System and method for separated packet processing and static analysis

Information

  • Patent Grant
  • 10454953
  • Patent Number
    10,454,953
  • Date Filed
    Monday, October 9, 2017
    7 years ago
  • Date Issued
    Tuesday, October 22, 2019
    5 years ago
Abstract
According to one embodiment, a system features a network security device and a cloud computing service. The network security device is configured to determine whether an object includes one or more characteristics associated with a malicious attack. The cloud computing service, communicatively coupled to and remotely located from the network security device, includes virtual execution logic that, upon execution by a processing unit deployed as part of the cloud computing service and after the network security device determining that the object includes the one or more characteristics associated with the malicious attack, processes the object and monitors for behaviors of at least the object suggesting the object is associated with a malicious attack.
Description
1. FIELD

Embodiments of the disclosure relate to the field of network security. More specifically, embodiments of the disclosure relates to a system, apparatus and method for conducting packet processing and/or static analysis of objects by a traffic analysis controller being logic different from a host in order to offload packet processing and/or static analysis from the host.


2. GENERAL BACKGROUND

Over the last decade, malicious software has become a pervasive problem for Internet users as most networked resources include software vulnerabilities that are subject to attack. For instance, over the past few years, more and more vulnerabilities are being discovered in software that is loaded onto computers, such as vulnerabilities within operating systems for example. While some vulnerabilities continue to be addressed through software patches, prior to the release of such software patches, network resources continue to be targeted by exploits.


In general, an exploit is information that attempts to take advantage of a vulnerability by adversely influencing or attacking normal operations of a targeted computer. As an illustrative example, a Portable Execution Format (PDF) file may be infected with an exploit that is activated upon execution (opening) of the PDF file and takes advantage of a vulnerability associated with a certain type and version of a PDF Reader application.


Currently, one type of network security device widely used for detecting exploits is designed to identify packets suspected of containing known exploits, attempt to block/halt propagation of such exploits, and log/report information associated with such packets through an alert. In particular, this conventional network security device is implemented with a processor that is wholly responsible for performing packet processing, a static analysis and a dynamic analysis. This type of conventional network security device may experience certain disadvantages.


For instance, one disadvantage with conventional network security devices is that the packet processing, the static analysis and the dynamic analysis may simultaneously request limited resources of the network security device's processor. Such simultaneous need for the processor's resources inherently leads to one or more processes waiting on others to finish and subsequently relinquish the processor's resources. This dilemma limits the speed, efficiency and detection efficacy at which the network security device may analyze received network traffic, especially when the network traffic is being received at a high rate.





BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the invention are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:



FIG. 1 is an illustration of an exemplary block diagram of a flow of network traffic within a networking system.



FIG. 2 is an illustration of an exemplary block diagram of a plurality of network security devices communicatively coupled to a management system via a network.



FIG. 3 is an illustration of an exemplary block diagram of logic associated with the traffic analysis controller (TAC) of a network security device.



FIG. 4 is an illustration of an exemplary block diagram of logic associated with the threat detection and prevention (TDP) logic of the host included within a network security device.



FIG. 5 is an exemplary diagram of a flowchart illustrating operations of a network security device.



FIG. 6 is an exemplary diagram of a flowchart illustrating operations of a network security device determining whether an object of received network traffic requires analysis by a communication protocol analysis engine subsystem.



FIG. 7 is an exemplary diagram of a flowchart illustrating operations of a network security device determining whether an object of received network traffic requires analysis by a binary traffic subsystem



FIG. 8 is an exemplary diagram of a flowchart illustrating operations of a network security device determining whether an object of received network traffic requires analysis by a DNS traffic subsystem.



FIG. 9 is an exemplary diagram of a flowchart illustrating operations of a network security device determining whether an object of received network traffic requires analysis by a call-back traffic subsystem.



FIG. 10 is an illustration of a second exemplary block diagram of a plurality of network security devices communicatively coupled to a management system via a network.





DETAILED DESCRIPTION

Various embodiments of the disclosure relate to an electronic device with network connectivity, such as a network security device for example, where the electronic device comprises a traffic analysis controller (TAC) and threat detection and prevention (TDP) logic. According to one embodiment of the disclosure, the traffic analysis controller comprises a packet capture framework (PCF) which captures packets or objects from received network traffic. The PCF passes the captured objects to a set of pre-filters which comprises logic to determine whether an object is “of interest,” namely whether the object is of or contains a particular type of network traffic. In one embodiment, an object that is determined to be “of interest” is passed to either a static analysis engine operating on the traffic analysis controller and/or a dynamic analysis engine operating separate from the traffic analysis controller but within the network security device (e.g., part of the TDP logic).


For instance, as illustrated embodiments, the network security device may be implemented as a network appliance with a chassis housing, where both the traffic analysis controller and the TDP logic are implemented and contained within the same chassis housing. Where the network security device is implemented as a rack of blade servers, it is contemplated that the traffic analysis controller may be deployed within a first blade server while the TDP logic is deployed within the first blade server or a different (second) blade server that is communicatively coupled to the first blade server.


According to this embodiment of the disclosure, the static analysis engine comprises at least one subsystem that conducts a static analysis on incoming objects, where the analysis of the objects is conducted without certain types of processing (e.g., opening an object, running the object, etc.). The static analysis may include signature matching (e.g., exploit signature checks, vulnerability checks), heuristic analysis (e.g., statistical analysis), source reputation checking, blacklist or whitelist checking, or the like. For instance, the static analysis engine subsystem(s) associated with signature matching may comprise logic that conducts exploit signature checks and/or vulnerability signature checks on objects of at least a first traffic-type (e.g., domain name system “DNS”) to identify whether characteristics of any of these objects indicate that the object is associated with a malicious attack (e.g., indicative of an exploit). Furthermore, another static analysis engine subsystem may be associated with heuristics that examines the metadata or attributes of the object to determine whether a certain portion of the object has characteristics that suggest the object is an exploit and/or is associated with a malicious attack.


Furthermore, the dynamic analysis engine also comprises one or more dynamic analysis engine subsystems. For instance, a dynamic analysis engine subsystem may comprise virtual execution logic to automatically analyze, without user assistance, content within objects of at least a second traffic-type (e.g., “Hypertext Transfer Protocol “HTTP”) in order to determine whether any of these objects is an exploit. Such objects or packets are provided to the dynamic analysis engine from the traffic analysis controller automatically and without user assistance.


Therefore, by compartmentalizing the packet processing and the virtual machine (VM)-based processing, the amount of network traffic that the network security device may process over a given time period is now scalable. Furthermore, using a network processing unit (NPU) on the traffic analysis controller for packet processing allows for an increased processing speed due to hardware acceleration, as much of the packet processing is done within the hardware and/or firmware of the NPU.


I. Terminology

In the following description, certain terminology is used to describe features of the invention. For example, in certain situations, both terms “logic” and “engine” are representative of hardware, firmware and/or software that is configured to perform one or more functions. As hardware, logic (or engine) may include circuitry having data processing or storage functionality. Examples of such circuitry may include, but are not limited or restricted to a microprocessor, one or more processor cores, a programmable gate array, a microcontroller, an application specific integrated circuit, wireless receiver, transmitter and/or transceiver circuitry, semiconductor memory, or combinatorial logic.


Logic (or engine) may be software in the form of one or more software modules, such as executable code in the form of an executable application, an application programming interface (API), a subroutine, a function, a procedure, an applet, a servlet, a routine, source code, object code, a shared library/dynamic load library, or one or more instructions. These software modules may be stored in any type of a suitable non-transitory storage medium, or transitory storage medium (e.g., electrical, optical, acoustical or other form of propagated signals such as carrier waves, infrared signals, or digital signals). Examples of non-transitory storage medium may include, but are not limited or restricted to a programmable circuit; a semiconductor memory; non-persistent storage such as volatile memory (e.g., any type of random access memory “RAM”); persistent storage such as non-volatile memory (e.g., read-only memory “ROM”, power-backed RAM, flash memory, phase-change memory, etc.), a solid-state drive, hard disk drive, an optical disc drive, or a portable memory device. As firmware, the executable code is stored in persistent storage.


Herein, the term “traffic analysis controller” (TAC) may be construed as logic that conducts packet processing and/or some static analysis of received objects to determine (1) whether further in-depth processing of the object is needed to determine whether the object is “malicious” (e.g., associated with a malicious attack) or benign and/or (2) whether an alert or other warning scheme is needed to advise an administrator of the results from the static analysis. According to one embodiment of the disclosure, the traffic analysis controller comprises a processor having access to on-chip or off-chip memory and being implemented on a substrate. The substrate may be one of several form factors including, but not limited or restricted to, a network interface card, an expansion card, a circuit board, a semiconductor component, or a plug-in module. In one embodiment, the traffic analysis controller may be a network interface card that comprises a network processing unit communicatively coupled to a non-volatile memory, where the memory includes several software modules that, when executed, conducts packet processing and static analysis of objects as described below.


A “processing unit” may be construed as any type of logic with data processing capability, including a general purpose processor, a processor core, a micro-controller, an application specific integrated circuit (ASIC), a network processor, a digital signal processor, a virtual processor, a field-programmable gate array (FPGA), or the like.


Herein, the term “object” generally refers to a collection of data, whether in transit (e.g., over a network) or at rest (e.g., stored), often having a logical structure or organization that enables it to be classified for purposes of analysis. During static analysis, for example, the object may exhibit a set of expected characteristics and, during processing, a set of expected behaviors. The object may also exhibit a set of unexpected characteristics and a set of unexpected behaviors that may be evidence of an exploit and potentially allow the object to be classified as an exploit.


Examples of objects may include one or more flows or a self-contained element within a flow itself. A “flow” generally refers to related packets that are received, transmitted, or exchanged during a communication session and multiple flows are related packets that are received, transmitted or exchanged during related communication sessions. For convenience, a “packet” is broadly referred to as a series of bits or bytes having a prescribed format, which may include all types of network packets, frames, or cells.


As an illustrative example, an object may include a set of (one or more) flows such as (1) a sequence of transmissions in accordance with a particular communication protocol (e.g., User Datagram Protocol (UDP); Transmission Control Protocol (TCP); or HTTP; etc.), or (2) inter-process communications (e.g. Remote Procedure Call “RPC” or analogous processes, etc.). Similarly, as another illustrative example, the object may be a self-contained element, where different types of such objects may include a non-executable file (such as a document or a dynamically link library), a Portable Document Format (PDF) file, a JavaScript file, Zip file, a Flash file, a document (for example, a Microsoft Office® document), an electronic mail (email), downloaded web page, an instant messaging element in accordance with Session Initiation Protocol (SIP) or another messaging protocol, or the like.


An “exploit” may be construed as information (e.g., executable code, data, command(s), etc.) that is associated with a malicious attack on an electronic device, namely an attempt, normally unbeknownst to its user, to (1) alter control of the electronic device where the change in control is unwanted or unintended by the user and/or (2) gain access to stored information or information that is available to the user. According to one embodiment, an exploit attempts to take advantage of a vulnerability. Typically, a “vulnerability” is a coding error or artifact of software (e.g., computer program) that allows an attacker to alter legitimate control flow during processing of the software (computer program) by an electronic device, and thus, causes the electronic device to experience undesirable or unexpected behaviors. The undesired or unexpected behaviors may include a communication-based anomaly or an execution-based anomaly, which, for example, could (1) alter the functionality of an electronic device executing application software in a malicious manner; (2) alter the functionality of the electronic device executing that application software without any malicious intent; and/or (3) provide unwanted functionality which may be generally acceptable in another context. To illustrate, a computer program may be considered as a state machine, where all valid states (and transitions between states) are managed and defined by the program, in which case an exploit may be viewed as seeking to alter one or more of the states (or transitions) from those defined by the program.


“Malware” may be construed as computer code that executes an exploit to take advantage of a vulnerability, for example, to harm or co-opt operation of an electronic device or misappropriate, modify or delete data. Conventionally, malware is often said to be designed with malicious intent. An object may constitute or contain an exploit and/or malware.


