System and method of detecting malicious content
First Claim
1. A system in communication with a communication network, the system comprising:
- one or more virtual computing systems; and
- a controller in communication with the one or more virtual computing systems, the controller to (i) configure a software profile of a first virtual computing system of the one or more virtual computing systems to correspond to a software profile of a network device of the communication network, (ii) initiate operations of the first virtual computing system of the one or more virtual computing systems associated with content received over the communication network, (iii) monitor for behaviors of the first virtual computing system that include an attempted emission of a plurality of packets from the first virtual computing system, (iv) determine whether a monitored behavior of the monitored behaviors of the first virtual computing system corresponds to an anomalous behavior based on the packets involved in the attempted emission, and (v) determine an identifier characterizing at least the anomalous behavior including the attempted emission that represents an attack involving the content, the content being deemed malicious content; and
- a malicious content blocking system to receive the identifier and use the identifier to block propagation of other content corresponding to the content involved in the attack.
Abstract
A computer worm containment system comprises a detection system and a blocking system. The detection system orchestrates a sequence of network activities in a decoy computer network and monitors that network to identify anomalous behavior and determine whether the anomalous behavior is caused by a computer worm. The detection system can then determine an identifier of the computer worm based on the anomalous behavior. The detection system can also generate a recovery script for disabling the computer worm or repairing damage caused by the computer worm. The blocking system is configured to use the computer worm identifier to protect another computer network. The blocking system can also use the recovery script to disable a computer worm within the other network and to repair damage caused to the network by the worm.
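The detect-then-block loop the abstract describes, as an added toy model that is not the patent's implementation: the controller knows which flows it orchestrated in the decoy network (the assumed `EXPECTED_FLOWS` set), every other attempted emission is anomalous, a fan-out of the same payload to several hosts on one port is treated as the worm, and the identifier handed to the blocking system is a port plus a digest of the shared payload prefix. All packets are constructed sample data.

```python
from dataclasses import dataclass
from collections import defaultdict
import hashlib

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

# Assumption: the controller records the flows it orchestrated in the decoy network.
EXPECTED_FLOWS = {("decoy-1", "decoy-2", 80)}
# Constructed sample of what the decoy VM attempted to emit (not real capture data).
EMITTED = [
    Packet("decoy-1", "decoy-2", 80, b"GET / HTTP/1.0\r\n"),            # planned
    Packet("decoy-1", "decoy-3", 445, b"\x00WORMHDR\x01" + b"A" * 4),  # unplanned
    Packet("decoy-1", "decoy-4", 445, b"\x00WORMHDR\x01" + b"B" * 4),  # unplanned
]

def anomalous_packets(emitted, expected=EXPECTED_FLOWS):
    """Step (iv): any attempted emission the orchestrated sequence does not explain."""
    return [p for p in emitted if (p.src, p.dst, p.dport) not in expected]

def common_prefix(blobs):
    n = 0
    while all(len(b) > n and b[n] == blobs[0][n] for b in blobs):
        n += 1
    return blobs[0][:n]

def derive_identifier(anomalies, min_targets=2, min_prefix=8):
    """Step (v): only a fan-out of one payload to several hosts on one port (a plurality
    of packets) counts as an attack; the identifier carries a digest, not the bytes."""
    by_port = defaultdict(list)
    for p in anomalies:
        by_port[p.dport].append(p)
    for dport, pkts in by_port.items():
        prefix = common_prefix([p.payload for p in pkts])
        if len({p.dst for p in pkts}) < min_targets or len(prefix) < min_prefix:
            continue
        return {"dport": dport, "prefix_len": len(prefix),
                "digest": hashlib.sha256(prefix).hexdigest()}
    return None

def blocks(identifier, packet):
    """Blocking system: drop a packet only if it matches the received identifier."""
    if identifier is None or packet.dport != identifier["dport"]:
        return False
    head = packet.payload[:identifier["prefix_len"]]
    return hashlib.sha256(head).hexdigest() == identifier["digest"]
```

A single unplanned packet yields no identifier, so the blocking side is never fed a rule derived from one stray emission.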
30 Claims
21. A network device configured for operating in a communication network, comprising:
- one or more virtual machines, including a first virtual machine;
- a controller in communication with the one or more virtual machines, the controller to (i) configure a software profile of a first virtual computing system of the one or more virtual computing systems to correspond to a software profile of a network device of the communication network, (ii) control operations of the one or more virtual machines associated with content received over the communication network, (iii) monitor for behaviors of the first virtual machine of the one or more virtual machines that include an attempted emission of a plurality of packets from the first virtual machine, (iv) determine whether at least one monitored behavior of the monitored behaviors of the first virtual machine corresponds to at least one anomalous behavior based on the packets involved in the attempted emission, (v) determine an identifier characterizing the at least one anomalous behavior based on the packets involved in the attempted emission that represents an attack involving the content, the content being deemed malicious content, and (vi) operate a recovery script that includes computer program code to initiate to subsequently disable further activity by the malicious content or to initiate to subsequently repair damage to one or more software programs or memory locations caused by the malicious content; and
- a system to receive the identifier and use the identifier to block the malware from propagating within the communication network.