Systems and methods for unauthorized activity defense

US 9,306,960 B1
Filed: 08/19/2013
Issued: 04/05/2016
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A malicious traffic sensor adapted for coupling with a communication network, comprising:

one or more virtual computing systems to process network data that is associated with communications traffic received from the communication network and directed to a destination device and comprises one or more suspicious characteristics associated with malware, each of the one or more virtual computing systems includes a virtual machine to process the network data; and

a hardware-based controller communicatively coupled to the one or more virtual computing systems, the controller being configured tomonitor behaviors of the one or more virtual computing systems during processing of the network data,determine, during processing of the network data, that at least one of the monitored behaviors represents an anomalous behavior, the anomalous behavior includes an unauthorized activity that is conducted in response to processing of the network data within the one or more virtual computing systems that indicates the network data includes malware, andgenerate a signature that characterizes the malware.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.

707 Citations

79 Claims

1. A malicious traffic sensor adapted for coupling with a communication network, comprising:
- one or more virtual computing systems to process network data that is associated with communications traffic received from the communication network and directed to a destination device and comprises one or more suspicious characteristics associated with malware, each of the one or more virtual computing systems includes a virtual machine to process the network data; and
  
  a hardware-based controller communicatively coupled to the one or more virtual computing systems, the controller being configured tomonitor behaviors of the one or more virtual computing systems during processing of the network data,determine, during processing of the network data, that at least one of the monitored behaviors represents an anomalous behavior, the anomalous behavior includes an unauthorized activity that is conducted in response to processing of the network data within the one or more virtual computing systems that indicates the network data includes malware, andgenerate a signature that characterizes the malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The malicious traffic sensor of claim 1, wherein each of the one or more virtual computing systems using machine virtualization technologies to provide the virtual machine.
  - 3. The malicious traffic sensor of claim 2 being transparent to the communication network.
  - 4. The malicious traffic sensor of claim 2, wherein the network data comprises a copied portion of the communications traffic from the communication network.
  - 5. The malicious traffic sensor of claim 4, wherein the one or more virtual computing systems to process the network data by performing a plurality of network activities on the network data.
  - 6. The malicious traffic sensor of claim 1, wherein the malware includes malicious traffic that is part of the communications traffic.
  - 7. The malicious traffic sensor of claim 1 being in communication via the communication network with a management system that is configured to obtain the signature and distribute the signature to a malicious traffic blocking system.
  - 8. The malicious traffic sensor of claim 7 being in communication via the communication network with the management system that automatically distributes the signature to the malicious traffic blocking system.
  - 9. The malicious traffic sensor of claim 7 communicatively coupled to a management system to deactivate the malicious traffic sensor in response to a lack of payment of a subscription fee.
  - 10. The malicious traffic sensor of claim 1, wherein the signature is based on a universal resource locator (URL).
  - 11. The malicious traffic sensor of claim 10, wherein the signature is for use by an inline signature based intrusion detection system, the signature being shared with the inline signature based intrusion detection system.
  - 12. The malicious traffic sensor of claim 1, wherein the controller provides the signature to a malicious traffic blocking system.
  - 13. The malicious traffic sensor of claim 12, wherein the malicious traffic blocking system, using the signature, blocks incoming network data subsequent to the network data when the incoming network data includes a portion of the network data determined as being associated with malware.
  - 14. The malicious traffic sensor of claim 13 being separate from and in communications with the malicious traffic blocking system operating as a network appliance.
  - 15. The malicious traffic sensor of claim 13 being collocated with the malicious traffic blocking system.
  - 16. The malicious traffic sensor of claim 15, wherein the malicious traffic blocking system operating as an intrusion detection and protection system.
  - 17. The malicious traffic sensor of claim 12, wherein the signature characterizes the anomalous behavior monitored during processing of the network data within the one or more virtual computing systems.
  - 18. The malicious traffic sensor of claim 12, wherein the signature includes characteristics associated with data contained in the network data that includes malware.
  - 19. The malicious traffic sensor of claim 1, wherein the controller provides the signature to a network router operating as a malicious traffic blocking system.
  - 20. The malicious traffic sensor of claim 19, wherein the controller comprises a heuristic module that receives at least the network data and conducts heuristic analysis on the network data to determine if the network data comprises one or more suspicious characteristics.
  - 21. The malicious traffic sensor of claim 20, wherein the one or more suspicious characteristics indicate that the network data should be analyzed within the one or more virtual computing systems to determine whether or not the network data comprises malware.
  - 22. The malicious traffic sensor of claim 21, wherein the network data is identified as suspicious based on a suspicious activity threshold.
  - 23. The malicious traffic sensor of claim 22, wherein the suspicious activity threshold comprises a threshold in that one or more commands within the part of the communications traffic cause the network data to be identified as suspicious.
  - 24. The malicious traffic sensor of claim 22, wherein the suspicious activity threshold comprises a threshold in that a combination of commands or a repetitive set of commands within the part of the communications traffic cause the network data to be identified as suspicious.
  - 25. The malicious traffic sensor -of claim 1, wherein the malware is a passive computer worm propagating within the communication network.