The term “object of interest” may be construed as any object of the received network traffic associated with a packet selected by a pre-filter to be routed to one or more of the subsystems of either the static analysis engine or the dynamic analysis engine. For instance, an object of interest to the communication protocol traffic subsystem may be any object of a flow such as a sequence of transmissions in accordance with a particular communication protocol (e.g., User Datagram Protocol (UDP); Transmission Control Protocol (TCP); or Hypertext Transfer Protocol (HTTP)) that is selected by the communication protocol pre-filter to be routed to the communication protocol traffic subsystem for analysis. Throughout the specification and claims, the terms “object of interest” and “object under analysis” are used interchangeably.


The term “transmission medium” is a physical or logical communication path between two or more electronic devices (e.g., any devices with data processing and network connectivity such as, for example, a security appliance, a server, a mainframe, a computer such as a desktop or laptop, netbook, tablet, firewall, smart phone, router, switch, bridge, etc.). For instance, the communication path may include wired and/or wireless segments. Examples of wired and/or wireless segments include electrical wiring, optical fiber, cable, bus trace, or a wireless channel using infrared, radio frequency (RF), or any other wired/wireless signaling mechanism.


In certain instances, the terms “detected” is used herein to represent that there is a prescribed level of confidence (or probability) on the presence of an exploit within an object under analysis. For instance, the logic of the static analysis engine “detects” a potential exploit by examining characteristics or features of an object under analysis, and, in response, determining whether the object has characteristics that suggest the object is an exploit and/or is associated with a malicious attack. This determination may be conducted through analysis as to whether there is at least a first probability that such characteristics exist. Likewise, the virtual execution logic detects the presence of an exploit by monitoring or observing unexpected or anomalous behaviors or activities of an object under analysis, and, in response, determining whether there is at least a second probability, perhaps higher than the first probability, that the object has characteristics indicative of an exploit, and thus, is associated with a malicious attack.


The term “computerized” generally represents that any corresponding operations are conducted by hardware in combination with software and/or firmware. Also, the term “comparison” generally means determining if a match (e.g., a certain level of correlation) is achieved between two items where one of the items may include a particular signature pattern.


The terms “binary” and “binaries” may be construed as executable code, commonly referred to as object or binary code. Examples of binaries may include, but are not restricted or limited to a compiled executable program.


Lastly, the terms “or” and “and/or” and “/” as used herein are to be interpreted as inclusive or meaning any one or any combination. Therefore, “A, B or C” or “A, B and/or C” mean “any of the following: A; B; C; A and B; A and C; B and C; A, B and C.” Also, “A/B” represents “any of the following: A; B; A or B; A and B.” An exception to this definition will occur only when a combination of elements or functions, are in some way inherently mutually exclusive.


As this invention is susceptible to embodiments of many different forms, it is intended that the present disclosure is to be considered as an example of the principles of the invention and not intended to limit the invention to the specific embodiments shown and described.


II. First Embodiment—TAC Comprising Static Analysis Engine Logic

A. Communication Flow


Referring to FIG. 1, an exemplary block diagram of a flow of network traffic within a networking system is shown. Herein, some or all of the incoming objects associated with monitored network traffic are received by network security device 104. The network security device 104 is configured to receive incoming objects over a communication network 101. Thereafter, the network security device 104 is configured to detect, using at least a static analysis and a dynamic analysis, which objects are to be flagged as including characteristics that suggest the object is an exploit and/or is associated with a malicious attack.


Herein, the network security device 104 may be communicatively coupled with the communication network 101 to monitor flows in a passive or active manner. In a passive manner, the network security device 104 may be communicatively coupled so as to capture and duplicate one or more objects associated with a flow propagating over a communication path 103. The duplicated copy is then analyzed while the original flow is passed to one or more client devices 1051-105M (M≥1), where one or more client devices may be simply represented as “client device(s)”). Such a network security device 104 is sometimes referred to as a “tap” or “network tap,” which receives network traffic over communication path 103 between the communication network 101 and client device(s) 1051-105M (M≥1) and re-routes some or all of the network traffic to the network security device 104.


Alternatively, the network security device 104 may operate in an active manner with an in-line deployment, where the network traffic over the communication path 103 is directly received by the network security device 104. In other words, the network security device 104 is positioned between the communication network 101 and the client device(s) 1051-105M and analyzes objects within the original version of the network traffic. Subsequent to such analysis, for analyzed objects determined to be associated with a malicious attack, the objects may be precluded from being passed to the client device(s) 1051-105M. Rather, the objects may be quarantined and perhaps held for further forensic analysis.


B. General Architecture


Referring to FIG. 2, an exemplary block diagram of a plurality of network security devices 1041-104N (N≥1, e.g., N=3) communicatively coupled to a management system 219 via a communication network 218 is shown. Communication network 218 may be configured as an intranet operating as a private network shared by the network security devices 1041-1043 and management system 219 or communication network 218 may be configured as a public network such as the Internet for example.


In general, the management system 219 is adapted to manage network security devices 1041-1043. For instance, the management system 219 may be responsible for automatically updating one or more exploit signatures and/or vulnerability signatures used by the static analysis engine 207 within some or all of network security devices 1041-104N. Each of these signatures may represent a prior detected exploit or an uncovered software vulnerability. Such sharing may be conducted automatically or manually, e.g., uploaded by an administrator. Also, such sharing may be conducted without charge among the network security devices 1041-1043 or subject to a paid subscription basis.


Herein, according to the embodiment illustrated in FIGS. 1 and 2, a first network security device 1041 is an electronic device that is adapted to analyze information associated with network traffic routed over the communication network 101 between at least one server device 100 and at least one client device 1051. The communication network 101 may include a public network such as the Internet, in which case an optional firewall (not shown) may be interposed prior to network security device 104 (e.g., first network security device). Alternatively, the communication network 101 may be a private network such as a wireless data telecommunication network, wide area network (WAN), a type of local area network (LAN), or a combination of networks.


As shown in FIG. 2, the first network security device 1041 comprises a traffic analysis controller 200 communicatively coupled to a host 203, which may include a TDP logic 202 (hereinafter, “TDP logic 202”). The traffic analysis controller 200 comprises communication ports 204; a network processing unit (NPU) 205 communicatively coupled to logic (e.g., software modules residing in persistent storage 206) to conduct packet processing and/or certain static analysis on objects associated with the received network traffic; and a connector 212. As shown, the persistent storage maintains several software modules including static analysis engine 207, a set of pre-filters 208, a signatures rule set 209, packet capture framework (PCF) 210, and/or communication interface logic 211. As shown, the communication ports 204 may be adapted to receive network traffic via path 103 so as to connect network security device 1041 to communications networks 101 and/or 218 while connector 212 provides a communication path to a connector 213 of the TDP logic 202 over transmission medium 220.


As shown, traffic analysis controller 200 and TDP logic 202 may reside within the same chassis housing of the network security device 1041. Of course, as described above, the network security device 1041 may implemented as a group of electronic devices in close physical proximity (e.g., rack of blade servers), where the traffic analysis controller 1041 may be deployed within a first electronic device while the TDP logic 202 is deployed within a second electronic device. For this deployment, the transmission medium 220 may include Twinaxial cabling, coaxial cabling, twisted pair cabling such as Category 5/5e/6/6a, or the like.


In general, the traffic analysis controller 200 operates as a data capturing device that is configured to receive data propagating to/from the client device(s) 1051-105M and provide at least some of this data to the packet capture framework (PCF) 210 of the network security device 1041. The traffic analysis controller 200 may provide at least some of the original network traffic to the PCF 210 or duplicate at least some of the network traffic and provide the duplicated copy to the PCF 210.


According to one embodiment of the disclosure, the static analysis engine 207 may be one or more software modules executed by a first processing unit while the dynamic analysis engine 216 may be one or more software modules executed on a second processing unit. The first and second processing units may be different processing units, where each “processing unit” may be a different physical processor located within the same processor package or at different physical locations, a different core processor within the same processor package, a different virtual processor, or the like. Of course, the first and second processing units may be the same physical/core/virtual processor.


As an example, as shown in FIG. 2, the static analysis engine 207, when deployed as one or more software modules, may be executed by the network processing unit (NPU) 205 being a processing unit for the traffic analysis controller 200 while the dynamic analysis engine 216 may be executed by a central processing unit (CPU) 214 being a processing unit for the host 203. The term “host” refers to any portion of the network security device 104 not included within the traffic analysis controller 200. Of course, it is contemplated that certain functionality of the static analysis engine 207 may be conducted by the host 203, such as the TDP logic 202 for example, and executed by the CPU 214. In this embodiment, the packet processing (e.g., pre-filtering) and/or certain static analysis functionality is off-loaded from the CPU 214 to the NPU 205 as described below and illustrated in FIG. 10.


In an embodiment in which the packet processing (e.g., processing of the set of pre-filters 208) and some or all of the processing of the static analysis engine 207 is off-loaded from the CPU 214 of the host 203 to the NPU 205 of the traffic analysis controller 200, a computational advantage arises. In particular, off-loading of the packet processing and/or at least some functionality by the static analysis engine 207 allows the CPU 214 to devote most of its resources to VM-based processing and subsequent monitoring. In this implementation, it is now possible to instantiate more VMs and/or run the analyses of the VMs for a longer time period as packet processing is not simultaneously requesting the resources of the CPU 214. Therefore, this logical configuration provides an ability to scale the processing of the network security device 104 by increasing the number of VMs used during the processing as well as potentially performing deep packet inspection and/or a static analysis on a processor separate from that which is executing the VMs.


1. Traffic Analysis Controller (TAC)


Referring to FIG. 3, a block diagram of logic associated with the traffic analysis controller (TAC) 200 of the network security device 1041 is shown. As illustrated in FIGS. 2-3, the traffic analysis controller 200 comprises communication interface logic 211, packet capture framework (PCF) 210, pre-filters 208, signatures rule set 209, static analysis engine 207 and connector 212 which provides connectivity from the traffic analysis controller 200 to the threat detection and prevention (TDP) logic 203.


The PCF 210 controls the flow of the network traffic received by the network security device 1041. Specifically, the PCF 210 confirms that the network security device 1041 is operating properly according to the deployment scenario of the network security device 104. For instance, if the network security device 1041 is deployed off-line, or in a passive mode, the PCF 210 may be configured to ensure that the network security device 1041 receives a copy of the received network traffic and passes the copy of the received network traffic to the set of pre-filters 208 while the network traffic proceeds to one or more of the client device(s) 1051, . . . and/or 105M. In the off-line deployment scenario, the network security device 1041 does not block or delay the network traffic from reaching a client device (e.g., client device 1051) while the static and/or dynamic analysis is being performed. Alternatively, if the network security device 1041 is deployed in-line, the PCF 210 does not permit (blocks/halts) the received network traffic to pass through the network security device 104 to the client device 1051 until the network security device 104 has determined the received network security traffic does not contain malicious content once processing and analysis are complete. In the in-line deployment scenario, the PCF 210 ensures that the received network traffic passes to the client device 1051, after processing and analysis are complete, e.g., the network traffic does not contain malicious content.


The PCF 210 of the traffic analysis controller 200 is capable of receiving and routing objects associated with network traffic to the set of pre-filters 208. According to one embodiment of the disclosure, the set of pre-filters 208 comprise two or more filtering modules that perform an initial inspection of objects of received network traffic to determine the object type (e.g., the type of traffic associated with the object). In such an embodiment, one pre-filter is associated with objects to be routed to the static analysis engine 207 and another pre-filter may be associated with objects to be routed to the dynamic analysis engine 216 of FIG. 2.


Furthermore, each pre-filter is associated with a subsystem of either the static analysis engine 207 or the dynamic analysis engine 216 corresponding to the type of traffic for which the pre-filter is searching. For example, a pre-filter searching for communication protocol traffic may be associated with a communication protocol traffic subsystem deployed within the dynamic analysis engine 216. When a pre-filter determines that an object of the received network traffic is an object type of traffic for which the pre-filter is searching, the object is considered an “object of interest” and is routed from the pre-filter to the analysis engine subsystem with which the pre-filter is associated. When no pre-filter determines that the object is an object of interest, the object is permitted to pass to the client device 1051 without being routed to either the static analysis engine 207 or the dynamic analysis engine 216.


