System and method for signature generation

US 9,591,020 B1
Filed: 02/25/2014
Issued: 03/07/2017
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

configuring a virtual machine with a selected software profile by establishing a software environment within the virtual machine, the software environment includes one or more operating systems and application software components associated with a destination device;

receiving a first portion of network traffic by the virtual machine that is configured to simulate operations of the destination device;

observing one or more anomalous behaviors of the virtual machine processing the first portion of the network traffic, the one or more anomalous behaviors comprises an unexpected behavior of the virtual machine while the first portion of the network traffic is being processed; and

generating a signature that is associated with the one or more anomalous behaviors for detection of a presence of malicious code within the network traffic.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a method comprises receiving a first portion of network traffic by a virtual machine that is configured to simulate operations of a destination device. Thereafter, one or more anomalous behaviors are observed as the virtual machine processing the first portion of the network traffic. The one or more anomalous behaviors include an unexpected behavior of the virtual machine while the first portion of the network traffic is being processed. As a result, a signature that is associated with the one or more anomalous behaviors is generated for detection of a presence of malicious code within the network traffic.

635 Citations

37 Claims

1. A method comprising:
- configuring a virtual machine with a selected software profile by establishing a software environment within the virtual machine, the software environment includes one or more operating systems and application software components associated with a destination device;
  
  receiving a first portion of network traffic by the virtual machine that is configured to simulate operations of the destination device;
  
  observing one or more anomalous behaviors of the virtual machine processing the first portion of the network traffic, the one or more anomalous behaviors comprises an unexpected behavior of the virtual machine while the first portion of the network traffic is being processed; and
  
  generating a signature that is associated with the one or more anomalous behaviors for detection of a presence of malicious code within the network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 36)
- - 2. The method of claim 1, wherein the signature being associated with the one or more anomalous behaviors for subsequent detection of the presence of the malicious code within a second portion of the network traffic that is subsequent to and different from the first portion of the network traffic.
  - 3. The method of claim 1 wherein the one or more anomalous behaviors comprises one or more of (i) crashing of the virtual machine, (ii) performing an illegal operation by the virtual machine simulating operations of the destination device, (iii) performing abnormally from expected simulated operations by the virtual machine, or (iv) allowing access by the virtual machine to data by an unauthorized computer user.
  - 4. The method of claim 1, wherein the receiving of the first portion of the network traffic comprises:
    - identifying at least the first portion of the network traffic as suspicious network traffic; and
      
      transmitting the first portion of the network traffic to the virtual machine configured with a selected software profile for observation of behavior of the virtual machine that is processing the first portion of network traffic.
  - 5. The method of claim 1 wherein the signature comprises a Uniform Resource Locator (URL) that is used for filtering the network traffic.
  - 6. The method of claim 1 being conducted by an in-line network device intercepting the network traffic.
  - 7. The method of claim 6, wherein the in-line network device produces a copy of incoming network traffic and provides the network traffic as the copy of the incoming network traffic.
  - 8. The method of claim 1 further comprising:
    - distributing the signature to another network device for use in detecting malicious code in network traffic propagating over a communication network that is different from a communication network over which the first portion of the network traffic propagates.
  - 9. The method of claim 8 wherein the distributing of the signature is performed automatically.
  - 10. The method of claim 1, wherein the configuring of the virtual machine comprises retrieving the virtual machine from among a plurality of virtual machines.
  - 11. The method of claim 10, wherein retrieving of the virtual machine comprises retrieving a first virtual machine and one of a plurality of different virtual machine configurations, and configuring the first virtual machine with the one of the plurality of different virtual machine configurations to simulate one or more performance characteristics of the destination device.
  - 36. The method of claim 1, wherein the software environment within the virtual machine at least partially conducts the processing of the first portion of the network traffic.

12. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor to perform operations for detecting malicious code, comprising:
- configuring a virtual machine with a selected software profile by establishing a software environment within the virtual machine, the software environment includes one or more operating systems and application software components associated with a destination device;
  
  receiving a first portion of network traffic by the virtual machine that is configured to simulate operations of the destination device;
  
  observing one or more anomalous behaviors of the virtual machine processing the first portion of the network traffic, the one or more anomalous behaviors comprises an unexpected behavior of the virtual machine while the first portion of the network traffic is being processed; and
  
  generating a signature that is associated with the one or more anomalous behaviors for detection of a presence of malicious code within other portions of the network traffic that are received subsequent to the first portion of the network traffic.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 37)
- - 13. The non-transitory machine readable medium of claim 12, wherein the one or more anomalous behaviors comprises one or more of (i) crashing of the virtual machine, (ii) performing an illegal operation by the virtual machine simulating operations of the destination device, (iii) performing abnormally from expected simulated operations by the virtual machine, or (iv) allowing access by the virtual machine to data by an unauthorized computer user.
  - 14. The non-transitory machine readable medium of claim 12, wherein processor executing the executable code performs operations of receiving the first portion of the network traffic that comprise:
    - identifying at least the first portion of the network traffic as suspicious network traffic; and
      
