Systems and methods for computer worm defense
Abstract
A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.
21 Claims
1. A system comprising:

one or more traffic analysis devices that are configured to perform an analysis of network traffic propagating over a communication network, the analysis includes identifying network communications characteristics associated with potential malware; and a malicious traffic sensor implemented as part of a computing device and communicatively coupled to the one or more traffic analysis devices, the malicious traffic sensor to receive a portion of the analyzed network traffic, the malicious traffic sensor comprises one or more virtual machines that perform activities in response to a processing of the received portion of the analyzed network traffic, and a controller communicatively coupled to the one or more virtual machines, the controller to select software profiles for the one or more virtual machines and determine whether the received portion of the analyzed network traffic comprises malware by at least (i) monitoring behaviors of the one or more virtual machines during processing of the portion of the analyzed network traffic, (ii) determining whether the monitored behaviors denote a presence of malware by at least determining that a probability of the portion of the analyzed network traffic including malware exceeds a predetermined threshold, and (iii) responsive to the probability of the portion of the analyzed network traffic including malware exceeds a predetermined threshold, generating an identifier for the portion of the analyzed network traffic, the identifier operating as a signature for use in detecting the malware in at least a second computing device that is different from the computing device and communicatively coupled to the computing device via the communication network.

(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)

15. A method comprising:

monitoring communications traffic from a communication network; filtering the communications traffic from the communication network, the filtered communications traffic comprises one or more suspicious characteristics associated with malicious traffic, wherein the one or more suspicious characteristics indicating that the filtered communication traffic should be analyzed to determine whether or not the filtered communications traffic comprises malware; determining whether the filtered communications traffic comprises malware by analyzing the filtered communications traffic, the analyzing of the filtered communications traffic comprises (i) monitoring behaviors of one or more virtual machines during processing of at least a portion of the filtered communications traffic and (ii) determining whether the monitored behaviors denote a presence of malware within the filtered communications traffic by at least determining that a probability of the portion of the filtered communications traffic including malware exceeds a predetermined threshold; and responsive to the probability of the portion of the filtered communications traffic exceeding a predetermined threshold, generating an identifier for the portion of the filtered communications traffic, the identifier operating as a signature for use in detecting the malware in other communications traffic that is different from the communications traffic and propagating over the communication network.

(Dependent claims: 16, 17, 18, 19, 20)

21. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor to perform an unauthorized activity defense method comprising:

monitoring communications traffic from a communication network; filtering the communications traffic from the communication network, the filtered communications traffic comprises one or more suspicious characteristics of malicious traffic, wherein the one or more suspicious characteristics identifying whether the filtered communication traffic should be analyzed to determine whether or not the filtered communications traffic comprises malware; determining whether the filtered communications traffic comprises malware by analyzing the filtered communications traffic, the analyzing comprising (i) monitoring behaviors of one or more virtual machines during processing of at least a portion of the filtered communications traffic and (ii) determining whether the monitored behaviors denote a presence of malware within the filtered communications traffic by at least determining that a probability of the portion of the filtered communications traffic including malware exceeds a predetermined threshold; and responsive to the probability of the portion of the filtered communications traffic exceeding a predetermined threshold, generating an identifier for the portion of the filtered communications traffic, the identifier operating as a signature for use in detecting the malware in other communications traffic that is different from the communications traffic and propagating over the communication network.
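The controller logic of claims 1 and 15 and the identifier distribution described in the abstract, as an added illustrative model that is not code from the patent or its assignee: the behavior weights, the noisy-OR combination, the threshold value and the SHA-256 identifier are all assumptions chosen for this example, since the claims specify only a probability compared against a predetermined threshold and an identifier usable as a signature elsewhere.

```python
import hashlib
from dataclasses import dataclass, field

# Per-behavior evidence weights for activity observed in a sensor VM.
# Constructed values for illustration; the patent fixes no such numbers.
BEHAVIOR_WEIGHTS = {
    "outbound_scan": 0.45,        # VM starts probing many peers after processing the sample
    "self_replication": 0.40,     # VM writes a copy of the payload and re-sends it
    "registry_persistence": 0.25, # VM installs an autostart entry
    "benign_http_fetch": 0.0,     # expected activity, contributes nothing
}
THRESHOLD = 0.6  # assumed "predetermined threshold"

def malware_probability(behaviors):
    """Combine monitored VM behaviors into one probability (noisy-OR, an assumed model)."""
    p_clean = 1.0
    for b in behaviors:
        p_clean *= 1.0 - BEHAVIOR_WEIGHTS.get(b, 0.0)
    return 1.0 - p_clean

def generate_identifier(payload):
    """Identifier for the traffic portion; SHA-256 is an assumed choice of signature form."""
    return hashlib.sha256(payload).hexdigest()

@dataclass
class BlockingSystem:
    """Blocking system of one containment system; matches traffic against received identifiers."""
    name: str
    signatures: set = field(default_factory=set)

    def inspect(self, payload):
        return generate_identifier(payload) in self.signatures

@dataclass
class ManagementSystem:
    """Management system: pushes a new identifier to the blocking systems of all networks."""
    blockers: list

    def distribute(self, identifier):
        for b in self.blockers:
            b.signatures.add(identifier)

def sensor_controller(payload, behaviors, mgmt):
    """One controller step: score VM behaviors; on exceeding the threshold, emit and distribute a signature."""
    if malware_probability(behaviors) <= THRESHOLD:
        return None  # behaviors do not denote malware; no identifier generated
    ident = generate_identifier(payload)
    mgmt.distribute(ident)
    return ident

# Constructed sample payload, as captured on the production network and replayed in a sensor VM.
SAMPLE = b"GET /update.bin HTTP/1.1\r\nHost: host-a\r\n\r\n"
```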