Herd based scan avoidance system in a network environment

US 8,973,146 B2
Filed: 12/27/2012
Issued: 03/03/2015
Est. Priority Date: 12/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating a signature for an object in a compute node in a herd of compute nodes in a network;

searching a herd cache in a memory element for the signature, wherein the herd cache is replicated across the herd of compute nodes;

responsive to determining the herd cache in the memory element does not contain the signature, scanning the object with a scan module to obtain a scan result;

updating the herd cache in the memory element with the scan result including the signature of the object and a threat level of the object; and

synchronizing the updated herd cache in the memory element of the compute node with the herd caches of one or more other compute nodes in the herd, wherein the synchronizing includes sending the scan result to the one or more other compute nodes and receiving, from at least one other compute node in the herd, one or more scan results for one or more objects to be stored in the updated herd cache of the compute node.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in one example embodiment includes generating a signature for an object in a compute node in a network, searching a memory element for the signature, and responsive to determining the memory element does not contain the signature, scanning the object. The method also includes updating the memory element with a scan result, and synchronizing the memory element of the compute node with one or more memory elements of one or more other compute nodes in the network. In specific embodiments, the scan result includes the signature of the object and a threat level of the object. In further embodiments, the synchronizing includes sending the scan result to one or more other compute nodes in the network. In more specific embodiments, the scan result is sent with one or more other scan results after a predetermined interval of time from a previous synchronization.

362 Citations

25 Claims

1. A method comprising:
- generating a signature for an object in a compute node in a herd of compute nodes in a network;
  
  searching a herd cache in a memory element for the signature, wherein the herd cache is replicated across the herd of compute nodes;
  
  responsive to determining the herd cache in the memory element does not contain the signature, scanning the object with a scan module to obtain a scan result;
  
  updating the herd cache in the memory element with the scan result including the signature of the object and a threat level of the object; and
  
  synchronizing the updated herd cache in the memory element of the compute node with the herd caches of one or more other compute nodes in the herd, wherein the synchronizing includes sending the scan result to the one or more other compute nodes and receiving, from at least one other compute node in the herd, one or more scan results for one or more objects to be stored in the updated herd cache of the compute node.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the threat level of the object indicates whether the object contains malicious code.
  - 3. The method of claim 1, wherein the scan result is sent with at least one other scan result to the one or more other compute nodes in the herd after a predetermined interval of time from a previous synchronization.
  - 4. The method of claim 1, wherein the synchronizing includes pulling the one or more scan results from the one or more other compute nodes in the herd.
  - 5. The method of claim 1, wherein the network includes two or more herds of compute nodes.
  - 6. The method of claim 1, wherein the herd cache in the memory element comprises a whitelist and a blacklist.

7. At least one non-transitory machine readable storage medium having instructions stored thereon, the instructions when executed by a processor cause the processor to:
- generate a signature for an object in a compute node in a herd of compute nodes in a network;
  
  search a herd cache in a memory element for the signature, wherein the herd cache is replicated across the herd of compute nodes;
  
  responsive to determining the herd cache in the memory element does not contain the signature, scan the object with a scan module to obtain a scan result;
  
  update the herd cache in the memory element with the scan result including the signature of the object and a threat level of the object; and
  
  synchronize the updated herd cache in the memory element of the compute node with the herd caches of one or more other compute nodes in the herd, wherein the synchronizing includes sending the scan result to the one or more other compute nodes and receiving, from at least one other compute node in the herd, one or more scan results for one or more objects to be stored in the updated herd cache of the compute node.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The at least one non-transitory machine readable storage medium of claim 7, wherein the threat level of the object indicates whether the object contains malicious code.
  - 9. The at least one non-transitory machine readable storage medium of claim 7, comprising further instructions that when executed by the processor cause the processor to:
    - send the scan result with at least one other scan result to the one or more other compute nodes in the herd after a predetermined interval of time from a previous synchronization.
  - 10. The at least one non-transitory machine readable storage medium of claim 7, comprising further instructions that when executed by the processor cause the processor to:
    - pull the one or more scan results from the one or more other compute nodes in the herd.
  - 11. The at least one non-transitory machine readable storage medium of claim 7, wherein the network includes two or more herds of compute nodes.
  - 12. The at least one non-transitory machine readable storage medium of claim 7, wherein the herd cache comprises a first local cache and a second local cache, the first local cache including a whitelist and the second local cache including a blacklist.

