System and method for offloading packet processing and static analysis operations

US 9,787,700 B1
Filed: 03/06/2017
Issued: 10/10/2017
Est. Priority Date: 03/28/2014
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

analysis circuitry including a first processing unit and a first memory communicatively coupled to the first processing unit, the first memory including a filtering logic configured to receive a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as objects of interest, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects; and

detection circuitry communicatively coupled to and remotely located from the analysis circuitry, the detection circuitry includes (i) a second processing unit being different from the first processing unit and (ii) a second memory communicatively coupled to the second processing unit, the second memory including a virtual execution logic to process content within at least a first object of the second plurality of objects, the virtual execution logic being further configured to monitor for behaviors, during the processing of the first object, and determine whether any of the monitored behaviors correspond to activities indicative that the first object is associated with a malicious attack.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a system features analysis circuitry and detection circuitry. The analysis circuitry features a first processing unit and a first memory that includes a filtering logic configured to produce a second plurality of objects from a received first plurality of objects. The second plurality of objects is a subset of the first plurality of objects. The detection circuitry is communicatively coupled to and remotely located from the analysis circuitry. The detection circuitry includes a second processing unit and a second memory. The second memory includes a virtual execution logic to process content within at least a first object of the second plurality of objects. The virtual execution logic is configured to monitor for behaviors, during the processing of the first object, and determine whether any or all of the monitored behaviors correspond to activities indicative that the first object is associated with a malicious attack.

Citations

22 Claims

1. A system, comprising:
- analysis circuitry including a first processing unit and a first memory communicatively coupled to the first processing unit, the first memory including a filtering logic configured to receive a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as objects of interest, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects; and
  
  detection circuitry communicatively coupled to and remotely located from the analysis circuitry, the detection circuitry includes (i) a second processing unit being different from the first processing unit and (ii) a second memory communicatively coupled to the second processing unit, the second memory including a virtual execution logic to process content within at least a first object of the second plurality of objects, the virtual execution logic being further configured to monitor for behaviors, during the processing of the first object, and determine whether any of the monitored behaviors correspond to activities indicative that the first object is associated with a malicious attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the second memory further comprising reporting logic that, when executed by the second processing unit, transmits an alert message to a network administrator, user, or another entity in response to detection of the first object being associated with a malicious attack.
  - 3. The system of claim 1, wherein the analysis circuitry and the detection circuitry are implemented within a single electronic device.
  - 4. The system of claim 1, wherein the first memory of the analysis circuitry further includes a static analysis logic configured to determine, when executed by the first processing unit, whether at least the first object of the second plurality of objects includes one or more characteristics associated with a malicious attack.
  - 5. The system of claim 4, wherein the static analysis logic to perform one or more exploit signature checks that include a comparison of one or more pre-stored exploit signatures to content of the first object.
  - 6. The system of claim 4, wherein the static analysis logic to perform an heuristic analysis that analyzes the first object using metadata or attributes of the first object to determine whether a certain portion of the first object has characteristics that suggest the first object is associated with a malicious attack.
  - 7. The system of claim 1, wherein the filtering logic is further configured to identify a first subset of the second plurality of objects that comprise characteristics indicative of a network communication protocol.
  - 8. The system of claim 1, wherein the filtering logic is further configured to identify a second subset of the second plurality of objects that comprise characteristics indicative of a presence of a binary or a third subset of the second plurality of objects that comprise characteristics indicative of a presence of domain name system (DNS) traffic or a fourth subset of the second plurality of objects that comprise call-back characteristics indicative of a presence of a call to an external server.
  - 9. The system of claim 1, wherein the analysis circuitry includes a network interface card that comprises a substrate that communicatively couples the first processing unit to the first memory.
  - 10. The system of claim 1, wherein the virtual execution logic includes at least one virtual machine that is configured to process the content within at least the first object of the second plurality of objects.

