System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers

US 9,398,028 B1
Filed: 06/26/2014
Issued: 07/19/2016
Est. Priority Date: 06/26/2014
Status: Active Grant

First Claim

Patent Images

1. A network security system comprising:

a security network device including a preliminary analysis engine to conduct an analysis on network traffic and to upload one or more identifiers associated with the network traffic when the analysis determines that at least one object included in the network traffic may be associated with an exploit; and

a detection cloud remotely located from the preliminary analysis engine, the detection cloud includinga hardware communication interface communicatively coupled with the security network device, anda dynamic analysis engine communicatively coupled to the hardware communication interface, the dynamic analysis engine to receive the one or more identifiers including a first identifier identifying a source of the network traffic that includes the at least one object, the dynamic analysis engine comprisesone or more virtual machines that are adapted to execute a browser application and establish communications with at least one server by accessing website hosted by the at least one server using the first identifier; and

monitoring logic in communication with the one or more virtual machines, the monitoring logic to detect anomalous behaviors by the one or more virtual machines based on the communications with the at least one server.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an embodiment, a dynamic analysis engine is configured to receive an identifier associated with a source for network traffic including at least one object having at least a prescribed probability of being associated with an exploit. Deployed within a detection cloud, the dynamic analysis engine comprises one or more virtual machines and monitoring logic. The virtual machines are adapted to virtually process the identifier by establishing a communication session with a server hosting a website accessible by the identifier. In communication with the virtual machines, the monitoring logic is adapted to detect anomalous behaviors by the virtual machines during the communication session with the server.

Citations

59 Claims

1. A network security system comprising:
- a security network device including a preliminary analysis engine to conduct an analysis on network traffic and to upload one or more identifiers associated with the network traffic when the analysis determines that at least one object included in the network traffic may be associated with an exploit; and
  
  a detection cloud remotely located from the preliminary analysis engine, the detection cloud includinga hardware communication interface communicatively coupled with the security network device, anda dynamic analysis engine communicatively coupled to the hardware communication interface, the dynamic analysis engine to receive the one or more identifiers including a first identifier identifying a source of the network traffic that includes the at least one object, the dynamic analysis engine comprisesone or more virtual machines that are adapted to execute a browser application and establish communications with at least one server by accessing website hosted by the at least one server using the first identifier; and
  