The set of pre-filters 208, located on the traffic analysis controller 200, may route an object of interest to a subsystem of the static analysis engine 207 located on the traffic analysis controller 200. Additionally or in the alternative, the set of pre-filters 208 may route objects of interest to a subsystem of the dynamic analysis engine 216 in the TDP logic 202 located within the host 203. The pre-filter that determines an object is of interest may provide the entire object or certain content within the object, for example, one or more objects that are part of one or more flows, packet payloads, or the like, to the corresponding analysis engine subsystem.


In some embodiments, an object of interest may be provided to the static analysis engine 207 and once the static analysis engine 207 has finished its analysis, a determination is made as to whether the object of interest may contain malicious content. Thereafter, the object of interest may not be provided to a subsystem within the dynamic analysis engine 216 for further in-depth analysis, but rather, information is provided to logic within the host 203 to initiate an alert message to a network administrator, user, or another entity regarding presence of a detected object having characteristics associated with a malicious attack. For instance, a call-back traffic subsystem 315 of FIG. 3 may perform such operations upon detecting a call-back condition. Alternatively, in other embodiments, an object of interest may be provided to the static analysis engine 207, analyzed and then provided to the dynamic analysis engine 216 for further analysis prior to the network security device 104 making a determination as to whether the object of interest has characteristics that suggest the object is an exploit and/or is associated with a malicious attack. For instance, a domain name system (DNS) subsystem 305 of FIG. 3 may perform such operations.


In one embodiment of the disclosure, as illustrated in FIGS. 3-4, the set of pre-filters 208 may comprise four pre-filters searching for four types of traffic, including: (1) DNS traffic; (2) traffic containing call-back activity; (3) communication protocol traffic; and (4) traffic containing at least one binary. In such an embodiment, the four pre-filters correspond to the following subsystems of the static analysis engine 207 or the dynamic analysis engine 216: (1) DNS traffic subsystem 305, (2) call-back traffic subsystem 315, (3) communication protocol traffic subsystem 400, and/or (4) binary traffic subsystem 420. Furthermore, the set of pre-filters 208 are located on the traffic analysis controller 200 along with the static analysis engine 207.


In the embodiment, the static analysis engine 207 comprises the DNS traffic subsystem 305 and the call-back traffic subsystem 315. The dynamic analysis engine 216, located on the host 203, comprises the communication protocol traffic subsystem 400 and the binary traffic subsystem 420 as shown in FIG. 4.


In an alternative embodiment, the functions of the communication protocol traffic subsystem 400 and the binary traffic subsystem 420 may be incorporated into a single subsystem on the dynamic analysis engine 216 while the functions of the DNS traffic subsystem 305 and the call-back traffic subsystem 315 are incorporated into a single subsystem on the static analysis engine 207.


Referring to FIGS. 2 and 3, the DNS traffic subsystem 305 and the call-back traffic subsystem 315, when executed on one or more processors, may be configured to perform static analysis on a particular object, such as exploit signature checks and/or vulnerability signature checks by exploit matching logic 312/322 and/or vulnerability matching logic 310/320 for example. Such signature check operations may involve accessing pre-stored signatures from signature rules set 209 stored on one or more non-transitory storage mediums such as persistent storage 206.


In general, the DNS traffic subsystem 305 and the call-back traffic subsystem 315 of the static analysis engine 207 are communicatively coupled to receive one or more objects within network traffic which may be related or unrelated to each other. For instance, one object may be a series of packets containing one or more requests to a DNS server operating as a flow routed over communication network 101. The subsystems of the static analysis engine 207 comprise logic which analyzes each of the objects for known exploits using exploit signatures and, for the protocol activity, using vulnerability signatures. For instance, the exploit matching logic 312/322 within the DNS traffic subsystem 305 and the call-back traffic subsystem 315 performs exploit signature checks, which may involve a comparison of one or more pre-stored exploit signatures (pre-configured and predetermined attack patterns against the object of interest) from signatures rule set 209.


Additionally, the DNS traffic subsystem 305 and the call-back traffic subsystem 315 of the static analysis engine 207 may comprise heuristic logic 314/324 which analyzes each of the objects using metadata or attributes of the object of interest to determine whether a certain portion of the object has characteristics that suggest the object is an exploit and/or is associated with a malicious attack. For instance, the heuristic logic 314/324 may analyze the object of interest to determine whether certain portions of the object corresponds to one or more “malicious identifiers,” which may include, but are not limited or restricted to a particular source or destination address (e.g., URLs, IP addresses, MAC addresses, etc.) that is associated with known exploits; exploit patterns; or even shell code patterns.


Upon detecting a match during the exploit signature check, vulnerability signature check and/or the heuristic check (an object under analysis has characteristics that suggest the object is an exploit and/or is associated with a malicious attack), the static analysis engine 207 may be adapted to upload the static analysis results for storage in results database 221. These results may include, but are not limited or restricted to (i) an exploit identifier such as a particular name/family of the suspected exploit (if known); (ii) source address (e.g., Uniform Resource Locator “URL”, Internet Protocol “IP” address, etc.) of a source of the suspect object; (iii) time of analysis; and/or (iv) information associated with anomalous characteristics pertaining to the object of interest.


According to another embodiment of the disclosure, the PCF 210 may be further configured to capture metadata from network traffic intended for client device 1051. According to one embodiment, the metadata may be used, at least in part, by the heuristic logic 314/324 and/or to determine protocols, application types and other information that may be used by logic within the network security device 1041 to determine particular software profile(s). The software profile(s) are used for selecting and/or configuring a run-time environment in one or more virtual machines selected or configured as part of the dynamic analysis engine 216, as described below. These software profile(s) may be directed to different versions of the same software application for fetching corresponding software image(s) from profile software rule set 217.


Furthermore, according to one embodiment of the disclosure, packet processing and static analysis operations are off-loaded to the traffic analysis controller 200 while VM-based processing remains on the host 203. Herein, the VM-based analysis normally requires significantly more computing resources, including both CPU and memory, which may be best provided by the host 203 (e.g., main system) than within a NIC deployment of the traffic analysis controller 200. Hence, the static analysis engine 207 may be adapted to route information that is used by the scheduler 213, dynamic analysis engine 216 and/or reporting logic (not shown) to conduct further analysis as to whether the suspect object is associated with a malicious attack (e.g., an exploit). This information may include, but is not limited or restricted to (1) the suspect object, (2) anomalous characteristics of the suspect object, based on signature matching, heuristics and other static analysis, that may indicate the presence of an exploit; (3) a score generated to classify a threat level of the suspect object being a possible exploit


2. Threat Detection and Prevention (TDP) Logic


Referring to FIG. 4, a block diagram of logic associated with the threat detection and prevention (TDP) logic of the host (hereinafter, “TDP logic 202”) included within the network security device 1041 is shown. As illustrated, the TDP logic 202 comprises dynamic analysis engine 216, software profile rule set 217, a scheduler 223 and a second connector 213. The second connector 213 enables the TDP logic 202 to exchange data with the traffic analysis controller 200 over transmission medium 220. The communication protocol traffic subsystem 400 and the binary traffic subsystem 420 of the dynamic analysis engine 216 include virtual execution environments 405/425, score determination logic 410/430 and monitoring logic 415/435. The virtual execution environments 405/425 is comprised of one or more virtual machines (VMs) 4401-440K (K≥1) and 4451-445L (L≥1).


In general, at least one pre-filter of the set of pre-filters 208 located on the traffic analysis controller 200 provides the objects of interest to the dynamic analysis engine 216 for in-depth dynamic analysis using virtual machines (VMs) 4401-440K or 4451-445L. For instance, the communication protocol traffic subsystem 400 may simulate transmission and/or receipt by a destination device comprising the virtual machine.


According to one embodiment, one or more VMs 4401-440K or 4451-445L within the virtual execution environments 405/425 may be configured with all of the software profiles corresponding to the software images stored within software profile rule set 217. Alternatively, the VMs 4401-440K or 4451-445L may be configured according to a prevalent software configuration, software configuration used by an electronic device within a particular enterprise network (e.g., client device 1051), or an environment that is required for the object to be processed, including software such as a web browser application, PDF reader application, or the like. However, for a known or recognized vulnerability, the VMs 4401-440K or 4451-445L may be more narrowly configured to software profiles associated with vulnerable software.


As previously stated and shown in FIGS. 3-4, one embodiment of the set of pre-filters comprises four pre-filters 208 searching for four types of traffic, including: (1) DNS traffic; (2) traffic containing call-back activity; (3) communication protocol traffic; and (4) traffic containing at least one binary. These four pre-filters 208 also correspond to the following analysis engine subsystems: (1) DNS traffic subsystem 305, (2) call-back traffic subsystem 315, (3) communication protocol traffic subsystem 400, and (2) binary traffic subsystem 420. Furthermore, the dynamic analysis engine 216, located on the TDP logic 202 of the host 203, comprises the communication protocol traffic subsystem 400 and the binary traffic subsystem 420.


Upon receiving an object of interest from pre-filters 208, the scheduler 223 may determine which software image(s) are associated with software having the vulnerability. In one embodiment, the determination may be based on the static analysis conducted by the static analysis engine 207. Thereafter, the software profile(s) are selected by the scheduler 223 to fetch these software image(s) for configuration of VM 4401 or 4451. This tailored selection scheme avoids VM configuration for software that does not feature the matched software vulnerability.


As a second illustrative example, the scheduler 223 may be adapted to configure the multiple VMs 4401-440K for concurrent virtual execution of a variety of different versions of the software in efforts to determine whether the object of interest identified by the communication protocol traffic subsystem 400 and the binary traffic subsystem 420 is an exploit.


Of course, it is contemplated that the VM configuration described above may be handled by logic other than the scheduler 223. For instance, although not shown, the dynamic analysis engine 216 may include configuration logic that is adapted to determine which software image(s) are associated with software having the vulnerability. The vulnerability may be uncovered by the static analysis engine 207. This configuration logic may transmit the VM configuration information to the scheduler 223 to handle VM configuration as described above; alternatively, the dynamic analysis engine 216 may exclusively handle the VM configuration.


According to one embodiment of the disclosure, the communication protocol traffic subsystem 400 is adapted with the virtual execution environment 405 to execute one or more VMs 4401-440K that, operating in combination with a protocol sequence replayer (replay logic) 442, simulates the receipt and execution of an object of interest within a run-time environment as expected for the type of object. Similarly, the binary traffic subsystem 420 is adapted with the virtual execution environment 425 to execute one or more VMs 4451-445L that, operating in combination with a protocol sequence replayer (replay logic) 447, simulates the receipt and execution of an object of interest within a run-time environment as expected for objects including binaries.


As an illustrative example, the communication protocol traffic subsystem 400 may conduct virtual processing of an object of interest (e.g., a HTTP communication session) and provide the object of interest to the VM(s) 4401, . . . , and/or 440K. The replay logic 442 within the communication protocol traffic subsystem 400 may be adapted to provide, and sometimes modify (e.g. modify IP address) packets associated with the objects of interest containing one or more objects containing Internet traffic and synchronize any return network traffic generated by the virtual execution environment 405 in response to the packets. Hence, the communication protocol traffic subsystem 400 may suppress (e.g., discard) the return network traffic such that the return network traffic is not transmitted to the communication network 101. For instance, for a particular suspect object being a flow such as a TCP or UDP sequence, the replay logic 442 may replay the data packets by sending packets to the virtual execution environment 405 via a TCP connection or UDP session. Furthermore, the replay logic 442 may synchronize return network traffic by terminating the TCP connection or UDP session.


As another illustrative example, the binary traffic subsystem 420 may conduct virtual processing of an object of interest (e.g., a binary extracted from network traffic) and provide the object of interest to the VM(s) 4451, . . . , and/or 445L. The replay logic 447 within the binary traffic subsystem 420 may be adapted to return information to the VM(s) 4451, . . . , and/or 445L in the event that the binary requests information from remote sources.


As further shown in FIG. 4, the monitoring logic 415/435 within the dynamic analysis engine 216 may be configured to monitor behavior of the object being processed by one or more VMs 4401, . . . , and/or 440K or 4451, . . . , and/or 445L, for detecting anomalous or unexpected activity indicative of an exploit. If so, the object may be determined as being associated with malicious activity, and thereafter, monitoring logic 415/435 operating with score determination logic 410/430 may route the VM-based results (e.g., computed score, information associated with the detected anomalous behaviors, and other information associated with the detected malicious activity by the suspect object) to results database 221 of FIG. 2.


