System and method for malware containment

US 9,071,638 B1
Filed: 10/21/2013
Issued: 06/30/2015
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A malware containment method comprising:

detecting a digital device upon connection with a communication network;

temporarily redirecting network data from the digital device by configuring a network switch of the communication network to direct the network data from the digital device to a controller coupled to the communication network; and

analyzing the temporarily redirected network data by the controller to detect malware within the digital device by at least configuring a virtual machine to receive the network data and analyzing a response of the virtual machine to processing of the network data within the virtual machine to identify a malware attack;

continuing to redirect the network data from the digital device until expiration of a predetermined period of time without detection of malware; and

continuing to redirect the network data from the digital device beyond the predetermined period of time when malware is detected.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for malware containment on connection is provided. In exemplary embodiments, digital devices are quarantined for a predetermined period of time upon connection to the communication network. When a digital device is quarantined, all network data transmitted by the digital device is temporarily directed to a controller which then analyzes the network data to identify unauthorized activity and/or malware within the newly connected digital device. An exemplary method to contain malware comprises detecting a digital device upon connection with a communication network, temporarily redirecting network data from the digital device, and analyzing the network data to identify malware within the digital device.

Citations

45 Claims

1. A malware containment method comprising:
- detecting a digital device upon connection with a communication network;
  
  temporarily redirecting network data from the digital device by configuring a network switch of the communication network to direct the network data from the digital device to a controller coupled to the communication network; and
  
  analyzing the temporarily redirected network data by the controller to detect malware within the digital device by at least configuring a virtual machine to receive the network data and analyzing a response of the virtual machine to processing of the network data within the virtual machine to identify a malware attack;
  
  continuing to redirect the network data from the digital device until expiration of a predetermined period of time without detection of malware; and
  
  continuing to redirect the network data from the digital device beyond the predetermined period of time when malware is detected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 22)
- - 2. The method of claim 1, wherein temporarily redirecting network data comprises Address Resolution Protocol (ARP) manipulation to temporarily direct the network data from the digital device to the controller.
  - 3. The method of claim 1, wherein temporarily redirecting network data comprises configuring Dynamic Host Configuration Protocol (DHCP) services to temporarily direct the network data from the digital device to the controller.
  - 4. The method of claim 1, wherein analyzing the temporarily redirected network data further comprises determining if the digital device is associated with a white list, and halting the redirecting if the digital device is determined to be associated with the white list.
  - 5. The method of claim 1, wherein analyzing the temporarily redirected network data further comprises comparing some or all of the temporarily redirected network data with an unauthorized activity signature to detect a malware attack.
  - 6. The method of claim 1, further comprising generating an unauthorized activity signature based on a detection of the malware.
  - 7. The method of claim 6, further comprising:
    - storing the unauthorized activity signature; and
      
      sending the unauthorized activity signature to another digital device.
  - 8. The method of claim 6, wherein the unauthorized activity signature is used to subsequently identify the malware and mitigate vulnerabilities including changing a setting settings in a browser application or an operating system.
  - 9. The method of claim 1, wherein analyzing the temporarily redirected network data comprises:
    - analyzing the temporarily redirected network data with a heuristic to identify the network data has a prescribed likelihood of including malware and to use metadata associated with the network data to configure the virtual machine.
  - 10. The method of claim 1 further comprising sending information to a client associated with the digital device to remove the malware.
  - 22. The method of claim 10, wherein the information comprises an unauthorized activity signature that is generated by the controller based on a detection of the malware.

11. A malware containment system comprising:
- a memory to store instructions; and
  
  a controller for containing malware comprising;
  
