Modular architecture for analysis database

US 9,787,706 B1
Filed: 09/01/2016
Issued: 10/10/2017
Est. Priority Date: 12/23/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

configuring an analysis database managed by a processor of a node to store object metadata relating to an object received from a network coupled to the node;

organizing the analysis database into a plurality of stages of data structures configured to store the object metadata to perform one of sequential and parallel processing of the stages; and

using queue structures to store action requests configured to invoke actions performed by the stages of the analysis database when one or more dependencies of the stages are satisfied.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A modularized architecture using vertical partitioning of a database is configured to store object metadata and processing results of one or more objects analyzed by a state machine, such as an analysis engine of a malware detection system. The database may include data structures, such as one or more master blocks, state sub-blocks, and state co-tables, as well as state transition queues. The modularized architecture may organize the database as one or more stages of the state machine, such that each stage corresponds to a module of the state machine, wherein the module generates results that are stored in its associated state co-table, which then provides information for a next stage. Each next stage may have a dependency on the one or more prior stages that provide input for execution of the next stage module. Dependency logic associated with each stage may determine whether the dependency is satisfied and, if so, may insert an action request into the state transition queue for the next stage to invoke an action associated with that stage.

138 Citations

20 Claims

1. A method comprising:
- configuring an analysis database managed by a processor of a node to store object metadata relating to an object received from a network coupled to the node;
  
  organizing the analysis database into a plurality of stages of data structures configured to store the object metadata to perform one of sequential and parallel processing of the stages; and
  
  using queue structures to store action requests configured to invoke actions performed by the stages of the analysis database when one or more dependencies of the stages are satisfied.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the actions invoked by the action requests comprise processing of the object by modules of an analysis engine, and wherein each module of the analysis engine corresponds to a stage of the analysis database.
  - 3. The method of claim 2 wherein processing of the object comprises using the object metadata stored in one or more data structures of the stage corresponding to the module of the analysis engine to perform an action on the object in response to an action request stored in a queue structure of the stage.
  - 4. The method claim 3 further comprising recording the object metadata in a sub-block structure and a co-table structure of the stage, wherein the object metadata includes constant information that is initially stored in a memory of the node and thereafter persistently stored on storage devices coupled to the node.
  - 5. The method of claim 1 wherein using the queue structures further comprises storing in the queue structures the object metadata having information that is temporarily stored and thereafter deleted.
  - 6. The method of claim 5 wherein the information includes updates that overwrite the object metadata.
  - 7. The method of claim 1 wherein organizing the analysis database further comprises organizing the analysis database for sequential processing of a first stage and a second stage via dependency logic configured to insert an action request into a queue structure of the second stage upon completion of the processing of the first stage.
  - 8. The method of claim 1 wherein organizing the analysis database further comprises organizing the analysis database for parallel processing of a first stage and a second stage via dependency logic configured to insert one or more action requests into a third stage upon completion of the processing of the first stage and second stage.

9. A system comprising:
- a memory of a node coupled to a network, the memory configured to store an analysis database and one or more processes;
  
  a processor coupled to the memory and adapted to execute the one or more processes, the one or more processes configured to;
  
  configure the analysis database to store object metadata relating to an object received from the network;
  
  organize the analysis database into a plurality of stages of data structures configured to store the object metadata to perform one of sequential and parallel processing of the stages; and
  
  use queue structures to store action requests configured to invoke actions performed by the stages of the analysis database when one or more dependencies of the stages are satisfied.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9 wherein the one or more processes comprise modules of an analysis engine configured to process the object and wherein each module of the analysis engine corresponds to a stage of the analysis database.
  - 11. The system of claim 10 wherein the object metadata is stored in one or more data structures of the stage corresponding to the module of the analysis engine and wherein the corresponding module is configured to perform an action on the object in response to an action request stored in a queue structure of the stage.
  - 12. The system of claim 11 wherein the object metadata is recorded in a sub-block structure and a co-table structure of the stage and, wherein the object metadata includes constant information that is initially stored in the memory and thereafter persistently stored on storage devices coupled to the node.
  - 13. The system of claim 9 wherein the queue structures are further used to store the object metadata having information that is temporarily stored and thereafter deleted.
  - 14. The system of claim 13 wherein the information includes updates that overwrite the object metadata.
  - 15. The system of claim 9 wherein the analysis database is further organized for sequential processing of a first stage and a second stage via dependency logic configured to insert an action request into a queue structure of the second stage upon completion of the processing of the first stage.
  - 16. The system of claim 9 wherein the analysis database is further organized for parallel processing of a first stage and a second stage via dependency logic configured to insert one or more action requests into a third stage upon completion of the processing of the first stage and second stage.

17. A non-transitory computer readable medium having instructions for execution on a central processing unit (CPU) of a node, the program instructions configured to:
- configure an analysis database managed by the CPU of the node to store object metadata relating to an object received from a network coupled to the node;
  
  organize the analysis database into a plurality of stages of data structures configured to store the object metadata to perform one of sequential and parallel processing of the stages; and
  
  use queue structures to store action requests configured to invoke actions performed by the stages of the analysis database when one or more dependencies of the stages are satisfied.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer readable medium of claim 17 wherein the program instructions configured to invoke actions by the action requests include program instructions configured to process the object by modules of an analysis engine, and wherein each module of the analysis engine corresponds to a stage of the analysis database.
  - 19. The non-transitory computer readable medium of claim 17 wherein the program instructions to organize the analysis database further comprises program instructions to organize the analysis database for sequential processing of a first stage and a second stage via dependency logic configured to insert an action request into a queue structure of the second stage upon completion of the processing of the first stage.
  - 20. The non-transitory computer readable medium of claim 17 wherein the program instructions to organize the analysis database further comprises program instructions to organize the analysis database for parallel processing of a first stage and a second stage via dependency logic configured to insert one or more action requests into a third stage upon completion of the processing of the first stage and second stage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Otvagin, Alexander, Kumar, Vineet, Movsesyan, Arsen
Primary Examiner(s)
McNally, Michael S

Application Number

US15/254,902
Time in Patent Office

404 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 16/13   File access structures, e.g...

G06F 16/245   Query processing

G06F 21/00   Security arrangements for p...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Modular architecture for analysis database

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

138 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Modular architecture for analysis database

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

138 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others