monitored behavior of the virtual machine, the analysis environment comprisesa replayer configured to dynamically modify one or more session variables and simulate behavior of a device responsible for transmission of the first network data on the communication network, the replayer to further transmit modified first network data including at least the portion of the copied first network data and the one or more modified session variables to a virtual machine,the virtual machine configured to receive the modified first network data before the system determines whether at least the portion of the copied first network data is indicative of a malware attack, the virtual machine being further configured to provide a response to the modified first network data, andan interception module configured to intercept second network data upon determining that at least the portion of the copied first network data is indicative of a malware attack.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 10. The system of claim 9, wherein the interception module is configured to identify a source internet protocol address of the portion of the copied first network data and intercept the second network data from the communication network transmitted from the source internet protocol address, the second network data being received by the controller subsequent to the first network data.
  - 11. The system of claim 9, wherein the interception module is configured to identify a target internet protocol address of the portion of the copied first network data and intercept the second network data from the communication network transmitted from the target internet protocol address.
  - 12. The system of claim 9, wherein the analysis environment comprises an analysis module configured to analyze the response of the virtual machine to determine, based on the behavior of the virtual machine, whether at least the portion of the copied first network data is indicative of a malware attack.
  - 13. The system of claim 9, further comprising a signature module configured to generate an unauthorized activity signature based on determining that at least the portion of the copied first network data is indicative of a malware attack.
  - 14. The system of claim 13, wherein the signature module is further configured to:
    - store the unauthorized activity signature; and
      
      send the unauthorized activity signature to another digital device different than the controller.
  - 15. The system of claim 9, wherein the controller further comprises a heuristic module configured to analyze the copied first network data with a heuristic.
  - 16. The system of claim 9, wherein the virtual machine to provide the response based on processing the modified first network data within the virtual machine.
  - 17. The system of claim 9, wherein the analysis environment transmits the copied modified network data between the replayer and the virtual machine over a virtual switch.
  - 34. The malware attack prevention system of claim 9 further comprising a tap configured to copy the first network data from the communication network, the tap and the controller are positioned within a private computer network.
  - 35. The malware attack prevention system of claim 9, wherein the replayer of the analysis environment is configured to dynamically modify the session variables to emulate a protocol sequence.
  - 36. The malware attack prevention system of claim 35, wherein the session variables include dynamically assigned ports.
  - 37. The malware attack prevention system of claim 35, wherein the session variables include transaction identifiers.
  - 38. The malware attack prevention system of claim 9, wherein the configuration of the virtual machine of the analysis environment is based on an analysis of a packet format of the copied first network data.
  - 39. The malware attack prevention system of claim 9, wherein the configuration of the virtual machine of the analysis environment is based on an analysis of a protocol utilized by the copied first network data.
  - 40. The malware attack prevention system of claim 38, wherein the configuration of the virtual machine of the analysis environment is performed by retrieving the virtual machine from a virtual machine pool according to the packet format of the copied first network data or a protocol utilized by the copied first network data.
  - 41. The malware attack prevention system of claim 9, wherein the analysis environment further comprises a virtual switch communicatively coupled to both the replayer and the virtual machine, the virtual switch simulates a communication network that enables communications between the replayer and one or more ports of the virtual machine.
  - 42. The malware attack prevention system of claim 9, wherein the replayer of the analysis environment simulates a transmission of at least the portion of the first network data being a data flow including one or more related data packets.

18. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor within a first digital device for performing operations for malware prevention comprising:
- receiving first network data from a communication network;
  
  dynamically modifying the first network data by a replayer, the replayer to simulate behavior of a device responsible for transmission of the first network data on the communication network;
  
  transmitting the modified first network data to a virtual machine, the virtual machine being configured to receive the modified first network data and provide a response thereto;
  
  analyzing the response by the virtual machine to the modified first network data to determine whether the modified first network data is indicative of a malware attack; and
  
  intercepting second network data based on determining that the modified first network data is indicative of a malware attack.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The non-transitory machine readable medium of claim 18, wherein intercepting the second network data based on the determination comprises:
    - identifying a source internet protocol address of the modified first network data; and
      
      intercepting the second network data from the communication network that is received subsequent from the modified first network data and transmitted from the source internet protocol address.
  - 20. The non-transitory machine readable medium of claim 18, wherein intercepting of the second network data comprises:
    - identifying a target internet protocol address of the modified first network data; and
      
      intercepting the second network data from the communication network transmitted to the target internet protocol address, the second network data including network data corresponding to the modified first network data and the second network data received subsequent to the first network data.
  - 21. The non-transitory machine readable medium of claim 18, wherein analyzing of the response comprises analyzing the response of the virtual machine to determine, based on the behavior of the virtual machine, whether the modified first network data is indicative of a malware attack.
  - 22. The non-transitory machine readable medium of claim 21, wherein the method further comprises generating an unauthorized activity signature based on determining that the modified first network data is indicative of a malware attack.
  - 23. The non-transitory machine readable medium of claim 22, wherein the method further comprises:
    - storing the unauthorized activity signature; and
      
      sending the unauthorized activity signature to a second digital device different than the first digital device.

24. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor for performing operations for malware prevention comprising:
- receiving network data from a communication network;
  
  dynamically modifying the network data by a replayer, the replayer to simulate behavior of a device responsible for transmission of the network data on the communication network;
  
  transmitting the modified network data to a virtual machine that is configured to, at least in part, correspond in functionality to a device targeted to receive the network data, the virtual machine being configured to receive the modified network data and provide a response thereto while processing the modified network data;
  
  analyzing the response by the virtual machine to the modified network data to determine whether the modified network data is indicative of a malware attack; and
  
  intercepting subsequent network data based on determining that the modified network data is indicative of a malware attack.
- View Dependent Claims (25, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56)
- - 25. The non-transitory machine readable medium of claim 24, wherein the replayer to operate with the virtual machine to produce the response by the virtual machine that includes results of an analysis of the modified network data by the virtual machine, the replayer being configured to dynamically modify session variables and simulate behavior of the device responsible for transmission of the network data on the communication network to produce the modified network data.
  - 43. The non-transitory machine readable medium of claim 24, wherein the processor performs an operation of intercepting the subsequent network data by identifying a source internet protocol address of the network data and intercepting the subsequent network data from the communication network transmitted from the source internet protocol address, the subsequent network data being received by the controller after the network data.
  - 44. The non-transitory machine readable medium of claim 24, wherein the processor performs an operation of intercepting the subsequent network data by identifying a target internet protocol address of the network data and intercepting the subsequent network data from the communication network transmitted to the target internet protocol address.
  - 45. The non-transitory machine readable medium of claim 24, wherein the processor performs an operation that comprises generating an unauthorized activity signature based on the identification.
  - 46. The non-transitory machine readable medium of claim 45, wherein the processor further performs operations comprising:
    - storing the unauthorized activity signature; and
      
      sending the unauthorized activity signature to another digital device.
  - 47. The non-transitory machine readable medium of claim 24, wherein before transmitting the modified network data to the virtual machine, the network data is analyzed by applying heuristics or probability analysis to determine if the network data is suspicious and transmitting only the suspicious network data to the virtual machine.
  - 48. The non-transitory machine readable medium of claim 24, wherein the replayer and the virtual machine conduct processing within a controller situated within a private computer network, the controller being a digital device configured to receive and analyze the network data to detect the malware attack.
  - 49. The non-transitory machine readable medium of claim 24, wherein the replayer comprises a module executed by the processor that is configured to dynamically modify the session variables to emulate a protocol sequence.
  - 50. The non-transitory machine readable medium of claim 49, wherein the session variables include dynamically assigned ports.
  - 51. The non-transitory machine readable medium of claim 49, wherein the session variables include transaction identifiers.
  - 52. The non-transitory machine readable medium of claim 24, wherein the virtual machine is configured based on analysis of a packet format of the network data.
  - 53. The non-transitory machine readable medium of claim 24, wherein the virtual machine is configured based on analysis of a protocol utilized by the network data.
  - 54. The non-transitory machine readable medium of claim 53, wherein the virtual machine is configured by retrieving the virtual machine according to a packet format of the network data or the protocol utilized by the network data from a virtual machine pool.
  - 55. The non-transitory machine readable medium of claim 24, wherein replayer is configured to communicate with the virtual machine through a virtual switch, the virtual switch simulates a communication network.
  - 56. The non-transitory machine readable medium of claim 24, wherein the replayer simulates a transmission of the network data being a data flow including one or more related data packets.

