System and method of detecting malicious content

US 9,838,416 B1
Filed: 09/30/2013
Issued: 12/05/2017
Est. Priority Date: 06/14/2004
Status: Active Grant

First Claim

Patent Images

1. A system in communication with a communication network, the system comprising:

one or more virtual computing systems; and

a controller in communication with the one or more virtual computing systems, the controller to (i) configure a software profile of a first virtual computing system of the one or more virtual computing systems to correspond to a software profile of a network device of the communication network, (ii) initiate operations of the first virtual computing system of the one or more virtual computing systems associated with content received over the communication network, (iii) monitor for behaviors of the first virtual computing system that include an attempted emission of a plurality of packets from the first virtual computing system, (iv) determine whether a monitored behavior of the monitored behaviors of the first virtual computing system corresponds to an anomalous behavior based on the packets involved in the attempted emission, and (v) determine an identifier characterizing at least the anomalous behavior including the attempted emission that represents an attack involving the content, the content being deemed malicious content; and

a malicious content blocking system to receive the identifier and use the identifier to block propagation of other content corresponding to the content involved in the attack.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer worm containment system comprises a detection system and a blocking system. The detection system orchestrates a sequence of network activities in a decoy computer network and monitors that network to identify anomalous behavior and determine whether the anomalous behavior is caused by a computer worm. The detection system can then determine an identifier of the computer worm based on the anomalous behavior. The detection system can also generate a recovery script for disabling the computer worm or repairing damage caused by the computer worm. The blocking system is configured to use the computer worm identifier to protect another computer network. The blocking system can also use the recovery script to disable a computer worm within the other network and to repair damage caused to the network by the worm.

Citations

30 Claims

1. A system in communication with a communication network, the system comprising:
- one or more virtual computing systems; and
  
  a controller in communication with the one or more virtual computing systems, the controller to (i) configure a software profile of a first virtual computing system of the one or more virtual computing systems to correspond to a software profile of a network device of the communication network, (ii) initiate operations of the first virtual computing system of the one or more virtual computing systems associated with content received over the communication network, (iii) monitor for behaviors of the first virtual computing system that include an attempted emission of a plurality of packets from the first virtual computing system, (iv) determine whether a monitored behavior of the monitored behaviors of the first virtual computing system corresponds to an anomalous behavior based on the packets involved in the attempted emission, and (v) determine an identifier characterizing at least the anomalous behavior including the attempted emission that represents an attack involving the content, the content being deemed malicious content; and
  
  a malicious content blocking system to receive the identifier and use the identifier to block propagation of other content corresponding to the content involved in the attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The system of claim 1 further comprising a traffic analysis device configured to monitor communications over the communication network and to identify at least a portion of the communications that includes a characteristic of a computer worm and to provide the portion of the communications comprising the content to the controller.
  - 3. The system of claim 1, wherein the operations initiated by the controller generate a pattern of network activities, the pattern of network activities comprising the behaviors.
  - 4. The system of claim 1, wherein the plurality of packets involved in the attempted emission includes a sequence of data packets and the anomalous behavior includes unexpected data packets in the sequence of data packets.
  - 5. The system of claim 1, wherein the anomalous behavior includes either one or more communication anomalies or one or more execution anomalies.
  - 6. The system of claim 1, wherein the controller compares the monitored behaviors to a plurality of expected behaviors by comparing the data propagating over the communication network that includes packet headers and data portions of data packets in network communications in the communication network with data packets that are expected to be propagated.
  - 7. The system of claim 1 further comprising a traffic analysis device configured to monitor communications over the communication network and to identify at least a portion of the communications that includes a characteristic of malware operating as the malicious content and to provide the portion of the communications to the controller comprising the content.
  - 8. The system of claim 1, wherein the malicious content blocking system includes a blocking device integrated within a computing service of the communication network.
  - 9. The system of claim 1, wherein the malicious content blocking system includes an Intrusion Detection and Protection system placed in-line with the communication network, and the identifier comprises a signature used by the Intrusion Detection and Protection system to block network communications.
  - 10. The system of claim 1, wherein the monitored behaviors represent an anomalous characteristic of the malicious content when the anomalous behavior indicates an unusual byte sequence.
  - 11. The system of claim 1, wherein the malicious content is executable malicious code.
  - 12. The system of claim 1, wherein the malicious content is a passive computer worm attached to data received by the communication network.
  - 13. The system of claim 1, wherein each of the one or more virtual computing systems is implemented as a virtual machine.
  - 14. The system of claim 1, wherein the identifier includes a signature that includes information based on a Uniform Resource Locator (URL) or destination port associated with the malicious content.
  - 15. The system of claim 14, wherein the malicious content includes a passively propagating computer worm.
  - 16. The system of claim 1, wherein the operations of the first virtual computing system comprises a sequence of network communications that includes a repeating pattern of network communications.
  - 17. The system of claim 1, wherein the controller to update the software profile of the first virtual computing system automatically without user intervention.
  - 18. The system of claim 1, wherein the controller to update the software profile of the first virtual computing system by accessing a software component operating in a network device coupled to the communication network from a central repository of software components.
  - 19. The system of claim 1, wherein the software components within the central repository include one or more application software components.
  - 20. The system of claim 1, wherein the software components within the central repository include an operating system software component and an application software component.

