System and method for analyzing suspicious network data
Abstract
A system is provided with a controller and a device configured to receive network data from a communication network and output it to the controller. The controller is configured to (i) receive the network data from the device, (ii) conduct heuristic analysis on the network data, (iii) identify at least a portion of the network data as suspicious upon the heuristic analysis determining a likelihood that at least the portion of the network data includes malware, (iv) simulate transmission of the suspicious network data to at least one virtual machine of a plurality of virtual machines that is selected or configured using at least one software profile, and (v) analyze effects of the suspicious network data on the at least one virtual machine.
54 Claims
1. A system comprising:
- a tap configured to copy network data from a communication network, wherein the network data is associated with an original destination; and
- a controller coupled to the tap, the controller being configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if at least a portion of the copy of the network data is associated with malware, flag at least the portion of the copy of the network data as suspicious based on the heuristic determination, and simulate transmission of the flagged, suspicious copy of the network data to at least one virtual destination device of a first plurality of virtual destination devices, wherein the at least one virtual destination device of the first plurality of virtual destination devices is configured based on the original destination.
Dependent claims: 2-11.
12. A system comprising:
- a device configured to receive and output network data from a communication network; and
- a controller coupled to the device, the controller to (i) receive the network data from the device, (ii) conduct heuristic analysis on the network data, (iii) identify at least a portion of the network data as suspicious upon the heuristic analysis determining a likelihood that at least the portion of the network data includes malware, (iv) simulate transmission of the suspicious network data to at least one virtual machine of a plurality of virtual machines that is selected or configured using at least one software profile, and (v) analyze effects of the suspicious network data on the at least one virtual machine.
Dependent claims: 13-28.
29. A method comprising:
- receiving network data from a communication network, the network data being associated with an original source;
- conducting heuristic analysis on the network data to determine if at least a portion of the network data is identified as suspicious by exhibiting anomalous behavior;
- classifying the original source as a suspicious source based on association with the suspicious network data; and
- simulating transmission of the network data from the suspicious source to one or more virtual machines of a plurality of virtual machines that is configured to operate as at least one virtual destination device to identify unauthorized activity, and monitoring how the network data from the suspicious source affects operations of the one or more virtual machines.
Dependent claims: 30-38.
39. A non-transitory computer readable medium for storing computer readable code, the computer readable code configured to be executed by a processor to perform a method for analyzing data, the method comprising:
- receiving, by a processor, network data from a communication network, the network data being associated with an original destination;
- conducting, by the processor, heuristic analysis on the network data to identify that at least a portion of the network data is suspicious upon determining a particular likelihood of at least the portion of the network data including malware;
- simulating, by the processor, transmission of the suspicious network data to at least one virtual machine of a plurality of virtual machines that is selected or configured using at least one software profile; and
- analyzing, by the processor, effects of the suspicious network data on the at least one virtual machine.
Dependent claims: 40-43.
44. A system comprising:
- a device configured to receive and output network data from a communication network; and
- a controller coupled to the device, the controller to (i) receive the network data from the device, (ii) conduct heuristic analysis on the network data, (iii) identify at least a portion of the network data as suspicious upon the heuristic analysis determining a likelihood that at least the portion of the network data includes malware, (iv) process the suspicious network data by at least one virtual machine of a plurality of virtual machines that is selected or configured at least based on one or more features of a digital device targeted to receive the network data, and (v) analyze effects of the suspicious network data on the at least one virtual machine.
Dependent claims: 45-54.
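As an added illustration (not part of the patent or of any product), the following Python models the claimed flow on constructed records: the heuristic flags a copied flow, the original source is classified as suspicious (claim 29), and the virtual destination profile is chosen from the original destination (claims 1 and 44). The destination inventory, scoring thresholds and sample traffic are hypothetical, and replay into the virtual machine is left out.

```python
from dataclasses import dataclass

# Constructed inventory (hypothetical): original destination -> VM software profile
DESTINATION_PROFILES = {
    ("10.0.0.5", 445): {"os": "windows-server", "service": "smb"},
    ("10.0.0.7", 80): {"os": "linux", "service": "nginx"},
}
DEFAULT_PROFILE = {"os": "generic", "service": "unknown"}

@dataclass
class TappedRecord:  # one copied flow handed over by the tap
    src: str
    dst: str
    dst_port: int
    payload: bytes

def heuristic_score(rec):
    """Toy anomaly heuristic over the copy; each indicator adds one point."""
    score = 0
    printable = sum(32 <= b < 127 for b in rec.payload)
    if rec.payload and printable / len(rec.payload) < 0.5:
        score += 1  # mostly non-printable payload
    if len(rec.payload) > 512:
        score += 1  # unusually large payload for these services
    if b"\x00" * 8 in rec.payload:
        score += 1  # long run of null bytes
    return score

class Controller:
    """Flags copies, records suspicious sources (claim 29) and selects the
    virtual destination profile from the original destination (claim 1)."""
    def __init__(self, threshold=2):
        self.threshold = threshold
        self.suspicious_sources = set()

    def process(self, rec):
        score = heuristic_score(rec)
        if score < self.threshold:
            return None  # not flagged; the copy is discarded
        self.suspicious_sources.add(rec.src)
        profile = DESTINATION_PROFILES.get((rec.dst, rec.dst_port), DEFAULT_PROFILE)
        return {"src": rec.src, "dst": rec.dst, "port": rec.dst_port,
                "score": score, "profile": profile}

# Constructed sample traffic: one benign request and two anomalous flows.
SAMPLE = [
    TappedRecord("192.0.2.10", "10.0.0.7", 80, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
    TappedRecord("192.0.2.20", "10.0.0.5", 445, b"\x00" * 600),
    TappedRecord("192.0.2.30", "10.0.0.9", 8080, bytes(range(256)) * 3),
]
```

The returned dictionary is the replay plan a real controller would hand to a virtual machine built from the selected profile.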
Specification