System, device and method for detecting a malicious attack based on communications between remotely hosted virtual machines and malicious web servers
First Claim
1. A network security system comprising:
a security network device including a preliminary analysis engine to conduct an analysis on network traffic and to upload one or more identifiers associated with the network traffic when the analysis determines that at least one object included in the network traffic may be associated with an exploit; and
a detection cloud remotely located from the preliminary analysis engine, the detection cloud including a hardware communication interface communicatively coupled with the security network device, and a dynamic analysis engine communicatively coupled to the hardware communication interface, the dynamic analysis engine to receive the one or more identifiers including a first identifier identifying a source of the network traffic that includes the at least one object, the dynamic analysis engine comprises one or more virtual machines that are adapted to execute a browser application and establish communications with at least one server by accessing a website hosted by the at least one server using the first identifier; and
monitoring logic in communication with the one or more virtual machines, the monitoring logic to detect anomalous behaviors by the one or more virtual machines based on the communications with the at least one server.
Abstract
In an embodiment, a dynamic analysis engine is configured to receive an identifier associated with a source for network traffic including at least one object having at least a prescribed probability of being associated with an exploit. Deployed within a detection cloud, the dynamic analysis engine comprises one or more virtual machines and monitoring logic. The virtual machines are adapted to virtually process the identifier by establishing a communication session with a server hosting a website accessible by the identifier. In communication with the virtual machines, the monitoring logic is adapted to detect anomalous behaviors by the virtual machines during the communication session with the server.
59 Claims
1. A network security system comprising:
a security network device including a preliminary analysis engine to conduct an analysis on network traffic and to upload one or more identifiers associated with the network traffic when the analysis determines that at least one object included in the network traffic may be associated with an exploit; and a detection cloud remotely located from the preliminary analysis engine, the detection cloud including a hardware communication interface communicatively coupled with the security network device, and a dynamic analysis engine communicatively coupled to the hardware communication interface, the dynamic analysis engine to receive the one or more identifiers including a first identifier identifying a source of the network traffic that includes the at least one object, the dynamic analysis engine comprises one or more virtual machines that are adapted to execute a browser application and establish communications with at least one server by accessing a website hosted by the at least one server using the first identifier; and monitoring logic in communication with the one or more virtual machines, the monitoring logic to detect anomalous behaviors by the one or more virtual machines based on the communications with the at least one server.
(Dependent claims 2 to 21 not shown.)
22. A system comprising:
a hardware communication interface for coupling to a network; a dynamic analysis engine communicatively coupled to the communication interface, the dynamic analysis engine to receive one or more identifiers including a first identifier identifying a source of network traffic including at least one object that is considered to be potentially associated with an exploit, the dynamic analysis engine comprises one or more virtual machines that are adapted to process a browser application using at least the first identifier of the one or more identifiers to establish communications with at least one server hosting a website, and monitoring logic in communication with the one or more virtual machines, the monitoring logic to detect anomalous behaviors by the browser application being processed by the one or more virtual machines based on the communications with the at least one server; and a preliminary analysis engine communicatively coupled to and geographically remote from the dynamic analysis engine, the preliminary analysis engine to conduct an analysis on the network traffic and to upload the one or more identifiers associated with the network traffic to the dynamic analysis engine over the network when the analysis determines that at least one object included in the network traffic is potentially considered to be associated with the exploit, wherein the preliminary analysis engine is deployed within a security network device at a customer premises while the dynamic analysis engine is deployed within a detection cloud.
(Dependent claims 23 to 40 not shown.)
41. A computerized method comprising:
receiving, from a security network device via a network and in response to conducting an analysis of incoming network traffic for malware, one or more identifiers including a first identifier associated with a source of the network traffic that includes at least one object that is determined to be potentially associated with an exploit for storage in a data store; responsive to receipt of the first identifier that is stored in the data store, processing a browser application by one or more virtual machines operating as part of virtual execution logic and establishing communications with at least one server by accessing a website hosted by the at least one server using the first identifier; and detecting anomalous behaviors during processing of the browser application by the one or more virtual machines based on the communications with the at least one server.
(Dependent claims 42 to 52 not shown.)
53. A computerized method comprising:
conducting an analysis, by a security network device at a customer premises, on network traffic received via a network and uploading one or more identifiers including a first identifier associated with the network traffic when the analysis determines that at least one object included in the network traffic is potentially associated with an exploit; receiving the one or more identifiers including the first identifier identifying a source of the network traffic for storage in a data store that is part of a detection cloud; responsive to receipt of the first identifier that is stored in the data store, executing at least a browser application by one or more virtual machines operating as part of virtual execution logic within the detection cloud and using the first identifier to establish communications by the detection cloud with at least one server hosting a website accessible by the first identifier; and detecting anomalous behaviors by the one or more virtual machines executing the browser application based on the communications with the at least one server.
(Dependent claims 54 to 59 not shown.)
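The two-tier arrangement recited in the abstract and in method claims 41 and 53 (a premises-side preliminary analysis engine that uploads only the source identifier of a suspicious object, a data store in a remote detection cloud, a VM-hosted browser that visits the identified site, and monitoring logic over that session) is modelled below in Python as an added example. This is not code from the patent or its assignee. The hosts, traffic bodies, heuristics, threshold, VM event traces and rule set are all constructed assumptions, and the VM visit is stubbed with a lookup table rather than a real browser or network.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# ---- tier 1: preliminary analysis engine in the premises security device ----

@dataclass
class TrafficObject:
    source_url: str      # identifier of the object's source; this is what gets uploaded
    content_type: str
    body: bytes

# Assumed cheap static heuristics; a real engine would use far richer signals.
OBFUSCATION = re.compile(rb"unescape\(|eval\(|fromCharCode|%u[0-9a-fA-F]{4}")
HIDDEN_IFRAME = re.compile(rb"<iframe[^>]*(width=.0.|height=.0.|display:\s*none)", re.I)
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")
UPLOAD_THRESHOLD = 0.5   # assumed "prescribed probability" above which an identifier is uploaded

def preliminary_score(obj: TrafficObject) -> float:
    """Rough probability that the object is associated with an exploit."""
    score = 0.0
    if obj.body.startswith(EXECUTABLE_MAGIC) and obj.content_type.startswith(("text/", "image/")):
        score += 0.6   # executable served under a non-executable content type
    if len(OBFUSCATION.findall(obj.body)) >= 2:
        score += 0.3   # stacked obfuscation primitives, typical of exploit-kit landing pages
    if HIDDEN_IFRAME.search(obj.body):
        score += 0.3   # invisible iframe pulling in further content
    return min(score, 1.0)

def preliminary_analysis(objects):
    """Return the identifiers to upload; the objects themselves stay on premises."""
    uploads = []
    for obj in objects:
        p = preliminary_score(obj)
        if p >= UPLOAD_THRESHOLD:
            uploads.append({"source_url": obj.source_url, "probability": round(p, 2)})
    return uploads

# ---- tier 2: detection cloud, geographically remote from the device ----

@dataclass
class VmEvent:
    kind: str      # "navigate", "file", "process" or "network"
    detail: str

# Constructed stand-in for what the guest monitor would record while the VM's
# browser renders each site; a real detection cloud collects this live.
SIMULATED_VISITS = {
    "ads.example-cdn.test": [
        VmEvent("navigate", "http://ads.example-cdn.test/landing.html"),
        VmEvent("file", r"C:\Users\vm\AppData\Local\Temp\svc.exe"),
        VmEvent("process", r"C:\Users\vm\AppData\Local\Temp\svc.exe"),
        VmEvent("network", "198.51.100.7:4444"),
    ],
    "mirror.example.test": [
        VmEvent("navigate", "http://mirror.example.test/tool.png"),
        VmEvent("network", "mirror.example.test:80"),
    ],
}

class DetectionCloud:
    def __init__(self):
        self.data_store = []   # identifiers received over the communication interface
        self.verdicts = {}

    def receive(self, identifiers):
        self.data_store.extend(identifiers)

    def run_vm_browser(self, url):
        """Stub for the VM: open a browser at url and return the recorded behaviour."""
        return SIMULATED_VISITS.get(urlsplit(url).hostname, [])

    @staticmethod
    def monitor(url, events):
        """Monitoring logic: flag behaviour a browser should not show while rendering a page."""
        origin = urlsplit(url).hostname
        findings = []
        for ev in events:
            if ev.kind == "process":
                findings.append(f"browser spawned child process {ev.detail}")
            elif ev.kind == "file" and ev.detail.lower().endswith(".exe"):
                findings.append(f"executable written to disk: {ev.detail}")
            elif ev.kind == "network":
                host, _, port = ev.detail.rpartition(":")
                if host != origin and port not in ("80", "443"):
                    findings.append(f"connection to non-origin host on unusual port: {ev.detail}")
        return findings

    def analyze_all(self):
        """Responsive to each stored identifier, detonate the site and record a verdict."""
        for ident in self.data_store:
            url = ident["source_url"]
            self.verdicts[url] = self.monitor(url, self.run_vm_browser(url))
        return self.verdicts

# Constructed sample objects as seen by the premises device.
CAPTURED_TRAFFIC = [
    TrafficObject("http://news.example.test/", "text/html",
                  b"<html><body>Headlines</body></html>"),
    TrafficObject("http://ads.example-cdn.test/landing.html", "text/html",
                  b"<script>eval(unescape('%u9090%u9090'));String.fromCharCode(144)</script>"
                  b"<iframe src='http://ads.example-cdn.test/x.swf' width='0' height='0'></iframe>"),
    TrafficObject("http://mirror.example.test/tool.png", "image/png",
                  b"MZ\x90\x00" + b"\x00" * 60),   # suspicious statically, but the site is clean
]

def run_pipeline(objects):
    uploads = preliminary_analysis(objects)   # only identifiers cross the network
    cloud = DetectionCloud()
    cloud.receive(uploads)
    return uploads, cloud.analyze_all()

if __name__ == "__main__":
    for url, findings in run_pipeline(CAPTURED_TRAFFIC)[1].items():
        print(url, "->", findings or "no anomalous behaviour")
```

The third object shows why the split matters: the premises heuristic cannot tell a mislabelled download from a drive-by, so it escalates the identifier, and the cloud's behavioural session is what clears it. The landing page, by contrast, produces a dropped executable, a child process and a callback to a non-origin host on port 4444, each of which the monitoring logic reports independently.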
Specification