System and method for detecting anomalous behaviors using a virtual machine environment
5 Assignments
0 Petitions
Abstract
A network device for detecting malware is described. The network device features a memory storage device and a controller. The controller operates in cooperation with one or more virtual machines that are based on software modules stored within the memory storage device. The controller is configured to (i) monitor behaviors of at least a first virtual machine of the one or more virtual machines processing data received over a network, (ii) identify at least one anomalous behavior that includes either a communication anomaly or an execution anomaly, and (iii) detect, based on the identified at least one anomalous behavior, a presence of malware in the first virtual machine in response to identifying the at least one anomalous behavior.
708 Citations
26 Claims
1. A network device comprising:
a memory storage device; and a hardware controller operating in cooperation with one or more virtual machines that are based on software modules stored within the memory storage device, the hardware controller to (i) select an orchestration pattern based on a type of data received over a network for analysis, the orchestration pattern identifies at least one or more ports accessible by at least a first virtual machine of the one or more virtual machines during processing of the data and coordinates network activities by the one or more virtual machines based on the selected orchestration pattern, (ii) monitor behaviors of at least the first virtual machine of the one or more virtual machines processing data received over the network, (iii) identify at least one anomalous behavior that includes either a communication anomaly or an execution anomaly, and (iv) detect, based on the identified at least one anomalous behavior, a presence of malware in the first virtual machine in response to identifying the at least one anomalous behavior that includes one or more accesses of a port other than the one or more ports identified by the orchestration pattern.
Dependent claims: 2, 3, 4, 5, 6, 7, 16

8. A system comprising:
a traffic analysis device configured to receive data over a communication network and identify a type of data received over the communication network; and a network device in communication with the traffic analysis device, the network device comprises a memory, and a controller being one or more software modules contained in the memory and, when executed, operates in cooperation with one or more virtual machines that are based on software modules stored within the memory, the controller to (i) select an orchestration pattern, based on the type of data identified by the traffic analysis device, that identifies at least one or more ports accessible by the one or more virtual machines during processing of the data and coordinates network activities by the one or more virtual machines based on the selected orchestration pattern, (ii) monitor behaviors of at least a first virtual machine of the one or more virtual machines processing the data received from the traffic analysis device, (iii) identify at least one anomalous behavior that includes either a communication anomaly or an execution anomaly, and (iv) detect, based on the identified at least one anomalous behavior, a presence of malware in the first virtual machine in response to identifying the at least one anomalous behavior that includes one or more accesses of a port other than the one or more ports identified by the orchestration pattern.
Dependent claims: 9, 10, 11, 12, 13, 14, 15

17. A system comprising:
a hardware traffic analysis device configured to receive data over a communication network and to selectively filter the data and output a first portion of the data received over the communication network; and a network device in communication with the hardware traffic analysis device, the network device comprises a memory storage device, and a hardware controller operating in cooperation with one or more virtual machines that are based on software modules stored within the memory storage device, the hardware controller to (i) select an orchestration pattern that is based on a type of the data received over the communication network and identifies at least one or more ports accessible by at least a first virtual machine of the one or more virtual machines during processing of the data and coordinates network activities by the one or more virtual machines based on the selected orchestration pattern, (ii) monitor behaviors of at least the first virtual machine of the one or more virtual machines processing the first portion of the data received as output from the traffic analysis device, (iii) identify at least one anomalous behavior that is part of the monitored behaviors as either a communication anomaly or an execution anomaly, and (iv) detect, based on the identified at least one anomalous behavior, a presence of malware in the first virtual machine in response to identifying the at least one anomalous behavior that includes one or more accesses of a port other than the one or more ports identified by the orchestration pattern.
Dependent claims: 18, 19

20. A network device comprising:
a memory including one or more virtual machines; and a controller operating in cooperation with one or more virtual machines that are based on software modules stored within the memory, the controller to (i) select an orchestration pattern based on a type of data received over a network for analysis, the orchestration pattern identifies at least one or more ports accessible by at least a first virtual machine of the one or more virtual machines during processing of the data and coordinates network activities by the one or more virtual machines based on the selected orchestration pattern, (ii) monitor behaviors of at least the first virtual machine of the one or more virtual machines processing data received over the network, (iii) identify at least one anomalous behavior that includes either a communication anomaly or an execution anomaly, and (iv) detect, based on the identified at least one anomalous behavior, a presence of malware in the first virtual machine in response to identifying the at least one anomalous behavior that includes one or more accesses of a port other than the one or more ports identified by the orchestration pattern.
Dependent claims: 21, 22, 23, 24, 25, 26
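As an added illustration (not code from the patent, its assignee, or any product), the following Python models the flow the independent claims describe: a traffic analysis step identifies the type of received data, an orchestration pattern selected for that type lists the ports the sandbox virtual machine may access while processing it, and a monitor flags any access to a port outside that list as a communication anomaly, which in turn yields the malware verdict. The data types, port sets, magic-byte classification rules, VM images and event format are assumptions made for this example; the claims only state that a pattern identifies accessible ports and coordinates the VM's network activity.

```python
from dataclasses import dataclass, field

# Orchestration patterns keyed by data type. The port sets and VM images are
# values assumed for this example, not taken from the patent.
ORCHESTRATION_PATTERNS = {
    "http":       {"allowed_ports": {80, 443},      "vm_image": "browser-vm"},
    "pdf":        {"allowed_ports": {80, 443},      "vm_image": "reader-vm"},
    "email":      {"allowed_ports": {25, 587, 993}, "vm_image": "mail-vm"},
    "executable": {"allowed_ports": set(),          "vm_image": "bare-vm"},
}


def classify_data(payload: bytes) -> str:
    """Role of the traffic analysis device: identify the type of received data.
    The magic-byte rules are a simplification assumed for the example."""
    if payload.startswith(b"MZ"):
        return "executable"
    if payload.startswith(b"%PDF"):
        return "pdf"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HTTP/1.1"):
        return "http"
    if payload.startswith((b"From:", b"Received:")):
        return "email"
    return "unknown"


def select_orchestration_pattern(data_type: str) -> dict:
    """Pick the pattern for the data type. Unknown types are refused rather
    than defaulting to an unrestricted network, so the monitor never runs
    without a port list to compare against."""
    if data_type not in ORCHESTRATION_PATTERNS:
        raise ValueError(f"no orchestration pattern for data type {data_type!r}")
    return ORCHESTRATION_PATTERNS[data_type]


@dataclass(frozen=True)
class NetworkEvent:
    """One network access observed from a virtual machine (constructed format)."""
    vm_id: str
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass
class Verdict:
    vm_id: str
    data_type: str
    anomalies: list = field(default_factory=list)

    @property
    def malware_detected(self) -> bool:
        # The claims tie the malware verdict to at least one identified anomaly.
        return bool(self.anomalies)


def monitor_vm(vm_id: str, payload: bytes, events) -> Verdict:
    """Classify the data, select its orchestration pattern, and record every
    port access outside that pattern as a communication anomaly."""
    data_type = classify_data(payload)
    pattern = select_orchestration_pattern(data_type)
    verdict = Verdict(vm_id=vm_id, data_type=data_type)
    for ev in events:
        if ev.vm_id != vm_id:
            continue  # events from other VMs belong to their own verdicts
        if ev.dst_port not in pattern["allowed_ports"]:
            verdict.anomalies.append(
                f"communication anomaly: {ev.proto} to port {ev.dst_port} "
                f"not permitted by the {data_type!r} orchestration pattern")
    return verdict


# Constructed sample: vm-1 processes a PDF and only touches pattern ports;
# vm-2 processes the same PDF but also reaches two ports the pattern never listed.
SAMPLE_PDF = b"%PDF-1.7 constructed sample, not a real document"
SAMPLE_EVENTS = [
    NetworkEvent("vm-1", "tcp", 443),
    NetworkEvent("vm-1", "tcp", 80),
    NetworkEvent("vm-2", "tcp", 443),
    NetworkEvent("vm-2", "tcp", 9001),
    NetworkEvent("vm-2", "udp", 53),
]

if __name__ == "__main__":
    for vm in ("vm-1", "vm-2"):
        v = monitor_vm(vm, SAMPLE_PDF, SAMPLE_EVENTS)
        print(vm, "malware detected" if v.malware_detected else "clean", v.anomalies)
```

The point of keying the allowed-port set to the data type is that the same access can be benign for one input and anomalous for another: a PDF reader fetching over 443 is expected under the pdf pattern, while the executable pattern in this example permits no network activity at all, so any connection from that VM is a finding. Execution anomalies, which the claims mention alongside communication anomalies, are not modelled here because the page does not define them.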
Specification