Prospective client identification using malware attack detection

US 9,027,135 B1
Filed: 02/21/2007
Issued: 05/05/2015
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving network traffic;

detecting a malware attack based on analysis of the network traffic;

identifying, by a hardware controller based on address information within the network traffic, a malware device being a digital device that provided the network traffic associated with the malware attack;

identifying, by the hardware controller, a device in communication with the malware device;

determining, by the hardware controller, at least one of a first entity having responsibility for the malware device or a second entity having responsibility for the device in communication with the malware device, each of the first entity and the second entity being a business or person; and

communicating a first message to the first entity having the responsibility for the malware device and a second message to the second entity having responsibility for the device in communication with the malware device without affecting performance of at least one of the malware device or the device, wherein the first message to the first entity comprises a first type of content including at least one of (i) a notification of a possible infection of malware associated with the malware attack, or (ii) an offer of services to eliminate the malware and wherein the second message to the second entity includes a second type of content that comprises an offer for security related products or services that is directed to at least one of (i) stopping an on-going malware attack or (ii) removing the malware from the device in communication with the malware device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for prospective client identification using malware attack detection are provided. A malware device is identified. The entity with the responsibility for the malware device or a potentially compromised device in communication with the malware device is determined. A message is communicated to the entity based on the determination. In various embodiments, the message comprises an offer for security related products and/or services.

586 Citations

37 Claims

1. A method comprising:
- receiving network traffic;
  
  detecting a malware attack based on analysis of the network traffic;
  
  identifying, by a hardware controller based on address information within the network traffic, a malware device being a digital device that provided the network traffic associated with the malware attack;
  
  identifying, by the hardware controller, a device in communication with the malware device;
  
  determining, by the hardware controller, at least one of a first entity having responsibility for the malware device or a second entity having responsibility for the device in communication with the malware device, each of the first entity and the second entity being a business or person; and
  
  communicating a first message to the first entity having the responsibility for the malware device and a second message to the second entity having responsibility for the device in communication with the malware device without affecting performance of at least one of the malware device or the device, wherein the first message to the first entity comprises a first type of content including at least one of (i) a notification of a possible infection of malware associated with the malware attack, or (ii) an offer of services to eliminate the malware and wherein the second message to the second entity includes a second type of content that comprises an offer for security related products or services that is directed to at least one of (i) stopping an on-going malware attack or (ii) removing the malware from the device in communication with the malware device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 27, 28, 29, 34)
- - 2. The method of claim 1, wherein identifying the malware device comprises retrieving a malware device Internet Protocol (IP) address from the network data.
  - 3. The method of claim 1, wherein identifying the malware device comprises:
    - copying network data from a communication network;
      
      analyzing the copied network data with a heuristic to determine if the network data is suspicious; and
      
      orchestrating the transmission of the network data to the device to detect the malware attack.
  - 4. The method of claim 3, wherein orchestrating the transmission of the network data to the device comprises:
    - retrieving a virtual machine configured to receive the network data;
      
      providing the network data to the virtual machine;
      
      controlling a replayer operating with the virtual machine to simulate transmission of network data with the malware device; and
      
      analyzing a response by the virtual machine to detect the malware attack.
  - 5. The method of claim 1, wherein the determining of at least one of the first entity or the second entity comprises determining a registrant associated with the address information being an Internet Protocol (IP) address for the at least one of the first entity or the second entity.
  - 6. The method of claim 1, wherein communicating the first message to the first entity or the second message to the second entity comprises transmitting an email to businesses or persons determined to have responsibility for the device.
  - 7. The method of claim 1, wherein communicating the first message to the first entity or the second message to the second entity comprises transmitting a text message.
  - 27. The method of claim 1, further comprising adding the first or second entities to a potential customer list, and storing the potential customer list, wherein the potential customer list is accessed prior to the communicating the first message or the second message in order to access contact information for the first or second entities.
  - 28. The method of claim 1, wherein communicating the first message and the second message comprises transmitting electronic message of the first type to the first entity and transmitting the second message as an electronic message of the second type having different content than the first type to the second entity.
  - 29. The method of claim 28, wherein the electronic message of the first type having a format of one of an email or a text message and the electronic message of the second type having a different format that the electronic message of the first type and being a remaining type of the one of the text message or the email.
  - 34. The method of claim 1, wherein the malware device is the digital device that is infected by the malware originating from another digital device and provides the network traffic associated with the malware attack to the device.

