System and method for analyzing suspicious network data

US 8,984,638 B1
Filed: 11/12/2013
Issued: 03/17/2015
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a tap configured to copy network data from a communication network, wherein the network data being associated with an original destination; and

a controller coupled to the tap, the controller being configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if at least a portion of the copy of the network data is associated with malware, flag at least the portion of the copy of the network data as suspicious based on the heuristic determination, and simulate transmission of the flagged, suspicious copy of the network data to at least one virtual destination device of a first plurality of virtual destination devices, wherein the at least one virtual destination device of the first plurality of virtual destination devices is configured based on the original destination.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is provided with a controller and a device configured to receive and output network data from a communication network to the controller. Accordingly, the controller is configured to (i) receive the network data from the device, (ii) conduct heuristic analysis on the network data, (iii) identify at least a portion of the network data as suspicious upon determining by the heuristic analysis of a likelihood that at least the portion of the network data including malware, (iv) simulate transmission of the suspicious network data to at least one virtual machine of a plurality of virtual machines that is selected or configured using at least one software profile, and (v) analyze effects of the suspicious network data on the at least one virtual machine.

473 Citations

54 Claims

1. A system comprising:
- a tap configured to copy network data from a communication network, wherein the network data being associated with an original destination; and
  
  a controller coupled to the tap, the controller being configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if at least a portion of the copy of the network data is associated with malware, flag at least the portion of the copy of the network data as suspicious based on the heuristic determination, and simulate transmission of the flagged, suspicious copy of the network data to at least one virtual destination device of a first plurality of virtual destination devices, wherein the at least one virtual destination device of the first plurality of virtual destination devices is configured based on the original destination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the controller concurrently simulates transmission of first and second portions of the flagged, suspicious copy of the network data to respective first and second virtual destination devices included in the first plurality of virtual destination devices.
  - 3. The system of claim 1, wherein the at least one virtual destination device of the first plurality of virtual destination devices is configured based, at least in part, on the original destination in that the at least one virtual destination is configured with a web browser when a digital device of the original destination includes a web browser.
  - 4. The system of claim 1, wherein the first plurality of virtual destination devices concurrently processes the suspicious copy of the network data.
  - 5. The system of claim 4, wherein each of the first plurality of virtual destination devices processes a different portion of the suspicious copy of the network data.
  - 6. The system of claim 1, wherein the heuristic is configured to detect an instance of at least the portion of network data being addressed to an invalid internet protocol address.
  - 7. The system of claim 1, wherein the controller is further configured to receive to copy of other network data from the tap, analyze the copy of the other network data with another heuristic to determine if at least a portion of the copied other network data is associated with malware, flag the at least a portion of the copied other network data as suspicious based on the heuristic determination, simulate transmission of the other network data to at least one virtual destination device of a second plurality of virtual destination devices, and concurrently analyze a first response from the at least one virtual destination device of the first plurality of virtual destination devices and a second response from the at least one virtual destination device of the second plurality of virtual destination devices.
  - 8. The system of claim 1, wherein the at least one virtual destination device is configured with a particular operating system of a digital device that is at least part of the original destination.
  - 9. The system of claim 1, wherein the at least one virtual destination device is configured with a port or a device driver associated with a network device operating at least in part as the original destination that is targeted to receive the network data.
  - 10. The system of claim 1, wherein the at least one virtual destination device of the first plurality of virtual destination devices is configured only with features of a digital device included as at least part of the original destination that are affected by the network data.
  - 11. The system of claim 1, wherein characteristics of at least one virtual destination device are configured to mimic only features of a network device being the original destination that are affected by the network data.

