System, device and method for detecting a malicious attack based on direct communications between remotely hosted virtual machines and malicious web servers

US 9,838,408 B1
Filed: 05/19/2017
Issued: 12/05/2017
Est. Priority Date: 06/26/2014
Status: Active Grant

First Claim

Patent Images

1. A network security system comprising:

a security network device to conduct an analysis on network traffic, the analysis on the network traffic includes detecting a suspicious object associated with the network traffic and determining information associated with the suspicious object, the security network device further uploading (i) the information associated with the suspicious object, and (ii) ancillary data including information that identifies a customer associated with the security network device; and

a detection cloud including (i) one or more virtual machines that are provisioned in accordance with at least a portion of the uploaded ancillary data to customize functionality of the detection cloud for analysis of the suspicious object to determine whether the suspicious object is part of a malicious attack, and (ii) alert generation logic that generates a message to request a change of a subscription to increase either a processing or storage capacity allocated for the customer upon a determination that the processing or storage capacity associated with the one or more virtual machines is approaching or has reached a maximum capacity level as provided by the subscription.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an embodiment, a system, device and method for detecting a malicious attack is described. Herein, the system includes a security network device that conducts an analysis on received network traffic to detect a suspicious object associated with the network traffic and determine an identifier associated with a source of the suspicious object. Information associated with the suspicious object and/or ancillary data, including information that identifies a return path for analysis results to a customer, are uploaded to a detection cloud. The detection cloud includes provisioning logic and one or more virtual machines that are provisioned by the provisioning logic in accordance with at least a portion of the ancillary data. The provisioning logic to customize functionality of the detection cloud for a specific customer.

731 Citations

55 Claims

1. A network security system comprising:
- a security network device to conduct an analysis on network traffic, the analysis on the network traffic includes detecting a suspicious object associated with the network traffic and determining information associated with the suspicious object, the security network device further uploading (i) the information associated with the suspicious object, and (ii) ancillary data including information that identifies a customer associated with the security network device; and
  
  a detection cloud including (i) one or more virtual machines that are provisioned in accordance with at least a portion of the uploaded ancillary data to customize functionality of the detection cloud for analysis of the suspicious object to determine whether the suspicious object is part of a malicious attack, and (ii) alert generation logic that generates a message to request a change of a subscription to increase either a processing or storage capacity allocated for the customer upon a determination that the processing or storage capacity associated with the one or more virtual machines is approaching or has reached a maximum capacity level as provided by the subscription.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The network security system of claim 1, wherein the information associated with the suspicious object includes an identifier being an Uniform Resource Locator (URL) being used to retrieve the suspicious object from an external source.
  - 3. The network security system of claim 1, wherein the ancillary data including the information that is used to identify a path for analysis results to the customer via the security network device that is part of an enterprise network.
  - 4. The network security system of claim 1, wherein the information that identifies the customer being part of the ancillary data includes a customer identification that is used to select a number of software profiles and one or more types of the software profiles for provisioning the one or more virtual machines.
  - 5. The network security system of claim 1, wherein the information that identifies the customer being part of the ancillary data includes information that indicates software profiles for provisioning the one or more virtual machines.
  - 6. The network security system of claim 1, wherein the detection cloud is customized by (i) setting the one or more virtual machines to a plurality of virtual machines less than or equal to a maximum number of simultaneous virtual machines allowed to run in the detection cloud for the customer and (ii) selecting a type or types of software profiles for use by the one or more virtual machines.
  - 7. The network security system of claim 1, wherein the detection cloud includes virtual machine provisioning logic and a scheduler that, when executed by hardware circuitry, customizes functionality of the detection cloud by provisioning the one or more virtual machines in accordance with the subscription purchased by the customer.
  - 8. The network security system of claim 1, wherein the detection cloud includes virtual machine provisioning logic and a scheduler that, based on at least the portion of ancillary data, further customizes the functionality of the detection cloud through provisioning of the one or more virtual machines by selecting a number of software profiles in accordance with a preference of the customer.
  - 9. The network security system of claim 1, wherein the alert generation logic of the detection cloud generates the message to the customer to increase the processing capacity associated with the subscription of the customer upon the determination that the processing capacity of the one or more virtual machines has been exceeded.
  - 10. The network security system of claim 1, wherein the security network device is a mobile device that includes a preliminary analysis engine that parses the network traffic and analyzes information associated with characteristics of the network traffic, the preliminary analysis engine analyzes the information by performing one or more signature checks that include comparing an object against one or more pre-stored signatures.
  - 11. The network security system of claim 1, wherein the information that identifies the customer associated with the security network device includes an Internet Protocol (IP) address of a network device being targeted by the network traffic including the suspicious object.
  - 12. The network security system of claim 1, wherein the security network device includes a preliminary analysis engine that parses the network traffic and analyzes information associated with characteristics of the network traffic, the preliminary analysis engine analyzes the information by performing an analysis of messaging practices of a communication protocol used by the network traffic to uncover deviations in the messaging practices.
  - 13. The network security system of claim 1, wherein the detection cloud is a first sub-network of an enterprise network, a second sub-network different than the first sub-network includes the security network device.
  - 14. The network security system of claim 1, wherein the security network device is deployed within an enterprise network and the detection cloud being situated at a geographic location remotely located from the enterprise network.
  - 15. The network security system of claim 1, wherein the detection cloud further includes a reputation logic that selects software profiles that are more susceptible to attack given an origin of the network traffic.
  - 16. The network security system of claim 15, wherein the reputation logic is further configured to detect, using blacklists, whether the suspicious object are malicious or, using whitelists, whether the suspicious object is not malicious.
  - 17. The network security system of claim 1, wherein the information that identifies the customer comprises at least one of a customer identifier and a device address of the customer.
  - 18. The network security system of claim 1 further comprising a customer portal, via which the customer associated with the security network device is able to select a configuration of the one or more software profiles for the one or more virtual machines, including one or more types or versions of operating systems and applications supported by and available to execution logic.
  - 19. The network security system of claim 1, wherein the detection cloud further comprises execration logic responsive to customer selected configurations via a customer portal to provision the one or more virtual machines with types or versions of operating systems and applications.
  - 20. The network security system of claim 1, wherein the detection cloud further comprises execution logic to process the suspicious object and capture behaviors during processing of the suspicious object to determine whether the suspicious object is associated with a malicious attack, and cause a result of the determination of a malicious attack to be sent as an alert message to the customer.
  - 21. The network security system of claim 20, wherein the alert message is sent to the customer via the network security device.
  - 22. The network security system of claim 1, wherein the processing or storage capacity comprises a capacity of the one or more virtual machines.
  - 23. The network security system of claim 22, wherein the capacity of the one or more virtual machines comprises a number of virtual machines of the one or more virtual machines operating at the same time.