  monitoring logic in communication with the one or more virtual machines, the monitoring logic to detect anomalous behaviors by the one or more virtual machines based on the communications with the at least one server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The network security system of claim 1, wherein the one or more identifiers received by the dynamic analysis engine further include a second identifier that identifies an address for a client device targeted to receive the network traffic.
  - 3. The network security system of claim 1, wherein the first identifier includes a Uniform Resource Locators (URL) associated with the website hosted by the at least one server operating as the source for the network traffic, and contents of the at least one object identified by the URL are not uploaded to the detection cloud.
  - 4. The network security system of claim 1, wherein the monitoring logic of the dynamic analysis engine of the detection cloud to detect the anomalous behaviors during a communication session between the virtual execution logic and the at least one server.
  - 5. The network security system of claim 4, wherein the monitoring logic of the dynamic analysis engine of the detection cloud to detect the anomalous behaviors based on receipt of information including an embedded executable.
  - 6. The network security system of claim 4, wherein the monitoring logic of the dynamic analysis engine of the detection cloud to detect the anomalous behaviors during the communication session that is maintained until a prescribed time has elapsed or the one or more virtual machines has conducted a sufficient number of operations for detecting whether the at least one server is malicious or non-malicious.
  - 7. The method of claim 6, wherein the communication session is configured based Hypertext Transfer Protocol.
  - 8. The network security system of claim 4, wherein the detection cloud corresponds to a first sub-network of an enterprise network, a second sub-network different than the first sub-network includes the security network device.
  - 9. The network security system of claim 4, wherein the security network device is deployed within an enterprise network and the detection cloud being completely external from the enterprise network.
  - 10. The network security system of claim 4, wherein the security network device including the preliminary analysis engine being deployed within an electronic device.
  - 11. The network security system of claim 4, wherein the detection cloud further comprising provisioning logic to provision, based on at least one identifier of the one or more identifiers, at least one virtual machine of the one or more virtual machines with an operating system corresponding in type to an operating system of a client device being a destination of the network traffic.
  - 12. The network security system of claim 4, wherein the detection cloud further comprising provisioning logic to provision, based on at least one identifier of the one or more identifiers, at least one virtual machine of the one or more virtual machines with an application corresponding in type to an application running on a client device being a destination of the network traffic.
  - 13. The network security system of claim 12, wherein the at least one virtual machine, when in operation, communicates with the at least one server using at least the first identifier of the one or more identifiers.
  - 14. The network security system of claim 13, wherein the at least one virtual machine is communicatively coupled to an anonymizing proxy to establish communications with the at least one server.
  - 15. The network security system of claim 13, wherein the detection cloud further comprising static analysis logic that can perform additional analysis on content returned from the at least one server prior to reaching the at least one virtual machine in order to base a determination of maliciousness based on heuristics, emulation or black/whitelisting techniques.
  - 16. The network security system of claim 1, wherein the detection cloud further comprising provisioning logic to provision at least one virtual machine of the one or more virtual machines with the browser application corresponding in type to a browser application running on a client device being a destination of the network traffic.
  - 17. The network security system of claim 1, wherein the detection cloud further comprising provisioning logic adapted to provision a plurality of virtual machines of the one or more virtual machines operating concurrently in time based on one or more of (i) a second identifier of the one or more identifiers corresponds to a customer identifier and (ii) a third identifier of the one or more identifiers that identifies an address for a client device targeted to receive the network traffic.
  - 18. The network security system of claim 1, wherein the detection cloud further comprising a customer portal where each customer can customize a set of guest images that are run within a provisioned virtual machine of the one or more virtual machines operating inside the detection cloud.
  - 19. The network security system of claim 1, wherein the detection cloud further comprising an alert generation mechanism that generates one or more alert messages based on results of the dynamic analysis and transmits the one or more alert messages back to the security network device.
  - 20. The network security system of claim 1, wherein the security network device includes a firewall.
  - 21. The network security system of claim 1, wherein the detection cloud further comprises reputation logic communicatively coupled between the hardware communication interface and the dynamic analysis engine, the reputation logic to access a list including at least one of malicious identifiers or non-malicious identifiers and to circumvent operations by the dynamic analysis engine using the first identifier in response to detecting by the reputation logic that the first identifier of the one or more identifiers is present on the list.

22. A system comprising:
- a hardware communication interface for coupling to a network;
  
  a dynamic analysis engine communicatively coupled to the communication interface, the dynamic analysis engine to receive one or more identifiers including a first identifier identifying a source of network traffic including at least one object that is considered to be potentially associated with an exploit, the dynamic analysis engine comprisesone or more virtual machines that are adapted to process a browser application using at least the first identifier of the one or more identifiers to establish communications with at least one server hosting a website, andmonitoring logic in communication with the one or more virtual machines, the monitoring logic to detect anomalous behaviors by the browser application being processed by the one or more virtual machines based on the communications with the at least one server; and
  
