System and method for analyzing packets

US 9,282,109 B1
Filed: 06/30/2014
Issued: 03/08/2016
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

an interface configured to copy data of a data flow transmitted over a network between a first device and a second device, the data flow including data originating from the first device and data originating from the second device, the copied data of the data flow being transmitted over the network in accordance with a protocol;

a heuristic module configured to receive the copied data from the interface and identify at least a portion of the copied data as suspicious based on a determination that the portion of the copied data has characteristics of malware; and

an analysis environment including a replayer configured to operate as the first device and a virtual machine configured to operate as the second device, the replayer configured to receive the portion of the copied data identified as suspicious, modify the portion of the copied data identified as suspicious, and transmit the modified portion of the copied data identified as suspicious to the virtual machine in accordance with the protocol.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is provided with an interface and controller. The interface is configured to receive packets transmitted over a network between a first device and a second device. Transmitted over the network in accordance with a packet protocol, the packets include at least one packet transmitted from the first device and at least one packet transmitted from the second device. Coupled to the interface, the controller is configured to determine whether a plurality of packets have suspicious characteristics of malware and transmit the suspicious packets to an analysis environment. The analysis environment is configured to receive the plurality of packets that have suspicious characteristics of malware, modify at least a portion of these suspicious packets, and transmit at least the modified portion of the plurality of packets that have suspicious characteristics of malware to a virtual machine in accordance with a sequence of the packet protocol.

684 Citations

71 Claims

1. A system comprising:
- an interface configured to copy data of a data flow transmitted over a network between a first device and a second device, the data flow including data originating from the first device and data originating from the second device, the copied data of the data flow being transmitted over the network in accordance with a protocol;
  
  a heuristic module configured to receive the copied data from the interface and identify at least a portion of the copied data as suspicious based on a determination that the portion of the copied data has characteristics of malware; and
  
  an analysis environment including a replayer configured to operate as the first device and a virtual machine configured to operate as the second device, the replayer configured to receive the portion of the copied data identified as suspicious, modify the portion of the copied data identified as suspicious, and transmit the modified portion of the copied data identified as suspicious to the virtual machine in accordance with the protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system of claim 1, wherein the interface includes a tap.
  - 3. The system of claim 1, wherein the analysis environment further includes a virtual switch configured to receive the modified portion of the copied data identified as suspicious transmitted by the replayer and route the modified portion of the copied data identified as suspicious to the virtual machine.
  - 4. The system of claim 1, wherein the replayer is configured to dynamically modify one or more variables in communications with the virtual machine to maintain the protocol between the replayer and the virtual machine.
  - 5. The system of claim 4, wherein the one or more variables includes at least one of assigned ports or transaction identifiers.
  - 6. The system of claim 4, wherein the one or more variables include a variable that is dynamic to a protocol session between the virtual machine and the replayer.
  - 7. The system of claim 1, wherein the heuristic module is further configured to identify another portion of the copied data as suspicious based on a determination that the copied data is directed to an unassigned Internet Protocol (IP) address or is transmitted to an unassigned port address.
  - 8. The system of claim 1 further comprising a scheduler, wherein the scheduler retrieves the virtual machine from a virtual machine pool containing a plurality of virtual machines.
  - 9. The system of claim 1 further comprising a scheduler,wherein the scheduler retrieves the virtual machine from a virtual machine pool, andwherein the virtual machine is configurable to mimic multiple destination devices including the second device.
  - 10. The system of claim 9, wherein the scheduler dynamically configures the virtual machine based on a software profile of the second device.
  - 11. The system of claim 1, wherein the virtual machine configured to operate as the second device mimics a performance of an operating system of the second device.
  - 12. The system of claim 1, wherein the replayer configured to operate as the first device mimics a behavior of the first device in transmitting the modified portion of the copied data identified as suspicious, andwherein the virtual machine configured to operate as the second device mimics a performance of a feature of the second device affected by the modified portion of the copied data identified as suspicious.
  - 13. The system of claim 1, wherein the heuristic module identifying the portion of the copied data as suspicious based on a determination that the copied data has characteristics of malware by performing a heuristic analysis to identify a first portion of the portion of the copied data that may include malware and applying a rule to identify a second portion of the portion of the copied data that may include malware, the rule being based on the relationship of the second portion to the first portion.
  - 14. The system of claim 1, wherein the replayer modifying the portion of the copied data identified as suspicious by changing a destination address.
  - 15. The system of claim 1, wherein the replayer is configured to dynamically modify information within a response to a request initiated from the virtual machine that is configured to mimic a browser application, the response corresponding to a response that would have been generated by a web server.
  - 16. The system of claim 15, wherein the analysis environment to simulate at least a portion of the data flow between the first device and the second device.
  - 17. The system of claim 1, wherein the data flow comprises a plurality of related packets that are transmitted during a particular communication session.