8. A method comprising:
- monitoring network data between a plurality of digital devices within a communication network;
  
  storing communication data associated with the network data in a memory;
  
  identifying a malware device within the plurality of digital devices based on the communication data, the malware device being a digital device that provided the network data that includes malware;
  
  determining a first entity having responsibility for the malware device;
  
  reviewing the stored communication data to identify a device within the plurality of digital devices that has communicated with the malware device;
  
  determining a second entity having responsibility for the device that has communicated with the malware device, the entity determined to have responsibility being a business or person; and
  
  communicating a first message to the first entity having responsibility for the malware device and a second message to the second entity having the responsibility for the device that has communicated with the malware device without affecting performance of at least one of the malware device or the device, wherein the first message to the first entity comprises a first type of content including at least one of (i) a notification of a possible infection of the malware device by the malware and being associated with a malware attack, or (ii) an offer of services to eliminate the malware and wherein the second message to the second entity includes a second type of content that comprises an offer for security related products or services that is directed to at least one of (i) stopping an on-going malware attack or (ii) removing the malware from the device in communication with the malware device.
- View Dependent Claims (9, 10, 11, 12, 13, 30, 31, 35)
- - 9. The method of claim 8, wherein identifying the malware device comprises:
    - copying network data from the communication network;
      
      analyzing the copied network data with a heuristic to determine if the network data is suspicious; and
      
      orchestrating the transmission of the network data to the device to detect the malware attack.
  - 10. The method of claim 9, wherein orchestrating the transmission of the network data to the device comprises:
    - retrieving a virtual machine configured to receive the network data;
      
      providing the network data to the virtual machine;
      
      controlling a replayer operating with the virtual machine to simulate transmission of network data with the malware device; and
      
      analyzing a response by the virtual machine to detect the malware attack.
  - 11. The method of claim 8, wherein determining the entity having responsibility for the device that has communicated with the malware device includes determining a registrant associated with an Internet Protocol (IP) address for the device from the stored communication data.
  - 12. The method of claim 8, wherein communicating the first message to the first entity having responsibility for the malware device comprises transmitting an email to a business or person determined to have responsibility for the malware device.
  - 13. The method of claim 8, wherein communicating the first message to the first entity having responsibility for the malware device comprises transmitting a text message to a business or person determined to have responsibility for the malware device.
  - 30. The method of claim 8, wherein communicating the second message to the second entity having responsibility for the device comprises transmitting an email to a business or person determined to have responsibility for the device.
  - 31. The method of claim 8, wherein communicating the second message to the second entity having responsibility for the device that has communicated with the malware device comprises transmitting a text message to a business or person determined to have responsibility for the device.
  - 35. The method of claim 8, wherein the malware device is the digital device that is infected by the malware originating from another digital device of the plurality of digital devices and provides the network data including the malware.

14. A non-transitory computer readable storage medium having embodied thereon a program, the program being executable by a processor for performing a method comprising:
- detecting a malware attack based on analysis of monitored network traffic;
  
  identifying a malware device, the malware device being a digital device that provided the monitored network data including malware;
  
  determining, based on the monitored network data, at least one of a first entity having responsibility for the malware device or a second entity having responsibility for a device in communication with the malware device, each of the first entity and the second entity determined to be a business or person; and
  
  communicating a first message to the first entity having the responsibility for the malware device and a second message to the second entity having responsibility for the device in communication with the malware device without affecting performance of at least one of the malware device or the device, wherein the first message to the first entity comprises a first type of content including at least one of (i) a notification of a possible infection of malware associated with the malware attack, or (ii) an offer of services to eliminate the malware and wherein the message to the second entity includes a second type of content that comprises an offer for security related products or services that is directed to at least one of (i) stopping an on-going malware attack or (ii) removing the malware from the device in communication with the malware device.
- View Dependent Claims (15, 16, 17, 18, 19, 25, 32, 33)
- - 15. The non-transitory computer readable storage medium of claim 14, wherein detecting the malware attack comprises:
    - copying network data from a communication network;
      
      analyzing the copied network data with a heuristic to determine if the network data is suspicious; and
      
      orchestrating the transmission of the network data to the device to detect the malware attack.
  - 16. The non-transitory computer readable storage medium of claim 15, wherein orchestrating the transmission of the network data to the device comprises:
    - retrieving a virtual machine configured to receive the network data;
      
      providing the network data to the virtual machine; and
      
      controlling a replayer operating with the virtual machine to simulate transmission of network data with the malware device; and
      