12. A system comprising:
- a device configured to receive and output network data from a communication network; and
  
  a controller coupled to the device, the controller to (i) receive the network data from the device, (ii) conduct heuristic analysis on the network data, (iii) identify at least a portion of the network data as suspicious upon determining by the heuristic analysis of a likelihood that at least the portion of the network data including malware, (iv) simulate transmission of the suspicious network data to at least one virtual machine of a plurality of virtual machines that is selected or configured using at least one software profile, and (v) analyze effects of the suspicious network data on the at least one virtual machine.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 13. The system of claim 12, wherein the heuristic analysis is configured to detect an instance of at least the portion of network data being addressed to an invalid internet protocol address.
  - 14. The system of claim 12, wherein the device is implemented within the controller.
  - 15. The system of claim 12, wherein the device comprises a tap that is configured to copy other network data from the communication network and output the copy of the other network data as the network data to the controller.
  - 16. The system of claim 15, wherein the controller is further configured to receive the copy of the other network data from the tap, conduct heuristic analysis on the copy of the other network data to determine if at least a portion of the copied other network data is suspicious, identify at least the portion of the copied other network data as suspicious based on the heuristic analysis, simulate transmission of the other network data to another virtual machine of the plurality of virtual machines configured with performance characteristics of a destination device targeted to receive the other network data, and concurrently analyze a first response from a first virtual machine of the at least one virtual machine of the plurality of virtual machines and a second response from at least a second virtual machine of the plurality of virtual machines.
  - 17. The system of claim 16, wherein the at least one virtual machine of the plurality of virtual machines is different from the second virtual machine of the plurality of virtual machines.
  - 18. The system of claim 12, wherein the controller comprises a scheduler that is adapted to select or configure the at least one virtual machine based on the at least one software profile so that the at least one virtual machine mimics performance characteristics of a destination device targeted to receive the network data, wherein the performance characteristics include features of the destination device that are affected by the network data.
  - 19. The system of claim 18, wherein the features of the destination device include ports to receive the network data.
  - 20. The system of claim 18, wherein the features of the destination device include device drivers that respond to the network data.
  - 21. The system of claim 18, wherein the features of the destination device include software that processes the network data.
  - 22. The system of claim 12, wherein a heuristic module of the controller buffers the suspicious network data into one or more data flows prior to simulating transmission of the suspicious network and analyzing the effects of the suspicious network data on the at least one virtual machine.
  - 23. The system of claim 12, wherein the controller further comprises a fingerprint module coupled to a scheduler, the fingerprint module determines a packet format of the network data and provides the packet format to the scheduler for use in retrieval or configuration of the at least one virtual machine.
  - 24. The system of claim 12, wherein the controller further comprises a heuristic module and a policy engine coupled to the heuristic module, the policy engine provides policies used by the heuristic engine to identify at least the portion of the network data as suspicious.
  - 25. The system of claim 12, wherein the at least one virtual machine of the plurality of virtual machines is configured with the software profile that includes an application that is capable of being used by a digital device targeted to receive the network data.
  - 26. The system of claim 25, wherein the application includes a browser application.
  - 27. The system of claim 12, wherein the at least one virtual machine of the plurality of virtual machines is configured with a web browser when a digital device targeted to receive the network data includes a web browser.
  - 28. The system of claim 18, wherein the scheduler to configure the at least one virtual machine based on the at least one software profile that includes a particular operating system of the destination device.

29. A method comprising:
- receiving network data from a communication network, the network data being associated with an original source;
  
  conducting heuristic analysis on the network data to determine if at least a portion of the network data is identified as suspicious by exhibiting anomalous behavior;
  
  classifying the original source as a suspicious source based on association with the suspicious network data; and
  
  simulating transmission of the network data from the suspicious source to one or more virtual machines of a plurality of virtual machines that is configured to operate as at least one virtual destination device to identify unauthorized activity and monitoring how the network data from the suspicious source affects operations of the one or more virtual machines.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 30. The method of claim 29, wherein the monitoring how the network data from the suspicious source affects operations of the one or more virtual machines comprises monitoring if a virtual machine of the one or more virtual machines crashes.
  - 31. The method of claim 29, wherein the monitoring how the network data from the suspicious source affects operations of the one or more virtual machines comprises monitoring if processing of the network data causes a virtual machine of the one or more virtual machines to conduct an unauthorized access of stored data.
  - 32. The method of claim 29, wherein the monitoring how the network data from the suspicious source affects operations of the one or more virtual machines comprises monitoring if the processing of the network data causes a virtual machine of the one or more virtual machines to perform an illegal operation.
  - 33. The method of claim 29, wherein the heuristic analysis is conducted to detect an instance of at least the portion of network data being addressed to an invalid internet protocol address.
  - 34. The method of claim 29, wherein identifying the unauthorized activity includes identifying malware associated with the network data from the suspicious source.
  - 35. The method of claim 29, wherein identifying the unauthorized activity includes identifying a hacker associated with the network data from the suspicious source.
  - 36. The method of claim 29, wherein the one or more virtual machines that operate as at least one virtual destination device is configured with a particular operating system of a digital device that is a targeted destination for the network data.
  - 37. The method of claim 29, wherein the one or more virtual machines that operate as at least one virtual destination device is configured with a port or a device driver associated with a network device operating at least in part as the original destination that is targeted to receive the network data.
  - 38. The method of claim 29, wherein the one or more virtual machines of the plurality of virtual machines is configured with a web browser when a digital device targeted to receive the network data from the original source includes a web browser.

