System and method for offloading packet processing and static analysis operations
Abstract
According to one embodiment, a network security device configured to detect malicious content within received network traffic is provided; it comprises a traffic analysis controller (TAC). The traffic analysis controller comprises a network processing unit (NPU) and is configured to perform at least packet processing on the NPU with a set of pre-filters. In addition, the network security device further comprises a central processing unit (CPU) and is configured to perform at least virtual machine (VM)-based processing. The set of pre-filters is configured to distribute objects of received network traffic such that either static analysis or dynamic analysis may be performed on an object to determine whether the object contains malicious content. The static analysis may be performed on either the NPU or the CPU, while the dynamic analysis is performed on the CPU.
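The pipeline the abstract describes, as a small runnable model: a pre-filter selects objects of interest, static analysis runs on them without execution, and only objects escalated to a second level of interest cross the transmission medium to the host, where a VM stand-in processes the content and records behaviors. This is an added illustrative example, not code from the patent or from any product implementing it; the object types, the magic-byte table, the escalation rule, the one-command-per-line script format the toy VM interprets, and the sample objects are all constructed for the example.

```python
# Added illustrative model of the TAC/host split described in the abstract; it is
# not the patent's implementation. Stages 1 and 2 run "on the TAC"; only objects
# escalated to a second level of interest cross the transmission medium (a queue
# here) to the host, whose VM stand-in "executes" content and records behaviors.
from dataclasses import dataclass
from queue import Queue


@dataclass
class NetObject:
    name: str
    declared_type: str   # content type the transport claimed for the object
    payload: bytes


@dataclass
class Verdict:
    name: str
    stage: str           # "static" (TAC) or "dynamic" (host VM)
    indicators: list     # empty means nothing suspicious was found at that stage


# Constructed table of expected leading bytes per type of interest.
MAGIC = {
    "application/pdf": b"%PDF",
    "application/x-msdownload": b"MZ",
    "text/x-script": b"#!",
}
TYPES_OF_INTEREST = set(MAGIC)


def prefilter(objects):
    """TAC stage 1: keep the objects of interest, a subset of what was received."""
    return [o for o in objects if o.declared_type in TYPES_OF_INTEREST]


def static_analysis(obj):
    """TAC stage 2: inspect content without executing it; return indicator names."""
    found = []
    if not obj.payload.startswith(MAGIC[obj.declared_type]):
        found.append("declared-type-mismatch")
    if obj.declared_type == "application/pdf" and b"/JavaScript" in obj.payload:
        found.append("pdf-embedded-javascript")
    if obj.declared_type == "text/x-script":
        found.append("script-needs-execution")   # only a run can judge it
    return found


# Constructed escalation rule: which static indicators send an object to the host.
ESCALATE_ON = {"declared-type-mismatch", "script-needs-execution"}


class HostVM:
    """Host stage: toy interpreter standing in for the virtual machine. It walks a
    constructed one-command-per-line script and records the behaviors it sees."""
    SUSPICIOUS = {"connect", "write_autorun", "spawn"}

    def run(self, obj):
        behaviors = []
        lines = obj.payload.decode(errors="replace").splitlines()
        for line in lines[1:]:                # skip the "#!" interpreter line
            verb, _, arg = line.partition(" ")
            if verb in self.SUSPICIOUS:
                behaviors.append(f"{verb}:{arg}")
        return behaviors


def analyse(objects):
    """Run the pipeline. Returns (verdicts, number of objects offloaded to host)."""
    medium = Queue()                          # stands in for the TAC-host link
    verdicts = []
    for obj in prefilter(objects):
        indicators = static_analysis(obj)
        if ESCALATE_ON & set(indicators):
            medium.put(obj)                   # second level of interest
        else:
            verdicts.append(Verdict(obj.name, "static", indicators))
    offloaded = medium.qsize()
    vm = HostVM()
    while not medium.empty():
        obj = medium.get()
        verdicts.append(Verdict(obj.name, "dynamic", vm.run(obj)))
    return verdicts, offloaded


# Constructed sample traffic (203.0.113.0/24 is a documentation address range).
SAMPLE = [
    NetObject("index.html", "text/html", b"<html></html>"),
    NetObject("report.pdf", "application/pdf", b"%PDF-1.4 1 0 obj << /JavaScript 2 0 R >>"),
    NetObject("setup.exe", "application/x-msdownload", b"MZ\x90\x00\x03\x00\x00\x00"),
    NetObject("update.sh", "text/x-script",
              b"#!/bin/sh\nconnect 203.0.113.5:443\nwrite_autorun /etc/rc.local\n"),
    NetObject("photo.pdf", "application/pdf", b"GIF89a\x01\x00\x01\x00"),
]

if __name__ == "__main__":
    verdicts, offloaded = analyse(SAMPLE)
    print(f"{len(SAMPLE)} received, {len(prefilter(SAMPLE))} of interest, {offloaded} offloaded")
    for v in verdicts:
        print(f"{v.name:<12} {v.stage:<8} {v.indicators}")
```

The point of the split is visible in the counts: of five objects received, four pass the pre-filter, two are settled by static analysis on the TAC, and only two are offloaded across the medium for dynamic analysis, which is the expensive stage the design keeps on the host CPU.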
35 Claims

1. An electronic device, comprising:
- a traffic analysis controller including a first connector, a first processing unit and a first memory communicatively coupled to the first processing unit, the first memory including (1) a filtering logic configured to receive a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as objects of interest, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects and (2) a static analysis logic configured to determine whether at least a first object of the second plurality of objects includes one or more characteristics associated with a malicious attack; and
- a host including a second connector communicatively coupled to the first connector of the traffic analysis controller via a transmission medium, the host further includes (i) a second processing unit being different and remotely located from the first processing unit and (ii) a second memory communicatively coupled to the second processing unit, the second memory including a virtual execution logic that includes at least one virtual machine configured to process content within at least a second object of the second plurality of objects, the virtual execution logic configured to monitor for behaviors during the processing of the second object to determine whether the second object has one or more characteristics associated with a malicious attack.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 21, 22, 23, 24, 25, 26, 27, 28
9. A system, comprising:
- a filtering logic operating in combination with a first processing unit physically residing on a traffic analysis controller, the filtering logic being configured to receive a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as objects of interest, the objects of interest being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects; and
- a virtual execution logic operating in combination with a second processing unit physically residing remotely from the traffic analysis controller, the virtual execution logic including at least one virtual machine configured to process content within at least a first object of interest, the virtual execution logic configured to monitor, during the processing of the content, for behaviors that have characteristics associated with a malicious attack.

Dependent claims: 10, 11, 12, 13, 14, 29, 30, 31, 32, 33, 34, 35
15. A computerized method comprising:
- receiving a first plurality of objects by a filtering logic associated with a traffic analysis controller;
- filtering the first plurality of objects by the filtering logic to identify a second plurality of objects, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects;
- performing a static analysis on a first subset of the second plurality of objects to determine whether any object of the first subset of the second plurality of objects has characteristics associated with a malicious attack, the first subset of the second plurality of objects being objects of a first level of interest; and
- performing a virtual analysis of content within a second subset of the second plurality of objects, and monitoring for behaviors during the virtual processing that are indicative of characteristics associated with a malicious attack, the second subset of the second plurality of objects being a subset of the first subset of the second plurality of objects associated with a second level of interest, the virtual analysis being conducted by logic associated with a host being separate from the traffic analysis controller.

Dependent claims: 16
17. A system, comprising:
- a transmission medium;
- a first electronic device including a first interface, a second interface coupled to the transmission medium, a first processor communicatively coupled to the first interface and the second interface, and a memory communicatively coupled to the first processor, the memory including (1) a filtering logic configured to filter the first plurality of objects received via the first interface by identifying an object of interest, and (2) a static analysis logic configured to determine whether at least the object of interest includes one or more characteristics associated with a malicious attack by performing a static analysis on the first object; and
- a second electronic device including a third interface coupled to the transmission medium, a second processor communicatively coupled to the third interface, and a second memory communicatively coupled to the second processor, the second memory including dynamic analysis logic execution logic that, when executed by the second processor, processes content within the object of interest and monitors for behaviors during the processing of the object of interest to determine whether the object of interest has one or more characteristics associated with a malicious attack.

Dependent claims: 18, 19, 20