      analyzing a response by the virtual machine to detect the malware attack.
  - 17. The non-transitory computer readable storage medium of claim 14, wherein the determining of at least one of the first entity or the second entity comprises determining a registrant associated with the address information being an Internet Protocol (IP) address for the at least one of the first entity or the second entity.
  - 18. The non-transitory computer readable storage medium of claim 14, wherein communicating the message comprises transmitting an email comprising the notification or the offer of services to at least one of businesses or persons determined to have the responsibility for the malware device.
  - 19. The non-transitory computer readable storage medium of claim 14, wherein communicating the message comprises transmitting a text message to the first entity.
  - 25. The non-transitory computer readable storage medium of claim 14, wherein identifying the malware device comprises providing the network data to a virtual machine, analyzing the network data to detect the malware and generating a response by the virtual machine to identify the malware device.
  - 32. The non-transitory computer readable storage medium of claim 14, wherein communicating the second message comprises transmitting an email comprising the offer for security related products or services.
  - 33. The non-transitory computer readable storage medium of claim 14, wherein communicating the second message comprises transmitting a text message to the second entity.

20. A non-transitory computer readable storage medium having embodied thereon a program, the program being executable by a processor for performing a method comprising:
- monitoring network data between a plurality of digital devices within a communication network;
  
  storing communication data associated with the network data in a memory;
  
  identifying a malware device within the plurality of digital devices based on the communication data, the malware device being a digital device that provided the network data associated with a malware attack;
  
  determining a first entity having responsibility for the malware device;
  
  reviewing the stored communication data to identify a device within the plurality of digital devices that has communicated with the malware device;
  
  determining a second entity having responsibility for the device that has communicated with the malware device, the entity determined to have responsibility being a business or person; and
  
  communicating a first message to the first entity having responsibility for the malware device and a second message to the second entity having the responsibility for the device that has communicated with the malware device without affecting performance of at least one of the malware device or the device, wherein the first message to the first entity comprises a first type of content including at least one of (i) a notification of a possible infection of malware associated with the malware attack, or (ii) an offer of services to eliminate the malware and wherein the message to the second entity includes a second type of content that comprises an offer for security related products or services that is directed to at least one of (i) stopping an on-going malware attack or (ii) removing the malware from the device in communication with the malware device.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The non-transitory computer readable storage medium of claim 20, wherein identifying the malware device comprises:
    - copying network data from the communication network;
      
      analyzing the copied network data with a heuristic to determine if the network data is suspicious; and
      
      orchestrating the transmission of the network data to the device to detect the malware attack.
  - 22. The non-transitory computer readable storage medium of claim 21, wherein orchestrating the transmission of the network data to the destination device comprises:
    - retrieving a virtual machine configured to receive the network data;
      
      providing the network data to the virtual machine; and
      
      controlling a replayer operating with the virtual machine to simulate transmission of network data with the malware device; and
      
      analyzing a response by the virtual machine to detect the malware attack.
  - 23. The non-transitory computer readable storage medium of claim 20, wherein determining the second entity having responsibility for the device includes determining a registrant associated with an Internet Protocol (IP) address for the device from the stored communication data.
  - 24. The non-transitory computer readable storage medium of claim 20, wherein communicating the second message to the second entity having responsibility for the device comprises transmitting at least one of an email or a text message to a business or person determined to have responsibility for the device that has communicated with the malware device.

26. A system comprising:
- a processor configured to receive a copy of network data, analyze the copy of the network data with a heuristic to determine if the network data is suspicious, flag the network data as suspicious based on the heuristic determination, simulate transmission of the network data to a destination device to identify a malware device being a digital device that provided the suspicious network data, determine a first entity having responsibility for the malware device, identify a device in communication with the malware device, determine a second entity having responsibility for the device in communication with the malware device based on address information within the network data, communicate a first message to the first entity including a first type of content including at least one of (i) a notification of a possible infection of malware associated with the malware attack, or (ii) an offer of services to eliminate the malware, and communicate a second message to the second entity including a second type of content including at least one of an offer for security related products or services that is directed to at least one of (i) stopping an on-going malware attack by the malware device or (ii) removing the malware from the device based on communications with the malware device.
- View Dependent Claims (36, 37)
- - 36. The system of claim 26, wherein the processor to add the first entity associated with the malware device to a list without communicating the first message to the first entity.
  - 37. The system of claim 26, wherein the malware device is the digital device that is provided with the suspicious network data from another digital.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar
Primary Examiner(s)
BROWN, ANTHONY D

Application Number

US11/709,570
Time in Patent Office

2,995 Days
Field of Search

726 22- 25
US Class Current

726/23
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 9/455   Emulation; Interpretation; ...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Prospective client identification using malware attack detection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

586 Citations

37 Claims

Specification

Use Cases

Quick Links

Others

Prospective client identification using malware attack detection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

586 Citations

37 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others