  a processor; and
  
  a memory coupled to the processor, the memory comprisesa quarantine module stored in the memory, the quarantine module that, when executed by the processor, configured to execute instructions stored in the memory to detects a digital device upon connection with a communication network, to temporarily redirect network data from the digital device to the controller, andan analysis module a policy engine stored in the memory, the analysis module that, when executed by the processor, configured to analyzes the temporarily redirected network data to detect malware within the digital device by at least (i) receiving and processing, by configuring a virtual machine, to receive the temporarily redirected network data and (ii) analyzing a response of the virtual machine to the processing of the temporarily redirected network data within the virtual machine to identify a malware attack,wherein the quarantine module is further configured to temporarily redirect the network data until expiration of a predetermined period of time without identifying the malware attack and continuing to redirect the network data beyond the predetermined period of time if the malware attack has been identified.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 44)
- - 12. The system of claim 11, wherein the quarantine module is configured to manipulate Address Resolution Protocol (ARP) to temporarily direct the network data from the digital device to the controller.
  - 13. The system of claim 11, wherein the quarantine module to configure Dynamic Host Configuration Protocol (DHCP) services to temporarily direct the network data from the digital device to the controller.
  - 14. The system of claim 11, wherein the memory further comprises a policy engine that, when executed by the processor, analyzes the temporarily redirected network data by at least determining if the digital device is associated with a white list.
  - 15. The system of claim 11, wherein the memory further comprises a policy engine that, when executed by the processor, analyzes the temporarily redirected network data by at least comparing some or all of the temporarily redirected network data with an unauthorized activity signature to detect malware.
  - 16. The system of claim 11, wherein the memory further comprising:
    - a heuristic module that, when executed by the processor, analyzes the temporarily redirected network data with a heuristic to identify the temporarily redirected network data has a prescribed likelihood of including malware; and
      
      a scheduler that, when executed by the processor, configures the virtual machine based on metadata associated with the temporarily redirected network data.
  - 17. The system of claim 15, wherein the memory further comprising a signature module that, when executed by the processor, generates an unauthorized activity signature based on a detection of the malware.
  - 18. The system of claim 17, wherein the unauthorized activity signature is used by the policy engine to subsequently identify the malware associated with another malware attack without virtual execution of the malware.
  - 44. The system of claim 11, wherein the memory comprises a semiconductor memory or a storage drive that includes at least one of a flash drive, a hard disk drive or an optical drive.

19. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor for performing a malware containment method, the method comprising:
- detecting a digital device upon connection with a communication network;
  
  redirecting network data from the digital device until a predetermined period of time expires by configuring a network switch of the communication network to direct the network data from the digital device to a controller coupled to the communication network;
  
  analyzing the redirected network data during the predetermined period of time to detect malware within the digital device by at least configuring a virtual machine to receive the network data and analyzing a response of the virtual machine to processing of the network data within the virtual machine to identify a malware attack; and
  
  generating an unauthorized activity signature directed to the newly detected malware associated with the malware attack,wherein the redirecting of the network data from the digital device (i) continues until expiration of the predetermined period of time without detection of malware and (ii) continues after the predetermined period of time expires when the malware is detected during the predetermined period of time.
- View Dependent Claims (20, 21)
- - 20. The non-transitory machine readable medium of claim 19, wherein the unauthorized activity signature is further used to alter at least one setting in one of an application or an operating system that is susceptible to the malware.
  - 21. The non-transitory machine readable medium of claim 20, wherein the altered setting includes a setting in a browser application.

23. A malware containment method comprising:
- detecting a digital device upon connection with a communication network;
  
  temporarily redirecting network data from the digital device by configuring a network switch of the communication network to direct the network data from the digital device to a controller coupled to the communication network; and
  
  analyzing the temporarily redirected network data to detect malware within the digital device by at least configuring a virtual machine to receive the network data and analyzing a response of the virtual machine to processing of the network data within the virtual machine to identify a malware attack; and
  
  generating an unauthorized activity signature based on detection of the malware, the unauthorized activity signature is used to subsequently identify the malware and mitigate vulnerabilities including changing a setting in a browser application on the digital device.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The method of claim 23, wherein temporarily redirecting network data comprises one of (1) Address Resolution Protocol (ARP) manipulation to temporarily direct the network data from the digital device to the controller and (2) configuring Dynamic Host Configuration Protocol (DHCP) services to temporarily direct the network data from the digital device to the controller.
  - 25. The method of claim 23, wherein analyzing the temporarily redirected network data comprises determining if the digital device is associated with a white list, and halting the redirecting if the digital device is determined to be associated with the white list.
  - 26. The method of claim 23, wherein analyzing the temporarily redirected network data comprises comparing some or all of the temporarily redirected network data with an unauthorized activity signature to detect a malware attack.
  - 27. The method of claim 23, wherein the changing of the setting in the browser application comprises disabling ActiveX controls in the browser application.
  - 28. The method of claim 26, further comprising:
    - storing the unauthorized activity signature; and
      
      sending the unauthorized activity signature to another digital device.
  - 29. The method of claim 23, wherein analyzing the temporarily redirected network data comprises:
    - analyzing the temporarily redirected network data with a heuristic to identify network data has a prescribed likelihood of including malware and to use metadata associated with the network data to configure the virtual machine.
  - 30. The method of claim 23, wherein the controller is configured to continue the redirecting if malware is not detected until after a predetermined period of time expires, and continue the redirecting if malware is detected beyond the predetermined period of time.