18. A system comprising:
- an interface configured to receive a plurality of packets transmitted over a network between a first device and a second device, wherein the plurality of packets are transmitted over the network in accordance with a packet communication protocol; and
  
  a controller coupled to the interface, wherein the controller is configured to determine whether the plurality of packets have suspicious characteristics of malware and transmit the plurality of packets that have suspicious characteristics of malware to an analysis environment, wherein the analysis environment is configured to receive the plurality of packets that have suspicious characteristics of malware, modify at least a portion of the plurality of packets that have suspicious characteristics of malware, and transmit at least the modified portion of the plurality of packets that have suspicious characteristics of malware to a virtual machine in accordance with the packet communication protocol.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 19. The system of claim 18, wherein the controller comprises at least one processor that is configured to modify at least the portion of the plurality of packets that have suspicious characteristics of malware, and transmit at least the modified portion of the plurality of packets that have suspicious characteristics of malware to the virtual machine.
  - 20. The system of claim 18, wherein the analysis environment of the controller further comprising a virtual switch configured to route the modified at least the portion of the plurality of packets that have suspicious characteristics of malware to the virtual machine.
  - 21. The system of claim 18, wherein the controller is further configured to analyze the effects of the modified at least the portion of the plurality of packets that have suspicious characteristics of malware on the virtual machine to identify unauthorized activity.
  - 22. The system of claim 18, wherein modifying the at least the portion of the plurality of packets that have suspicious characteristics of malware by the controller includes identifying a first session identifier and substituting the first session identifier with a second session identifier received in a response from the virtual machine.
  - 23. The system of claim 18, wherein modifying the at least the portion of the plurality of packets that have suspicious characteristics of malware by the controller includes performing network address translation (NAT) to thereby redirect the at least the portion of the plurality of packets that have suspicious characteristics of malware to the virtual machine.
  - 24. The system of claim 18, wherein the controller comprises at least one hardware processor and software that collectively operates to determine whether the plurality of packets have suspicious characteristics of malware, and upon determining that the plurality of packets have suspicious characteristics, modify at least a portion of the plurality of packets that have suspicious characteristics of malware, and transmit at least the modified portion of the plurality of packets that have suspicious characteristics of malware to the virtual machine.
  - 25. The system of claim 18, wherein the analysis environment of the controller comprises the virtual machine and a replayer that is configured to dynamically modify one or more variables in communications with the virtual machine to maintain a sequence of the packet transmission protocol between the replayer and the virtual machine.
  - 26. The system of claim 25, wherein the one or more variables assigned ports.
  - 27. The system of claim 25, wherein the one or more variables includes a variable that is dynamic to a protocol session between the virtual machine and the replayer.
  - 28. The system of claim 18, wherein the controller comprises a replayer that is configured to dynamically modify information within a response to a request initiated from the virtual machine to maintain the sequence of the protocol between the replayer and the virtual machine, the virtual machine being configured to mimic a browser application.
  - 29. The system of claim 28, wherein the replayer generating the response to mimic operations by a web server to which the request is directed.

30. A method comprising:
- copying data including a plurality of packets traveling over a network;
  
  determining that the copied data has suspicious characteristics of malware;
  
  based on the determination, transmitting the copied data that has suspicious characteristics of malware to an analysis environment;
  
  within the analysis environment, modifying the copied data that has suspicious characteristics of malware and transmitting, in accordance with a protocol sequence, the modified copied data that has suspicious characteristics of malware to a virtual machine; and
  
