System and method for analyzing packets
5 Assignments
0 Petitions
Abstract
A system is provided with an interface and controller. The interface is configured to receive packets transmitted over a network between a first device and a second device. Transmitted over the network in accordance with a packet protocol, the packets include at least one packet transmitted from the first device and at least one packet transmitted from the second device. Coupled to the interface, the controller is configured to determine whether a plurality of packets have suspicious characteristics of malware and transmit the suspicious packets to an analysis environment. The analysis environment is configured to receive the plurality of packets that have suspicious characteristics of malware, modify at least a portion of these suspicious packets, and transmit at least the modified portion of the plurality of packets that have suspicious characteristics of malware to a virtual machine in accordance with a sequence of the packet protocol.
684 Citations
71 Claims

1. A system comprising:
- an interface configured to copy data of a data flow transmitted over a network between a first device and a second device, the data flow including data originating from the first device and data originating from the second device, the copied data of the data flow being transmitted over the network in accordance with a protocol;
- a heuristic module configured to receive the copied data from the interface and identify at least a portion of the copied data as suspicious based on a determination that the portion of the copied data has characteristics of malware; and
- an analysis environment including a replayer configured to operate as the first device and a virtual machine configured to operate as the second device, the replayer configured to receive the portion of the copied data identified as suspicious, modify the portion of the copied data identified as suspicious, and transmit the modified portion of the copied data identified as suspicious to the virtual machine in accordance with the protocol.

Dependent claims: 2–17.

18. A system comprising:
- an interface configured to receive a plurality of packets transmitted over a network between a first device and a second device, wherein the plurality of packets are transmitted over the network in accordance with a packet communication protocol; and
- a controller coupled to the interface, wherein the controller is configured to determine whether the plurality of packets have suspicious characteristics of malware and transmit the plurality of packets that have suspicious characteristics of malware to an analysis environment, wherein the analysis environment is configured to receive the plurality of packets that have suspicious characteristics of malware, modify at least a portion of the plurality of packets that have suspicious characteristics of malware, and transmit at least the modified portion of the plurality of packets that have suspicious characteristics of malware to a virtual machine in accordance with the packet communication protocol.

Dependent claims: 19–29.

30. A method comprising:
- copying data including a plurality of packets traveling over a network;
- determining that the copied data has suspicious characteristics of malware;
- based on the determination, transmitting the copied data that has suspicious characteristics of malware to an analysis environment;
- within the analysis environment, modifying the copied data that has suspicious characteristics of malware and transmitting, in accordance with a protocol sequence, the modified copied data that has suspicious characteristics of malware to a virtual machine; and
- confirming that the modified copied data that has suspicious characteristics of malware contains malware by observing an anomalous behavior of the virtual machine while the virtual machine is processing the modified copied data that has suspicious characteristics of malware.

Dependent claims: 31–37.

38. A non-transitory readable storage medium storing computer readable code, the computer readable code containing instructions that when executed by a processor perform operations comprising:
- receiving packets from a network, the packets being transmitted in accordance with a protocol sequence over the network to a destination device;
- determining that the packets have suspicious characteristics of malware; and
- responsive to the determining that the packets have suspicious characteristics of malware, transmitting the packets that have suspicious characteristics of malware to a replayer, the replayer being configured to modify a header of the packets that have suspicious characteristics of malware and transmit the modified packets that have suspicious characteristics of malware in accordance with the protocol sequence to a virtual machine representing the destination device.

Dependent claims: 39–50.

51. A system comprising:
- an interface configured to receive data that is part of a data flow transmitted over a network between a first device and a second device, the received data being transmitted over the network in accordance with a protocol; and
- a controller communicatively coupled to the interface, the controller comprises one or more hardware processors, and a memory coupled to the one or more hardware processors, the memory comprises software that includes a first software module configured to receive the received data from the interface and identify a portion of the received data as suspicious based on a determination that the portion of the received data has characteristics of malware, and a second software module that includes a replayer configured to operate as the first device and a virtual machine configured to operate as the second device, the replayer configured to receive the portion of the received data identified as suspicious, modify the portion of the received data identified as suspicious, and transmit the modified portion of the received data identified as suspicious to the virtual machine in accordance with the protocol.

Dependent claims: 52–70.

71. A system comprising:
- an interface configured to receive data transmitted over a network between a first device and a second device, the received data being transmitted over the network in accordance with a prescribed protocol; and
- a controller communicatively coupled to the interface, the controller comprises one or more hardware processors, and a memory coupled to the one or more hardware processors, the memory comprises software that includes a first software module that, when processed by the one or more hardware processors, is configured to receive the received data from the interface and identify a portion of the received data as suspicious based on a determination that the portion of the received data has characteristics of malware, and a second software module that includes a replayer configured to operate as the first device and a virtual machine configured to operate as the second device, the replayer, when processed by the one or more hardware processors, is configured to receive the portion of the received data identified as suspicious, modify the portion of the received data identified as suspicious, and transmit the modified portion of the received data identified as suspicious to the virtual machine in accordance with the prescribed protocol.
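The pipeline the abstract and method claim 30 describe (tap copies a flow, a heuristic module flags part of it, a replayer rewrites headers and re-sends that part in protocol-sequence order to a guest, and a behaviour monitor confirms malware by what the guest does) as an added toy model in Python. This is illustration written for this page, not the patent's implementation or any vendor's code; the addresses, the two sample flows, the `heuristic_module` rule, the `GuestVM` behaviour model and every class name are constructed assumptions. The point the model makes is the one in claim 30: the heuristic is only a weak filter, and the same flagged flow is confirmed or cleared by observed behaviour, not by content matching.

```python
"""Tap -> heuristic -> replayer -> guest VM stand-in, in the order the abstract gives.
Toy model added for illustration; names, addresses and sample traffic are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str        # "ip:port" of the originating device
    dst: str        # "ip:port" of the destination device
    seq: int        # position in the protocol sequence (TCP-like ordering)
    payload: bytes


# Constructed sample traffic (documentation/test addresses only). The client asks a
# web server for a page; the server's reply is the half of the flow worth replaying,
# so the replayer takes the server's role and the guest VM stands in for the client.
CLIENT, SERVER = "10.0.0.5:51000", "203.0.113.9:80"
GUEST_ADDR, REPLAYER_ADDR = "192.0.2.20:51000", "192.0.2.1:80"
REQUEST = Packet(CLIENT, SERVER, 1, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
HTML_HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

# Flow A: the header claims HTML but the body carries a Windows executable (MZ magic).
FLOW_MALICIOUS = [
    REQUEST,
    Packet(SERVER, CLIENT, 1, HTML_HEAD),
    Packet(SERVER, CLIENT, 3, b"\x00" * 20),                  # captured out of order
    Packet(SERVER, CLIENT, 2, b"MZ\x90\x00" + b"\x00" * 16),
]
# Flow B: a genuine HTML page that starts with a UTF-8 byte-order mark. The heuristic
# flags it (non-printable bytes in a text body) but the guest behaves normally.
FLOW_BENIGN = [
    REQUEST,
    Packet(SERVER, CLIENT, 1, HTML_HEAD),
    Packet(SERVER, CLIENT, 2, b"\xef\xbb\xbf<html><body>hello</body></html>"),
]


def reassemble(packets):
    """Join one sender's payloads in protocol-sequence order."""
    return b"".join(p.payload for p in sorted(packets, key=lambda p: p.seq))


def heuristic_module(flow):
    """Return the packets that show characteristics of malware.
    Constructed rule: a body declared as text/* whose first bytes are not printable
    text. Deliberately a weak signal; confirmation is the guest's job."""
    suspicious = []
    for sender in dict.fromkeys(p.src for p in flow):       # senders in order of appearance
        pkts = [p for p in flow if p.src == sender]
        head, sep, body = reassemble(pkts).partition(b"\r\n\r\n")
        declared_text = b"content-type: text/" in head.lower()
        binary_start = any((b < 0x20 and b not in b"\r\n\t") or b > 0x7e for b in body[:16])
        if sep and declared_text and binary_start:
            suspicious.extend(pkts)
    return suspicious


class GuestVM:
    """Stand-in for the virtual machine operating as the second device (the client).
    A behaviour monitor records what the guest's browser does with the data it
    receives; any event outside the baseline counts as anomalous behaviour."""
    BASELINE = {"render_page"}

    def __init__(self, addr):
        self.addr, self.segments, self.events = addr, {}, []

    def receive(self, pkt):
        if pkt.dst != self.addr:
            raise ValueError(f"packet for {pkt.dst} delivered to guest {self.addr}")
        self.segments[pkt.seq] = pkt.payload

    def run_guest_client(self):
        """Simulated incautious browser: renders text, but saves and launches any body
        that carries an executable header. Returns the anomalous events observed."""
        stream = b"".join(self.segments[s] for s in sorted(self.segments))
        _, _, body = stream.partition(b"\r\n\r\n")
        if body.startswith((b"MZ", b"\x7fELF")):
            self.events += ["file_write:C:\\Temp\\update.exe", "process_create:C:\\Temp\\update.exe"]
        else:
            self.events.append("render_page")
        return [e for e in self.events if e not in self.BASELINE]


class Replayer:
    """Operates as the first device (the sender of the suspicious data): rewrites the
    packet headers so the guest, not the real client, is the destination, then
    transmits in protocol-sequence order regardless of capture order."""
    def __init__(self, own_addr, guest):
        self.own_addr, self.guest = own_addr, guest

    def replay(self, suspicious):
        modified = [replace(p, src=self.own_addr, dst=self.guest.addr)
                    for p in sorted(suspicious, key=lambda p: p.seq)]
        for p in modified:
            self.guest.receive(p)
        return modified


def analyze_flow(flow):
    """Whole pipeline for one copied flow; returns what an operator would log."""
    suspicious = heuristic_module(flow)
    if not suspicious:
        return {"suspicious": 0, "confirmed": False, "anomalies": []}
    guest = GuestVM(GUEST_ADDR)
    Replayer(REPLAYER_ADDR, guest).replay(suspicious)
    anomalies = guest.run_guest_client()
    return {"suspicious": len(suspicious), "confirmed": bool(anomalies), "anomalies": anomalies}


if __name__ == "__main__":
    for name, flow in (("malicious", FLOW_MALICIOUS), ("benign", FLOW_BENIGN)):
        print(name, analyze_flow(flow))
```

Both sample flows are flagged by the heuristic, since both put non-text bytes in a text/html body; only the first is confirmed, because only there does the guest do something outside its baseline. A real deployment would replace `GuestVM` with an instrumented virtual machine and `run_guest_client` with the guest's actual application, but the division of labour stays the same: the heuristic decides what is worth replaying, the replayer preserves protocol order while substituting the guest's address, and the verdict comes from the monitor.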
Specification