Herd based scan avoidance system in a network environment

US 10,171,611 B2
Filed: 03/02/2015
Issued: 01/01/2019
Est. Priority Date: 12/27/2012
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine readable storage medium having instructions stored thereon, the instructions when executed by at least one processor cause the at least one processor to:

generate a signature for an object in a first compute node of a first plurality of compute nodes connected to a network;

search a local cache in a memory element of the first compute node for the signature;

scan the object with a scan module to obtain a scan result if the signature is not found in the local cache;

update the local cache with the scan result including the signature of the object;

select a first subset of the first plurality of compute nodes in the network based, at least in part, on a particular attribute of each compute node in the first subset, wherein the particular attribute is associated with a certain traffic pattern;

dynamically select, by the first compute node, a second subset of a second plurality of compute nodes connected to the network based, at least in part, on the particular attribute being associated with each compute node in the second subset, wherein the second plurality of compute nodes is to comprise an additional compute node that establishes a connection to the network subsequent to the selection of the first subset, the second subset to include any compute nodes of the first subset that are included in the second plurality of compute nodes and the additional compute node based on determining that an attribute of the additional compute node corresponds to the particular attribute of the compute nodes in the second subset; and

synchronize the updated local cache with one or more local caches of one or more compute nodes in the second subset, wherein synchronizing is to include;

sending, from the first compute node, the scan result to the one or more compute nodes of the second subset; and

receiving, at the first compute node, one or more scan results of one or more other objects from at least one other compute node in the second subset;

wherein the scan result indicates a threat level of the object, and wherein after the scan result is obtained, the local cache is to be updated with the threat level of the object.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in one example embodiment includes generating a signature for an object in a compute node in a network, searching a memory element for the signature, and responsive to determining the memory element does not contain the signature, scanning the object. The method also includes updating the memory element with a scan result, and synchronizing the memory element of the compute node with one or more memory elements of one or more other compute nodes in the network. In specific embodiments, the scan result includes the signature of the object and a threat level of the object. In further embodiments, the synchronizing includes sending the scan result to one or more other compute nodes in the network. In more specific embodiments, the scan result is sent with one or more other scan results after a predetermined interval of time from a previous synchronization.

422 Citations

20 Claims

1. At least one non-transitory machine readable storage medium having instructions stored thereon, the instructions when executed by at least one processor cause the at least one processor to:
- generate a signature for an object in a first compute node of a first plurality of compute nodes connected to a network;
  
  search a local cache in a memory element of the first compute node for the signature;
  
  scan the object with a scan module to obtain a scan result if the signature is not found in the local cache;
  
  update the local cache with the scan result including the signature of the object;
  
  select a first subset of the first plurality of compute nodes in the network based, at least in part, on a particular attribute of each compute node in the first subset, wherein the particular attribute is associated with a certain traffic pattern;
  
  dynamically select, by the first compute node, a second subset of a second plurality of compute nodes connected to the network based, at least in part, on the particular attribute being associated with each compute node in the second subset, wherein the second plurality of compute nodes is to comprise an additional compute node that establishes a connection to the network subsequent to the selection of the first subset, the second subset to include any compute nodes of the first subset that are included in the second plurality of compute nodes and the additional compute node based on determining that an attribute of the additional compute node corresponds to the particular attribute of the compute nodes in the second subset; and
  
  synchronize the updated local cache with one or more local caches of one or more compute nodes in the second subset, wherein synchronizing is to include;
  
  sending, from the first compute node, the scan result to the one or more compute nodes of the second subset; and
  
  receiving, at the first compute node, one or more scan results of one or more other objects from at least one other compute node in the second subset;
  
  wherein the scan result indicates a threat level of the object, and wherein after the scan result is obtained, the local cache is to be updated with the threat level of the object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The at least one non-transitory machine readable storage medium of claim 1, wherein the one or more scan results are to be stored in the updated local cache of the first compute node.
  - 3. The at least one non-transitory machine readable storage medium of claim 1, wherein the first subset is to be selected based, at least in part, on a system similarity indicated by the particular attribute of each compute node in the first subset.
  - 4. The at least one non-transitory machine readable storage medium of claim 1, wherein the particular attributes of the compute nodes in the first and second subsets are to indicate a same operating system.
  - 5. The at least one non-transitory machine readable storage medium of claim 1, wherein the instructions when executed by at least one processor cause the at least one processor to:
    - dynamically select a third subset of a third plurality of compute nodes connected to the network based, at least in part, on the particular attribute being associated with each compute node of the third subset, wherein the third plurality of compute nodes lacks at least one compute node of the second subset that terminated a connection to the network subsequent to the selection of the second subset.
  - 6. The at least one non-transitory machine readable storage medium of claim 1, wherein the network includes two or more subsets of the first plurality of compute nodes, wherein each subset is associated with a respective attribute indicating a similarity between compute nodes in that subset.
  - 7. The at least one non-transitory machine readable storage medium of claim 1, wherein the local cache in the memory element of the first compute node comprises at least one of a whitelist and a blacklist.
  - 8. The computer-readable medium of claim 1, wherein the first subset includes the first compute node and one or more other compute nodes in the first plurality of compute nodes, and wherein the second subset includes the first compute node and at least the additional compute node.