  confirming that the modified copied data that has suspicious characteristics of malware contains malware by observing an anomalous behavior of the virtual machine while the virtual machine is processing the modified copied data that has suspicious characteristics of malware.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37)
- - 31. The method of claim 30, further comprising, within the analysis environment, retrieving the virtual machine from a virtual machine pool including multiple virtual machines.
  - 32. The method of claim 30, further comprising, within the analysis environment, receiving by a virtual switch the modified copied data that has suspicious characteristics of malware and routing the modified copied data identified as suspicious to the virtual machine.
  - 33. The method of claim 30, wherein copying of the data is performed using a tap.
  - 34. The method of claim 30, wherein determining that the copied data has suspicious characteristics of malware includes receiving a predetermined number of packets belonging to the copied data and performing a probability analysis to determine a likelihood that the copied data has suspicious characteristics of malware.
  - 35. The method of claim 30, wherein modifying the copied data that has suspicious characteristics of malware includes substituting a first session identifier of the copied data that has suspicious characteristics of malware with a second session identifier of the virtual machine.
  - 36. The method of claim 30, wherein modifying the copied data that has suspicious characteristics of malware includes substituting a first destination address of the copied data that has suspicious characteristics of malware with a second destination of the virtual machine.
  - 37. The method of claim 30, wherein modifying the copied data that has suspicious characteristics of malware includes performing network address translation (NAT) to redirect the copied data that has suspicious characteristics of malware to the virtual machine.

38. A non-transitory readable storage medium storing computer readable code, the computer readable code containing instructions that when executed by a processor perform operations comprising:
- receiving packets from a network, the packets being transmitted in accordance with a protocol sequence over the network to a destination device;
  
  determining that the packets have suspicious characteristics of malware; and
  
  responsive to the determining that the packets have suspicious characteristics of malware, transmitting the packets that have suspicious characteristics of malware to a replayer, the replayer being configured to modify a header of the packets that have suspicious characteristics of malware and transmit the modified packets that have suspicious characteristics of malware in accordance with the protocol sequence to a virtual machine representing the destination device.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 39. The medium of claim 38, wherein upon execution of the computer readable code, the processor further performs operations comprising analyzing the effects of the modified packets that have suspicious characteristics of malware on the virtual machine to identify unauthorized activity.
  - 40. The medium of claim 38, wherein upon execution of the computer readable code, the processor further performs operations comprising receiving by a virtual switch the modified packets that have suspicious characteristics of malware transmitted by the replayer and routing the modified packets that have suspicious characteristics of malware to the virtual machine.
  - 41. The medium of claim 38, wherein the processor receiving packets from the network from a tap.
  - 42. The medium of claim 38, wherein upon execution of the computer readable code, the processor further performs operations comprising modifying the header of the packets that have suspicious characteristics of malware includes analyzing the packets that have suspicious characteristics of malware in a sequence to identify a first session identifier and substituting the first session identifier with a second session identifier associated with the virtual machine.
  - 43. The medium of claim 38, wherein upon execution of the computer readable code, the processor further performs operations comprising modifying the header of the packets that have suspicious characteristics of malware includes overwriting a first value of a field in the header of the packets that have suspicious characteristics of malware with a second value received from the virtual machine.
  - 44. The medium of claim 43, wherein the first value corresponds to an address of the destination device, and the second value corresponds to an address of the virtual machine.
  - 45. The medium of claim 38, wherein the replayer is configured to synchronize data received from the virtual machine.
  - 46. The medium of claim 38, wherein the virtual machine mimics a performance of the destination device thereby representing the destination device.
  - 47. The medium of claim 46, wherein the virtual machine mimics the performance of the destination device by mimicking the performance of an operating system of the destination device.
  - 48. The medium of claim 46, wherein the virtual machine mimics the performance of the destination device by mimicking the performance of ports of the destination device.
  - 49. The medium of claim 46, wherein the virtual machine mimics the performance of the destination device by mimicking the performance of drivers of the destination device.
  - 50. The medium of claim 46, wherein the virtual machine mimics the performance of the destination device by mimicking features of the destination device predetermined to be affected by the modified packets that have suspicious characteristics of malware.