24. A network security system comprising:
- a security network device to conduct an analysis on network traffic, the analysis on the network traffic includes detecting one or more suspicious objects associated with the network traffic and determining an identifier associated with the one or more suspicious objects, the security network device further uploading (i) the identifier and (ii) ancillary data including a customer identification that includes information identifying a customer associated with the security network device and data representative of a targeted client device; and
  
  a detection cloud including one or more virtual machines that are provisioned in accordance with at least a portion of the uploaded ancillary data to customize functionality of the detection cloud for each customer by (i) setting the one or more virtual machines to a number of virtual machines that are assigned to the customer identified by the customer identification and (ii) selecting a type or types of software profiles for use by the one or more virtual machines,wherein the detection cloud further comprises alert generation logic that generates a message to request a change of a subscription to increase either a processing capacity or a storage capacity allocated for the customer by the one or more virtual machines upon a determination that the processing or storage capacity associated with the one or more virtual machines is approaching or has reached a maximum capacity level as provided by the subscription.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 25. The network security system of claim 24, wherein the identifier is an Uniform Resource Locator (URL) being used to retrieve the one or more suspicious objects from an external source.
  - 26. The network security system of claim 24, wherein the detection cloud includes virtual machine provisioning logic and a scheduler that, when executed by hardware circuitry, customizes functionality of the detection cloud by provisioning the one or more virtual machines in accordance with the subscription as paid by the customer.
  - 27. The network security system of claim 26, wherein the virtual machine provisioning logic and the scheduler, based on at least the portion of uploaded ancillary data, further customizes the functionality of the detection cloud through provisioning of the one or more virtual machines by selecting a number of software profiles in accordance with a preference of the customer for use by the one or more virtual machines.
  - 28. The network security system of claim 24, wherein the security network device includes a preliminary analysis engine that parses the network traffic and analyzes information associated with characteristics of the network traffic, the preliminary analysis engine analyzes the information by performing one or more signature checks that include comparing an object against one or more pre-stored signatures.
  - 29. The network security system of claim 24, wherein the customer information includes an Internet Protocol (IP) address of network device being targeted by the network traffic including the one or more suspicious objects.
  - 30. The network security system of claim 24, wherein the data representative of the targeted client device includes a hash value of an Internet Protocol (IP) address of the targeted client device.
  - 31. The network security system of claim 24, wherein the detection cloud is a first sub-network of an enterprise network, a second sub-network different than the first sub-network includes the security network device.
  - 32. The network security system of claim 24, wherein the security network device is deployed within an enterprise network and the detection cloud being situated at a geographic location remotely located from the enterprise network.
  - 33. The network security system of claim 24 further comprising a customer portal, via which the customer associated with the security network device is able to select a configuration of one or more software profiles for the one or more virtual machines, including one or more types or versions of operating systems and applications supported by and available to execution logic operating within the detection cloud.
  - 34. The network security system of claim 24, wherein the detection cloud further comprises execution logic responsive to customer selected configurations via a customer portal to provision the one or more virtual machines with types or versions of operating systems and applications.
  - 35. The network security system of claim 24, wherein the detection cloud further comprises execution logic to process the suspicious object and capture behaviors during processing of the suspicious object to determine whether the suspicious object is associated with a malicious attack, and cause a result of the determination of a malicious attack to be sent as an alert message to the customer.
  - 36. The network security system of claim 35, wherein the alert message is sent to the customer via the network security device.
  - 37. The network security system of claim 24, wherein the processing capacity or the storage capacity comprises a capacity of the one or more virtual machines.

