System and method for detecting malicious traffic using a virtual machine configured with a select software environment
5 Assignments
0 Petitions
Abstract
The system comprises a traffic analysis device in communication with a network device. The traffic analysis device can analyze network traffic received over a communication network and duplicate at least select network communications within the network traffic having characteristics associated with malicious traffic when the network communications are determined through heuristic analysis to satisfy a heuristic threshold. The network device comprises a controller in communication with one or more virtual machines that are configured to (i) receive the duplicated network communications from the traffic analysis device, (ii) monitor a behavior of a first virtual machine of the one or more virtual machines in response to processing of the duplicated network communications within the first virtual machine, (iii) identify an anomalous behavior as an unexpected occurrence in the monitored behavior, and (iv) determine, based on the identified anomalous behavior, the presence of the malicious traffic in the duplicated network communications.
518 Citations
57 Claims
1. A network device comprising:
- a plurality of virtual machines based on one or more software modules stored within a memory storage device; and
- a hardware controller, operating with a first virtual machine of the plurality of virtual machines to (i) monitor one or more behaviors of at least the first virtual machine, (ii) accelerate one or more activities in the first virtual machine to detect a time-delayed malware that performs one or more operations to avoid detection, the accelerating of the one or more activities comprises (a) intercepting one or more time-sensitive system calls and (b) modifying the one or more time-sensitive system calls or corresponding one or more responses to the one or more of the time-sensitive system calls, (iii) identify at least one behavior of the one or more monitored behaviors as an anomalous behavior, and (iv) detect, based at least in part on the identified at least one anomalous behavior, the time-delayed malware in the first virtual machine.
Dependent claims: 2-10.

11. A network device comprising:
- a plurality of virtual machines based on one or more software modules stored within a memory storage device; and
- a hardware controller operating with a first virtual machine of the plurality of virtual machines to (i) monitor one or more behaviors of at least the first virtual machine, (ii) accelerate one or more activities in the first virtual machine to reduce an amount of time to detect a time-delayed malware that performs one or more operations to avoid detection by (a) intercepting one or more time-sensitive system calls and (b) modifying the intercepted one or more time-sensitive system calls, (iii) identify at least one behavior of the one or more monitored behaviors as an anomalous behavior, and (iv) detect, based at least in part on the identified at least one anomalous behavior, the time-delayed malware in the first virtual machine.
Dependent claims: 12-17.

18. A network device comprising:
- a plurality of virtual machines based on one or more software modules stored within a memory storage device; and
- a hardware controller operating with a first virtual machine of the plurality of virtual machines, the hardware controller accelerating one or more activities in the first virtual machine by at least (i) identifying a time consuming program loop executing in the first virtual machine and monitoring one or more behaviors of the time consuming program loop, (ii) accelerating execution of the time consuming program loop in the first virtual machine to detect a time-delayed malware that is attempting to avoid detection, wherein the hardware controller further (iii) identifying at least one anomalous behavior of the one or more monitored behaviors, and (iv) detecting, based at least in part on the identifying of the at least one anomalous behavior, the time-delayed malware operating with the time consuming program loop in the first virtual machine.
Dependent claims: 19.

20. A method for detecting a presence of malware within data under analysis, the method comprising:
- monitoring, by a controller, one or more behaviors that have occurred in response to processing the data under analysis within a first virtual machine;
- accelerating, by the controller operating with the first virtual machine, one or more activities in the first virtual machine to detect a time-delayed malware that performs one or more operations to avoid detection, the accelerating of the one or more activities comprises intercepting one or more time-sensitive system calls and modifying one or more responses to the one or more of the time-sensitive system calls;
- identifying, by the controller, at least one anomalous behavior in the one or more monitored behaviors; and
- detecting, by the controller, the time-delayed malware in the data based, at least in part, on the identified at least one anomalous behavior.
Dependent claims: 21.

22. A network device comprising:
- a plurality of virtual machines operating within the network device; and
- a hardware controller in communication with and operating in conjunction with a first virtual machine of the plurality of virtual machines, to (i) monitor one or more behaviors of at least the first virtual machine, (ii) accelerate one or more activities in the first virtual machine, to reduce an amount of time needed to detect a time-delayed malware that performs one or more operations to avoid detection, by at least intercepting one or more time-sensitive system calls and modifying one or more responses to the one or more of the time-sensitive system calls, (iii) identify at least one anomalous behavior in the one or more monitored behaviors, and (iv) detect, based at least in part on the identified at least one anomalous behavior, the time-delayed malware in the first virtual machine.
Dependent claims: 23-29.

30. A network device comprising:
- a plurality of virtual machines operating within the network device; and
- a hardware controller operating with at least a first virtual machine of the plurality of virtual machines to (a) monitor one or more behaviors of at least the first virtual machine of the plurality of virtual machines, (b) accelerate one or more activities in the first virtual machine to detect a time-delayed malware that performs one or more operations to avoid detection by at least (i) intercepting a system call and (ii) modifying a response to the intercepted system call so as to accelerate the one or more activities in the first virtual machine that are occurring during processing of data under analysis by the first virtual machine, (c) identify at least one anomalous behavior in the one or more monitored behaviors, and (d) detect, based at least in part on the identified at least one anomalous behavior, the time-delayed malware in the data under analysis processed by the first virtual machine.
Dependent claims: 31, 32.

33. A network device comprising:
- a plurality of virtual machines operating within the network device; and
- a hardware controller operating with at least a first virtual machine of the plurality of virtual machines to (a) monitor one or more behaviors of at least the first virtual machine of the plurality of virtual machines, (b) accelerate one or more activities in the first virtual machine to detect a time-delayed malware that performs one or more operations to avoid detection by at least (i) identifying a time consuming program loop executing in the first virtual machine, and (ii) accelerating execution of the time consuming program loop in the first virtual machine by increasing a priority of execution of the time consuming program loop in the first virtual machine, (c) identify at least one anomalous behavior in the one or more monitored behaviors, and (d) detect, based at least in part on the identified at least one anomalous behavior, the time-delayed malware in the first virtual machine.

34. A system comprising:
- a traffic analysis device configured to receive data over a communication network; and
- a network device in communication with the traffic analysis device, the network device to receive suspicious data from the traffic analysis device, wherein the network device comprises (1) a plurality of virtual machines including a first virtual machine and (2) a controller operating with at least the first virtual machine of the plurality of virtual machines to (a) monitor one or more behaviors of at least the first virtual machine processing the suspicious data, (b) accelerate the one or more activities in the first virtual machine to detect a time-delayed malware that performs one or more operations to avoid detection by controlling interception of one or more time-sensitive system calls and modifying one or more responses to the one or more of the time-sensitive system calls, (c) identify at least one behavior of the one or more behaviors as an anomalous behavior, and (d) detect, based at least in part on the identified at least one anomalous behavior, the time-delayed malware within the suspicious data processed by the first virtual machine.
Dependent claims: 35-45.

46. A system comprising:
- a traffic analysis device configured to receive data over a communication network; and
- a network device in communication with the traffic analysis device, the network device to receive suspicious data from the traffic analysis device, wherein the network device comprises (1) a plurality of virtual machines including a first virtual machine and (2) a controller operating with at least the first virtual machine of the plurality of virtual machines to (a) monitor behaviors of at least the first virtual machine, (b) accelerate one or more activities in the first virtual machine, to reduce an amount of time needed to detect a time-delayed malware that performs one or more operations to avoid detection, by (i) identifying a time consuming program loop executing in the first virtual machine and (ii) accelerating execution of the time consuming program loop in the first virtual machine, (c) identify at least one anomalous behavior of the monitored behaviors, and (d) detect, based at least in part on the identified at least one anomalous behavior, the time consuming program loop being associated with the time-delayed malware within the first virtual machine.
Dependent claims: 47-49.

50. A network device comprising:
- one or more virtual machines, including a first virtual machine; and
- a hardware controller operating with the one or more virtual machines to (i) monitor one or more behaviors of at least the first virtual machine during processing of data under analysis, (ii) accelerate one or more activities in at least the first virtual machine to detect a time-delayed malware that performs one or more operations to avoid detection by intercepting one or more time-sensitive system calls and modifying one or more responses to the one or more of the time-sensitive system calls, (iii) identify at least one behavior of the one or more behaviors as an anomalous behavior, and (iv) detect, based at least in part on the identified at least one anomalous behavior, the time-delayed malware within the data.
Dependent claims: 51-57.
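The independent claims all turn on one mechanism: intercept the guest's time-sensitive calls and modify their responses so a delay loop completes quickly, then look for anomalous behaviour in what runs afterwards. The following Python toy models that mechanism as an added illustration; it is not the patent's or any product's code. The guest callables, the sleep/now hooks, the starting clock value and the anomalous behaviour names are all constructed assumptions.

```python
import time

# Names of guest behaviours treated as anomalous; constructed for this demo.
ANOMALOUS = {"persistence_write", "outbound_beacon"}


class AcceleratingMonitor:
    """Hooks the guest's time-sensitive calls and fast-forwards a virtual clock."""
    def __init__(self, start=1_700_000_000.0):
        self.vclock = start      # clock value the guest sees (constructed epoch)
        self.events = []         # monitored behaviours: (name, virtual timestamp)

    def sleep(self, seconds):
        # Intercepted sleep: advance the guest-visible clock instead of blocking,
        # so a minutes-long delay loop finishes in wall-clock milliseconds.
        self.vclock += seconds
        self.events.append(("sleep", self.vclock))

    def now(self):
        # Modified response: the clock stays consistent with the skipped sleeps,
        # so the guest's own "has enough time passed?" check is satisfied.
        return self.vclock

    def record(self, behaviour):
        self.events.append((behaviour, self.vclock))


def time_delayed_sample(vm):
    """Constructed guest: waits ten minutes by its own clock before acting."""
    start = vm.now()
    while vm.now() - start < 600:
        vm.sleep(60)
    vm.record("persistence_write")
    vm.record("outbound_beacon")


def benign_sample(vm):
    """Constructed guest with no delayed or anomalous behaviour."""
    vm.record("file_read")


def analyse(sample):
    """Run a guest under the monitor; report anomalies and virtual vs wall time."""
    vm = AcceleratingMonitor()
    start_v, start_w = vm.vclock, time.monotonic()
    sample(vm)
    anomalies = [name for name, _ in vm.events if name in ANOMALOUS]
    return {"malicious": bool(anomalies), "anomalies": anomalies,
            "virtual_seconds": vm.vclock - start_v,
            "wall_seconds": time.monotonic() - start_w}
```

Running `analyse(time_delayed_sample)` reports 600 virtual seconds elapsed but well under a second of wall time, with both anomalous behaviours captured; the benign guest is reported clean.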
Specification