  a preliminary analysis engine communicatively coupled to and geographically remote from the dynamic analysis engine, the preliminary analysis engine to conduct an analysis on the network traffic and to upload the one or more identifiers associated with the network traffic to the dynamic analysis engine over the network when the analysis determines that at least one object included in the network traffic is potentially considered to be associated with the exploit, whereinthe preliminary analysis engine is deployed within a security network device at a customer premises while the dynamic analysis engine is deployed within a detection cloud.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 23. The system of claim 22, wherein the first identifier of the one or more identifiers includes a Uniform Resource Locator (URL), a second identifier of the one or more identifiers includes a customer identification that identifies a customer associated with the security network device, a third identifier of the one or more identifiers includes representative data to identify a client device targeted by the suspicious web traffic, and other contents of the at least one object identified by the URL are not uploaded to the detection cloud.
  - 24. The system of claim 22, wherein the detection cloud is a first sub-network of an enterprise network, a second sub-network different than the first sub-network includes the security network device.
  - 25. The system of claim 22 deployed within an enterprise network and the detection cloud being completely external from the enterprise network.
  - 26. The system of claim 22, wherein the preliminary analysis engine being deployed within an electronic device.
  - 27. The system of claim 26, wherein the electronic device includes a firewall.
  - 28. The system of claim 22 further comprising provisioning logic to provision at least one virtual machine of the one or more virtual machines with an operating system corresponding in type to an operating system of a client device being a destination of the network traffic.
  - 29. The system of claim 22 further comprising provisioning logic to provision at least one virtual machine of the one or more virtual machines with the browser application corresponding in type to a browser application running on a client device being a destination of the network traffic.
  - 30. The system of claim 29, wherein the at least one virtual machine is communicatively coupled to an anonymizing proxy to establish communications with the at least one server.
  - 31. The system of claim 29 further comprising a static analysis logic that can perform additional analysis on content returned from the at least one server prior to reaching the at least one virtual machine in order to base a determination of maliciousness based on heuristics, emulation or black/whitelisting techniques.
  - 32. The system of claim 22 further comprising provisioning logic adapted to provision a plurality of virtual machines operating concurrently in time based on a customer identification uploaded to the dynamic analysis engine as part of the one or more identifiers.
  - 33. The system of claim 22 further comprising a customer portal where each customer can customize a set of guest images that are run within a provisioned virtual machine of the one or more virtual machines operating inside the detection cloud.
  - 34. The system of claim 22 further comprising provisioning logic that is adapted to provision a maximum number of virtual machines operating concurrently in time based on a customer identification being a second identifier of the one or more identifiers.
  - 35. The system of claim 22 further comprising an alert generation mechanism that generates one or more alert messages based on results of the dynamic analysis and transmits the one or more alert messages back to a security network device that submitted the one or more identifiers over a secure communication channel.
  - 36. The system of claim 22 further comprising reputation logic communicatively coupled between the hardware communication interface and the dynamic analysis engine, the reputation logic to access a list including at least one of malicious identifiers or non-malicious identifiers and to circumvent operations by the dynamic analysis engine using the first identifier in response to detecting by the reputation logic that the first identifier of the one or more identifiers is present on the list.
  - 37. The system of claim 22, wherein the monitoring logic of the dynamic analysis engine to detect the anomalous behaviors during a communication session between the browser application executed in the one or more virtual machines and the at least one server.
  - 38. The system of claim 22, wherein the monitoring logic of the dynamic analysis engine to detect the anomalous behaviors during a communication session between the dynamic analysis engine and the at least one server.
  - 39. The system of claim 38, wherein the communication session is maintained until a prescribed time has elapsed or the one or more virtual machines has conducted a sufficient number of operations for detecting whether the at least one server is malicious or non-malicious.
  - 40. The system of claim 39, wherein the communication session is configured based on Hypertext Transfer Protocol.

41. A computerized method comprising:
- receiving, from a security network device via a network and in response to conducting an analysis of incoming network traffic for malware, one or more identifiers including a first identifier associated with a source of the network traffic that includes at least one object that is determined to be potentially associated with an exploit for storage in a data store;
  
  responsive to receipt of the first identifier that is stored in the data store, processing a browser application by one or more virtual machines operating as part of virtual execution logic and establishing communications with at least one server by accessing a website hosted by the at least one server using the first identifier; and
  
