Systems and methods for unauthorized activity defense
5 Assignments
0 Petitions
Abstract
A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.
707 Citations
79 Claims
1. A malicious traffic sensor adapted for coupling with a communication network, comprising:

one or more virtual computing systems to process network data that is associated with communications traffic received from the communication network and directed to a destination device and comprises one or more suspicious characteristics associated with malware, each of the one or more virtual computing systems includes a virtual machine to process the network data; and a hardware-based controller communicatively coupled to the one or more virtual computing systems, the controller being configured to monitor behaviors of the one or more virtual computing systems during processing of the network data, determine, during processing of the network data, that at least one of the monitored behaviors represents an anomalous behavior, the anomalous behavior includes an unauthorized activity that is conducted in response to processing of the network data within the one or more virtual computing systems that indicates the network data includes malware, and generate a signature that characterizes the malware.

Dependent claims: 2 to 25.

26. A method comprising:

monitoring communications traffic from a communication network; receiving network data that includes a copied portion of the communications traffic from the communication network directed to a destination device, the network data comprises one or more suspicious characteristics of malware, wherein the one or more suspicious characteristics indicating that the network data should be analyzed to determine whether or not the network data comprises malware; determining whether the network data comprises malware by analyzing the network data, the analyzing of the network data comprising (i) monitoring behaviors of at least one virtual machine during a processing of the network data within the at least one virtual machine of an analysis environment and (ii) determining, during the processing of the network data, that at least one monitored behavior represents an anomalous behavior, the anomalous behavior includes an unauthorized activity that is conducted in response to processing of the network data within the at least one virtual machine and that indicates the network data includes malware; and generating a signature that characterizes the malware in response to the network data being determined to include malware during processing of the network data within the at least one virtual machine.

Dependent claims: 27 to 47.

48. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor to perform operations comprising:

monitoring communications traffic from a communication network; receiving network data that includes a copied portion of the communications traffic from the communication network, the network data comprises one or more suspicious characteristics of malware, wherein the one or more suspicious characteristics indicating that the network data should be analyzed to determine whether or not the network data comprises malware; determining whether the network data comprises malware by analyzing the network data, the analyzing of the network data comprising (i) monitoring behavior of a virtual machine during processing of the network data within the virtual machine, and (ii) determining that the monitored behavior represents an anomalous behavior, the anomalous behavior includes an unauthorized activity that is conducted in response to processing of the network data within the virtual machine and that indicates the network data includes malware; and generating a signature that characterizes the malware in response to the network data being determined to include malware during processing of the network data within the virtual machine.

Dependent claims: 49 to 61.

62. An apparatus, comprising:

a hardware processor; and a memory storage device communicatively coupled with the hardware processor, the memory storage device comprises a software configuration unit that is configured to generate one or more virtual machines to process data received as input by the one or more virtual machines, the data comprises one or more suspicious characteristics associated with malware and being a portion of information being transmitted over a network, and a controller communicatively coupled to the memory storage device, the controller configured to monitor behaviors of the one or more virtual machines during processing of the data, determine, during processing of the data, that at least one of the monitored behaviors represents an anomalous behavior that indicates the data includes malware, the anomalous behavior includes an unauthorized activity that is conducted during the processing of the data by the one or more virtual machines, and generate a signature that characterizes the malware.

Dependent claims: 63 to 79.
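As an added illustration that is not part of the patent or of any product it describes, the following Python models the containment flow of claim 1 and the abstract: copied traffic is pre-filtered for suspicious characteristics, the controller watches the behaviours a VM exhibits while processing it, any behaviour outside an authorized set counts as unauthorized activity indicating malware, a signature is generated, and a management system distributes it to the blocking systems of other containment systems. The allow-list, the "MZ on port 135/445" pre-filter, the hash-based signature scheme and the VM behaviour traces are constructed assumptions for this example.

```python
import hashlib
from dataclasses import dataclass, field

# Behaviours the controller treats as authorized while a VM processes ordinary
# traffic (constructed allow-list; a real deployment derives it from policy).
AUTHORIZED = {"read_request", "write_response", "log_access"}

def signature_of(payload: bytes) -> str:
    """Characterise the malware by hashing its leading bytes (constructed scheme)."""
    return hashlib.sha256(payload[:64]).hexdigest()

def is_suspicious(pkt: dict) -> bool:
    """Pre-filter on copied traffic: service port 135/445 carrying a PE 'MZ' marker."""
    return pkt["dst_port"] in {135, 445} and b"MZ" in pkt["payload"]

def worm_sensor(pkt: dict, vm_trace: list, authorized=AUTHORIZED):
    """Controller logic of claim 1: pass suspicious network data to a VM, monitor the
    behaviours it exhibits, treat any behaviour outside the authorized set as
    unauthorized activity indicating malware, and return a signature for it.
    vm_trace stands in for the behaviour log an instrumented VM would report."""
    if not is_suspicious(pkt):
        return None  # not worth the cost of VM analysis
    anomalous = [b for b in vm_trace if b not in authorized]
    return signature_of(pkt["payload"]) if anomalous else None

@dataclass
class BlockingSystem:
    """Blocking system of one containment system; enforces distributed signatures."""
    network: str
    signatures: set = field(default_factory=set)

    def permits(self, payload: bytes) -> bool:
        return signature_of(payload) not in self.signatures

def distribute(signature: str, blocking_systems: list) -> None:
    """Management-system role: push one sensor's signature to every containment system."""
    for bs in blocking_systems:
        bs.signatures.add(signature)

# Constructed samples: a worm-like payload mirrored off the production network, and a
# benign transfer that trips the pre-filter but behaves normally inside the VM.
WORM = {"dst_port": 445, "payload": b"MZ" + b"\x90" * 40 + b"spread"}
WORM_TRACE = ["read_request", "write_file:C:\\Windows\\System32\\w.exe",
              "connect:10.0.0.7:445", "connect:10.0.0.8:445"]
BENIGN = {"dst_port": 445, "payload": b"MZ" + b"legit-installer"}
BENIGN_TRACE = ["read_request", "write_response", "log_access"]
```

The benign sample shows why the behavioural stage matters: it passes the static pre-filter yet produces no signature, so only the sample that actually performs unauthorized activity ends up blocked on every network.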