26. A method comprising:
- monitoring communications traffic from a communication network;
  
  receiving network data that includes a copied portion of the communications traffic from the communication network directed to a destination device, the network data comprises one or more suspicious characteristics of malware, wherein the one or more suspicious characteristics indicating that the network data should be analyzed to determine whether or not the network data comprises malware;
  
  determining whether the network data comprises malware by analyzing the network data, the analyzing of the network data comprising (i) monitoring behaviors of at least one virtual machine during a processing of the network data within the at least one virtual machine of an analysis environment and (ii) determining, during the processing of the network data, that at least one monitored behavior represents an anomalous behavior, the anomalous behavior includes an unauthorized activity that is conducted in response to processing of the network data within the at least one virtual machine and that indicates the network data includes malware; and
  
  generating a signature that characterizes the malware in response to the network data being determined to include malware during processing of the network data within the at least one virtual machine.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 27. The method of claim 26, wherein the analysis environment further comprises a replayer that simulates communications of the network data from a source device by modifying session variables and virtual switch for forwarding the network data to the at least one virtual machine.
  - 28. The method of claim 26, wherein the receiving of the network data comprising:
    - copying the network data that is a portion of the communications traffic from the communication network; and
      
      processing the network data in a virtual computer network including the at least one virtual machine.
  - 29. The method of claim 26, wherein the processing of the network data comprises:
    - executing a virtual machine of the at least one virtual machine;
      
      transmitting the network data to a virtual destination device; and
      
      identifying the anomalous behavior by analyzing a response of the virtual destination device to the network data.
  - 30. The method of claim 26 further comprising distributing the signature from a first unauthorized activity detection system including the at least the virtual machine to a second unauthorized activity detection system.
  - 31. The method of claim 30, wherein the distributing of the signature is performed by a management system.
  - 32. The method of claim 30, wherein distributing the signature comprises charging a fee to a subscriber associated with the second unauthorized activity detection system.
  - 33. The method of claim 30 further comprising blocking incoming network data subsequent to the network data from propagating in a communication network associated with the second unauthorized activity detection system.
  - 34. The method of claim 33, wherein the blocking of the incoming network data from propagating in the communication network comprises, using the signature, to block the incoming network data from being downloaded into a prescribed computing system.
  - 35. The method of claim 34, wherein the second unauthorized activity detection system being separate from and in communications with the malicious traffic blocking system operating as a network appliance.
  - 36. The method of claim 34, wherein the second unauthorized activity detection system being collocated with a malicious traffic sensor that is configured for the monitoring of the communications traffic, the receiving of the network data, and the determining whether the network data, the malicious traffic sensor includes a hardware-based controller.
  - 37. The method of claim 36, wherein the second unauthorized activity detection system operating as an intrusion detection and protection system.
  - 38. The method of claim 26, wherein the generating of the signature further comprises:
    - generating one or more network activities within the at least one virtual machine based on a pattern of network activities; and
      