38. A system comprising:
- a security network device to conduct an analysis on received network traffic to detect a suspicious object associated with the network traffic, determine an identifier associated with a source of the suspicious object, and upload (i) information associated with the suspicious object, and (ii) ancillary data including information that identifies a customer associated with the security network device; and
  
  a detection cloud including provisioning logic and one or more virtual machines that are provisioned by the provisioning logic in accordance with at least a portion of the uploaded ancillary data, the provisioning logic to customize functionality of the detection cloud for a specific customer for analysis of the suspicious object to determine whether the suspicious object is part of a malicious attack, the detection cloud further comprises alert generation logic that generates a message to the customer to increase processing capacity associated with a subscription of the customer upon a determination that a processing capacity associated with the one or more virtual machines is approaching or has reached a maximum capacity level as provided by the subscription.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 39. The network security system of claim 38, wherein the information associated with the suspicious object includes an identifier being an Uniform Resource Locator (URL) being used to retrieve the suspicious object from an external source.
  - 40. The network security system of claim 38, wherein the uploaded ancillary data including a hash value for an address of a client device targeted by the network traffic including the suspicious object.
  - 41. The network security system of claim 40, wherein the address is an Internet Protocol (IP) address of the client device.
  - 42. The network security system of claim 38, wherein the provisioning logic provisions the one or more virtual machines by selecting types and a prescribed number of software profiles based on a preference of the customer identified by the uploaded ancillary data.
  - 43. The network security system of claim 38, wherein the uploaded ancillary data includes information that indicates software profiles for provisioning the one or more virtual machines.
  - 44. The network security system of claim 38, wherein the detection cloud is customized by (i) setting the one or more virtual machines to a plurality of virtual machines less than or equal to a maximum number of simultaneous virtual machines allowed to run in the detection cloud for the customer and (ii) selecting a type or types of software profiles for use by the one or more virtual machines.
  - 45. The network security system of claim 38, wherein the security network device is a mobile device that includes a preliminary analysis engine that parses the network traffic and analyzes information associated with characteristics of the network traffic, the preliminary analysis engine analyzes the information by performing one or more signature checks that include comparing an object against one or more pre-stored signatures.
  - 46. The network security system of claim 38, wherein the security network device includes a preliminary analysis engine that parses the network traffic and analyzes information associated with characteristics of the network traffic, the preliminary analysis engine analyzes the information by performing an analysis of messaging practices of a communication protocol used by the network traffic to uncover deviations in the messaging practices.
  - 47. The network security system of claim 38, wherein the detection cloud is a first sub-network of an enterprise network, a second sub-network different than the first sub-network includes the security network device.
  - 48. The network security system of claim 38, wherein the security network device is deployed within an enterprise network and the detection cloud is geographically located remotely from the enterprise network operating as a private network.
  - 49. The network security system of claim 38, wherein the detection cloud further includes a scheduler and reputation logic that collectively operate to selects software profiles that are more susceptible to attack given an origin of the network traffic.
  - 50. The network security system of claim 38, wherein the processing capacity comprises a capacity of the one or more virtual machines.
  - 51. The network security system of claim 38, wherein the processing capacity comprises an analysis capacity of the detection cloud.
  - 52. The network security system of claim 38 further comprising a customer portal, via which the customer associated with the security network device is able to select a configuration of the one or more software profiles for the one or more virtual machines, including one or more types or versions of operating systems and applications supported by and available to logic within the detection cloud.
  - 53. The network security system of claim 52, wherein the provisioning logic further comprises execution logic responsive to the customer selected configurations to provision the one or more virtual machines with types or versions of operating systems and applications.
  - 54. The network security system of claim 38, wherein the detection cloud further comprises execution logic to process the suspicious object and capture behaviors during processing of the suspicious object to determine whether the suspicious object is associated with a malicious attack, and cause a result of the determination of a malicious attack to be sent as an alert message to the customer.
  - 55. The network security system of claim 54, wherein the alert message is sent to the customer via the network security device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Karandikar, Shrikrishna, Amin, Muhammad, Deshpande, Shivani, Khalid, Yasir
Primary Examiner(s)
Shayanfar, Ali

Application Number

US15/600,320
Time in Patent Office

200 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

System, device and method for detecting a malicious attack based on direct communications between remotely hosted virtual machines and malicious web servers

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

731 Citations

55 Claims

Specification

Use Cases

Quick Links

Others

System, device and method for detecting a malicious attack based on direct communications between remotely hosted virtual machines and malicious web servers

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

731 Citations

55 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others