System and method for signature generation
First Claim
1. A method comprising:
- configuring a virtual machine with a selected software profile by establishing a software environment within the virtual machine, the software environment includes one or more operating systems and application software components associated with a destination device;
- receiving a first portion of network traffic by the virtual machine that is configured to simulate operations of the destination device;
- observing one or more anomalous behaviors of the virtual machine processing the first portion of the network traffic, the one or more anomalous behaviors comprises an unexpected behavior of the virtual machine while the first portion of the network traffic is being processed; and
- generating a signature that is associated with the one or more anomalous behaviors for detection of a presence of malicious code within the network traffic.
Abstract
According to one embodiment, a method comprises receiving a first portion of network traffic by a virtual machine that is configured to simulate operations of a destination device. Thereafter, one or more anomalous behaviors are observed as the virtual machine processes the first portion of the network traffic. The one or more anomalous behaviors include an unexpected behavior of the virtual machine while the first portion of the network traffic is being processed. As a result, a signature that is associated with the one or more anomalous behaviors is generated for detection of a presence of malicious code within the network traffic.
635 Citations
37 Claims
1. (Independent method claim; text given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 36.
12. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor to perform operations for detecting malicious code, comprising:
- configuring a virtual machine with a selected software profile by establishing a software environment within the virtual machine, the software environment includes one or more operating systems and application software components associated with a destination device;
- receiving a first portion of network traffic by the virtual machine that is configured to simulate operations of the destination device;
- observing one or more anomalous behaviors of the virtual machine processing the first portion of the network traffic, the one or more anomalous behaviors comprises an unexpected behavior of the virtual machine while the first portion of the network traffic is being processed; and
- generating a signature that is associated with the one or more anomalous behaviors for detection of a presence of malicious code within other portions of the network traffic that are received subsequent to the first portion of the network traffic.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 37.
22. A detection system comprising:
- a traffic analysis device configured to receive network traffic traveling over a communication network and output network data associated with the network traffic; and
- a system communicatively coupled to the traffic analysis device, the system comprises a controller configured to (i) determine whether the network traffic contains malicious code by observing an anomalous behavior of a virtual machine processing the network traffic, the anomalous behavior comprises an unexpected behavior of the virtual machine while the network traffic is being processed, (ii) generate a signature that is associated with the observed anomalous behavior for detection of the presence of the malicious code, and (iii) share the signature for use in detecting malicious code in network traffic traveling over a different communication network, a scheduler to control configuration of the virtual machine, and a transmitter configured to simulate transmission of the network traffic to a destination device by transmission of the network traffic to the virtual machine.
Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35.
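The three independent claims describe one pipeline: configure a guest to match the destination device's software profile, replay a traffic portion into it, flag behaviour the guest should not exhibit, derive a signature from the portion that triggered it, apply that signature to later portions (claim 12) and hand it to a detector on another network (claim 22). The following is an added illustration of that pipeline in Python; it is not the patent's code nor any vendor's implementation. It assumes a token-conjunction content signature (maximal byte runs absent from benign traffic for the same profile, all of which must appear in a later portion) and a JSON exchange format, neither of which the claims specify. The guest behaviour traces, the profile name and the HTTP samples are constructed stand-ins for what VM introspection and a device inventory would supply.

```python
"""Sandbox-driven signature generation, added illustration (not the patent's code).
Guest traces and traffic samples below are constructed; event names are assumed."""
from dataclasses import dataclass
import hashlib
import json


@dataclass(frozen=True)
class SoftwareProfile:
    os: str
    apps: tuple


@dataclass(frozen=True)
class Observation:
    """One traffic portion plus the behaviour events recorded while the guest processed it."""
    portion: bytes
    events: tuple


def build_baseline(benign_observations):
    """Expected behaviour for this profile: every event seen while processing benign traffic."""
    expected = set()
    for ob in benign_observations:
        expected.update(ob.events)
    return expected


def anomalous_events(baseline, observation):
    """Events the guest produced that the profile's baseline does not predict."""
    return tuple(e for e in observation.events if e not in baseline)


def ngrams(data, n):
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def distinctive_substrings(data, benign_ngrams, n):
    """Maximal byte runs in which every n-byte window is absent from benign traffic."""
    out, start = [], None
    for i in range(len(data) - n + 1):
        novel = data[i:i + n] not in benign_ngrams
        if novel and start is None:
            start = i
        elif not novel and start is not None:
            out.append(data[start:i - 1 + n])   # last novel window began at i-1
            start = None
    if start is not None:
        out.append(data[start:])
    return out


def generate_signature(profile, observation, anomalies, benign_observations, n=6):
    """Conjunction of byte tokens unique to the triggering portion, tagged with the
    profile and the behaviour that justified it (assumed format, not the patent's)."""
    benign = set()
    for ob in benign_observations:
        benign |= ngrams(ob.portion, n)
    tokens = distinctive_substrings(observation.portion, benign, n)
    return {
        "id": hashlib.sha256(b"|".join(tokens)).hexdigest()[:16],
        "profile": {"os": profile.os, "apps": list(profile.apps)},
        "behaviour": list(anomalies),
        "tokens": [t.hex() for t in tokens],
    }


def matches(signature, portion):
    tokens = [bytes.fromhex(t) for t in signature["tokens"]]
    return bool(tokens) and all(t in portion for t in tokens)


def export_signature(signature):
    """Serialised form handed to a detector watching a different network (claim 22)."""
    return json.dumps(signature, sort_keys=True)


# Constructed data: an assumed destination inventory and guest traces.
HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
PROFILE = SoftwareProfile(os="win7-sp1", apps=("browser-9",))
EXPECTED = ("browser:connect", "browser:render_html", "browser:write_cache")
BENIGN = (
    Observation(HDR + b"<html><body>hello</body></html>", EXPECTED),
    Observation(HDR + b"<html><body><p>news</p></body></html>", EXPECTED),
)
# Constructed trigger: while rendering, the guest also spawns a process and drops a file.
TRIGGER = Observation(
    HDR + b"<html><script>var s=unescape('%u9090%u9090');</script></html>",
    EXPECTED + ("browser:spawn_process cmd.exe", "browser:write_file C:\\Users\\Public\\a.exe"),
)
LATER_TRAFFIC = (  # subsequent portions on another network (claim 12 / claim 22)
    HDR + b"<html><body><p>weather</p></body></html>",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Cache: HIT\r\n\r\n"
    b"<html><script>var s=unescape('%u9090%u9090');</script></html>",
)


def run_pipeline():
    baseline = build_baseline(BENIGN)
    anomalies = anomalous_events(baseline, TRIGGER)
    if not anomalies:                 # nothing unexpected observed: no signature is produced
        return None, []
    sig = generate_signature(PROFILE, TRIGGER, anomalies, BENIGN)
    shared = json.loads(export_signature(sig))   # what the remote detector receives
    return sig, [matches(shared, p) for p in LATER_TRAFFIC]


if __name__ == "__main__":
    sig, verdicts = run_pipeline()
    print(json.dumps(sig, indent=1))
    print(verdicts)
```

Two caveats a practitioner would want alongside this. First, the baseline is per profile: the same event (a process spawn) is expected for one application version and anomalous for another, so the signature carries the profile it was derived under and the receiving detector should apply it only to traffic destined for comparable devices. Second, a content signature derived from a single triggering portion is only as good as the benign corpus it was contrasted against: too small a corpus yields tokens that are merely unusual rather than malicious, and an attacker who can vary bytes outside the invariant exploit content will not match a conjunction of all of them. Shipping the observed behaviour with the signature, as above, lets the receiving side re-run the sample in its own sandbox before trusting it.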