System and method for offloading packet processing and static analysis operations

US 9,591,015 B1
Filed: 03/28/2014
Issued: 03/07/2017
Est. Priority Date: 03/28/2014
Status: Active Grant

First Claim

Patent Images

1. An electronic device, comprising:

a traffic analysis controller including a first connector, a first processing unit and a first memory communicatively couple to the first processing unit, the first memory including (1) a filtering logic configured to receive a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as objects of interest, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects and (2) a static analysis logic configured to determine whether at least a first object of the second plurality of objects includes one or more characteristics associated with a malicious attack; and

a host including a second connector communicatively coupled to the first connector of the traffic analysis controller via a transmission medium, the host further includes (i) a second processing unit being different and remotely located from the first processing unit and (ii) a second memory communicatively coupled to the second processing unit, the second memory including a virtual execution logic that includes at least one virtual machine configured to process content within at least a second object of the second plurality of objects, the virtual execution logic configured to monitor for behaviors during the processing of the second object to determine whether the second object has one or more characteristics associated with a malicious attack.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a network security device configured to detect malicious content within received network traffic comprises a traffic analysis controller (TAC) is provided. The traffic analysis controller comprises a network processing unit (NPU) and is configured to perform at least packet processing on the NPU with a set of pre-filters. In addition, the network security device further comprises a central processing unit (CPU) and is configured to perform at least virtual machine (VM)-based processing. The set of pre-filters is configured to distribute objects of received network traffic such that either static analysis or dynamic analysis may be performed on an object to determine whether the object contains malicious content. The static analysis may be performed on either the NPU or the CPU while the dynamic analysis is performed on the CPU.

Citations

35 Claims

1. An electronic device, comprising:
- a traffic analysis controller including a first connector, a first processing unit and a first memory communicatively couple to the first processing unit, the first memory including (1) a filtering logic configured to receive a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as objects of interest, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects and (2) a static analysis logic configured to determine whether at least a first object of the second plurality of objects includes one or more characteristics associated with a malicious attack; and
  
  a host including a second connector communicatively coupled to the first connector of the traffic analysis controller via a transmission medium, the host further includes (i) a second processing unit being different and remotely located from the first processing unit and (ii) a second memory communicatively coupled to the second processing unit, the second memory including a virtual execution logic that includes at least one virtual machine configured to process content within at least a second object of the second plurality of objects, the virtual execution logic configured to monitor for behaviors during the processing of the second object to determine whether the second object has one or more characteristics associated with a malicious attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The electronic device of claim 1, wherein the first object of the second plurality of objects is different from the second object of the second plurality of objects.
  - 3. The electronic device of claim 1, wherein the filtering logic is further configured to identify a first subset of the second plurality of objects that comprise characteristics indicative of a network communication protocol.
  - 4. The electronic device of claim 1, wherein the first processing unit corresponds to a network processing unit and the second processing unit corresponds to a central processing unit that is a different component than the network processing unit.
  - 5. The electronic device of claim 1, wherein the filtering logic is further configured to identify a second subset of the second plurality of objects that comprise characteristics indicative of a presence of a binary or a third subset of the second plurality of objects that comprise characteristics indicative of a presence of domain name system (DNS) traffic.
  - 6. The electronic device of claim 5, wherein the filtering logic is further configured to identify a fourth subset of the second plurality of objects that comprise call-back characteristics indicative of a presence of a call to an external server.
  - 7. The electronic device of claim 1, wherein the traffic analysis controller includes a network interface card that comprises a substrate that communicatively couples the first processing unit to the first memory.
  - 8. The electronic device of claim 1, wherein the traffic analysis controller blocks propagation of at least the first object of the second plurality of objects upon determining that the first object has one or more characteristics associated with the malicious attack.
  - 21. The electronic device of claim 1 further comprising a housing that contains the traffic analysis controller and the host.
  - 22. The electronic device of claim 1, wherein the first processing unit includes a first physical processor and the second processing unit includes a second physical processor positioned at a different location than the first physical processor.
  - 23. The electronic device of claim 1, wherein the filtering logic of the traffic analysis controller to filter the first plurality of objects by identifying the second plurality of objects being the subset of the first plurality of objects and being lesser in number than the first plurality of objects.
  - 24. The electronic device of claim 1, wherein each of the second plurality of objects is an object that is part of a particular type of network traffic targeted for subsequent analysis by the static analysis logic that conducts a signature matching operation of content without processing of the object.
  - 25. The electronic device of claim 1, wherein each of the second plurality of objects is an object that contains a particular type of content that corresponds to a malicious identifier.
  - 26. The electronic device of claim 1, wherein the traffic analysis controller is communicatively coupled to a network to receive data propagating over the network and retrieve the first plurality of objects from the data.
  - 27. The electronic device of claim 26, wherein the first plurality of objects corresponding to data associated with a plurality of packets routed over the internet.
  - 28. The electronic device of claim 1, wherein the static analysis logic includes one or more software modules executed by the first processing unit that are different from one or more software modules of the filtering logic.

