Subscriber based protection system

US 9,838,411 B1
Filed: 12/05/2016
Issued: 12/05/2017
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more network devices including a first network device configured to receive a portion of network traffic, the first network device comprises one or more virtual machines that, based on a subscribed protection level, performs operations in response to a processing of the received portion of the analyzed network traffic, the first network device being further configured to (i) monitor behaviors of the one or more virtual machines during processing of the portion of the analyzed network traffic, (ii) detect whether at least a behavior of the behaviors is anomalous, and (iii) generate an identifier for malware being part of the portion of the analyzed network in response to at least the detected behavior; and

a management system communicatively coupled to the one or more network devices, the management system to control a setting of the subscribed protection level for the first network device that controls a frequency of receipt of identifiers associated with analyzed network traffic from a second network device of the one or more network devices by the first network device, the second network device being different from the first network device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system features one or more network devices communicatively coupled to a management system. Configured to receive a portion of the network traffic, a first network device features one or more virtual machines that, based on a subscribed protection level, (i) perform network activities in response to a processing of the received portion of the analyzed network traffic, (ii) monitor behaviors of the one or more virtual machines during processing of the portion of the analyzed network traffic, (iii) determine whether the behaviors are anomalous, and (iv) generate an identifier for the portion of the analyzed network traffic associated with monitored behaviors being anomalous. The management system controls a setting of the protection level for the first network device to alter a frequency of receipt of identifiers associated with analyzed network traffic from a second network device of the one or more network devices different from the first network device.

747 Citations

21 Claims

1. A system comprising:
- one or more network devices including a first network device configured to receive a portion of network traffic, the first network device comprises one or more virtual machines that, based on a subscribed protection level, performs operations in response to a processing of the received portion of the analyzed network traffic, the first network device being further configured to (i) monitor behaviors of the one or more virtual machines during processing of the portion of the analyzed network traffic, (ii) detect whether at least a behavior of the behaviors is anomalous, and (iii) generate an identifier for malware being part of the portion of the analyzed network in response to at least the detected behavior; and
  
  a management system communicatively coupled to the one or more network devices, the management system to control a setting of the subscribed protection level for the first network device that controls a frequency of receipt of identifiers associated with analyzed network traffic from a second network device of the one or more network devices by the first network device, the second network device being different from the first network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the detected behavior corresponds to one of (i) a communication anomaly, including an unexpected network communication performed by the first network device or (ii) an execution anomaly, including an unexpected execution of computer program code.
  - 3. The system of claim 1, wherein the identifier includes a signature of the malware.
  - 4. The system of claim 1, wherein the management system to distribute the identifiers to the first network device in accordance with a first distribution scheme when the first network device is set to a first subscribed protection level and to distribute the identifiers to the first network device in accordance with a second distribution scheme when the first network device is set to a second subscribed protection level, the second subscribed protection level being a lower level than the first subscribed protection level.
  - 5. The system of claim 4, wherein the first distribution scheme includes a distribution of the identifiers once the management system becomes aware of the identifiers while the second distribution scheme is a distribution slower than the distribution of the identifiers once the management system becomes aware of the identifiers.
  - 6. The system of claim 5, wherein the second distribution scheme includes the distribution that is periodic on a temporal basis.
  - 7. The system of claim 1, wherein the management system to control the setting of the subscribed protection level for the first network device to (i) receive the identifiers originating from at least the second network device of the one or more network devices in accordance with a first distribution scheme in response to payment of a first subscription rate or (ii) receive the identifiers originating from at least the second network device of the one or more network devices in accordance with a second distribution scheme in response to payment of a second subscription rate, the first distribution scheme occurring at a faster response time than the second distribution scheme and the first subscription rate being a greater amount of payment than the second subscription rate.
  - 8. The system of claim 1, wherein the management system to control the setting of the subscribed protection level for the first network device by deactivating the first network device in response to a failure to pay a subscription fee or activating the first network device in response to payment of the subscription fee.
  - 9. The system of claim 8, wherein the management system to apply credits to the subscription fee in response to receipt of the identifier originating from the first network device and to subsequently transmit the identifier to another network device of the one or more network devices.
  - 10. The system of claim 1, wherein the management system to receive the identifier from the first network device and distribute the identifier to a computer system for use in disabling operations of malware residing within the computer system.
  - 11. The system of claim 1, wherein the management system to receive one or more repair scripts from the first network device and distribute the one or more repair scripts to a computer system for use in repairing software infected by malware residing in the computer system.

