Network-based malware detection

US 9,661,009 B1
Filed: 07/18/2016
Issued: 05/23/2017
Est. Priority Date: 06/26/2014
Status: Active Grant

First Claim

Patent Images

1. A network security system comprising:

a security network device to conduct an analysis on network traffic, the analysis on the network traffic includes detecting at least one suspicious object associated with the network traffic and determining an identifier associated with a suspicious object of the at least one suspicious object, the security network device further uploading both (i) the identifier associated with the suspicious object and (ii) ancillary data including information that identifies a return address for analysis results to a customer; and

a detection cloud that comprisesvirtual machine provisioning logic and a scheduler being software that, when executed by hardware circuitry, customizes functionality of the detection cloud by provisioning one or more virtual machines by selecting a number of software profiles for use by the one or more virtual machines based, at least in part, on the suspicious object or at least a portion of the ancillary data, the one or more virtual machines to execute the suspicious object and determine whether the suspicious object is facilitating communications with a website that is associated with a malicious attack, andalert generation logic being software that, when executed by hardware circuitry and upon receiving a message from the virtual machine provisioning logic that a capacity for executing the at least one suspicious object by the detection cloud pursuant to a subscription level has been exceeded, generates a message to alert the customer to alter the execution capacity.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an embodiment, a system, device and method for detecting a malicious attack is described. Herein, the system includes a security network device that conducts an analysis on received network traffic to detect a suspicious object associated with the network traffic and determine an identifier associated with a source of the suspicious object. Both information associated with the suspicious object and ancillary data, including information that identifies a return path for analysis results to a customer, are uploaded to a detection cloud. The detection cloud includes provisioning logic and one or more virtual machines that are provisioned by the provisioning logic in accordance with at least a portion of the ancillary data. The provisioning logic to customize functionality of the detection cloud for a specific customer.

737 Citations

27 Claims

1. A network security system comprising:
- a security network device to conduct an analysis on network traffic, the analysis on the network traffic includes detecting at least one suspicious object associated with the network traffic and determining an identifier associated with a suspicious object of the at least one suspicious object, the security network device further uploading both (i) the identifier associated with the suspicious object and (ii) ancillary data including information that identifies a return address for analysis results to a customer; and
  
  a detection cloud that comprisesvirtual machine provisioning logic and a scheduler being software that, when executed by hardware circuitry, customizes functionality of the detection cloud by provisioning one or more virtual machines by selecting a number of software profiles for use by the one or more virtual machines based, at least in part, on the suspicious object or at least a portion of the ancillary data, the one or more virtual machines to execute the suspicious object and determine whether the suspicious object is facilitating communications with a website that is associated with a malicious attack, andalert generation logic being software that, when executed by hardware circuitry and upon receiving a message from the virtual machine provisioning logic that a capacity for executing the at least one suspicious object by the detection cloud pursuant to a subscription level has been exceeded, generates a message to alert the customer to alter the execution capacity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The network security system of claim 1, wherein the identifier is an Uniform Resource Locator (URL) being used to retrieve the object from an external source.
  - 3. The network security system of claim 1, wherein the ancillary data including the information that identifies the return path for analysis results to the customer via the security network device that is part of an enterprise network.
  - 4. The network security system of claim 1, wherein the ancillary data includes a customer identification that is used to select the types and number of software profiles for provisioning the one or more virtual machines.
  - 5. The network security system of claim 1, wherein the ancillary data includes information that indicates software profiles for provisioning the one or more virtual machines.
  - 6. The network security system of claim 1, wherein the detection cloud is customized by (i) setting the one or more virtual machines to a number of virtual machines and (ii) selecting a type or types of software profiles for use by the one or more virtual machines based on processing and storage constraints of the network security system.
  - 7. The network security system of claim 1, wherein the execution capacity is based, at least in part, on the selected number of software profiles provisioned to concurrently run on the one or more virtual machines.
  - 8. The network security system of claim 1, wherein the security network device includes a preliminary analysis engine that parses the network traffic and analyzes information associated with characteristics of the network traffic, the preliminary analysis engine analyzes the information by performing one or more exploit signature checks that include comparing an object against one or more pre-stored exploit signatures.
  - 9. The network security system of claim 8, wherein the security network device is a mobile device that includes the preliminary analysis engine.
  - 10. The network security system of claim 1, wherein the information that identifies the return path includes an Internet Protocol (IP) address of a source of the suspicious object.
  - 11. The network security system of claim 1, wherein the security network device includes a preliminary analysis engine that parses the network traffic and analyzes information associated with characteristics of the network traffic, the preliminary analysis engine analyzes the information by performing one or more vulnerability signature checks that include an analysis of messaging practices of a communication protocol used by the network traffic to uncover deviations in the messaging practices.
  - 12. The network security system of claim 1, wherein the detection cloud is a first sub-network of an enterprise network, a second sub-network different than the first sub-network includes the security network device.
  - 13. The network security system of claim 1, wherein the security network device is deployed within an enterprise network and the detection cloud being completely external from the enterprise network.
  - 14. The network security system of claim 1, wherein the detection cloud further includes a reputation logic that selects software profiles that are more susceptible to attack given an origin of the network traffic.
  - 15. The network security system of claim 14, wherein the reputation logic is further configured to detect, using blacklists or whitelists, whether the suspicious object are malicious.