9. A system, comprising:
- a filtering logic operating in combination with a first processing unit physically residing on a traffic analysis controller, the filtering logic being configured to receive a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as objects of interest, the objects of interest being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects; and
  
  a virtual execution logic operating in combination with a second processing unit physically residing remotely from the traffic analysis controller, the virtual execution logic including at least one virtual machine configured to process content within at least a first object of interest, the virtual execution logic configured to monitor, during the processing of the content, for behaviors that have characteristics associated with a malicious attack.
- View Dependent Claims (10, 11, 12, 13, 14, 29, 30, 31, 32, 33, 34, 35)
- - 10. The system of claim 9 further comprising:
    - a static analysis logic operating in combination with the first processing unit physically residing on the traffic analysis controller, the static analysis engine being configured to determine whether at least a second object of interest is an exploit by performing a static analysis on the second object of interest.
  - 11. The system of claim 10 further comprising:
    - a second static analysis logic operating in combination with the second processing unit physically residing remotely from the traffic analysis controller, the second static analysis logic being configured to determine whether at least the second object of interest is an exploit by performing a static analysis on the second object of interest.
  - 12. The system of claim 9, wherein the traffic analysis controller includes a network interface card that comprises a substrate that communicatively couples the first processing unit to the first memory.
  - 13. The system of claim 9 further comprising a transmission medium that interconnects a connector of a first electronic device that is implemented with the traffic analysis controller and includes the first processing unit to a connector of a second electronic device that is remotely located from the first electronic device and includes the virtual execution logic operating in combination with the second processing unit.
  - 14. The system of claim 13, wherein the transmission medium includes any type of communication cable, including a Category type cabling, a twinaxial cabling, a coaxial cabling, or a twisted pair cabling.
  - 29. The system of claim 9, wherein the filtering logic is deployed within a first electronic device including a first connector and the virtual execution logic is deployed within a second electronic device including a second connector communicatively coupled to the first connector of the first electronic device.
  - 30. The system of claim 29, wherein the filtering logic filters the first plurality of objects by at least identifying the second plurality of objects in which each corresponding object of the second plurality of objects being transmitted over a network in accordance with a particular network communication protocol.
  - 31. The system of claim 29, wherein the filtering logic filters the first plurality of objects by at least identifying the second plurality of objects in which each corresponding object of the second plurality of objects includes characteristics indicating that the corresponding object includes a binary.
  - 32. The system of claim 29, wherein the filtering logic filters the first plurality of objects by at least identifying the second plurality of objects in which each corresponding object of the second plurality of objects includes characteristics indicating that the corresponding object is part of a transmission over a network from a particular domain name system (DNS) server.
  - 33. The system of claim 29, wherein the filtering logic filters the first plurality of objects by at least identifying the second plurality of objects in which each corresponding object of the first plurality of objects includes characteristics indicating that the corresponding object is associated with a call to an external server.
  - 34. The system of claim 9 further comprising a first interface to receive network traffic including the first plurality of objects over a communication network.
  - 35. The system of claim 34, wherein the first interface includes one or more communication ports that provide communicatively coupling to the communication network to receive the network traffic routed over the internet.

15. A computerized method comprising:
- receiving a first plurality of objects by a filtering logic associated with a traffic analysis controller;
  
  filtering the first plurality of objects by the filtering logic to identify a second plurality of objects, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects;
  
  performing a static analysis on a first subset of the second plurality of objects to determine whether any object of the first subset of the second plurality of objects has characteristics associated with a malicious attack, the first subset of the second plurality of objects being objects of a first level of interest; and
  
  performing a virtual analysis of content within a second subset of the second plurality of objects, and monitoring for behaviors during the virtual processing that are indicative of characteristics associated with an malicious attack, the second subset of the second plurality of objects being a subset of the first subset of the second plurality of objects associated with a second level of interest, the virtual analysis being conducted by logic associated with a host being separate from the traffic analysis controller.
- View Dependent Claims (16)
- - 16. The method of claim 15, wherein the traffic analysis controller includes a network interface card that comprises a substrate that communicatively couples the first processing unit to the first memory.

17. A system, comprising:
- a transmission medium;
  
  a first electronic device includinga first interface,a second interface coupled to the transmission medium,a first processor communicatively coupled to the first interface and the second interface, anda memory communicatively coupled to the first processor, the memory including (1) a filtering logic configured to filter the first plurality of objects received via the first interface by identifying an object of interest, and (2) a static analysis logic configured to determine whether at least the object of interest includes one or more characteristics associated with a malicious attack by performing a static analysis on the first object; and
  
  a second electronic device includinga third interface coupled to the transmission medium,a second processor communicatively coupled to the third interface, anda second memory communicatively coupled to the second processor, the second memory including dynamic analysis logic execution logic that, when executed by the second processor, processes content within the object of interest and monitors for behaviors during the processing of the object of interest to determine whether the object of interest has one or more characteristics associated with a malicious attack.
- View Dependent Claims (18, 19, 20)
- - 18. The traffic analysis controller of claim 17, wherein the transmission medium includes a type of communication cable, including a Category type cabling, a twinaxial cabling, a coaxial cabling, or a twisted pair cabling.
  - 19. The system of claim 17, wherein the static analysis logic, when executed by the first processor, further performs an operation that comprises comparing one or more signatures that represent prior detected exploits to content of the object of interest.
  - 20. The traffic analysis controller of claim 17, wherein the static analysis logic when executed by the first processor, further performs an operation that comprises conducting heuristics by analyzing the metadata or attributes of the object of interest to determine whether a certain portion of the object of interest has characteristics that suggest the object of interest is associated with the malicious attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Mehmood, Masood, Ramaswamy, Ramaswamy, Challa, Madhusudan, Amin, Muhammad, Karandikar, Shrikrishna
Primary Examiner(s)
Smithers, Matthew

Application Number

US14/229,541
Time in Patent Office

1,075 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 67/01   Protocols

System and method for offloading packet processing and static analysis operations

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for offloading packet processing and static analysis operations

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links