21. A network device configured for operating in a communication network, comprising:
- one or more virtual machines, including a first virtual machine;
  
  a controller in communication with the one or more virtual machines, the controller to (i) configure a software profile of a first virtual computing system of the one or more virtual computing systems to correspond to a software profile of a network device of the communication network, (ii) control operations of the one or more virtual machines associated with content received over the communication network, (iii) monitor for behaviors of the first virtual machine of the one or more virtual machines that include an attempted emission of a plurality of packets from the first virtual machine, (iv) determine whether at least one monitored behavior of the monitored behaviors of the first virtual machine correspond to at least one anomalous behavior based on the packets involved in the attempted emission, (v) determine an identifier characterizing the at least one anomalous behavior based on the packets involved in the attempted emission that represents an attack involving the content, the content being deemed malicious content, and (vi) operate a recovery script that includes computer program code to initiate to subsequently disable further activity by the malicious content or to initiate to subsequently repair damage to one or more software programs or memory locations caused by the malicious content; and
  
  a system to receive the identifier and use the identifier to block the malware from propagating within the communication network.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The system of claim 21, wherein the at least one anomalous behavior includes one or more communication anomalies.
  - 23. The system of claim 21, wherein the controller identifies the at least one anomalous behavior by comparing an original image of a file system of the first virtual machine to a current image of the file system of the first virtual machine, where a discrepancy corresponds to the at least one anomalous behavior.
  - 24. The system of claim 23, wherein the recovery script includes the computer program code that replaces infected files with corresponding original files in the original image of the file system of the first virtual machine.
  - 25. The system of claim 21, wherein the recovery script includes an operating system for the first virtual machine infected with the malicious content and repair scripts that are invoked as part of a booting process of the operating system to repair the one or more software programs or memory locations.
  - 26. The system of claim 21, wherein the identifier comprises a signature that includes information based on a Uniform Resource Locator (URL) or destination port associated with the malicious content.
  - 27. The system of claim 26, wherein the malicious content includes a passively propagating computer worm.
  - 28. The system of claim 21, wherein the operations of the first virtual machine comprises a sequence of network communications including a repeating pattern of network communications.
  - 29. The network device of claim 21, wherein the malicious content includes a passively propagating computer worm.
  - 30. The network device of claim 21, wherein the controller to control operations of the first virtual machine associated with content received over the communication network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Aziz, Ashar
Primary Examiner(s)
Traore, Fatoumata

Application Number

US14/042,482
Time in Patent Office

1,527 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/568   eliminating virus, restorin...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

System and method of detecting malicious content

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of detecting malicious content

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links