      determining the signature that characterizes the malware by comparing observed behavior in the at least one virtual machine with behavior expected from the pattern of network activities.
  - 39. The method of claim 38, wherein the pattern of network activities dynamically changes over time.
  - 40. The method of claim 26, wherein the malware is a passive computer worm propagating within the communication network.
  - 41. The method of claim 26, further comprising:
    - detecting the malware within the network data; and
      
      blocking the propagation of the network data within the communication network.
  - 42. The method of claim 26, wherein the monitoring of the behaviors of at least one virtual machine during the processing of the network data further comprises monitoring processing of one or more data contents of the network data.
  - 43. The method of claim 26, the monitoring of the behaviors of at least one virtual machine during the processing of the network data further comprises monitoring processing of packets of the network data.
  - 44. The method of claim 26, wherein the monitoring of the behaviors of at least one virtual machine during the processing of the network data further comprises monitoring a processing of information that is part of the network data.
  - 45. The method of claim 26, wherein the monitoring of the communications traffic, the receiving of the network data, and the determining whether the network data comprises malware is conducted within a malicious traffic sensor, the malicious traffic sensor includes a hardware-based controller.
  - 46. The method of claim 26, wherein the signature characterizes the anomalous behavior monitored during processing of the network data within the at least one virtual machine.
  - 47. The method of claim 26, wherein the signature includes characteristics associated with data contained in the network data that includes malware.

48. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor to perform operations comprising:
- monitoring communications traffic from a communication network;
  
  receiving network data that includes a copied portion of the communications traffic from the communication network, the network data comprises one or more suspicious characteristics of malware, wherein the one or more suspicious characteristics indicating that the network data should be analyzed to determine whether or not the network data comprises malware;
  
  determining whether the network data comprises malware by analyzing the network data, the analyzing of the network data comprising (i) monitoring behavior of a virtual machine during processing of the network data within the virtual machine, and (ii) determining that the monitored behavior represents an anomalous behavior, the anomalous behavior includes an unauthorized activity that is conducted in response to processing of the network data within the virtual machine and that indicates the network data includes malware; and
  
  generating a signature that characterizes the malware in response to the network data being determined to include malware during processing of the network data within the virtual machine.
- View Dependent Claims (49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61)
- - 49. The non-transitory machine readable medium of claim 48, wherein the virtual machine comprises a virtual computing system using machine virtualization technologies that processes the network data.
  - 50. The non-transitory machine readable medium of claim 49, wherein the receiving of the network data from the communication network comprises copying at least the network data being a portion of the communications traffic;
    - andprocessing of the network data in a virtual computer network that comprises the virtual machine.
  - 51. The non-transitory machine readable medium of claim 50, wherein the processing of the network data comprises:
    - executing the virtual machine that comprises a virtual destination device;
      
      transmitting the network data to a virtual destination device; and
      
      identifying anomalous behavior by analyzing a response of the virtual destination device to receipt of the network data.
  - 52. The non-transitory machine readable medium of claim 51, wherein the executable code being executable by the processor to perform operations further comprises blocking malicious traffic including the malware from propagating in the communication network.
  - 53. The non-transitory machine readable medium of claim 48, wherein the executable code being executable by the processor to perform operations further comprising distributing the signature from a first unauthorized activity detection system including the virtual machine to a second unauthorized activity detection system.
  - 54. The non-transitory machine readable medium of claim 53, wherein the distributing of the signature is performed by a management system.
  - 55. The non-transitory machine readable medium of claim 53, wherein the distributing of the signature comprises charging a fee to a subscriber associated with the second unauthorized activity detection system.
  - 56. The non-transitory machine readable medium of claim 48, wherein the executable code, being executable by the processor to perform an operation of the generating of the signature, further comprises:
    - generating one or more network activities within a virtual machine based on a pattern of network activities; and
      
      determining the signature that characterizes the malware by comparing observed behavior in the virtual machine with behavior expected from the pattern of network activities.
  - 57. The non-transitory machine readable medium of claim 56, wherein the pattern of network activities dynamically changes over time.
  - 58. The non-transitory machine readable medium of claim 48, wherein the malware is a passive computer worm propagating within the communication network.
  - 59. The non-transitory machine readable medium of claim 48, wherein the executable code, when executed by the processor, further performs the operations comprising:
    - blocking the propagation of the network data within the communication network.
  - 60. The non-transitory machine readable medium of claim 48, wherein the signature characterizes the anomalous behavior monitored during processing of the network data within the virtual machine.
  - 61. The non-transitory machine readable medium of claim 48, wherein the signature includes characteristics associated with data contained in the network data that includes malware.