According to one embodiment of the disclosure, the score determination logic 410/430 comprises one or more software modules that are used to determine a probability (or level of confidence) that the object of interest is an exploit. Score determination logic 410/430 is configured to generate a value (referred to as a “score”) that classifies the threat of the possible exploit. Of course, a score may be assigned to the suspect object as a whole by mathematically combining the scores determined by analysis of different content associated with the same object of interest to obtain an overall score for that object of interest.


When the static analysis results or the VM-based results indicate that the object of interest under analysis contains malicious content, as shown in FIG. 1, the object may be held within the network security device 1041 and not permitted to pass to one or more of the client devices 1051, . . . and/or 105M. Alternatively, the object may be permitted to pass to one or more of the client devices 1051, . . . and/or 105M, where further monitoring of the object may take place. Furthermore, in either case, an administrator may be alerted to the presence of an object containing malicious content. Such an alert may be issued (e.g., by email or text message) to security administrators for example, communicating the urgency in handling one or more objects containing at least characteristics that suggest the object is an exploit and/or is associated with a malicious attack. An issued alert may also provide a designation of a selected threat level of the one or more objects containing at least characteristics indicative of malicious content.


Of course, in lieu of or in addition to static scanning operations being conducted by network security devices 1041-1043, it is contemplated that cloud computing services 102 may be implemented with static analysis engine 207 to perform the exploit and/or vulnerability signature checks and/or with dynamic analysis engine 216 to conduct virtual execution on content within the object of interest, as described herein. In accordance with this embodiment, network security device 1041 may be adapted to establish secured communications with cloud computing services 102 of FIG. 1 for exchanging information.


C. Flow of Objects Through TAC, Pre-Filters and Analysis Engine Subsystems


Referring to FIG. 5, an exemplary diagram of a flowchart illustrating operations of a network security device determining whether an object of received network traffic requires analysis by an analysis engine subsystem is shown. The traffic analysis controller (TAC) 200 of the network security device 1041 of FIG. 2 receives network traffic (block 500). Thereafter, a set of pre-filters operating on the traffic analysis controller perform an initial inspection of an object within the received network traffic to determine whether the object is an object of interest (block 505). This may be conducted through analysis of the object type.


If none of the pre-filters within the set of pre-filters finds the object to be an object of interest (e.g., the type of object under analysis is not recognized by the pre-filters), the network security device may allow the object, and associated packets or flows if applicable, to pass to the client device without further analysis (NO at block 505). However, if a pre-filter finds the object to be an object of interest, such as the object contains traffic of the type for which the pre-filter is searching for example (YES at block 505), the object of interest may be routed to the appropriate analysis engine subsystem for further processing (block 510).


Upon receiving the object of interest, the appropriate analysis engine subsystem performs processing to determine whether the object of interest includes malicious content so as to constitute an exploit (block 515). If the appropriate analysis engine subsystem determines that the object of interest does not have characteristics associated with a malicious attack (e.g., not an exploit), the network security device may allow the object (e.g., associated packet(s) or flows) to pass to the client device (NO at block 515). However, if the appropriate analysis engine subsystem determines that the object has characteristics associated with a malicious attack (YES at block 515), the network security device may (1) conduct further in-depth analysis (e.g., DNS subsystem determines object is suspicious and further analysis by the dynamic analysis engine is warranted); (2) optionally alert the appropriate administer or security technician of the presence of malicious content, (3) prevent the transmission of the object, and possibly any packets or flows associated with the object, or (4) allow transmission of the object and perform further monitoring (block 520).


Referring to FIG. 6, an exemplary diagram of a flowchart illustrating operations of a network security device determining whether an object of received network traffic requires analysis by a communication protocol traffic subsystem is shown. The network security device receives network traffic via the traffic analysis controller (block 600). Thereafter, a packet capture framework (PCF) captures packets of the received network traffic (block 605).


The PCF then sends objects of the received network traffic to the communication protocol pre-filter and the communication protocol pre-filter determines whether the object is a communication protocol-based object (block 610). For instance, the communication protocol pre-filter may inspect an object searching for an Internet Protocol (IP) packet comprising a header and a payload. In one embodiment, if an object inspected by the communication protocol pre-filter is determined to contain an IPv4 or an IPv6 packet, the communication protocol pre-filter will designate the object as an object of interest and forward the object, and possibly any associated packets or flows, to the communication protocol analysis engine subsystem. As another example, the communication protocol pre-filter may designate as objects of interest any object containing packets or data transferred using various communication protocols such as, but not limited or restricted to, transmission control protocol (TCP), user datagram protocol (UDP), dynamic host configuration protocol (DHCP), hypertext transfer protocol (HTTP) or file transfer protocol (FTP).


If the object is not determined to be a communication protocol based object, the network security device may allow the object, and associated packets or flows if applicable, to pass to the client device (NO at block 615). However, if the object is determined to be a communication protocol based object, i.e., an object of interest to the communication protocol pre-filter, (YES at block 615), the object is routed from the communication protocol pre-filter to the communication protocol traffic subsystem (of the dynamic analysis engine 216) for processing (block 620).


In one embodiment, as the communication protocol traffic subsystem is located within the dynamic analysis engine, the processing of the communication protocol traffic subsystem includes VM-based processing of the objects of interest. Such dynamic analysis may include virtual execution of the content of the object of interest. In particular, one or more VMs of the virtual execution environment of the communication protocol traffic subsystem may simulate loading of packets within an object of interest. The monitoring logic monitors what particular content is loaded and/or requested by the object of interest. For instance, the VM(s) may simulate the loading of an object of interest while the monitoring logic monitors for anomalous behavior such as repeated attempts to load the same HTTP address.


If, based on the processing by the communication protocol analysis engine, the object of interest is not determined to have characteristics that suggest the object is an exploit and/or is associated with a malicious attack, the network security device may allow the object, and associated packets or flows if applicable, to pass to the client device (NO at block 625). However, if the object of interest is determined to have characteristics that suggest the object is an exploit and/or is associated with a malicious attack (YES at block 625), the network security device may optionally alert the appropriate administer or security technician of the presence of malicious content (block 630), prevent the transmission of the object, and possibly any packets or flows associated with the object, or allow transmission of the object and perform further monitoring.


Referring to FIG. 7, an exemplary diagram of a flowchart illustrating operations of a network security device determining whether an object of received network traffic requires analysis by a binary traffic subsystem is shown. The network security device receives network traffic via the traffic analysis controller (block 700). Thereafter, a packet capturing framework (PCF) captures packets of the received network traffic (block 705).


The PCF then routes objects of the received network traffic to the binary traffic pre-filter and the binary traffic pre-filter determines whether the object is an object containing a binary (block 710). For instance, the binary traffic pre-filter may inspect an object searching for one or more packets indicating the presence of a binary within the object or flow. In particular, the binary traffic pre-filter may inspect the payload of a network packet to determine whether particular data is present in the payload. Alternatively, the binary traffic pre-filter may determine the presence of particular data in the payload through inspection of the header of a network packet.


If the object is not determined to be an object containing a binary, the network security device may allow the object, and associated packets or flows if applicable, to pass to the client device (NO at block 715). However, if the object is determined to be an object containing a binary, such as an object of interest to the binary traffic pre-filter, (YES at block 715), the object of interest is routed, from the binary traffic pre-filter, to the binary traffic subsystem (of the dynamic analysis engine 216) for processing (block 720).


In one embodiment, as the binary traffic subsystem is located within the dynamic analysis engine, the processing of the binary traffic subsystem includes VM-based processing of the objects of interest. Such dynamic analysis may include virtual execution of the content of the object of interest. In particular, one or more VMs of the virtual execution environment of the binary traffic subsystem may simulate loading of packets within an object of interest. The monitoring logic monitors what particular content is loaded and/or requested by the object of interest. For instance, VM may simulate the execution or loading of a file, such as a PDF file, located within an object of interest while monitoring logic monitors for anomalous behavior that deviates from expected behavior present when executing or loading such a file.


If, based on the processing by the binary traffic subsystem 420, the object of interest is not determined to have characteristics that suggest the object is an exploit and/or is associated with a malicious attack, the network security device may allow the object, and associated packets or flows if applicable, to pass to the client device (NO at block 725). However, if the object of interest is determined to have characteristics that suggest the object is an exploit and/or is associated with a malicious attack (YES at block 725), the network security device may optionally alert the appropriate administer or security technician of the presence of malicious content (block 730), prevent the transmission of the object, and possibly any packets or flows associated with the object, or allow transmission of the object and perform further monitoring.


Referring to FIG. 8, an exemplary diagram of a flowchart illustrating operations of a network security device determining whether an object of received network traffic requires analysis by a DNS traffic subsystem is shown. The network security device receives network traffic via the traffic analysis controller 200 (block 800). Thereafter, a packet capture framework (PCF) captures packets of the received network traffic (block 805). In particular, the DNS traffic pre-filter may designate an object containing a DNS query as an object of interest.


The PCF then routes objects of the received network traffic to the communication protocol pre-filter and the DNS traffic pre-filter determines whether the object is an object containing DNS traffic (block 810). For instance, the DNS traffic pre-filter may inspect an object that contains data structures and communication exchanges adhering to the DNS protocol which is a protocol typically used with exchanges over the Internet.


If the object is not determined to be an object containing DNS traffic, the network security device may allow the object, and associated packets or flows if applicable, to pass to the client device (NO at block 815). However, if the object is determined to be an object containing DNS traffic, i.e., an object of interest to the DNS traffic pre-filter, (YES at block 815), the object of interest is routed, from the DNS traffic pre-filter, to the DNS traffic subsystem (of the static analysis engine 207) for processing (block 820).


In one embodiment, as the DNS traffic subsystem is located within the static analysis engine, the processing of the DNS traffic subsystem includes deep-packet inspection (DPI) and/or performance of a static analysis using at least exploit signature checks, vulnerability signature checks and/or heuristic checks on the objects of interest. In particular, the exploit matching logic within DNS traffic subsystem may perform a comparison of one or more pre-stored exploit signatures from signatures rule set with the object of interest. In particular, the DNS traffic subsystem may perform a heuristic analysis to determine whether the object of interest contains anomalous content such as repeated queries to a DNS server.


If, based on the processing by the DNS traffic subsystem, the object of interest is not determined to have characteristics that suggest the object is an exploit and/or is associated with a malicious attack, the network security device may allow the object, and associated packets or flows if applicable, to pass to the client device (NO at block 825). However, if the object of interest is determined to have characteristics that suggest the object is an exploit and/or is associated with a malicious attack (YES at block 825), the network security device may optionally alert the appropriate administer or security technician of the presence of malicious content (block 830), prevent the transmission of the object, and possibly any packets or flows associated with the object, or allow transmission of the object and perform further processing such as VM-based processing within the dynamic analysis engine.


Referring to FIG. 9, an exemplary diagram of a flowchart illustrating operations of a network security device determining whether an object of received network traffic requires analysis by a call-back traffic subsystem is shown. The network security device receives network traffic via the traffic analysis controller (block 900). Thereafter, a packet capture framework (PCF) captures packets of the received network traffic (block 905).


The PCF then routes objects of the received network traffic to the call-back traffic pre-filter and the call-back traffic pre-filter determines whether the object is an object containing call-back traffic (block 910). For instance, the call-back traffic pre-filter may inspect an object searching for content containing a call or query to a specific IP address.


In one embodiment, the call-back traffic pre-filter may pass a number of the first packets of every object or flow to the call-back traffic subsystem. In such an embodiment, the call-back traffic subsystem determines whether a call-back will be made by the object or flow from the first few packets of the object or flow. The number of first packets of an object or flow passed to the call-back traffic subsystem is a variable number and may be, for instance, the first five or ten packets of every object or flow within the received network traffic.


If the object is not determined to be an object containing call-back traffic, the network security device may allow the object, and associated packets or flows if applicable, to pass to the client device (NO at block 915). However, if the object is determined to be an object containing call-back traffic, such as an object of interest to the call-back traffic pre-filter, (YES at block 915), the object of interest is routed, from the call-back traffic pre-filter, to the call-back traffic subsystem (of the static analysis engine 207) for processing (block 920).


