System and method for virtual analysis of network data
5 Assignments
0 Petitions
Abstract
A system is provided with one or more virtual machines and a replayer. The virtual machine(s) are configured to mimic operations of a first device. The replayer is configured to mimic operations of a second device. Herein, the replayer receives a portion of network data under analysis, dynamically modifies the portion of the network data, and transmits the modified portion of the network data to at least one virtual machine of the one or more virtual machines in accordance with a protocol sequence utilized between the first device and the second device.
627 Citations
34 Claims
1. A system comprising:

one or more virtual machines including a first virtual machine that is configured to operate as a first device representing a first computing system processing a browser application that issues requests to access information from a web server; and a controller being software different from the one or more virtual machines that, upon execution by at least one hardware processor, is configured to receive a portion of network data under analysis, dynamically modify the portion of the network data, and transmit the modified portion of the network data to at least the first virtual machine of the one or more virtual machines in accordance with a protocol sequence utilized by the first device in communications with a second device, wherein the controller is further configured to create an identifier based on at least one communication anomaly or execution anomaly associated with operations performed by the one or more virtual machines, the controller to transmit the identifier for transmission over a network.

Dependent claims: 2-21

22. A system comprising:

one or more virtual machines configured to operate as a first device; and a controller being different from the one or more virtual machines that, upon execution by at least one hardware processor, is configured to receive a portion of network data under analysis, dynamically modify the portion of the network data, and transmit the modified portion of the network data to at least a first virtual machine of the one or more virtual machines in accordance with a protocol sequence utilized by the first device in communications with a second device, wherein the controller is configured to (i) operate as the second device by dynamically modifying session variables in one or more packets of the network data to emulate a sequence of network communications from the first device, (ii) create an identifier based on at least one communication anomaly or execution anomaly associated with operations performed by the one or more virtual machines, and (iii) transmit the identifier for transmission over a network.

Dependent claims: 23-24

25. A non-transitory computer readable medium including software that, when executed by one or more hardware processors, performs operations comprising:

configuring one or more virtual machines to operate as a first device, the one or more virtual machines including a first virtual machine that is configured to operate as the first device representing a first computing system processing a browser application that issues requests to access information from a web server; configuring a controller to operate as a second device, the controller being a software component separate from any of the one or more virtual machines; receiving, by the controller, a portion of network data under analysis; dynamically modifying, by the controller, the portion of the network data; transmitting, by the controller, the modified portion of the network data to the first virtual machine of the one or more virtual machines in accordance with a protocol sequence utilized between the first device and the second device; creating, by the controller, an identifier based on at least one communication anomaly or execution anomaly associated with operations performed by the first virtual machine; and transmitting, by the controller, the identifier over a network for use in malware detection by a computing system other than the first computing system.

Dependent claims: 26-34
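The controller/replayer arrangement the claims describe, as an added illustrative simulation that is not code from the patent or its assignee: a stand-in for the browser VM issues requests, a controller replays captured server packets in protocol order after rewriting the session variable (`sid`) to match the VM's live request, and an identifier is derived from any communication or execution anomalies. The capture, the `eval()` heuristic, the `sid` rewrite rule and the identifier format are all assumptions.

```python
import hashlib
import re

# Constructed capture of one HTTP exchange between the browser (first device)
# and the web server (second device); the controller replays the server side.
CAPTURED_SESSION = [
    ("client", "GET /index.html HTTP/1.1\r\nHost: example.test\r\nCookie: sid=abc123\r\n\r\n"),
    ("server", "HTTP/1.1 200 OK\r\nSet-Cookie: sid=abc123\r\nContent-Type: text/html\r\n\r\n"
               "<script>eval(payload)</script>"),
]

class VirtualBrowser:
    """Stand-in for the first VM: issues a request, 'executes' the reply, reports anomalies."""
    def __init__(self, sid, path="/index.html"):
        self.sid, self.path = sid, path

    def request(self):
        return f"GET {self.path} HTTP/1.1\r\nHost: example.test\r\nCookie: sid={self.sid}\r\n\r\n"

    def execute(self, response):
        # Assumed execution-anomaly heuristic: script body that calls eval().
        body = response.split("\r\n\r\n", 1)[1]
        return ["script calls eval()"] if "eval(" in body else []

class ReplayController:
    """Mimics the second device: rewrites session variables, replays packets in order."""
    def __init__(self, session):
        self.session, self.anomalies = session, []

    def rewrite(self, server_pkt, live_request):
        # Carry the VM's live session id into the replayed packet (assumed rule).
        m = re.search(r"sid=(\w+)", live_request)
        return re.sub(r"sid=\w+", f"sid={m.group(1)}", server_pkt) if m else server_pkt

    def run(self, vm):
        for i in range(0, len(self.session), 2):
            captured_req, captured_resp = self.session[i][1], self.session[i + 1][1]
            live = vm.request()
            line = live.split("\r\n")[0]
            # Communication anomaly: the VM deviates from the captured request.
            if line != captured_req.split("\r\n")[0]:
                self.anomalies.append(f"unexpected request: {line}")
            for a in vm.execute(self.rewrite(captured_resp, live)):
                self.anomalies.append(f"execution anomaly: {a}")
        return self.identifier()

    def identifier(self):
        # Identifier derived from the observed anomalies, or None if the run was clean.
        if not self.anomalies:
            return None
        digest = hashlib.sha256("\n".join(sorted(self.anomalies)).encode()).hexdigest()
        return f"anomaly-{digest[:16]}"
```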