39. A non-transitory computer readable medium for storing computer readable code, the computer readable code configured to be executed by a processor to perform a method for analyzing data, the method comprising:
- receiving, by a processor, network data from a communication network, the network data being associated with an original destination;
  
  conducting, by the processor, heuristic analysis by the processor on the network data to identify that at least a portion of the network data is suspicious upon determining that a particular likelihood of at least the portion of the network data including malware;
  
  simulating, by the processor, transmission of the suspicious network data to at least one virtual machine of a plurality of virtual machines that is selected or configured using at least one software profile; and
  
  analyzing, by the processor, effects of the suspicious network data on the at least one virtual machine.
- View Dependent Claims (40, 41, 42, 43)
- - 40. The non-transitory computer readable medium of claim 39, wherein the computer readable code is further configured to direct the processor to conduct heuristic analysis by analyzing whether characteristics of the network data identify a presence of malware.
  - 41. The non-transitory computer readable medium of claim 39, wherein the transmission of the suspicious network data is simulated to the at least one virtual machine that is configured using particular operating system of a digital device that is the original destination for the network data.
  - 42. The non-transitory computer readable medium of claim 39, wherein the transmission of the suspicious network data is simulated to the at least one virtual machine that is configured with a port or a device driver associated with a network device operating as the original destination that is targeted to receive the network data.
  - 43. The non-transitory computer readable medium of claim 39, wherein the at least one virtual machine of the plurality of virtual machines is configured with a web browser when a digital device targeted to receive the network data includes a web browser.

44. A system comprising:
- a device configured to receive and output network data from a communication network; and
  
  a controller coupled to the device, the controller to (i) receive the network data from the device, (ii) conduct heuristic analysis on the network data, (iii) identify at least a portion of the network data as suspicious upon determining by the heuristic analysis of a likelihood that at least the portion of the network data including malware, (iv) process the suspicious network data by least one virtual machine of a plurality of virtual machines that is selected or configured at least based on one or more features of a digital device targeted to receive the network data, and (v) analyze effects of the suspicious network data on the at least one virtual machine.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51, 52, 53, 54)
- - 45. The system of claim 44, wherein the heuristic analysis is configured to detect an instance of at least the portion of network data being addressed to an invalid internet protocol address.
  - 46. The system of claim 44, wherein the device is implemented within the controller.
  - 47. The system of claim 44, wherein the controller comprises a scheduler that is adapted to select or configure the at least one virtual machine further based on at least one software profile so that the at least one virtual machine mimics performance characteristics of the digital device, wherein the performance characteristics include features of the digital device that are affected by the network data.
  - 48. The system of claim 47, wherein the features of the digital device include ports to receive the network data.
  - 49. The system of claim 47, wherein the features of the digital device include one or more device drivers that respond to the network data.
  - 50. The system of claim 47, wherein the features of the digital device include software that processes the network data.
  - 51. The system of claim 44, wherein the controller further simulates transmission of the suspicious network data to the at least one virtual machine in order to analyze the effects of the suspicious network data on the at least one virtual machine.
  - 52. The system of claim 44, wherein the at least one virtual machine of a plurality of virtual machines is configured with an application that is capable of being used by a digital device targeted to receive the network data.
  - 53. The system of claim 52, wherein the application includes a browser application.
  - 54. The system of claim 44, wherein the at least one virtual machine of the plurality of virtual machines is configured with a web browser when a digital device targeted to receive the network data includes a web browser.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar, Radhakrishnan, Ramesh, Ismael, Osman
Primary Examiner(s)
ABRISHAMKAR, KAVEH

Application Number

US14/078,376
Time in Patent Office

490 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 9/45533   Hypervisors; Virtual machin...

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

System and method for analyzing suspicious network data

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

473 Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for analyzing suspicious network data

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

473 Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links