In one embodiment, as the call-back traffic subsystem is located within the static analysis engine, the processing of the call-back traffic subsystem includes deep-packet inspection (DPI) and/or performance of a static analysis using at least exploit signature checks and/or vulnerability signature checks on the objects of interest. In particular, the exploit matching logic within call-back traffic subsystem may perform a comparison of one or more pre-stored exploit signatures from signatures rule set with the object of interest. In particular, the call-back traffic subsystem may perform a heuristic analysis to determine whether the object of interest contains queries to one or more particular IP addresses present on a list of IP addresses known to contain malicious content or simply prohibited by the administer or security technician associated with the client device.


If, based on the processing by the call-back traffic analysis engine, the object of interest is not determined to have characteristics that suggest the object is an exploit and/or is associated with a malicious attack, the network security device may allow the object, and associated packets or flows if applicable, to pass to the client device (NO at block 925). However, if the object of interest is determined to have characteristics that suggest the object is an exploit and/or is associated with a malicious attack (YES at block 925), the network security device may optionally alert the appropriate administer or security technician of the presence of malicious content (block 930), prevent the transmission of the object, and possibly any packets or flows associated with the object, or allow transmission of the object and perform further processing such as VM-based processing within the dynamic analysis engine.


III. Second Embodiment—Host Comprising Subsystems Supporting Dynamic Analysis and Limited Static Analysis Subsystems

A. General Architecture


Referring to FIG. 10, a second exemplary block diagram of a plurality of network security devices 1041-104N (N≥1, e.g., N=3) communicatively coupled to a management system 219 via the communication network 218 is shown. In general, as discussed above, management system 219 is adapted to manage network security devices 1041-1043. For instance, management system 219 is responsible for automatically updating one or more exploit signatures and/or vulnerability signatures used by the static analysis engine 207 within some or all of network security devices 1041-104N. Each of these signatures may represent a prior detected exploit or an uncovered software vulnerability. Such sharing may be conducted automatically or manually uploaded by an administrator. Also, such sharing may be conducted freely among the network security devices 1041-1043 or subject to a subscription basis.


More specifically, according to this embodiment of the disclosure, the TDP logic 202 comprises both the static analysis engine 207 and the dynamic analysis engine 216, while the traffic analysis controller (TAC) 200 comprises the packet capture framework (PCF) 210 and a set of pre-filters 208.


A. Traffic Analysis Controller


Still referring to FIG. 10, the traffic analysis controller 200 comprises communication ports 204, a network processing unit (NPU) 205, connector 212 and persistent storage 206. The persistent storage maintains several software modules including a first stage of static analysis engine 1000, packet capture framework (PCF) 210, the set of pre-filters 208 and the signatures rule set 209. The communication ports 204 connect the network security device 1041 to communications networks 101 and/or 218 while connector 212 connects the traffic analysis controller 200 to the TDP logic 202.


In this embodiment, as shown in FIGS. 1 and 10, the PCF 210 controls the flow of the network traffic received by the network security device 104 (e.g., network security device 1041). Specifically, the PCF 210 confirms that the network security device 1041 is operating properly according to the deployment scenario of the network security device 1041. For instance, if the network security device 1041 is deployed off-line (passive mode), the PCF 210 ensures that the network security device 1041 receives a copy of the received network traffic and passes the copy of the received network traffic to the pre-filters 208 while the network traffic is provided to one or more of the client device 105i, . . . and/or 105M. In the off-line deployment scenario, the network security device 1041 does not block the network traffic from reaching the client device(s) 1051, . . . and/or 105M while the static or dynamic analysis is being performed. The traffic analysis controller 200 may provide at least some of the original network traffic to the PCF 210 or duplicate at least some of the network traffic and provide the duplicated copy to the PCF 210.


Alternatively, if the network security device 1041 is deployed in-line, the PCF 210 does not permit the received network traffic to pass through the network security device 1041 to the client device(s) 105i, . . . , or 105M until the network security device 1041 has determined the received network security traffic does not contain malicious content. In the in-line deployment scenario, the PCF 210 ensures that the received network traffic passes to one or more of the client device 105i, . . . and/or 105M, after processing, unless it contains malicious content, in which case, at least some of the network traffic may be blocked from reaching its intended destination and an alert may be issued.


As described above, the pre-filters 208 may comprise four pre-filters searching for four types of traffic including: (1) DNS traffic, (2) traffic containing call-back activity, (3) communication protocol traffic, and (4) traffic containing at least one binary. In such an embodiment, the four pre-filters correspond to the following subsystems of the dynamic analysis engine 216, namely the communication protocol traffic subsystem and the binary traffic subsystem, or the static analysis engine 207, namely the DNS traffic subsystem and the call-back traffic subsystem. It should be noted that the set of pre-filters 208 may be located on the traffic analysis controller 200 while the static analysis engine 207 and the dynamic analysis engine 216 are located in the TDP logic 202.


The first stage of static engine 1000 performs certain functionality, such as signature matching for example, which is off-loaded from the TDP logic 202 to be handed at the traffic analysis controller 200. A second stage of static engine 1010 performs other functionality, such as heuristic analysis for example, is continued to be handled at the TDP logic 202. It is contemplated that first stage of static engine 1000 may perform heuristic analysis while the second stage of static engine 1010 performs other functionality such as signature matching. The goal is to off-load a portion of the static analysis to the traffic analysis controller 200.


B. TDP Logic


Still referring to FIG. 10, in communication with traffic analysis controller 202 via transmission medium 220, the TDP logic 202 comprises the second connector 213, the CPU 214 and the persistent storage 215. The second connector 213 enables the TDP logic 202 to communicate with the traffic analysis controller 200. The persistent storage 215 comprises software modules including the static analysis engine 207, the scheduler 223, the dynamic analysis engine 216 and the software profile rule set 217.


As described above, the static analysis engine 207 may comprise the DNS traffic subsystem and the call-back traffic subsystem, but signature matching associated with these subsystems is handled at the traffic analysis controller 200. The dynamic analysis engine 216, located on the host 203, comprises the communication protocol traffic subsystem and the binary traffic subsystem. However, in this embodiment, the TDP logic 202 include portions of the DNS and call-back traffic subsystems, which are executed on the CPU 214 associated with the TDP logic 202.


In general, the static analysis engine 207 and the dynamic analysis engine 216 perform in a similar manner as described above in the first embodiment, however in this embodiment, both engines, including all subsystems, are executed on the CPU 214 of the threat detection and prevention logic 203.


In the foregoing description, the invention is described with reference to specific exemplary embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention as set forth in the appended claims.

Claims
  • 1. A server, comprising: a first blade server including a first processing unit and a filtering logic that, when executed by the first processing unit, is configured to receive a first plurality of objects and identify, without execution of any object of the first plurality of objects, at least a first object of the first plurality of objects having characteristics associated with a malicious attack; anda second blade server communicatively coupled to the first blade server, the second blade server includes a second processing unit being different from the first processing unit, the second processing unit to (i) process at least the first object provided from the first blade server when the first object includes characteristics associated with a malicious attack, (ii) monitor at least behaviors of the first object during processing, and (iii) determine whether any of the monitored behaviors correspond to activities indicative that the first object is associated with a malicious attack.
  • 2. The server of claim 1, wherein the second blade server further comprising reporting logic that, when executed by the second processing unit, issues an alert message identifying at least the first object being associated with a malicious attack.
  • 3. The server of claim 2, wherein the alert message includes a text message.
  • 4. The server of claim 1, wherein the second blade server being implemented as part of a cloud computing service.
  • 5. The server of claim 1, wherein the first blade server to perform one or more exploit signature checks that include a comparison of one or more pre-stored exploit signatures to content of the first object.
  • 6. The server of claim 1, wherein the first blade server to perform an heuristic analysis that analyzes the first object using metadata or attributes of the first object to determine whether a certain portion of the first object has characteristics that suggest the first object is associated with a malicious attack.
  • 7. The server of claim 1, wherein the second blade server includes at least one virtual machine that is configured to process the content within at least the first object.
  • 8. The server of claim 1, wherein the one or more characteristics further comprise a particular source address that is associated with a known exploit.
  • 9. The server of claim 1, wherein the one or more characteristics further comprise a particular destination address that is associated with a known exploit.
  • 10. A system, comprising: a network security device configured to determine whether an object includes one or more characteristics associated with a malicious attack without execution of the object, the one or more characteristics include at least a Uniform Resource Locator (URL) that suggests the object is associated with a known exploit; anda cloud computing service communicatively coupled to and remotely located from the network security device, the cloud computing service including a virtual execution logic that, upon execution of the object by a processing unit deployed as part of the cloud computing service and, after the network security device determining that content of the object includes the one or more characteristics associated with the malicious attack, monitors for behaviors of the object suggesting the object is associated with a malicious attack.
  • 11. The system of claim 10, wherein the cloud computing service further comprising reporting logic that, when executed by the processing unit, transmits an alert message to a network administrator, user, or another entity upon identifying at least the object being associated with a malicious attack.
  • 12. The system of claim 10, wherein the network security device to perform one or more exploit signature checks that include a comparison of one or more pre-stored exploit signatures to the content of the object.
  • 13. The system of claim 10, wherein the network security device to perform an heuristic analysis that analyzes the object using metadata or attributes of the object to determine whether a certain portion of the object has characteristics that suggest the object is associated with a malicious attack.
  • 14. The system of claim 10, wherein the virtual execution logic that, upon execution by the processing unit, includes at least one virtual machine that is configured to process the object.
  • 15. The system of claim 10, wherein the virtual execution logic is deployed within a dynamic analysis engine implemented within the cloud computing service.
  • 16. The system of claim 15, wherein the dynamic analysis engine includes one or more software modules being executed by the processing unit within the cloud computing service that are configured to process the object and monitor for the behaviors of the object.
  • 17. The system of claim 16, wherein the processing unit is a virtual processor.
  • 18. A system, comprising: a network security device configured to determine whether an object includes one or more characteristics associated with a malicious attack without execution of the object, the one or more characteristics include a particular source address that suggests the object is associated with a known exploit; anda cloud computing service communicatively coupled to and remotely located from the network security device, the cloud computing service including a virtual execution logic that, upon execution of the object by a processing unit deployed as part of the cloud computing service and, after the network security device determining that content of the object includes the one or more characteristics associated with the malicious attack, monitors for behaviors of the object suggesting the object is associated with a malicious attack.
  • 19. The system of claim 18, wherein the cloud computing service further comprising reporting logic that, when executed by the processing unit, transmits an alert message to a network administrator, user, or another entity upon identifying at least the object being associated with a malicious attack.
  • 20. The system of claim 18, wherein the network security device to perform one or more exploit signature checks that include a comparison of one or more pre-stored exploit signatures to the content of the object.
  • 21. The system of claim 18, wherein the network security device to perform an heuristic analysis that analyzes the object using metadata or attributes of the object to determine whether a certain portion of the object has characteristics that suggest the object is associated with a malicious attack.
  • 22. The system of claim 18, wherein the virtual execution logic that, upon execution by the processing unit, includes at least one virtual machine that is configured to process the object.
  • 23. The system of claim 18, wherein the virtual execution logic is deployed within a dynamic analysis engine implemented within the cloud computing service.
  • 24. The system of claim 23, wherein the dynamic analysis engine includes one or more software modules being executed by the processing unit within the cloud computing service that are configured to process the object and monitor for the behaviors of the object.
  • 25. The system of claim 24, wherein the processing unit is a virtual processor.
  • 26. A system, comprising: a network security device configured to determine whether an object includes one or more characteristics associated with a malicious attack without execution of the object, the one or more characteristics include a particular destination address that suggests the object is associated with a known exploit; anda cloud computing service communicatively coupled to and remotely located from the network security device, the cloud computing service including a virtual execution logic that, upon execution of the object by a processing unit deployed as part of the cloud computing service and, after the network security device determining that content of the object includes the one or more characteristics associated with the malicious attack, monitors for behaviors of the object suggesting the object is associated with a malicious attack.
  • 27. The system of claim 26, wherein the cloud computing service further comprising reporting logic that, when executed by the processing unit, transmits an alert message to a network administrator, user, or another entity upon identifying at least the object being associated with a malicious attack.
  • 28. The system of claim 26, wherein the network security device to perform one or more exploit signature checks that include a comparison of one or more pre-stored exploit signatures to the content of the object.
  • 29. The system of claim 26, wherein the network security device to perform an heuristic analysis that analyzes the object using metadata or attributes of the object to determine whether a certain portion of the object has characteristics that suggest the object is associated with a malicious attack.
  • 30. The system of claim 20, wherein the virtual execution logic that, upon execution by the processing unit, includes at least one virtual machine that is configured to process the object.
  • 31. The system of claim 26, wherein the virtual execution logic is deployed within a dynamic analysis engine implemented within the cloud computing service.
  • 32. The system of claim 31, wherein the dynamic analysis engine includes one or more software modules being executed by the processing unit within the cloud computing service that are configured to process the object and monitor for the behaviors of the object.
  • 33. The system of claim 32, wherein the processing unit is a virtual processor.
CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 15/451,243, filed on Mar. 6, 2017 (U.S. Pat. No. 9,787,700), which is a continuation of U.S. application Ser. No. 14/229,541, filed on Mar. 28, 2014 (U.S. Pat. No. 9,591,015), the entire contents of both of these applications are incorporated by reference herein.

