Injection of content processing delay in an endpoint
First Claim

1. A method comprising:
- receiving an object at an appliance coupled to a network, the object directed to an endpoint on the network;
- determining whether a malware detection analysis of the object requires extensive processing at the appliance;
- in response to determining that the malware detection analysis requires extensive processing:
  - initiating delay of execution of the object at the endpoint; and
  - performing the malware detection analysis at the appliance, the malware detection analysis spawning a virtual machine to encapsulate a process including the object, the virtual machine instrumented to monitor operation of the process as the process attempts to access first and second kernel resources to detect whether the process includes malware.
5 assignments, 0 petitions
Abstract
A malware detection system (MDS) appliance is configured to inject delay associated with delivery and/or processing of communication traffic directed to one or more endpoints in a network. The appliance may be positioned within the network to intercept and analyze (e.g., replay and instrument) one or more network packets of the communication traffic to detect whether an object of the packet contains malware. However, such analysis, e.g., malware detection analysis, may require extensive processing at the appliance and, thus, consume a considerable amount of time. Accordingly, the MDS appliance may inject delay into the delivery and/or processing of the object on the endpoint until the malware detection analysis completes and the malware is validated.
182 citations

Claims (25)
1. A method comprising:
- receiving an object at an appliance coupled to a network, the object directed to an endpoint on the network;
- determining whether a malware detection analysis of the object requires extensive processing at the appliance;
- in response to determining that the malware detection analysis requires extensive processing:
  - initiating delay of execution of the object at the endpoint; and
  - performing the malware detection analysis at the appliance, the malware detection analysis spawning a virtual machine to encapsulate a process including the object, the virtual machine instrumented to monitor operation of the process as the process attempts to access first and second kernel resources to detect whether the process includes malware.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A system comprising:
- a network interface connected to a network;
- a memory coupled to the network interface and configured to store an object, an operating system and a virtual machine; and
- a central processing unit (CPU) coupled to the memory and adapted to execute the operating system and virtual machine, wherein the operating system is configured to:
  - intercept the object directed to an endpoint on the network;
  - determine whether a malware detection analysis of the object requires extensive processing;
  - in response to determining that the malware detection analysis requires extensive processing:
    - initiate injection of delay associated with one of delivery and processing of the object at the endpoint; and
    - perform the malware detection analysis to spawn the virtual machine to encapsulate a process including the object, the virtual machine instrumented to monitor operation of the process as the process attempts to access first and second kernel resources to detect whether the process includes malware.

Dependent claims: 13, 14, 15, 16, 17, 18, 19.

20. A method comprising:
- receiving a first instruction to delay execution of a process at an endpoint, the first instruction received from an appliance in response to detection of an indication of malware present in the process when instrumented at the appliance;
- injecting delay into the process by executing dummy code at the endpoint; and
- delaying execution of the process through execution of the dummy code for a duration specified by the appliance.

Dependent claims: 21, 22, 24.

23. A non-transitory computer readable medium including program instructions for execution on one or more processors, the program instructions when executed operable to:
- receive an object at an appliance coupled to a network, the object directed to an endpoint on the network;
- determine whether a malware detection analysis of the object requires extensive processing at the appliance;
- in response to determining that the malware detection analysis requires extensive processing:
  - initiate delay of execution of the object at the endpoint by executing dummy code; and
  - perform the malware detection analysis at the appliance, the malware detection analysis spawning a virtual machine as a container to encapsulate a process including the object, the virtual machine instrumented to monitor operation of the process as the process attempts to access first and second kernel resources to detect whether the process includes malware.

Dependent claim: 25.