62. An apparatus, comprising:
- a hardware processor; and
  
  a memory storage device communicatively coupled with the hardware processor, the memory storage device comprisesa software configuration unit that is configured to generate one or more virtual machines to process data received as input by the one or more virtual machines, the data comprises one or more suspicious characteristics associated with malware and being a portion of information being transmitted over a network, anda controller communicatively coupled to the memory storage device, the controller configured tomonitor behaviors of the one or more virtual machines during processing of the data,determine, during processing of the data, that at least one of the monitored behaviors represents an anomalous behavior that indicates the data includes malware, the anomalous behavior includes an unauthorized activity that is conducted during the processing of the data by the one or more virtual machines, andgenerate a signature that characterizes the malware.
- View Dependent Claims (63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79)
- - 63. The apparatus of claim 62 further comprising a tap that is communicatively coupled to the network to receive the information being transmitted over the network and send a copy of the information as the data for processing by the one or more virtual machines.
  - 64. The apparatus of claim 63, wherein the one or more virtual machines to process the data by performing a plurality of network activities on the data.
  - 65. The apparatus of claim 62 being in communication with a management system that is configured to obtain the signature and distribute the signature to a malicious traffic blocking system.
  - 66. The apparatus of claim 65 being in communications with the management system that automatically distributes the signature to the malicious traffic blocking system.
  - 67. The apparatus of claim 65, wherein the malicious traffic blocking system, using the signature, blocks incoming data subsequent to the data when the incoming data includes the data that includes malware.
  - 68. The apparatus of claim 65 being separate from and in communications with the malicious traffic blocking system operating as a network appliance.
  - 69. The apparatus of claim 65 being collocated with the malicious traffic blocking system.
  - 70. The apparatus of claim 69, wherein the malicious traffic blocking system operating as an intrusion detection and protection system.
  - 71. The apparatus of claim 62 being in communications with a management system that is configured to deactivate the apparatus in response to a lack of payment of a subscription fee.
  - 72. The apparatus of claim 62, wherein the anomalous behavior includes an unauthorized activity that is conducted by the data in response to processing of the data within the one or more virtual machines.
  - 73. The apparatus of claim 62, wherein the controller to generate the signature based on a universal resource locator (URL).
  - 74. The apparatus of claim 62, wherein the controller provides the signature to a malicious traffic blocking system.
  - 75. The apparatus of claim 62, wherein the controller provides the signature to a network router operating as a malicious traffic blocking system.
  - 76. The apparatus of claim 75, wherein the controller comprises a heuristic module that receives at least the data and conducts heuristic analysis on the data to determine if the data comprises one or more suspicious characteristics.
  - 77. The apparatus of claim 76, wherein the one or more virtual machines of the controller to receive the data that comprises one or more suspicious characteristics after analysis of the data by the heuristic module.
  - 78. The apparatus of claim 62, wherein the signature characterizes the anomalous behavior monitored during processing of the network data within the one or more virtual machines.
  - 79. The apparatus of claim 62, wherein the signature includes characteristics associated with a portion of the data that has been determined to include malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar
Primary Examiner(s)
Chen, Shin-Hon

Application Number

US13/970,248
Time in Patent Office

960 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595   Network integration; Enabli...

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 9/45537   Provision of facilities of ...

G06F 9/45558   Hypervisor-specific managem...

G06Q 20/10   specially adapted for elect...

H04L 63/0227   Filtering policies mail mes...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491 : using deception as counterm...

H04L 63/20 : for managing network securi...

View All

Systems and methods for unauthorized activity defense

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

707 Citations

79 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for unauthorized activity defense

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

707 Citations

79 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links