US Referenced Citations (780)
Number Name Date Kind
4292580 Ott et al. Sep 1981 A
5175732 Hendel et al. Dec 1992 A
5278901 Shieh et al. Jan 1994 A
5319776 Hile et al. Jun 1994 A
5440723 Arnold et al. Aug 1995 A
5452442 Kephart Sep 1995 A
5490249 Miller Feb 1996 A
5657473 Killean et al. Aug 1997 A
5802277 Cowlard Sep 1998 A
5842002 Schnurer et al. Nov 1998 A
5889973 Moyer Mar 1999 A
5960170 Chen et al. Sep 1999 A
5978917 Chi Nov 1999 A
5983348 Ji Nov 1999 A
6088803 Tso et al. Jul 2000 A
6092194 Touboul Jul 2000 A
6094677 Capek et al. Jul 2000 A
6108799 Boulay et al. Aug 2000 A
6118382 Hibbs et al. Sep 2000 A
6154844 Touboul et al. Nov 2000 A
6269330 Cidon et al. Jul 2001 B1
6272641 Ji Aug 2001 B1
6279113 Vaidya Aug 2001 B1
6298445 Shostack et al. Oct 2001 B1
6357008 Nachenberg Mar 2002 B1
6417774 Hibbs et al. Jul 2002 B1
6424627 Sørhaug et al. Jul 2002 B1
6442696 Wray et al. Aug 2002 B1
6484315 Ziese Nov 2002 B1
6487666 Shanklin et al. Nov 2002 B1
6493756 O'Brien et al. Dec 2002 B1
6550012 Villa et al. Apr 2003 B1
6700497 Hibbs et al. Mar 2004 B2
6775657 Baker Aug 2004 B1
6831893 Ben Nun et al. Dec 2004 B1
6832367 Choi et al. Dec 2004 B1
6895550 Kanchirayappa et al. May 2005 B2
6898632 Gordy et al. May 2005 B2
6907396 Muttik et al. Jun 2005 B1
6941348 Petry et al. Sep 2005 B2
6971097 Wallman Nov 2005 B1
6981279 Arnold et al. Dec 2005 B1
6995665 Appelt et al. Feb 2006 B2
7007107 Ivchenko et al. Feb 2006 B1
7028179 Anderson et al. Apr 2006 B2
7043757 Hoefelmeyer et al. May 2006 B2
7058822 Edery et al. Jun 2006 B2
7069316 Gryaznov Jun 2006 B1
7080407 Zhao et al. Jul 2006 B1
7080408 Pak et al. Jul 2006 B1
7093002 Wolff et al. Aug 2006 B2
7093239 van der Made Aug 2006 B1
7096498 Judge Aug 2006 B2
7100201 Izatt Aug 2006 B2
7107617 Hursey et al. Sep 2006 B2
7159149 Spiegel et al. Jan 2007 B2
7213260 Judge May 2007 B2
7231667 Jordan Jun 2007 B2
7240364 Branscomb et al. Jul 2007 B1
7240368 Roesch et al. Jul 2007 B1
7243371 Kasper et al. Jul 2007 B1
7249175 Donaldson Jul 2007 B1
7287278 Liang Oct 2007 B2
7308716 Danford et al. Dec 2007 B2
7328453 Merkle, Jr. et al. Feb 2008 B2
7346486 Ivancic et al. Mar 2008 B2
7356736 Natvig Apr 2008 B2
7386888 Liang et al. Jun 2008 B2
7392542 Bucher Jun 2008 B2
7418729 Szor Aug 2008 B2
7428300 Drew et al. Sep 2008 B1
7441272 Durham et al. Oct 2008 B2
7448084 Apap et al. Nov 2008 B1
7458098 Judge et al. Nov 2008 B2
7464404 Carpenter et al. Dec 2008 B2
7464407 Nakae et al. Dec 2008 B2
7467408 O'Toole, Jr. Dec 2008 B1
7478428 Thomlinson Jan 2009 B1
7480773 Reed Jan 2009 B1
7487543 Arnold et al. Feb 2009 B2
7496960 Chen et al. Feb 2009 B1
7496961 Zimmer et al. Feb 2009 B2
7519990 Xie Apr 2009 B1
7523493 Liang et al. Apr 2009 B2
7530104 Thrower et al. May 2009 B1
7540025 Tzadikario May 2009 B2
7546638 Anderson et al. Jun 2009 B2
7565550 Liang et al. Jul 2009 B2
7568233 Szor et al. Jul 2009 B1
7584455 Ball Sep 2009 B2
7603715 Costa et al. Oct 2009 B2
7607171 Marsden et al. Oct 2009 B1
7639714 Stolfo et al. Dec 2009 B2
7644441 Schmid et al. Jan 2010 B2
7657419 van der Made Feb 2010 B2
7676841 Sobchuk et al. Mar 2010 B2
7698548 Shelest et al. Apr 2010 B2
7707633 Danford et al. Apr 2010 B2
7712136 Sprosts et al. May 2010 B2
7730011 Deninger et al. Jun 2010 B1
7739740 Nachenberg et al. Jun 2010 B1
7779463 Stolfo et al. Aug 2010 B2
7784097 Stolfo et al. Aug 2010 B1
7818800 Lemley, III et al. Oct 2010 B1
7832008 Kraemer Nov 2010 B1
7836502 Zhao et al. Nov 2010 B1
7849506 Dansey et al. Dec 2010 B1
7854007 Sprosts et al. Dec 2010 B2
7869073 Oshima Jan 2011 B2
7877803 Enstone et al. Jan 2011 B2
7904959 Sidiroglou et al. Mar 2011 B2
7908660 Bahl Mar 2011 B2
7930738 Petersen Apr 2011 B1
7937387 Frazier et al. May 2011 B2
7937761 Bennett May 2011 B1
7949849 Lowe et al. May 2011 B2
7996556 Raghavan et al. Aug 2011 B2
7996836 McCorkendale et al. Aug 2011 B1
7996904 Chiueh et al. Aug 2011 B1
7996905 Arnold et al. Aug 2011 B2
8006305 Aziz Aug 2011 B2
8010667 Zhang et al. Aug 2011 B2
8020206 Hubbard et al. Sep 2011 B2
8028338 Schneider et al. Sep 2011 B1
8042184 Batenin Oct 2011 B1
8045094 Teragawa Oct 2011 B2
8045458 Alperovitch et al. Oct 2011 B2
8069484 McMillan et al. Nov 2011 B2
8087086 Lai et al. Dec 2011 B1
8171553 Aziz et al. May 2012 B2
8176049 Deninger et al. May 2012 B2
8176480 Spertus May 2012 B1
8201072 Matulic Jun 2012 B2
8201246 Wu et al. Jun 2012 B1
8204984 Aziz et al. Jun 2012 B1
8214905 Doukhvalov et al. Jul 2012 B1
8220055 Kennedy Jul 2012 B1
8225288 Miller et al. Jul 2012 B2
8225373 Kraemer Jul 2012 B2
8233882 Rogel Jul 2012 B2
8234640 Fitzgerald et al. Jul 2012 B1
8234709 Viljoen et al. Jul 2012 B2
8239944 Nachenberg et al. Aug 2012 B1
8260914 Ranjan Sep 2012 B1
8266091 Gubin et al. Sep 2012 B1
8286251 Eker et al. Oct 2012 B2
8291198 Mott et al. Oct 2012 B2
8291499 Aziz et al. Oct 2012 B2
8307435 Mann et al. Nov 2012 B1
8307443 Wang et al. Nov 2012 B2
8312545 Tuvell et al. Nov 2012 B2
8321240 Lorsch Nov 2012 B2
8321936 Green et al. Nov 2012 B1
8321941 Tuvell et al. Nov 2012 B2
8332571 Edwards, Sr. Dec 2012 B1
8365286 Poston Jan 2013 B2
8365297 Parshin et al. Jan 2013 B1
8370938 Daswani et al. Feb 2013 B1
8370939 Zaitsev et al. Feb 2013 B2
8375444 Aziz et al. Feb 2013 B2
8381299 Stolfo et al. Feb 2013 B2
8402529 Green et al. Mar 2013 B1
8464340 Ahn et al. Jun 2013 B2
8468604 Claudatos et al. Jun 2013 B2
8479174 Chiriac Jul 2013 B2
8479276 Vaystikh et al. Jul 2013 B1
8479291 Bodke Jul 2013 B1
8510827 Leake et al. Aug 2013 B1
8510828 Guo et al. Aug 2013 B1
8510842 Amit et al. Aug 2013 B2
8516478 Edwards et al. Aug 2013 B1
8516590 Ranadive et al. Aug 2013 B1
8516593 Aziz Aug 2013 B2
8522348 Chen et al. Aug 2013 B2
8528086 Aziz Sep 2013 B1
8533824 Hutton et al. Sep 2013 B2
8539582 Aziz et al. Sep 2013 B1
8549638 Aziz Oct 2013 B2
8555391 Demir et al. Oct 2013 B1
8561177 Aziz et al. Oct 2013 B1
8566476 Shiffer et al. Oct 2013 B2
8566946 Aziz et al. Oct 2013 B1
8584094 Dadhia et al. Nov 2013 B2
8584234 Sobel et al. Nov 2013 B1
8584239 Aziz et al. Nov 2013 B2
8595834 Xie et al. Nov 2013 B2
8627476 Satish et al. Jan 2014 B1
8635696 Aziz Jan 2014 B1
8682054 Xue et al. Mar 2014 B2
8682812 Ranjan Mar 2014 B1
8689333 Aziz Apr 2014 B2
8695096 Zhang Apr 2014 B1
8695097 Mathes et al. Apr 2014 B1
8707437 Ming-Chang et al. Apr 2014 B1
8713631 Pavlyushchik Apr 2014 B1
8713681 Silberman et al. Apr 2014 B2
8726392 McCorkendale et al. May 2014 B1
8739280 Chess et al. May 2014 B2
8769692 Muttik Jul 2014 B1
8776229 Aziz Jul 2014 B1
8782792 Bodke Jul 2014 B1
8789172 Stolfo et al. Jul 2014 B2
8789178 Kejriwal et al. Jul 2014 B2
8793278 Frazier et al. Jul 2014 B2
8793787 Ismael et al. Jul 2014 B2
8805947 Kuzkin et al. Aug 2014 B1
8806647 Daswani et al. Aug 2014 B1
8832829 Manni et al. Sep 2014 B2
8850570 Ramzan Sep 2014 B1
8850571 Staniford et al. Sep 2014 B2
8869144 Pratt et al. Oct 2014 B2
8879558 Rijsman Nov 2014 B1
8881234 Narasimhan et al. Nov 2014 B2
8881271 Butler, II Nov 2014 B2
8881282 Aziz et al. Nov 2014 B1
8898788 Aziz et al. Nov 2014 B1
8935779 Manni et al. Jan 2015 B2
8949257 Shiffer et al. Feb 2015 B2
8959428 Majidian Feb 2015 B2
8984638 Aziz et al. Mar 2015 B1
8990939 Staniford et al. Mar 2015 B2
8990944 Singh et al. Mar 2015 B1
8997219 Staniford et al. Mar 2015 B2
9009822 Ismael et al. Apr 2015 B1
9009823 Ismael et al. Apr 2015 B1
9009834 Ren et al. Apr 2015 B1
9015814 Zakorzhevsky et al. Apr 2015 B1
9027135 Aziz May 2015 B1
9071638 Aziz et al. Jun 2015 B1
9092625 Kashyap et al. Jul 2015 B1
9104814 Mompoint et al. Aug 2015 B1
9104867 Thioux et al. Aug 2015 B1
9106630 Frazier et al. Aug 2015 B2
9106694 Aziz et al. Aug 2015 B2
9118715 Staniford et al. Aug 2015 B2
9159035 Ismael et al. Oct 2015 B1
9165142 Sanders Oct 2015 B1
9171157 Flores et al. Oct 2015 B2
9171160 Vincent et al. Oct 2015 B2
9176843 Ismael et al. Nov 2015 B1
9189627 Islam Nov 2015 B1
9195829 Goradia et al. Nov 2015 B1
9197664 Aziz et al. Nov 2015 B1
9223972 Vincent et al. Dec 2015 B1
9225740 Ismael et al. Dec 2015 B1
9241010 Bennett et al. Jan 2016 B1
9251343 Vincent et al. Feb 2016 B1