57. A computerized method comprising:
- receiving a first network data from a communication network;
  
  configuring a replayer to dynamically modify session variables and simulate behavior of a device responsible for transmission of the first network data on the communication network, the replayer to transmit modified first network data including at least a portion of the first network data and one or more modified session variables to a virtual machine;
  
  before determining whether the first network data is indicative of a malware attack, transmitting the modified first network data to the virtual machine, the virtual machine being configured to receive the modified first network data and provide a response based on a processing of the modified first network data within the virtual machine; and
  
  analyzing the response by the virtual machine to the modified first network data to determine whether at least the portion of the first network data is indicative of a malware attack.
- View Dependent Claims (58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72)
- - 58. The method of claim 57 further comprising intercepting a second network data based on determining that the first network data is indicative of a malware attack.
  - 59. The method of claim 58, wherein the intercepting of the second network data comprises:
    - identifying a source internet protocol address of the first network data; and
      
      intercepting the second network data from the communication network transmitted from the source internet protocol address, the second network data being received by the controller subsequent to the first network data.
  - 60. The method of claim 58, wherein the intercepting of the second network data comprises:
    - identifying a target internet protocol address of the first network data; and
      
      intercepting the second network data from the communication network transmitted to the target internet protocol address.
  - 61. The method of claim 58, further comprising generating an unauthorized activity signature based on determining that at least the portion of the first network data is indicative of a malware attack.
  - 62. The method of claim 61, further comprising:
    - storing the unauthorized activity signature; and
      
      sending the unauthorized activity signature to another digital device.
  - 63. The method of claim 58, wherein before transmitting the first network data to the virtual machine, analyzing the first network data by applying heuristics or probability analysis to determine if the first network data is suspicious and transmitting the portion of the first network data being the suspicious, first network data to the virtual machine.
  - 64. The method of claim 58, wherein the modified first network data is transmitted between the replayer and the virtual machine over a virtual switch, the virtual switch simulates a communication network.
  - 65. The method of claim 57, wherein the transmitting of the modified first network data to the virtual machine and the analyzing of the response by the virtual machine to the modified first network data is conducted within a private computer network.
  - 66. The method of claim 57, wherein the replayer is configured to dynamically modify the session variables to emulate a protocol sequence.
  - 67. The method of claim 66, wherein the session variables include dynamically assigned ports.
  - 68. The method of claim 66, wherein the session variables include transaction identifiers.
  - 69. The method of claim 57, wherein the virtual machine is configured based on analysis of a packet format of the first network data.
  - 70. The method of claim 57, wherein the virtual machine is configured based on analysis of a protocol utilized by the first network data.
  - 71. The method of claim 69, wherein the virtual machine is configured by retrieving the virtual machine according to the packet format of the first network data or a protocol utilized by the first network data from a virtual machine pool.
  - 72. The method of claim 57, wherein the replayer simulates a transmission of the modified first network data that comprises a data flow including one or more related data packets.

