System and method for virtual analysis of network data

US 9,912,684 B1
Filed: 06/30/2014
Issued: 03/06/2018
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more virtual machines including a first virtual machine that is configured to operate as a first device representing a first computing system processing a browser application that issues requests to access information from a web server; and

a controller being software different from the one or more virtual machines that, upon execution by at least one hardware processor, is configured to receive a portion of network data under analysis, dynamically modify the portion of the network data, and transmit the modified portion of the network data to at least the first virtual machine of the one or more virtual machines in accordance with a protocol sequence utilized by the first device in communications with a second device,wherein the controller is further configured to create an identifier based on at least one communication anomaly or execution anomaly associated with operations performed by the one or more virtual machines, the controller to transmit the identifier for transmission over a network.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is provided with one or more virtual machines and a replayer. The virtual machine(s) are configured to mimic operations of a first device. The replayer is configured to mimic operations of a second device. Herein, the replayer receives a portion of network data under analysis, dynamically modifies the portion of the network data, and transmits the modified portion of the network data to at least one virtual machine of the one or more virtual machines in accordance with a protocol sequence utilized between the first device and the second device.

627 Citations

34 Claims

1. A system comprising:
- one or more virtual machines including a first virtual machine that is configured to operate as a first device representing a first computing system processing a browser application that issues requests to access information from a web server; and
  
  a controller being software different from the one or more virtual machines that, upon execution by at least one hardware processor, is configured to receive a portion of network data under analysis, dynamically modify the portion of the network data, and transmit the modified portion of the network data to at least the first virtual machine of the one or more virtual machines in accordance with a protocol sequence utilized by the first device in communications with a second device,wherein the controller is further configured to create an identifier based on at least one communication anomaly or execution anomaly associated with operations performed by the one or more virtual machines, the controller to transmit the identifier for transmission over a network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The system of claim 1, wherein the controller is configured to replay the protocol sequence.
  - 3. The system of claim 1, wherein the network data includes a data flow.
  - 4. The system of claim 3, wherein the data flow comprises a plurality of packets that include a session identifier to identify a communication session associated with the network data.
  - 5. The system of claim 4 further comprising a heuristic module that, upon execution by the at least one hardware processor, is configured to determine whether network data analyzed by the heuristic module is suspicious and to provide to the controller the portion of the network data being a part of the data flow that is determined to be suspicious.
  - 6. The system of claim 3, wherein a configuration of the first virtual machine of the one or more virtual machines is based on an analysis of a packet format of the data flow being data that is transmitted from the first device.
  - 7. The system of claim 3, wherein a configuration of the first virtual machine of the one or more virtual machines is based on an analysis of a packet format of the data flow being data that is transmitted to the first device.
  - 8. The system of claim 1, wherein the one or more virtual machines is configured to mimic operations of the first device representing the first computing system processing the browser application.
  - 9. The system of claim 1, wherein the controller mimics operations of the second device representing a second computing system operating as the web server.
  - 10. The system of claim 1, wherein the controller is further configured to dynamically modify information within a response to a request initiated from a virtual machine of the one or more virtual machines to maintain the protocol sequence between the controller and the virtual machine.
  - 11. The system of claim 10, wherein the information dynamically modified by the controller includes a destination address.
  - 12. The system of claim 1 further comprising a virtual switch that simulates a communication network between the controller and the one or more virtual machines and routes data packets associated with the network data to predetermined ports of the one or more virtual machines.
  - 13. The system of claim 1, wherein a configuration of a virtual machine of the one or more virtual machines corresponds to one or more features of the second device that are affected by the network data.
  - 14. The system of claim 13, wherein the features of the second device include at least one of (i) ports that are to receive the network data or (ii) one or more device drivers that are to respond to the network data.
  - 15. The system of claim 1, wherein operations of the one or more virtual machines that process the modified portion of the network data are monitored for unauthorized activity.
  - 16. The system of claim 15, wherein the unauthorized activity is detected by comparing a sequence of activities conducted by the one or more virtual machines against a predetermined sequence of activities.
  - 17. The system of claim 16, wherein the unauthorized activity is detected when the sequence of activities conducted by the one or more virtual machines includes one or more packets in addition to a sequence of packets expected to be generated by the one or more virtual machines.
  - 18. The system of claim 16, wherein the unauthorized activity is detected when the sequence of activities conducted by the one or more virtual machines includes one or more packets that differ from a sequence of packets expected to be generated by the one or more virtual machines.
  - 19. The system of claim 1, wherein the one or more virtual machines is configured to mimic performance of an operating system of the first device.
  - 20. The system of claim 1, wherein the one or more virtual machines is configured to mimic performance of at least one of (i) a port of the first device or (ii) a driver of the first device being a destination device.
  - 21. The system of claim 1, wherein a virtual machine of the one or more virtual machines is based on a software profile of the first device that is included within the network data.

