Injection of content processing delay in an endpoint

US 9,912,681 B1
Filed: 11/02/2015
Issued: 03/06/2018
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving an object at an appliance coupled to a network, the object directed to an endpoint on the network;

determining whether a malware detection analysis of the object requires extensive processing at the appliance;

in response to determining that the malware detection analysis requires extensive processing;

initiating delay of execution of the object at the endpoint; and

performing the malware detection analysis at the appliance, the malware detection analysis spawning a virtual machine to encapsulate a process including the object, the virtual machine instrumented to monitor operation of the process as the process attempts to access first and second kernel resources to detect whether the process includes malware.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malware detection system (MDS) appliance is configured to inject delay associated with delivery and/or processing of communication traffic directed to one or more endpoints in a network. The appliance may be positioned within the network to intercept and analyze (e.g., replay and instrument) one or more network packets of the communication traffic to detect whether an object of the packet contains malware. However, such analysis, e.g., malware detection analysis, may require extensive processing at the appliance and, thus, consume a considerable amount of time. Accordingly, the MDS appliance may inject delay into the delivery and/or processing of the object on the endpoint until the malware detection analysis completes and the malware is validated.

182 Citations

25 Claims

1. A method comprising:
- receiving an object at an appliance coupled to a network, the object directed to an endpoint on the network;
  
  determining whether a malware detection analysis of the object requires extensive processing at the appliance;
  
  in response to determining that the malware detection analysis requires extensive processing;
  
  initiating delay of execution of the object at the endpoint; and
  
  performing the malware detection analysis at the appliance, the malware detection analysis spawning a virtual machine to encapsulate a process including the object, the virtual machine instrumented to monitor operation of the process as the process attempts to access first and second kernel resources to detect whether the process includes malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein receiving the object comprises intercepting communication traffic at the appliance, the communication traffic including one or more packets containing the object.
  - 3. The method of claim 2 wherein initiating delay of execution of the object comprises initiating injection of delay associated with one of delivery and processing of the object at the endpoint.
  - 4. The method of claim 3 wherein initiating injection of delay associated with the one of delivery and processing of the object comprises injecting delay through manipulation of a transport protocol for transmitting the packet between a source of the object and the endpoint.
  - 5. The method of claim 3 wherein initiating injection of delay associated with the one of delivery and processing of the object comprises injecting delay through delayed execution of the object when the process is context switched at a virtualization module of the endpoint.
  - 6. The method of claim 2 further comprising:
    - validating the monitored operation of the process including the object as malicious activity; and
      
      notifying the endpoint that the object is malicious.
  - 7. The method of claim 6 further comprising, in response to validating the monitored operation of the process including the object as malicious activity, instructing the endpoint to terminate processing of the object.
  - 8. The method of claim 6 further comprising, in response to validating the monitored operation of the process including the object as malicious activity, delaying execution of the object until the endpoint terminates processing of the object.
  - 9. The method of claim 1 further comprising:
    - in response to determining that the malware detection analysis does not require extensive processing, instructing the endpoint to perform the malware detection analysis at the endpoint, wherein the malware detection analysis spawns a container to encapsulate the process including the object, and wherein the container is instrumented to monitor operation of the process as the process attempts to access the first and second kernel resources to detect whether the process includes the malware.
  - 10. The method of claim 1 wherein initiating delay of execution of the object at the endpoint includes initiating execution of dummy code.
  - 11. The method of claim 1 wherein delay of execution of the object at the endpoint is less than approximately 10 seconds.

12. A system comprising:
- a network interface connected to a network;
  
  a memory coupled to the network interface and configured to store an object, an operating system and a virtual machine; and
  
  a central processing unit (CPU) coupled to the memory and adapted to execute the operating system and virtual machine, wherein the operating system is configured to;
  
  intercept the object directed to an endpoint on the network;
  
  determine whether a malware detection analysis of the object requires extensive processing;
  
  in response to determining that the malware detection analysis requires extensive processing;
  
  initiate injection of delay associated with one of delivery and processing of the object at the endpoint; and
  
  perform the malware detection analysis to spawn the virtual machine to encapsulate a process including the object, the virtual machine instrumented to monitor operation of the process as the process attempts to access first and second kernel resources to detect whether the process includes malware.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12 wherein the object is contained in a packet of communication traffic directed to the endpoint.
  - 14. The system of claim 13 wherein the operating system is configured to initiate injection of delay by instructing the endpoint to manipulate a transport protocol for transmitting the packet between a source of the object and the endpoint.
  - 15. The system of claim 13 wherein the operating system is configured to initiate injection of delay through initiation of delayed execution of the object when the process is context switched at a virtualization module of the endpoint.
  - 16. The system of claim 13 wherein the operating system is further configured to:
    - validate the monitored operation of the process including the object as malicious activity; and
      
      notify the endpoint that the object is malicious.
  - 17. The system of claim 16 wherein the operating system is further configured to instruct the endpoint to terminate processing of the object.
  - 18. The system of claim 16 wherein the operating system is further configured to instruct the endpoint to initiate delay of execution of the object until the endpoint terminates processing of the object.
  - 19. The system of claim 12 wherein the operating system is further configured to, in response to determining that the malware detection analysis does not require extensive processing, instruct the endpoint to perform the malware detection analysis at the endpoint, wherein the malware detection analysis spawns a container to encapsulate the process including the object, and wherein the container is instrumented to monitor operation of the process as the process attempts to access the first and second kernel resources to detect whether the process includes the malware.

20. A method comprising:
- receiving a first instruction to delay execution of a process at an endpoint, the first instruction received from an appliance in response to detection of an indication of malware present in the process when instrumented at the appliance;
  
  injecting delay into the process by executing dummy code at the endpoint; and
  
  delaying execution of the process through execution of the dummy code for a duration specified by the appliance.
- View Dependent Claims (21, 22, 24)
- - 21. The method of claim 20 wherein delaying execution of the process comprises delaying execution of the process for a period of time that consumes a scheduled time of execution for the process.
  - 22. The method of claim 21 wherein delaying execution of the process further comprises yielding the scheduled time of execution for the process by initiating a software call to an operating system of the endpoint to re-assign the scheduled time to another process to execute.
  - 24. The method of claim 20 further comprising:
    - receiving a second instruction, the second instruction received from the appliance in response to terminating instrumentation of the process at the appliance; and
      
      resuming execution of the process at the endpoint.

23. A non-transitory computer readable medium including program instructions for execution on one or more processors, the program instructions when executed operable to:
- receive an object at an appliance coupled to a network, the object directed to an endpoint on the network;
  
  determine whether a malware detection analysis of the object requires extensive processing at the appliance;
  
  in response to determining that the malware detection analysis requires extensive processing;
  
  initiate delay of execution of the object at the endpoint by executing dummy code; and
  
  perform the malware detection analysis at the appliance, the malware detection analysis spawning a virtual machine as a container to encapsulate a process including the object, the virtual machine instrumented to monitor operation of the process as the process attempts to access first and second kernel resources to detect whether the process includes malware.
- View Dependent Claims (25)
- - 25. The computer readable medium of claim 23, wherein memory pages including the object are mapped into an address space of the process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Ismael, Osman Abdoul, Aziz, Ashar
Primary Examiner(s)
Song, Hosuk

Application Number

US14/929,693
Time in Patent Office

855 Days
Field of Search

726 22- 24, 713188
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

Injection of content processing delay in an endpoint

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

182 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Injection of content processing delay in an endpoint

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

182 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links