11. A system, comprising:
- analysis circuitry including a first processing unit and a first memory communicatively couple to the first processing unit, the first memory including a static analysis logic that, when executed by the first processing unit, determines whether at least the first object of a plurality of objects includes one or more characteristics associated with a malicious attack; and
  
  detection circuitry communicatively coupled to and remotely located from the analysis circuitry, the detection circuitry includes a second processing unit being different from the first processing unit and a second memory communicatively coupled to the second processing unit, the second memory including a virtual execution logic that, when executed by the second processing unit, processes at least the first object of the plurality of objects and monitors for behaviors during the processing of the first object that suggests the first object is associated with a malicious attack.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein the second memory further comprising reporting logic that, when executed by the second processing unit, transmits an alert message to a network administrator, user, or another entity in response to detection of the first object being associated with a malicious attack.
  - 13. The system of claim 11, wherein the static analysis logic to perform one or more exploit signature checks that include a comparison of one or more pre-stored exploit signatures to content of the first object.
  - 14. The system of claim 11, wherein the static analysis logic to perform an heuristic analysis that analyzes the first object using metadata or attributes of the first object to determine whether a certain portion of the first object has characteristics that suggest the first object is associated with a malicious attack.
  - 15. The system of claim 11, wherein the analysis circuitry and the detection circuitry are implemented within a single electronic device.
  - 16. The system of claim 11, wherein the first memory of the analysis circuitry further includes a filtering logic that, when executed by the first processing unit, filters a second plurality of objects by identifying the plurality of objects as objects of interest, the plurality of objects being a subset of the second plurality of objects and being lesser or equal in number to the second plurality of objects.
  - 17. The system of claim 16, wherein the filtering logic is further configured to identify a first subset of the plurality of objects that comprise characteristics indicative of a network communication protocol.
  - 18. The system of claim 16, wherein the filtering logic is further configured to identify a second subset of the plurality of objects that comprise characteristics indicative of a presence of a binary or a third subset of the plurality of objects that comprise characteristics indicative of a presence of domain name system (DNS) traffic or a fourth subset of the plurality of objects that comprise call-back characteristics indicative of a presence of a call to an external server.
  - 19. The system of claim 11, wherein the virtual execution logic includes at least one virtual machine that is configured to process the first object of the plurality of objects.

20. A computerized method comprising:
- receiving network traffic by analysis circuitry that extracts one or more objects from the network traffic;
  
  performing an analysis, by the analysis circuitry, on each of the one or more objects to determine whether at least a first object of the one or more objects has characteristics associated with a malicious attack;
  
  transmitting information associated with the object to detection circuitry remotely located from the analysis circuitry via a transmission medium; and
  
  subsequent to the transmitting of the information associated with the object to the detection circuitry, performing a virtual analysis of the information associated with the object by the detection circuitry, the virtual analysis includes monitoring for behaviors during execution of the object that identify the object is associated with a malicious attack, the virtual analysis being conducted by the detection circuitry being separate from the analysis circuitry.
- View Dependent Claims (21, 22)
- - 21. The method of claim 20, wherein the performing of the analysis by the analysis circuitry includes (i) performing one or more exploit signature checks that include a comparison of one or more pre-stored exploit signatures to content of the object or (ii) performing an heuristic analysis that analyzes the object using metadata or attributes of the object to determine whether a certain portion of the object has characteristics that suggest the object is associated with a malicious attack.
  - 22. The method of claim 20, wherein the performing of the virtual analysis is conducted by at least one virtual machine executed by a processing unit being part of the detection circuitry, the at least one virtual machine being configured with a software profile based on meta information that is part of the information associated with the object that is transmitted from the analysis circuitry to the detection circuitry.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Amin, Muhammad, Mehmood, Masood, Ramaswamy, Ramaswamy, Challa, Madhusudan, Karandikar, Shrikrishna
Primary Examiner(s)
Smithers, Matthew

Application Number

US15/451,243
Time in Patent Office

218 Days
Field of Search
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 67/01   Protocols

System and method for offloading packet processing and static analysis operations

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for offloading packet processing and static analysis operations

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links