22. A system comprising:
- one or more virtual machines configured to operate as a first device; and
  
  a controller being different from the one or more virtual machines that, upon execution by at least one hardware processor, is configured to receive a portion of network data under analysis, dynamically modify the portion of the network data, and transmit the modified portion of the network data to at least first virtual machine of the one or more virtual machines in accordance with a protocol sequence utilized by the first device in communications with a second device,wherein the controller is configured to (i) operate as the second device by dynamically modifying session variables in one or more packets of the network data to emulate a sequence of network communications from the first device, (ii) create an identifier based on at least one communication anomaly or execution anomaly associated with operations performed by the one or more virtual machines, and (iii) transmit the identifier for transmission over a network.
- View Dependent Claims (23, 24)
- - 23. The system of claim 22, wherein the session variables include a dynamically assigned port.
  - 24. The system of claim 22, wherein the session variables include a transaction identifier.

25. A non-transitory computer readable medium including software that, when executed by one or more hardware processors, performing operations comprising:
- configuring one or more virtual machines to operate as a first device, the one or more virtual machines includes a first virtual machine that is configured to operate as the first device representing a first computing system processing a browser application that issues requests to access information from a web server;
  
  configuring a controller to operate as a second device, the controller being a software separate component than any of the one or more virtual machines;
  
  receiving, by the controller, a portion of network data under analysis;
  
  dynamically modifying, by the controller, the portion of the network data;
  
  transmitting, by the controller, the modified portion of the network data to the first virtual machine of the one or more virtual machines in accordance with a protocol sequence utilized between the first device and the second device;
  
  creating, by the controller, an identifier based on at least one communication anomaly or execution anomaly associated with operations performed by the first virtual machine; and
  
  transmitting, by the controller, the identifier over a network for use in malware detection by a computing system other than the first computing system.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 26. The medium of claim 25, wherein network data includes a data flow.
  - 27. The medium of claim 26, wherein the data flow comprises a plurality of packets that include a session identifier to identify a communication session associated with the network data between the first device being a destination device for the network data and the second device being a source device of the network data.
  - 28. The medium of claim 26, wherein the processor further performing an operation of determining whether network data associated with the data flow is suspicious and providing the portion of the network data being a part of the data flow that is determined to be suspicious, to the controller.
  - 29. The medium of claim 25, wherein the one or more virtual machines is configured to mimic operations of the first device representing a first computing system processing a browser application that issues requests to access information from a web server.
  - 30. The medium of claim 29, wherein the controller mimics operations of the second device representing a second computing system operating as the web server.
  - 31. The medium of claim 25, wherein the controller is configured to dynamically modify information within a response to a request initiated from a virtual machine of the one or more virtual machines to maintain the protocol sequence between the controller and the virtual machine.
  - 32. The medium of claim 31, wherein the information dynamically modified by the controller includes a destination address.
  - 33. The medium of claim 25, wherein the controller is configured to mimic operations of the second device by dynamically modifying session variables in one or more packets of the network data to emulate a sequence of network communications from the first device.
  - 34. The medium of claim 33, wherein the session variables include a dynamically assigned port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar, Radhakrishnan, Ramesh, Ismael, Osman
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US14/320,201
Time in Patent Office

1,345 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 9/45533   Hypervisors; Virtual machin...

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

System and method for virtual analysis of network data

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

627 Citations

34 Claims

Specification

Use Cases

Quick Links

Others

System and method for virtual analysis of network data

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

627 Citations

34 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others