73. A system comprising:
- a controller including a digital device that is configured to receive first network data from a communication network, the controller comprising;
  
  a scheduler to initiate configuration of a virtual machine, the virtual machine being configured, at least in part, to correspond in functionality to a destination device targeted to receive the first network data; and
  
  an analysis environment configured to simulate transmission of the first network data to determine whether the first network data is indicative of a malware attack based on monitored behavior of the virtual machine, the analysis environment comprisesa replayer configured to dynamically modify one or more session variables and simulate behavior of a device responsible for transmission of the first network data on the communication network, the replayer to further transmit modified first network data including at least a portion of the first network data and the one or more modified session variables to a virtual machine, andthe virtual machine configured to receive the modified first network data before the system determines whether at least the portion of the first network data is indicative of a malware attack, the virtual machine being further configured to provide a response to the modified first network data while being processed in the virtual machine.
- View Dependent Claims (74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90)
- - 74. The system of claim 73, wherein the analysis environment further comprises an interception module configured to intercept second network data upon determining that at least the portion of the first network data is indicative of a malware attack.
  - 75. The system of claim 74, wherein the interception module is configured to identify a source internet protocol address of the portion of the first network data and intercept the second network data from the communication network transmitted from the source internet protocol address, the second network data being received by the controller subsequent to the first network data.
  - 76. The system of claim 74, wherein the interception module is configured to identify a target internet protocol address of the portion of the first network data and intercept the second network data from the communication network transmitted from the target internet protocol address.
  - 77. The system of claim 73, wherein the analysis environment comprises an analysis module configured to analyze the response of the virtual machine to determine, based on the behavior of the virtual machine, whether the portion of the first network data is indicative of a malware attack.
  - 78. The system of claim 73, further comprising a signature module configured to generate an unauthorized activity signature based on the identification.
  - 79. The system of claim 78, wherein the signature module is further configured to:
    - store the unauthorized activity signature; and
      
      send the unauthorized activity signature to another digital device different than the controller.
  - 80. The system of claim 73, wherein the controller further comprises a heuristic module configured to analyze the first network data with a heuristic.
  - 81. The system of claim 73, wherein the analysis environment transmits the modified first network data between the replayer and the virtual machine over a virtual switch.
  - 82. The system of claim 73 further comprising a tap configured to copy the first network data from the communication network, wherein the tap and the controller are positioned within a private computer network.
  - 83. The system of claim 73, wherein the replayer of the analysis environment is configured to dynamically modify the session variables to emulate a protocol sequence.
  - 84. The system of claim 83, wherein the session variables include dynamically assigned ports.
  - 85. The system of claim 73, wherein the session variables include transaction identifiers.
  - 86. The system of claim 73, wherein the configuration of the virtual machine of the analysis environment is based on an analysis of a packet format of the first network data.
  - 87. The system of claim 73, wherein the configuration of the virtual machine of the analysis environment is based on an analysis of a protocol utilized by the first network data.
  - 88. The system of claim 87, wherein the configuration of the virtual machine of the analysis environment is performed by retrieving the virtual machine from a virtual machine pool according to a packet format of the first network data or the protocol utilized by the first network data.
  - 89. The system of claim 73, wherein the analysis environment further comprises a virtual switch communicatively coupled to both the replayer and the virtual machine, the virtual switch simulates a communication network that enables communications between the replayer and one or more ports of the virtual machine.
  - 90. The system of claim 73, wherein the replayer of the analysis environment simulates a transmission of the modified first network data being a data flow including one or more related data packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar, Lai, Wei-Lung, Manni, Jayaraman
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Woldemariam, Nega

Application Number

US11/717,474
Time in Patent Office

2,815 Days
Field of Search

380/270, 380/255, 380/247, 713/150, 713/100, 713/182, 713/188, 713/189, 726/26, 726/27, 726/28, 726/29, 726/30
US Class Current

726/24
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 9/455   Emulation; Interpretation; ...

H04L 63/00   Network architectures or ne...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Systems and methods for malware attack prevention

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

608 Citations

90 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for malware attack prevention

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

608 Citations

90 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links