12. A network device adapted for communicative coupling with a management system, the network device comprising:
- one or more virtual machines configured to perform operations in response to a processing of a portion of received network traffic; and
  
  a controller device communicatively coupled to the one or more virtual machines, the controller device to (i) monitor behaviors of the one or more virtual machines during processing of the portion of the received network traffic and (ii) determine, based on the monitored behaviors, whether a first computer system communicatively coupled to the network device is subject to an attack,wherein a level of service provided by the network device in protecting a network including at least the first computer system against the attack is set by the management system based on a selected subscription rate for the network device, the selected subscription rate controls a frequency in receipt of identifiers associated with malware detected by a second network device different than the network device.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The network device of claim 12, wherein the selected subscription rate is based on a size of the network being protected by the network device, the size being determined based on a number of computer systems including the first computer system within the network.
  - 14. The network device of claim 13, the management system being configured to allow a subscriber of a plurality of subscribers to obtain different levels of service in protecting computer systems associated with the subscriber, each of the plurality of subscribers having a subscriber account managed by the management system.
  - 15. The network device of claim 12, wherein the management system to control a setting of the level of service for the network device that alters the frequency of receipt of identifiers, each of the identifiers includes a signature or a vector associated with a detected malware.
  - 16. The network device of claim 15, wherein the controller to further generate one or more identifiers for transmission to the management system, the one or more identifiers being distributed by the management system to the second network device.
  - 17. The network device of claim 12, wherein the controller to generate one or more repair scripts for transmission to the management system that initiates a repair of software infected by malware residing in the first computer system.
  - 18. The network device of claim 12, wherein the controller to generate an identifier for the portion of the received network traffic associated with the monitored behaviors that identify that the first computer system communicatively coupled to the network device is subject to the attack.

19. A system for detecting and blocking malware, comprising:
- a network that comprises a plurality of computer systems including a first computer system;
  
  a network device including one or more virtual machines configured to perform operations during processing of a portion of received network traffic and a controller, communicatively coupled to the one or more virtual machines, to (i) monitor behaviors of the one or more virtual machines during processing of the portion of the received network traffic and (ii) determine, based on the monitored behaviors, whether the first computer system that is part of the network is subject to an attack; and
  
  a management system communicatively coupled to the network device, the management system to continue to provide a level of protection that includes continued activation of the network device in processing a second portion of the received network traffic received subsequent to the portion of the received network traffic based on a receipt of a payment of a subscription fee, the subscription fee being based, at least in part, on a size of the subscriber network.
- View Dependent Claims (20, 21)
- - 20. The system of claim 19, wherein the size of the subscriber network is determined based, at least in part, on a number of the plurality of computer systems including the first computer system within the subscriber network.
  - 21. The system of claim 19, wherein the controller of the network device to generate one or more repair scripts for transmission to the management system that initiates a repair of software infected by malware residing in the first computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar
Primary Examiner(s)
Chen, Eric

Application Number

US15/369,714
Time in Patent Office

365 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595   Network integration; Enabli...

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 9/45537   Provision of facilities of ...

G06F 9/45558   Hypervisor-specific managem...

G06Q 20/10   specially adapted for elect...

H04L 63/0227   Filtering policies mail mes...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491 : using deception as counterm...

H04L 63/20 : for managing network securi...

View All

Subscriber based protection system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

747 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Subscriber based protection system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

747 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links