51. A system comprising:
- an interface configured to receive data that is part of a data flow transmitted over a network between a first device and a second device, the received data being transmitted over the network in accordance with a protocol; and
  
  a controller communicatively coupled to the interface, the controller comprises one or more hardware processors, anda memory coupled to the one or more hardware processors, the memory comprises software that includesa first software module configured to receive the received data from the interface and identify a portion of the received data as suspicious based on a determination that the portion of the received data has characteristics of malware, anda second software module that includes a replayer configured to operate as the first device and a virtual machine configured to operate as the second device, the replayer configured to receive the portion of the received data identified as suspicious, modify the portion of the received data identified as suspicious, and transmit the modified portion of the received data identified as suspicious to the virtual machine in accordance with the protocol.
- View Dependent Claims (52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70)
- - 52. The system of claim 51, wherein the interface includes a tap.
  - 53. The system of claim 51, wherein the second software module further includes a virtual switch configured to receive the modified portion of the received data identified as suspicious transmitted by the replayer and route the modified portion of the received data identified as suspicious to the virtual machine.
  - 54. The system of claim 51, wherein the replayer of the second software module is configured to dynamically modify one or more variables in communications from the virtual machine to maintain the protocol between the replayer and the virtual machine.
  - 55. The system of claim 54, wherein the one or more variables includes at least one of assigned ports or transaction identifiers.
  - 56. The system of claim 54, wherein the one or more variables include a variable that is dynamic to a protocol session between the virtual machine and the replayer.
  - 57. The system of claim 51, wherein the first software module includes a heuristic module that is further configured to identify the portion of the received data as suspicious based on a determination that the received data is directed to an unassigned Internet Protocol (IP) address or is transmitted to an unassigned port address.
  - 58. The system of claim 51, wherein the memory further comprises a third software module that comprises a scheduler that is configured to retrieve the virtual machine from a virtual machine pool containing a plurality of virtual machines.
  - 59. The system of claim 51, wherein the memory further comprises a third software module that comprises a scheduler that configures the virtual machine to operate as the second device.
  - 60. The system of claim 59, wherein the scheduler dynamically configures the virtual machine based on a software profile of the second device.
  - 61. The system of claim 51, wherein the virtual machine of the second software module configured to operate as the second device with an operating system of the second device.
  - 62. The system of claim 51, wherein the replayer configured to operate as the first device by operating in accordance with a behavior of the first device in transmitting the modified portion of the received data identified as suspicious, andwherein the virtual machine configured to operate as the second device by operating with accordance with a performance of a feature of the second device affected by the modified portion of the received data identified as suspicious.
  - 63. The system of claim 51, wherein the replayer of the second software module modifying the portion of the received data identified as suspicious by at least changing a destination address.
  - 64. The system of claim 51, wherein the replayer of the second software module is configured to dynamically modify information within a response to a request initiated from the virtual machine that is configured to operate as a browser application to maintain the sequence of the protocol between the replayer and the virtual machine.
  - 65. The system of claim 64, wherein the replayer generating the response to mimic operations by a web server to which the request is directed.
  - 66. The system of claim 51, wherein the data comprises a plurality of related packets that are transmitted during a particular communication session.
  - 67. The system of claim 51, wherein the replayer comprises a queue to store the portion of the received data and, when in operation, simulates network communications from the first device with the virtual machine.
  - 68. The system of claim 51, wherein the replayer simulates network communications by modifying at least one of (i) a session identifier and (ii) session variables in the data packets to simulate a sequence of network communications.
  - 69. The system of claim 51, wherein the replayer simulates network communications by sending the received data as data packets to the virtual machine via a Transmission Control Protocol (TCP) connection or a User Datagram Protocol (UDP) session.
  - 70. The system of claim 51, wherein the replayer simulates network communications by synchronizes return network traffic by terminating the TCP connection or UDP session.

71. A system comprising:
- an interface configured to receive data transmitted over a network between a first device and a second device, the received data being transmitted over the network in accordance with a prescribed protocol; and
  
  a controller communicatively coupled to the interface, the controller comprisesone or more hardware processors, anda memory coupled to the one or more hardware processors, the memory comprises software that includesa first software module that, when processed by the one or more hardware processors, is configured to receive the received data from the interface and identify a portion of the received data as suspicious based on a determination that the portion of the received data has characteristics of malware, anda second software module that includes a replayer configured to operate as the first device and a virtual machine configured to operate as the second device, the replayer, when processed by the one or more hardware processors, is configured to receive the portion of the received data identified as suspicious, modify the portion of the received data identified as suspicious, and transmit the modified portion of the received data identified as suspicious to the virtual machine in accordance with the prescribed protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar, Radhakrishnan, Ramesh, Ismael, Osman
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US14/320,195
Time in Patent Office

617 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 9/45533   Hypervisors; Virtual machin...

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

System and method for analyzing packets

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

684 Citations

71 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for analyzing packets

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

684 Citations

71 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links