  detecting anomalous behaviors during processing of the browser application by the one or more virtual machines based on the communications with the at least one server.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 42. The method of claim 41, wherein at least one virtual machine of the one or more virtual machines, when processing the browser application that accesses the website using a Uniform Resource Locator (URL) corresponding to the first identifier, communicates with the at least one server.
  - 43. The method of claim 42, wherein the at least one virtual machine is communicatively coupled to an anonymizing proxy to establish communications with the at least one server.
  - 44. The method of claim 42, wherein the virtual execution logic further comprising static analysis logic that can perform additional analysis on content returned from the least one server prior to reaching the at least one virtual machine in order to base a determination of maliciousness based on heuristics, emulation or black/whitelisting techniques.
  - 45. The method of claim 44 further comprising:
    - generating one or more alert messages based on the results of dynamic and additional analysis and that can transmit the one or more alert messages back to the security network device that submitted the one or more identifiers over a secure communication channel.
  - 46. The method of claim 42, wherein the receiving of the one or more identifiers, the processing of the browser application by the one or more virtual machines, and the detecting of the anomalous behaviors by the browser application is conducted within a detection cloud.
  - 47. The method of claim 46, wherein the detection cloud is part of a sub-network of the network.
  - 48. The method of claim 41, wherein the detecting of the anomalous behaviors based on the communications with the at least one server comprises detecting, during a communication session between the virtual execution logic and the at least one server, the anomalous behaviors based on responses from the at least one server.
  - 49. The method of claim 48, wherein the one or more identifiers includes the first identifier being a Uniform Resource Locator (URL) directed to the website, a second identifier being an identifier for an entity that is associated with the security network device, and a third identifier that identifies an electronic device targeted to receive the network traffic.
  - 50. The method of claim 48, wherein the detecting of the anomalous behaviors during the communication session includes detecting of an anomalous behavior based on receipt of information including an embedded executable.
  - 51. The method of claim 48, wherein the communication session is maintained until a prescribed time has elapsed or the one or more virtual machines has conducted a sufficient number of operations for detecting whether the at least one server is malicious or non-malicious.
  - 52. The method of claim 51, wherein the communication session is configured based on Hypertext Transfer Protocol (HTTP).

53. A computerized method comprising:
- conducting an analysis, by a security network device at a customer premises, on network traffic received via a network and uploading one or more identifiers including a first identifier associated with the network traffic when the analysis determines that at least one object included in the network traffic is potentially associated with an exploit;
  
  receiving the one or more identifiers including the first identifier identifying a source of the network traffic for storage in a data store that is part of a detection cloud;
  
  responsive to receipt of the first identifier that is stored in the data store, executing at least a browser application by one or more virtual machines operating as part of virtual execution logic within the detection cloud and using the first identifier to establish communications by the detection cloud with at least one server hosting a website accessible by the first identifier; and
  
  detecting anomalous behaviors by the one or more virtual machines executing the browser application based on the communications with the least one server.
- View Dependent Claims (54, 55, 56, 57, 58, 59)
- - 54. The method of claim 53, wherein the detecting of the anomalous behaviors occurs during a communication session between the detection cloud and the at least one server.
  - 55. The method of claim 54, wherein receiving the one or more identifiers further includes a second identifier that identifies the customer and a third identifier that identifies an address for a client device targeted to receive the network traffic.
  - 56. The method of claim 54, wherein the communication session is maintained until a prescribed time has elapsed or the one or more virtual machines has conducted a sufficient number of operations for detecting whether the at least one server is malicious or non-malicious.
  - 57. The method of claim 56, wherein the communication session is configured based on Hypertext Transfer Protocol.
  - 58. The method of claim 53, wherein the detection cloud is part of a first sub-network of an enterprise network, a second sub-network different than the first sub-network includes the security network device.
  - 59. The method of claim 53, wherein the detection cloud is completely external from an enterprise network including the security network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Khalid, Yasir, Karandikar, Shrikrishna, Amin, Muhammad, Deshpande, Shivani
Primary Examiner(s)
Okeke, Izunna
Assistant Examiner(s)
Shayanfar, Ali

Application Number

US14/316,714
Time in Patent Office

754 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

59 Claims

Specification

Solutions

Use Cases

Quick Links

System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

59 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links