16. A network security system comprising:
- a security network device to conduct an analysis on network traffic, the analysis on the network traffic includes detecting one or more suspicious objects associated with the network traffic and determining an identifier associated with the one or more suspicious objects, the security network device further uploading both (i) the identifier and (ii) ancillary data including a customer identification that includes information identifying a customer associated with the security network device and data representative of a targeted client device; and
  
  a detection cloud including one or more virtual machines that are provisioned in accordance with at least a portion of the ancillary data to customize functionality of the detection cloud for each customer by (i) setting the one or more virtual machines to a number of virtual machines that are assigned to the customer identified by the customer identification, (ii) selecting a number of software profiles, including a type or types of software profiles, for use by the one or more virtual machines, and (iii) generating a message to alert the customer to alter its subscription to increase a capacity in executing suspicious objects by the detection cloud for the customer in response to the execution capacity assigned to the customer having been exceeded.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
- - 17. The network security system of claim 16, wherein the identifier is an Uniform Resource Locator (URL) being used to retrieve the object from an external source.
  - 18. The network security system of claim 16, wherein the detection cloud includes virtual machine provisioning logic and a scheduler that, when executed by hardware circuitry, customizes functionality of the detection cloud by provisioning the one or more virtual machines in accordance with the at least the portion of the ancillary data.
  - 19. The network security system of claim 16, wherein the execution capacity is based, at least in part, on the selected number of software profiles provisioned to concurrently run on the one or more virtual machines.
  - 20. The network security system of claim 16, wherein the security network device includes a preliminary analysis engine that parses the network traffic and analyzes information associated with characteristics of the network traffic, the preliminary analysis engine analyzes the information by performing one or more exploit signature checks that include comparing an object against one or more pre-stored exploit signatures.
  - 21. The network security system of claim 16, wherein the customer information includes an Internet Protocol (IP) address of a source of the one or more suspicious objects.
  - 22. The network security system of claim 21, wherein the data representative of the targeted client device includes a hash value of an Internet Protocol (IP) address of the targeted client device.
  - 23. The network security system of claim 16, wherein the detection cloud is a first sub-network of an enterprise network, a second sub-network different than the first sub-network includes the security network device.
  - 24. The network security system of claim 16, wherein the security network device is deployed within an enterprise network and the detection cloud being completely external from the enterprise network.

25. A system comprising:
- a security network device to conduct an analysis on received network traffic to detect a suspicious object associated with the network traffic, determine an identifier associated with a source of the suspicious object, and upload both (i) information associated with the suspicious object and (ii) ancillary data including information that identifies a return path for analysis results to a customer; and
  
  a detection cloud including a hardware controller, alert generation logic, provisioning logic and one or more virtual machines that are provisioned by the provisioning logic in accordance with at least a portion of the ancillary data, whereinthe provisioning logic, when processed by the hardware controller, to customize functionality of the detection cloud by provisioning the one or more virtual machines that includes selecting a number of software profiles for use by the one or more virtual machines based, at least in part, on at least a portion of the ancillary data, the one or more virtual machines to process the suspicious object and determine whether the suspicious object is facilitating communications with a website that are associated with a malicious attack, andthe alert generation logic, when processed by the hardware controller, generates a message to alert the customer to alter a subscription level of the customer to increase a capacity for the customer in executing suspicious objects including the suspicious object by the detection cloud in response to receiving a message from the virtual machine provisioning logic that the execution capacity has been exceeded.
- View Dependent Claims (26, 27)
- - 26. The system of claim 25, wherein the execution capacity is based, at least in part, on the selected number of software profiles provisioned to concurrently run on the one or more virtual machines.
  - 27. The system of claim 25, wherein the hardware controller is circuitry having data processing functionality.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Karandikar, Shrikrishna, Deshpande, Shivani, Khalid, Yasir, Amin, Muhammad
Primary Examiner(s)
Okeke, Izunna
Assistant Examiner(s)
Shayanfar, Ali

Application Number

US15/213,306
Time in Patent Office

309 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Network-based malware detection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

737 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Network-based malware detection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

737 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links