9. An apparatus, comprising:
- a hardware processor;
  
  a scan module configured to be executed by the hardware processor to;
  
  generate a signature for an object in a first compute node of a first plurality of compute nodes connected to a network;
  
  search a local cache in a memory element of the first compute node for the signature;
  
  scan the object to obtain a scan result if the signature is not found in the local cache; and
  
  update the local cache with the scan result including the signature of the object; and
  
  a synchronization module configured to be executed by the hardware processor to;
  
  select a first subset of the first plurality of compute nodes in the network based, at least in part, on a particular attribute of each compute node in the first subset, wherein the particular attribute is associated with a certain traffic pattern;
  
  dynamically select, by the first compute node, a second subset of a second plurality of compute nodes connected to the network based, at least in part, on the particular attribute being associated with each compute node in the second subset, wherein the second plurality of compute nodes is to comprise an additional compute node that establishes a connection to the network subsequent to the selection of the first subset, the second subset to include any compute nodes of the first subset that are included in the second plurality of compute nodes and the additional compute node based on determining that an attribute of the additional compute node corresponds to the particular attribute of the compute nodes in the second subset; and
  
  synchronize the updated local cache with one or more local caches of one or more compute nodes in the second subset, wherein synchronizing is to include;
  
  sending, from the first compute node, the scan result to the one or more compute nodes of the second subset; and
  
  receiving, at the first compute node, one or more scan results of one or more other objects from at least one other compute node in the second subset;
  
  wherein the scan result indicates a threat level of the object, and wherein after the scan result is obtained, the local cache is to be updated with the threat level of the object.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The apparatus of claim 9, wherein the one or more scan results are to be stored in the local cache of the first compute node.
  - 11. The apparatus of claim 9, wherein the particular attributes of the compute nodes in the first and second subsets are to indicate a same operating system.
  - 12. The apparatus of claim 9, wherein the network includes two or more subsets of the first plurality of compute nodes, wherein each subset is associated with a respective attribute indicating a similarity between compute nodes in that subset.
  - 13. The apparatus of claim 9, wherein the first subset is to be selected based, in part, on a traffic pattern indicated by the particular attribute of each compute node of the first subset.
  - 14. The apparatus of claim 9, wherein the synchronization module is configured to be executed by the hardware processor further to:
    - dynamically select a third subset of a third plurality of compute nodes connected to the network based, at least in part, on the particular attribute being associated with each compute node of the third subset, wherein the third plurality of compute nodes lacks at least one compute node of the second subset that terminated a connection to the network subsequent to the selection of the second subset.
  - 15. The apparatus of claim 9, wherein the first subset includes the first compute node and one or more other compute nodes in the first plurality of compute nodes, and wherein the second subset includes the first compute node and at least the additional compute node.
  - 16. The apparatus of claim 9, wherein the one or more scan results are to be stored in the updated local cache of the first compute node.
  - 17. The apparatus of claim 9, wherein the local cache in the memory element of the first compute node comprises at least one of a whitelist and a blacklist.

18. A method comprising:
- generating a signature for an object in a first compute node of a first plurality of compute nodes connected to a network;
  
  searching a local cache in a memory element of the first compute node for the signature;
  
  scanning the object with a scan module to obtain a scan result if the signature is not found in the local cache;
  
  updating the local cache with the scan result including the signature of the object;
  
  selecting a first subset of the first plurality of compute nodes in the network based, at least in part, on a particular attribute of each compute node in the first subset, wherein the particular attribute is associated with a certain traffic pattern;
  
  dynamically selecting, by the first compute node, a second subset of a second plurality of compute nodes connected to the network based, at least in part, on the particular attribute being associated with each compute node in the second subset, wherein the second plurality of compute nodes is to comprise an additional compute node that establishes a connection to the network subsequent to the selection of the first subset, the second subset to include any compute nodes of the first subset that are included in the second plurality of compute nodes and the additional compute node based on determining that an attribute of the additional compute node corresponds to the particular attribute of the compute nodes in the second subset; and
  
  synchronizing the updated local cache with one or more local caches of one or more compute nodes in the second subset, wherein the synchronizing includes;
  
  sending, from the first compute node, the scan result to the one or more compute nodes of the second subset; and
  
  receiving, at the first compute node, one or more scan results of one or more other objects from at least one other compute node in the second subset;
  
  wherein the scan result indicates a threat level of the object, and wherein after the scan result is obtained, the local cache is to be updated with the threat level of the object.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, wherein the one or more scan results are stored in the updated local cache of the first compute node.
  - 20. The method of claim 18, wherein the network includes two or more subsets of the first plurality of compute nodes, wherein each subset is associated with a respective attribute indicating a similarity between compute nodes in that subset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Ramanan, Venkata, Hunt, Simon
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US14/635,096
Publication Number

US 20150180997A1
Time in Patent Office

1,401 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/567   using dedicated hardware

G06F 2221/2115   Third party

H04L 63/145   the attack involving the pr...

H04L 67/1095   Replication or mirroring of...

H04L 67/568   Storing data temporarily at...

Herd based scan avoidance system in a network environment

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

422 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Herd based scan avoidance system in a network environment

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

422 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others