      transmitting the first portion of the network traffic to the virtual machine configured with a selected software profile for observation of behavior of the virtual machine that is processing the first portion of network traffic.
  - 15. The non-transitory machine readable medium of claim 12 wherein the signature comprises a Uniform Resource Locator (URL) that is used for filtering the network traffic.
  - 16. The non-transitory machine readable medium of claim 12 being conducted by an in-line network device intercepting the network traffic.
  - 17. The non-transitory machine readable medium of claim 16, wherein the in-line network device produces a copy of incoming network traffic and provides the network traffic as the copy of the incoming network traffic.
  - 18. The non-transitory machine readable medium of claim 12, wherein processor executing the executable code performs operations further comprising:
    - distributing the signature to another network device for use in detecting malicious code in network traffic propagating over a communication network that is different from a communication network over which the first portion of the network traffic propagates.
  - 19. The non-transitory machine readable medium of claim 18 wherein the distributing of the signature is performed automatically.
  - 20. The non-transitory machine readable medium of claim 12, wherein the processor executing the executable code to configure the virtual machine with the selected software profile by at least retrieving the virtual machine from among a plurality of virtual machines.
  - 21. The non-transitory machine readable medium of claim 20, wherein the processor executing the executable code for retrieving of the virtual machine comprises retrieving a first virtual machine and one of a plurality of different virtual machine configurations, and configuring the first virtual machine with the one of the plurality of different virtual machine configurations to simulate one or more performance characteristics of the destination device.
  - 37. The non-transitory machine readable medium of claim 12, wherein the software environment within the virtual machine at least partially conducts the processing of the first portion of the network traffic.

22. A detection system comprising:
- a traffic analysis device configured to receive network traffic traveling over a communication network and output network data associated with the network traffic; and
  
  a system communicatively coupled to the traffic analysis device, the system comprisesa controller configured to (i) determine whether the network traffic contains malicious code by observing an anomalous behavior of a virtual machine processing the network traffic, the anomalous behavior comprises an unexpected behavior of the virtual machine while the network traffic is being processed, (ii) generate a signature that is associated with the observed anomalous behavior for detection of the presence of the malicious code, and (iii) share the signature for use in detecting malicious code in network traffic traveling over a different communication network,a scheduler to control configuration of the virtual machine, anda transmitter configured to simulate transmission of the network traffic to a destination device by transmission of the network traffic to the virtual machine.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 23. The detection system of claim 22, wherein the traffic analysis device is further configured to identify at least a portion of the network traffic as potentially containing malicious content, and transmit the identified portion of the network traffic to the virtual machine for observation of behavior of the virtual machine processing the portion of the network traffic.
  - 24. The detection system of claim 22, wherein the controller is further configured to generate the signature based at least in part on a Uniform Resource Locator (URL).
  - 25. The detection system of claim 22, wherein the traffic analysis device is further configured to filter the network traffic based at least in part on a heuristic that identifies suspicious network traffic and directs the suspicious network traffic to the virtual machine within a software profile.
  - 26. The detection system of claim 25, wherein the controller of the system reporting less false positive detections of anomalous behaviors than a number of false positive detections of suspicious network traffic by the traffic analysis device.
  - 27. The detection system of claim 22, wherein the observed anomalous behavior comprises one or more of (i) crashing of the virtual machine, (ii) performing an illegal operation by the virtual machine simulating operations of the destination device, (iii) performing abnormally from expected simulated operations by the virtual machine, or (iv) allowing access by the virtual machine to data by an unauthorized computer user.
  - 28. The detection system of claim 22, wherein the controller further configured to distribute the signature to another network device for use in detecting malicious code in network traffic propagating over a communication network that is different from a communication network over which the first portion of the network traffic propagates.
  - 29. The detection system of claim 28, wherein the system is configured to distribute the signature automatically.
  - 30. The detection system of claim 22, wherein the system, prior to determining whether the network traffic contains malicious code by observing the anomalous behavior, is configured to retrieve the virtual machine from among a plurality of virtual machines.
  - 31. The detection system of claim 30, wherein system is configured to retrieve the virtual machine by retrieving a first virtual machine and one of a plurality of different virtual machine configurations, and configuring the first virtual machine with the one of the plurality of different virtual machine configurations to simulate one or more performance characteristics of the destination device.
  - 32. The detection system of claim 30, wherein the system is configured to retrieve the virtual machine by creating the virtual machine configured with a selected software profile.
  - 33. The detection system of claim 32, wherein the system is configured to create the virtual machine by establishing a software environment within the virtual machine with the selected software profile, wherein the software environment includes one or more operating systems and application software components associated with the destination device.
  - 34. The detection system of claim 22, wherein the traffic analysis device is further configured to identify at least a portion of the network traffic as potentially containing malicious content, and transmit the identified portion of the network traffic to the virtual machine for observation of behavior of the virtual machine processing the portion of the network traffic.
  - 35. The detection system of claim 22, wherein the controller of the system automatically generates the signature that is based, at least in part, on the observed anomalous behavior.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar
Primary Examiner(s)
Dada, Beemnet

Application Number

US14/189,932
Time in Patent Office

1,106 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595   Network integration; Enabli...

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 9/45537   Provision of facilities of ...

G06F 9/45558   Hypervisor-specific managem...

G06Q 20/10   specially adapted for elect...

H04L 63/0227   Filtering policies mail mes...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491 : using deception as counterm...

H04L 63/20 : for managing network securi...

View All

System and method for signature generation

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

635 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for signature generation

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

635 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links