Network-based malware detection
First Claim
1. A network security system comprising:
- a security network device to conduct an analysis on network traffic, the analysis on the network traffic includes detecting at least one suspicious object associated with the network traffic and determining an identifier associated with a suspicious object of the at least one suspicious object, the security network device further uploading both (i) the identifier associated with the suspicious object and (ii) ancillary data including information that identifies a return address for analysis results to a customer; and
a detection cloud that comprisesvirtual machine provisioning logic and a scheduler being software that, when executed by hardware circuitry, customizes functionality of the detection cloud by provisioning one or more virtual machines by selecting a number of software profiles for use by the one or more virtual machines based, at least in part, on the suspicious object or at least a portion of the ancillary data, the one or more virtual machines to execute the suspicious object and determine whether the suspicious object is facilitating communications with a website that is associated with a malicious attack, andalert generation logic being software that, when executed by hardware circuitry and upon receiving a message from the virtual machine provisioning logic that a capacity for executing the at least one suspicious object by the detection cloud pursuant to a subscription level has been exceeded, generates a message to alert the customer to alter the execution capacity.
5 Assignments
0 Petitions
Accused Products
Abstract
In an embodiment, a system, device and method for detecting a malicious attack is described. Herein, the system includes a security network device that conducts an analysis on received network traffic to detect a suspicious object associated with the network traffic and determine an identifier associated with a source of the suspicious object. Both information associated with the suspicious object and ancillary data, including information that identifies a return path for analysis results to a customer, are uploaded to a detection cloud. The detection cloud includes provisioning logic and one or more virtual machines that are provisioned by the provisioning logic in accordance with at least a portion of the ancillary data. The provisioning logic to customize functionality of the detection cloud for a specific customer.
737 Citations
27 Claims
-
1. A network security system comprising:
-
a security network device to conduct an analysis on network traffic, the analysis on the network traffic includes detecting at least one suspicious object associated with the network traffic and determining an identifier associated with a suspicious object of the at least one suspicious object, the security network device further uploading both (i) the identifier associated with the suspicious object and (ii) ancillary data including information that identifies a return address for analysis results to a customer; and a detection cloud that comprises virtual machine provisioning logic and a scheduler being software that, when executed by hardware circuitry, customizes functionality of the detection cloud by provisioning one or more virtual machines by selecting a number of software profiles for use by the one or more virtual machines based, at least in part, on the suspicious object or at least a portion of the ancillary data, the one or more virtual machines to execute the suspicious object and determine whether the suspicious object is facilitating communications with a website that is associated with a malicious attack, and alert generation logic being software that, when executed by hardware circuitry and upon receiving a message from the virtual machine provisioning logic that a capacity for executing the at least one suspicious object by the detection cloud pursuant to a subscription level has been exceeded, generates a message to alert the customer to alter the execution capacity. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
-
-
16. A network security system comprising:
-
a security network device to conduct an analysis on network traffic, the analysis on the network traffic includes detecting one or more suspicious objects associated with the network traffic and determining an identifier associated with the one or more suspicious objects, the security network device further uploading both (i) the identifier and (ii) ancillary data including a customer identification that includes information identifying a customer associated with the security network device and data representative of a targeted client device; and a detection cloud including one or more virtual machines that are provisioned in accordance with at least a portion of the ancillary data to customize functionality of the detection cloud for each customer by (i) setting the one or more virtual machines to a number of virtual machines that are assigned to the customer identified by the customer identification, (ii) selecting a number of software profiles, including a type or types of software profiles, for use by the one or more virtual machines, and (iii) generating a message to alert the customer to alter its subscription to increase a capacity in executing suspicious objects by the detection cloud for the customer in response to the execution capacity assigned to the customer having been exceeded. - View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
-
-
25. A system comprising:
-
a security network device to conduct an analysis on received network traffic to detect a suspicious object associated with the network traffic, determine an identifier associated with a source of the suspicious object, and upload both (i) information associated with the suspicious object and (ii) ancillary data including information that identifies a return path for analysis results to a customer; and a detection cloud including a hardware controller, alert generation logic, provisioning logic and one or more virtual machines that are provisioned by the provisioning logic in accordance with at least a portion of the ancillary data, wherein the provisioning logic, when processed by the hardware controller, to customize functionality of the detection cloud by provisioning the one or more virtual machines that includes selecting a number of software profiles for use by the one or more virtual machines based, at least in part, on at least a portion of the ancillary data, the one or more virtual machines to process the suspicious object and determine whether the suspicious object is facilitating communications with a website that are associated with a malicious attack, and the alert generation logic, when processed by the hardware controller, generates a message to alert the customer to alter a subscription level of the customer to increase a capacity for the customer in executing suspicious objects including the suspicious object by the detection cloud in response to receiving a message from the virtual machine provisioning logic that the execution capacity has been exceeded. - View Dependent Claims (26, 27)
-
Specification