Modularized database architecture using vertical partitioning for a state machine

US 9,467,460 B1
Filed: 12/23/2014
Issued: 10/11/2016
Est. Priority Date: 12/23/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a memory connected to a processor; and

program code executing on the processor, the program code operable to;

configure a database to store object metadata of one or more objects processed by a state machine to generate processing results, the database including one or more object tables, state sub-block structures, state co-table structures, and state transition queue structures, the database vertically organized as a plurality of stages to implement the state machine, wherein each stage includes a state sub-block structure, a state co-table structure and a state transition queue structure, the database further organized such that each stage corresponds to a module of an analysis engine operating on an object, and wherein the module corresponding to each stage executes according to a dependency on the processing results.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A modularized architecture using vertical partitioning of a database is configured to store object metadata and processing results of one or more objects analyzed by a state machine, such as an analysis engine of a malware detection system. The database may include a plurality of data structures, such as one or more master blocks, state sub-blocks, and state co-tables, as well as state transition queues. The modularized architecture may organize the database as one or more stages of a state machine, wherein each stage includes a state sub-block, a state co-table and a state transition queue. The modularized architecture may further organize the database such that each stage corresponds to an action, i.e., module, of the state machine on the object. The module may process the data structures of its corresponding stage such that a state sub-block receives information from its state transition queue, wherein the module generates results that are stored in its associated state co-table, which then provides information for a next stage.

142 Citations

20 Claims

1. A system comprising:
- a memory connected to a processor; and
  
  program code executing on the processor, the program code operable to;
  
  configure a database to store object metadata of one or more objects processed by a state machine to generate processing results, the database including one or more object tables, state sub-block structures, state co-table structures, and state transition queue structures, the database vertically organized as a plurality of stages to implement the state machine, wherein each stage includes a state sub-block structure, a state co-table structure and a state transition queue structure, the database further organized such that each stage corresponds to a module of an analysis engine operating on an object, and wherein the module corresponding to each stage executes according to a dependency on the processing results.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1 wherein the module is configured to process the object metadata stored in the structures of a corresponding stage such that the state sub-block structure receives the object metadata from the state transition queue structure and the module generates the processing results that are stored in the state co-table structure.
  - 3. The system of claim 2 wherein the state co-table structure is configured to provide a portion of the processing results to a next state transition queue structure of a next stage.
  - 4. The system of claim 3 wherein dependency logic associated with each stage determines whether the dependency is satisfied.
  - 5. The system of claim 4 wherein each object table comprises an initial state metadata having one of an object identifier and an object hash.
  - 6. The system of claim 4 wherein each state sub-block structure is configured to store a status of the processing results of the stage for processing by the corresponding module of the analysis engine.
  - 7. The system of claim 6 wherein the object metadata comprises one of a start timestamp, an end timestamp and the status.
  - 8. The system of claim 6 wherein each state co-table structure is configured to store results of the processing by the corresponding module.
  - 9. The system of claim 8 wherein the results comprise analytical information associated with the object observed at an associated state.
  - 10. The system of claim 8 wherein each state transition queue structure is configured to store updates for transitioning between the stages.
  - 11. The system of claim 10 wherein each state transition queue structure is further configured to manipulate entries within the queue structure to insert into the state sub-block structure.

12. A method comprising:
- organizing an analysis database as a state machine having a plurality of stages, wherein each stage includes a state sub-block structure, a state co-table structure and a state transition queue structure;
  
  storing object metadata and processing results of an object in the analysis database, the object metadata processed by an analysis engine of a node having a processor to generate the processing results; and
  
  processing, at the node, the object metadata stored in the structures of a stage such that a state sub-block structure receives the object metadata from a state transition queue and provides the processing results for storage in the state co-table.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12 further comprising forwarding a portion of the processing results to a next stage.
  - 14. The method of claim 12 wherein the analysis database is organized such that each stage corresponds to a module of the analysis engine operating on the object and wherein the module of each stage executes according to a dependency on the processing results.
  - 15. The method of claim 14 further comprising:
    - determining whether the dependency is satisfied; and
      
      in response to determining that the dependency is satisfied, invoking the analysis engine to perform a next stage by inserting an action request into the state transition queue of the next stage.
  - 16. The method of claim 14 wherein organizing the analysis database further comprises configuring the state sub-block structure to store a status of processing by a corresponding module of the analysis engine.
  - 17. The method of claim 16 wherein organizing the analysis database further comprises configuring the state transition queue structure to store updates for transitioning between the stages.
  - 18. The method of claim 17 wherein the state transition queue structure is configured to manipulate entries stored in the state transition queue structure to insert into the state sub-block structure.
  - 19. The method of claim 14 wherein organizing the analysis database further comprises configuring the state co-table structure such that the processing results stored in the state co-table may be accessible by reference from the analysis database.

20. A non-transitory computer readable medium containing instructions for execution on a processor for a method comprising:
- organizing an analysis database of a node including the processor as a state machine having a plurality of stages, wherein each stage includes a state sub-block structure, a state co-table structure and a state transition queue structure, and wherein each stage corresponds to a module of an analysis engine operating on an object;
  
  storing object metadata and processing results of the object in the analysis database, the object metadata processed by the analysis engine to generate the processing results; and
  
  processing the object metadata stored in the structures of a stage such that a state sub-block structure receives the object metadata from a state transition queue.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Otvagin, Alexander, Kumar, Vineet, Movsesyan, Arsen
Primary Examiner(s)
McNally, Michael S

Application Number

US14/580,501
Time in Patent Office

658 Days
Field of Search

726/3, 726/23
US Class Current

1/1
CPC Class Codes

G06F 16/13   File access structures, e.g...

G06F 16/245   Query processing

G06F 21/00   Security arrangements for p...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Modularized database architecture using vertical partitioning for a state machine

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

142 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Modularized database architecture using vertical partitioning for a state machine

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

142 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others