31. A malware containment system controller, comprising:
- a processor; and
  
  a memory coupled to the processor, the memory comprises;
  
  a quarantine module stored in the memory and configured, when executed by the processor, to detect a digital device upon connection with a communication network, to temporarily redirect network data from the digital device to the controller;
  
  an analysis module stored in the memory and configured, when executed by the processor, to analyze the temporarily redirected network data to detect malware within the digital device by at least (i) receiving and processing the temporarily redirected network data by a virtual machine and (ii) analyzing a response of the virtual machine to the processing of the temporarily redirected network data to identify a malware attack, anda signature module stored in the memory and configured, when executed by the processor, to generate an unauthorized activity signature based on detection of the malware, the unauthorized activity signature is used to subsequently identify the malware and mitigate vulnerabilities including changing a setting in a browser application on the digital device.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 45)
- - 32. The controller of claim 31, wherein the quarantine module stored in the memory is configured to manipulate Address Resolution Protocol (ARP) to temporarily direct the network data from the digital device to the controller.
  - 33. The controller of claim 31, wherein the quarantine module stored in the memory to configure Dynamic Host Configuration Protocol (DHCP) services to temporarily direct the network data from the digital device to the controller.
  - 34. The controller of claim 31, wherein the memory further comprises a policy engine that is configured, when executed by the processor, to analyze the temporarily redirected network data by at least determining if the digital device is associated with a white list.
  - 35. The controller of claim 31, wherein the memory further comprises a policy engine that is configured, when executed by the processor, to analyze the temporarily redirected network data by at least comparing some or all of the temporarily redirected network data with the unauthorized activity signature to detect malware.
  - 36. The controller of claim 35, wherein the signature module is further configured to store the unauthorized activity signature and send the unauthorized activity signature to another digital device.
  - 37. The controller of claim 31, wherein the memory further comprises:
    - a heuristic module that is configured, when executed by the processor, to analyze the temporarily redirected network data with a heuristic to identify the temporarily redirected network data has a prescribed likelihood of including malware; and
      
      a scheduler that, when executed by the processor, configures the virtual machine based on metadata associated with the temporarily redirected network data.
  - 38. The controller of claim 31, wherein the unauthorized activity signature is used to change the setting in the browser application by disabling ActiveX controls in the browser application.
  - 39. The controller of claim 31, wherein the unauthorized activity signature is used by a policy engine stored in the memory and executed by the processor, to subsequently identify the malware associated with another malware attack without virtual execution of the malware.
  - 45. The controller of claim 31, wherein the memory comprises a semiconductor memory or a storage drive that includes at least one of a flash drive, a hard disk drive or an optical drive.

40. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor for performing a malware containment method comprising:
- detecting a digital device upon connection with a communication network;
  
  redirecting network data from the digital device until a predetermined period of time expires by configuring a network switch of the communication network to direct the network data from the digital device to a controller coupled to the communication network;
  
  analyzing the redirected network data during the predetermined period of time to detect malware within the digital device by at least configuring a virtual machine to receive the network data and analyzing a response of the virtual machine to processing of the network data within the virtual machine to identify a malware attack;
  
  generating an unauthorized activity signature directed to the newly detected malware associated with the malware attack, the unauthorized activity signature is further used to subsequently mitigate vulnerabilities in one of an application or an operating system that is susceptible to the malware by changing a setting in the application or the operating system.
- View Dependent Claims (41, 42, 43)
- - 41. The non-transitory machine readable medium of claim 40, wherein the unauthorized activity signature is to subsequently change the setting in a browser application.
  - 42. The non-transitory machine readable medium of claim 41, wherein the setting in the browser application includes ActiveX controls in the browser application.
  - 43. The non-transitory machine readable medium of claim 40 having embodied thereon the executable code that is executable by the processor to further store the unauthorized activity signature and send the unauthorized activity signature to another digital device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Aziz, Ashar, Lai, Wei-Lung, Manni, Jayaraman
Primary Examiner(s)
SHOLEMAN, ABU S

Application Number

US14/059,381
Time in Patent Office

617 Days
Field of Search

726/1, 726/2, 726/3, 726/22, 726/23, 726/24, 726/25, 726/26, 726/27, 713/1, 713/156
US Class Current

1/1
CPC Class Codes

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/568   eliminating virus, restorin...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

System and method for malware containment

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for malware containment

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links