9262635 Paithane et al. Feb 2016 B2
9268936 Butler Feb 2016 B2
9275229 LeMasters Mar 2016 B2
9282109 Aziz et al. Mar 2016 B1
9292686 Ismael et al. Mar 2016 B2
9294501 Mesdaq et al. Mar 2016 B2
9300686 Pidathala et al. Mar 2016 B2
9306960 Aziz Apr 2016 B1
9306974 Aziz et al. Apr 2016 B1
9311479 Manni et al. Apr 2016 B1
9355246 Wan et al. May 2016 B1
9355247 Thioux et al. May 2016 B1
9356944 Aziz May 2016 B1
9363280 Rivlin et al. Jun 2016 B1
9367681 Ismael et al. Jun 2016 B1
9398028 Karandikar Jul 2016 B1
9413781 Cunningham et al. Aug 2016 B2
9426071 Caldejon et al. Aug 2016 B1
9430646 Mushtaq et al. Aug 2016 B1
9432389 Khalid et al. Aug 2016 B1
9438613 Paithane et al. Sep 2016 B1
9438622 Staniford et al. Sep 2016 B1
9438623 Thioux et al. Sep 2016 B1
9459901 Jung et al. Oct 2016 B2
9467460 Otvagin et al. Oct 2016 B1
9483644 Paithane et al. Nov 2016 B1
9495180 Ismael Nov 2016 B2
9497213 Thompson et al. Nov 2016 B2
9507935 Ismael et al. Nov 2016 B2
9516057 Aziz Dec 2016 B2
9519782 Aziz et al. Dec 2016 B2
9536091 Paithane et al. Jan 2017 B2
9537972 Edwards et al. Jan 2017 B1
9560059 Islam Jan 2017 B1
9565202 Kindlund et al. Feb 2017 B1
9591015 Amin Mar 2017 B1
9591020 Aziz Mar 2017 B1
9594904 Jain et al. Mar 2017 B1
9594905 Ismael et al. Mar 2017 B1
9594912 Thioux et al. Mar 2017 B1
9609007 Rivlin et al. Mar 2017 B1
9626509 Khalid et al. Apr 2017 B1
9628498 Aziz et al. Apr 2017 B1
9628507 Haq et al. Apr 2017 B2
9633134 Ross Apr 2017 B2
9635039 Islam et al. Apr 2017 B1
9641546 Manni et al. May 2017 B1
9654485 Neumann May 2017 B1
9661009 Karandikar et al. May 2017 B1
9661018 Aziz May 2017 B1
9674298 Edwards et al. Jun 2017 B1
9680862 Ismael et al. Jun 2017 B2
9690606 Ha et al. Jun 2017 B1
9690933 Singh et al. Jun 2017 B1
9690935 Shiffer et al. Jun 2017 B2
9690936 Malik et al. Jun 2017 B1
9736179 Ismael Aug 2017 B2
9740857 Ismael et al. Aug 2017 B2
9747446 Pidathala et al. Aug 2017 B1
9756074 Aziz et al. Sep 2017 B2
9773112 Rathor et al. Sep 2017 B1
9773240 McCauley Sep 2017 B1
9781144 Otvagin et al. Oct 2017 B1
9787700 Amin Oct 2017 B1
9787706 Otvagin et al. Oct 2017 B1
9792196 Ismael et al. Oct 2017 B1
9804948 Kolberg et al. Oct 2017 B2
9824209 Ismael et al. Nov 2017 B1
9824211 Wilson Nov 2017 B2
9824216 Khalid et al. Nov 2017 B1
9825976 Gomez et al. Nov 2017 B1
9825989 Mehra et al. Nov 2017 B1
9838408 Karandikar et al. Dec 2017 B1
9838411 Aziz Dec 2017 B1
9838416 Aziz Dec 2017 B1
9838417 Khalid et al. Dec 2017 B1
9846776 Paithane et al. Dec 2017 B1
9876701 Caldejon et al. Jan 2018 B1
9888016 Amin et al. Feb 2018 B1
9888019 Pidathala et al. Feb 2018 B1
9910988 Vincent et al. Mar 2018 B1
9912644 Cunningham Mar 2018 B2
9912681 Ismael et al. Mar 2018 B1
9912684 Aziz et al. Mar 2018 B1
9912691 Mesdaq et al. Mar 2018 B2
9912698 Thioux et al. Mar 2018 B1
9916440 Paithane et al. Mar 2018 B1
9921860 Banga et al. Mar 2018 B1
9921978 Chan et al. Mar 2018 B1
9934376 Ismael Apr 2018 B1
9934381 Kindlund et al. Apr 2018 B1
9946568 Ismael et al. Apr 2018 B1
9954890 Staniford et al. Apr 2018 B1
9973531 Thioux May 2018 B1
10002252 Ismael et al. Jun 2018 B2
10019338 Goradia et al. Jul 2018 B1
10019573 Silberman et al. Jul 2018 B2
10025691 Ismael et al. Jul 2018 B1
10025927 Khalid et al. Jul 2018 B1
10027689 Rathor et al. Jul 2018 B1
10027690 Aziz et al. Jul 2018 B2
10027696 Rivlin et al. Jul 2018 B1
10033747 Paithane et al. Jul 2018 B1
10033748 Cunningham et al. Jul 2018 B1
10033753 Islam et al. Jul 2018 B1
10033759 Kabra et al. Jul 2018 B1
10050998 Singh Aug 2018 B1
10068091 Aziz et al. Sep 2018 B1
10075455 Zafar et al. Sep 2018 B2
10083302 Paithane et al. Sep 2018 B1
10084813 Eyada Sep 2018 B2
10089461 Ha et al. Oct 2018 B1
10097573 Aziz Oct 2018 B1
10104102 Neumann Oct 2018 B1
10108446 Steinberg et al. Oct 2018 B1
10121000 Rivlin et al. Nov 2018 B1
10122746 Manni et al. Nov 2018 B1
10133863 Bu et al. Nov 2018 B2
10133866 Kumar et al. Nov 2018 B1
10146810 Shiffer et al. Dec 2018 B2
10148693 Singh et al. Dec 2018 B2
10165000 Aziz et al. Dec 2018 B1
10169585 Pilipenko et al. Jan 2019 B1
10176321 Abbasi et al. Jan 2019 B2
10181029 Ismael et al. Jan 2019 B1
10191861 Steinberg et al. Jan 2019 B1
10192052 Singh et al. Jan 2019 B1
10198574 Thioux et al. Feb 2019 B1
10200384 Mushtaq et al. Feb 2019 B1
10210329 Malik et al. Feb 2019 B1
10216927 Steinberg Feb 2019 B1
10218740 Mesdaq et al. Feb 2019 B1
10242185 Goradia Mar 2019 B1
10265627 Ghanchi Apr 2019 B2
10366231 Singh et al. Jul 2019 B1
20010005889 Albrecht Jun 2001 A1
20010047326 Broadbent et al. Nov 2001 A1
20020018903 Kokubo et al. Feb 2002 A1
20020038430 Edwards et al. Mar 2002 A1
20020091819 Melchione et al. Jul 2002 A1
20020095607 Lin-Hendel Jul 2002 A1
20020116627 Tarbotton et al. Aug 2002 A1
20020144156 Copeland Oct 2002 A1
20020162015 Tang Oct 2002 A1
20020166063 Lachman et al. Nov 2002 A1
20020169952 DiSanto et al. Nov 2002 A1
20020184528 Shevenell et al. Dec 2002 A1
20020188887 Largman et al. Dec 2002 A1
20020194490 Halperin et al. Dec 2002 A1
20030021728 Sharpe et al. Jan 2003 A1
20030051168 King Mar 2003 A1
20030074578 Ford et al. Apr 2003 A1
20030084318 Schertz May 2003 A1
20030101381 Mateev et al. May 2003 A1
20030115483 Liang Jun 2003 A1
20030188190 Aaron et al. Oct 2003 A1
20030191957 Hypponen et al. Oct 2003 A1
20030200460 Morota et al. Oct 2003 A1
20030212902 van der Made Nov 2003 A1
20030229801 Kouznetsov et al. Dec 2003 A1
20030237000 Denton et al. Dec 2003 A1
20040003323 Bennett et al. Jan 2004 A1
20040006473 Mills et al. Jan 2004 A1
20040015712 Szor Jan 2004 A1
20040019832 Arnold et al. Jan 2004 A1
20040047356 Bauer Mar 2004 A1
20040083408 Spiegel et al. Apr 2004 A1
20040088581 Brawn et al. May 2004 A1
20040093513 Cantrell et al. May 2004 A1
20040111531 Staniford et al. Jun 2004 A1
20040117478 Triulzi et al. Jun 2004 A1
20040117624 Brandt et al. Jun 2004 A1
20040128355 Chao et al. Jul 2004 A1
20040165588 Pandya Aug 2004 A1
20040199569 Kalkunte Oct 2004 A1
20040236963 Danford et al. Nov 2004 A1
20040243349 Greifeneder et al. Dec 2004 A1
20040249911 Alkhatib et al. Dec 2004 A1
20040255161 Cavanaugh Dec 2004 A1
20040268147 Wiederin et al. Dec 2004 A1
20050005159 Oliphant Jan 2005 A1
20050021740 Bar et al. Jan 2005 A1
20050022018 Szor Jan 2005 A1
20050033960 Vialen et al. Feb 2005 A1
20050033989 Poletto et al. Feb 2005 A1
20050050148 Mohammadioun et al. Mar 2005 A1
20050086523 Zimmer et al. Apr 2005 A1
20050091513 Mitomo et al. Apr 2005 A1
20050091533 Omote et al. Apr 2005 A1
20050091652 Ross et al. Apr 2005 A1
20050108562 Khazan et al. May 2005 A1
20050114663 Cornell et al. May 2005 A1
20050125195 Brendel Jun 2005 A1
20050149726 Joshi et al. Jul 2005 A1
20050157662 Bingham et al. Jul 2005 A1
20050183143 Anderholm et al. Aug 2005 A1
20050201297 Peikari Sep 2005 A1
20050210533 Copeland et al. Sep 2005 A1
20050238005 Chen et al. Oct 2005 A1
20050240781 Gassoway Oct 2005 A1
20050262562 Gassoway Nov 2005 A1
20050265331 Stolfo Dec 2005 A1
20050283839 Cowburn Dec 2005 A1
20060010495 Cohen et al. Jan 2006 A1
20060015416 Hoffman et al. Jan 2006 A1
20060015715 Anderson Jan 2006 A1
20060015747 Van de Ven Jan 2006 A1
20060021029 Brickell et al. Jan 2006 A1
20060021054 Costa et al. Jan 2006 A1
20060031476 Mathes et al. Feb 2006 A1
20060047665 Neil Mar 2006 A1
20060070130 Costea et al. Mar 2006 A1
20060075496 Carpenter et al. Apr 2006 A1
20060095968 Portolani et al. May 2006 A1
20060101516 Sudaharan et al. May 2006 A1
20060101517 Banzhof et al. May 2006 A1
20060117385 Mester et al. Jun 2006 A1
20060123477 Raghavan et al. Jun 2006 A1
20060129382 Anand et al. Jun 2006 A1
20060143709 Brooks et al. Jun 2006 A1
20060150249 Gassen et al. Jul 2006 A1
20060161983 Cothrell et al. Jul 2006 A1
20060161987 Levy-Yurista Jul 2006 A1
20060161989 Reshef et al. Jul 2006 A1
20060164199 Gilde et al. Jul 2006 A1
20060173992 Weber et al. Aug 2006 A1
20060179147 Tran et al. Aug 2006 A1
20060184632 Marino et al. Aug 2006 A1
20060190561 Conboy et al. Aug 2006 A1
20060191010 Benjamin Aug 2006 A1
20060221956 Narayan et al. Oct 2006 A1