13. An apparatus, comprising:
- a processor;
  
  a scan module executing on the processor, the scan module configured to;
  
  generate a signature for an object in a compute node in a herd of compute nodes in a network;
  
  search a herd cache in a memory element for the signature, wherein the herd cache is replicated across the herd of compute nodes;
  
  responsive to determining the herd cache in the memory element does not contain the signature, scan the object to obtain a scan result;
  
  update the herd cache in the memory element with the scan result including the signature of the object and a threat level of the object; and
  
  a synchronization module executing on the processor, the synchronization module configured to synchronize the updated herd cache in the memory element of the compute node with the herd caches of one or more other compute nodes in the herd, wherein the synchronizing includes sending the scan result to the one or more other compute nodes and receiving, from at least one other compute node in the herd, one or more scan results for one or more objects to be stored in the updated herd cache of the compute node.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The apparatus of claim 13, wherein the threat level of the object indicates whether the object contains malicious code.
  - 15. The apparatus of claim 13, wherein the synchronization module is configured to:
    - send the scan result with at least one other scan result to the one or more other compute nodes in the herd after a predetermined interval of time from a previous synchronization.
  - 16. The apparatus of claim 13, wherein the synchronization module is further configured to:
    - pull the one or more scan results from the one or more other compute nodes in the herd.
  - 17. The apparatus of claim 16, wherein the one or more scan results are pulled after a predetermined interval of time from a previous synchronization.
  - 18. The apparatus of claim 13, wherein the network includes two or more herds of compute nodes.

19. At least one non-transitory machine readable storage medium having instructions stored thereon, the instructions when executed by a processor cause the processor to:
- generate a signature for an object received from an external source by a compute node in a herd of compute nodes in a network;
  
  search a herd cache in a local memory element of the compute node for the signature;
  
  responsive to determining the herd cache in the local memory element does not contain the signature, send a request to a central server for a threat level associated with the signature;
  
  responsive to receiving a response indicating that the signature is not found, scan the object with a scan module in the compute node to obtain a scan result;
  
  update the herd cache in the local memory element with the scan result including the signature of the object and the threat level of the object; and
  
  synchronize the updated herd cache in the memory element of the compute node with a central cache in the central server containing object signatures and corresponding threat levels, wherein the synchronizing includes sending the scan result to the central server.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The at least one non-transitory machine readable storage medium of claim 19, wherein the threat level of the object indicates whether the object contains malicious code.
  - 21. The at least one non-transitory machine readable storage medium of claim 19, comprising further instructions that when executed by the processor cause the processor to:
    - responsive to the request being redirected to a second compute node in the network, retrieve the threat level associated with the signature from the second compute node.
  - 22. The at least one non-transitory machine readable storage medium of claim 19, wherein the central server is to update a signature mapping database based on the scan result.
  - 23. The at least one non-transitory machine readable storage medium of claim 19, comprising further instructions that when executed by the processor cause the processor to:
    - send the scan result to the central server with one or more other scan results associated with one or more other objects after a predetermined number of scans have been performed.
  - 24. The at least one non-transitory machine readable storage medium of claim 19, wherein the central cache includes scan results associated with two or more scan results from two or more compute nodes in the herd, wherein the compute node is one of the two or more compute nodes.
  - 25. The at least one machine readable storage medium of claim 24, wherein the network includes two or more herds of compute nodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Ramanan, Venkata, Hunt, Simon
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
GUIRGUIS, MICHAEL M

Application Number

US13/728,705
Publication Number

US 20140189859A1
Time in Patent Office

796 Days
Field of Search

726/24
US Class Current

726/24
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/567   using dedicated hardware

G06F 2221/2115   Third party

H04L 63/145   the attack involving the pr...

H04L 67/1095   Replication or mirroring of...

H04L 67/568   Storing data temporarily at...

Herd based scan avoidance system in a network environment

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

362 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Herd based scan avoidance system in a network environment

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

362 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links