20060236393 Kramer et al. Oct 2006 A1
20060242709 Seinfeld et al. Oct 2006 A1
20060248519 Jaeger et al. Nov 2006 A1
20060248582 Panjwani et al. Nov 2006 A1
20060251104 Koga Nov 2006 A1
20060253906 Rubin et al. Nov 2006 A1
20060288417 Bookbinder et al. Dec 2006 A1
20070006288 Mayfield et al. Jan 2007 A1
20070006313 Porras et al. Jan 2007 A1
20070011174 Takaragi et al. Jan 2007 A1
20070016951 Piccard et al. Jan 2007 A1
20070019286 Kikuchi Jan 2007 A1
20070033645 Jones Feb 2007 A1
20070038943 FitzGerald et al. Feb 2007 A1
20070064689 Shin et al. Mar 2007 A1
20070074169 Chess et al. Mar 2007 A1
20070094730 Bhikkaji et al. Apr 2007 A1
20070101435 Konanka et al. May 2007 A1
20070128855 Cho et al. Jun 2007 A1
20070142030 Sinha et al. Jun 2007 A1
20070143827 Nicodemus et al. Jun 2007 A1
20070156895 Vuong Jul 2007 A1
20070157180 Tillmann et al. Jul 2007 A1
20070157306 Elrod et al. Jul 2007 A1
20070168988 Eisner et al. Jul 2007 A1
20070169195 Anand et al. Jul 2007 A1
20070171824 Ruello et al. Jul 2007 A1
20070174915 Gribble et al. Jul 2007 A1
20070192500 Lum Aug 2007 A1
20070192858 Lum Aug 2007 A1
20070198275 Malden et al. Aug 2007 A1
20070208822 Wang et al. Sep 2007 A1
20070220607 Sprosts et al. Sep 2007 A1
20070240215 Flores et al. Oct 2007 A1
20070240217 Tuvell et al. Oct 2007 A1
20070240218 Tuvell et al. Oct 2007 A1
20070240219 Tuvell et al. Oct 2007 A1
20070240220 Tuvell et al. Oct 2007 A1
20070240222 Tuvell et al. Oct 2007 A1
20070250930 Aziz et al. Oct 2007 A1
20070256132 Oliphant Nov 2007 A2
20070271446 Nakamura Nov 2007 A1
20080005782 Aziz Jan 2008 A1
20080018122 Zierler et al. Jan 2008 A1
20080028463 Dagon et al. Jan 2008 A1
20080032556 Schreier Feb 2008 A1
20080040710 Chiriac Feb 2008 A1
20080046781 Childs et al. Feb 2008 A1
20080066179 Liu Mar 2008 A1
20080072326 Danford et al. Mar 2008 A1
20080077793 Tan et al. Mar 2008 A1
20080080518 Hoeflin et al. Apr 2008 A1
20080086720 Lekel Apr 2008 A1
20080098476 Syversen Apr 2008 A1
20080120722 Sima et al. May 2008 A1
20080134178 Fitzgerald et al. Jun 2008 A1
20080134334 Kim et al. Jun 2008 A1
20080141376 Clausen et al. Jun 2008 A1
20080163356 Won-Jip et al. Jul 2008 A1
20080181227 Todd Jul 2008 A1
20080184367 McMillan et al. Jul 2008 A1
20080184373 Traut et al. Jul 2008 A1
20080189787 Arnold et al. Aug 2008 A1
20080201778 Guo et al. Aug 2008 A1
20080209557 Herley et al. Aug 2008 A1
20080215742 Goldszmidt et al. Sep 2008 A1
20080222729 Chen et al. Sep 2008 A1
20080263665 Ma et al. Oct 2008 A1
20080295172 Bohacek Nov 2008 A1
20080301810 Lehane et al. Dec 2008 A1
20080307524 Singh et al. Dec 2008 A1
20080313738 Enderby Dec 2008 A1
20080320594 Jiang Dec 2008 A1
20090003317 Kasralikar et al. Jan 2009 A1
20090007100 Field et al. Jan 2009 A1
20090013408 Schipka Jan 2009 A1
20090031423 Liu et al. Jan 2009 A1
20090036111 Danford et al. Feb 2009 A1
20090037835 Goldman Feb 2009 A1
20090044024 Oberheide et al. Feb 2009 A1
20090044274 Budko et al. Feb 2009 A1
20090064332 Porras et al. Mar 2009 A1
20090076791 Rhoades et al. Mar 2009 A1
20090077666 Chen et al. Mar 2009 A1
20090083369 Marmor Mar 2009 A1
20090083855 Apap et al. Mar 2009 A1
20090089879 Wang et al. Apr 2009 A1
20090094697 Provos et al. Apr 2009 A1
20090113425 Ports et al. Apr 2009 A1
20090125976 Wassermann et al. May 2009 A1
20090126015 Monastyrsky et al. May 2009 A1
20090126016 Sobko et al. May 2009 A1
20090133125 Choi et al. May 2009 A1
20090144823 Lamastra et al. Jun 2009 A1
20090158430 Borders Jun 2009 A1
20090172815 Gu et al. Jul 2009 A1
20090187992 Poston Jul 2009 A1
20090193293 Stolfo et al. Jul 2009 A1
20090198651 Shiffer et al. Aug 2009 A1
20090198670 Shiffer et al. Aug 2009 A1
20090198689 Frazier et al. Aug 2009 A1
20090199274 Frazier et al. Aug 2009 A1
20090199296 Xie et al. Aug 2009 A1
20090204514 Bhogal et al. Aug 2009 A1
20090228233 Anderson et al. Sep 2009 A1
20090241187 Troyansky Sep 2009 A1
20090241190 Todd Sep 2009 A1
20090265692 Godefroid et al. Oct 2009 A1
20090271866 Liske Oct 2009 A1
20090271867 Zhang Oct 2009 A1
20090300415 Zhang et al. Dec 2009 A1
20090300761 Park et al. Dec 2009 A1
20090328185 Berg Dec 2009 A1
20090328221 Blumfield Dec 2009 A1
20100005146 Drako et al. Jan 2010 A1
20100011205 McKenna Jan 2010 A1
20100017546 Poo et al. Jan 2010 A1
20100030996 Butler, II Feb 2010 A1
20100031353 Thomas et al. Feb 2010 A1
20100037314 Perdisci et al. Feb 2010 A1
20100043073 Kuwamura Feb 2010 A1
20100054278 Stolfo et al. Mar 2010 A1
20100058474 Hicks Mar 2010 A1
20100064044 Nonoyama Mar 2010 A1
20100077481 Polyakov et al. Mar 2010 A1
20100083376 Pereira et al. Apr 2010 A1
20100103837 Jungck Apr 2010 A1
20100115621 Staniford et al. May 2010 A1
20100132038 Zaitsev May 2010 A1
20100154056 Smith et al. Jun 2010 A1
20100180344 Malyshev et al. Jul 2010 A1
20100192057 Majidian Jul 2010 A1
20100192223 Ismael et al. Jul 2010 A1
20100220863 Dupaquis et al. Sep 2010 A1
20100235831 Dittmer Sep 2010 A1
20100251104 Massand Sep 2010 A1
20100275210 Phillips et al. Oct 2010 A1
20100281102 Chinta et al. Nov 2010 A1
20100281541 Stolfo et al. Nov 2010 A1
20100281542 Stolfo et al. Nov 2010 A1
20100287260 Peterson et al. Nov 2010 A1
20100299754 Amit et al. Nov 2010 A1
20100306173 Frank Dec 2010 A1
20100306825 Spivack Dec 2010 A1
20100332593 Barash Dec 2010 A1
20110004737 Greenebaum Jan 2011 A1
20110025504 Lyon et al. Feb 2011 A1
20110041179 St Hlberg Feb 2011 A1
20110047594 Mahaffey et al. Feb 2011 A1
20110047620 Mahaffey et al. Feb 2011 A1
20110055907 Narasimhan et al. Mar 2011 A1
20110078794 Manni et al. Mar 2011 A1
20110093951 Aziz Apr 2011 A1
20110099620 Stavrou et al. Apr 2011 A1
20110099633 Aziz Apr 2011 A1
20110099635 Silberman et al. Apr 2011 A1
20110113231 Kaminsky May 2011 A1
20110113427 Dotan May 2011 A1
20110145918 Jung et al. Jun 2011 A1
20110145920 Mahaffey et al. Jun 2011 A1
20110145934 Abramovici et al. Jun 2011 A1
20110167493 Song et al. Jul 2011 A1
20110167494 Bowen et al. Jul 2011 A1
20110173178 Conboy et al. Jul 2011 A1
20110173213 Frazier et al. Jul 2011 A1
20110173460 Ito et al. Jul 2011 A1
20110219449 St. Neitzel et al. Sep 2011 A1
20110219450 McDougal et al. Sep 2011 A1
20110225624 Sawhney et al. Sep 2011 A1
20110225655 Niemela et al. Sep 2011 A1
20110247072 Staniford et al. Oct 2011 A1
20110265182 Peinado et al. Oct 2011 A1
20110289582 Kejriwal et al. Nov 2011 A1
20110302587 Nishikawa et al. Dec 2011 A1
20110302656 El-Moussa Dec 2011 A1
20110307954 Melnik et al. Dec 2011 A1
20110307955 Kaplan et al. Dec 2011 A1
20110307956 Yermakov et al. Dec 2011 A1
20110314546 Aziz et al. Dec 2011 A1
20110320816 Yao et al. Dec 2011 A1
20120023593 Puder et al. Jan 2012 A1
20120054869 Yen et al. Mar 2012 A1
20120066698 Yanoo Mar 2012 A1
20120079596 Thomas et al. Mar 2012 A1
20120084859 Radinsky et al. Apr 2012 A1
20120096553 Srivastava et al. Apr 2012 A1
20120110667 Zubrilin et al. May 2012 A1
20120117652 Manni et al. May 2012 A1
20120121154 Xue et al. May 2012 A1
20120124426 Maybee et al. May 2012 A1
20120167219 Zaitsev et al. Jun 2012 A1
20120174186 Aziz et al. Jul 2012 A1
20120174196 Bhogavilli et al. Jul 2012 A1
20120174218 McCoy et al. Jul 2012 A1
20120198279 Schroeder Aug 2012 A1
20120210423 Friedrichs et al. Aug 2012 A1
20120222121 Staniford et al. Aug 2012 A1
20120255015 Sahita et al. Oct 2012 A1
20120255017 Sallam Oct 2012 A1
20120260342 Dube et al. Oct 2012 A1
20120266244 Green et al. Oct 2012 A1
20120278886 Luna Nov 2012 A1
20120284710 Vinberg Nov 2012 A1
20120297489 Dequevy Nov 2012 A1
20120304244 Xie Nov 2012 A1
20120330801 McDougal et al. Dec 2012 A1
20120331553 Aziz et al. Dec 2012 A1
20130014259 Gribble et al. Jan 2013 A1
20130036472 Aziz Feb 2013 A1
20130047257 Aziz Feb 2013 A1
20130074185 McDougal et al. Mar 2013 A1
20130086684 Mohler Apr 2013 A1
20130097699 Balupari et al. Apr 2013 A1
20130097706 Titonis et al. Apr 2013 A1
20130111587 Goel et al. May 2013 A1
20130117852 Stute May 2013 A1
20130117855 Kim et al. May 2013 A1
20130139264 Brinkley et al. May 2013 A1
20130160125 Likhachev et al. Jun 2013 A1
20130160127 Jeong et al. Jun 2013 A1
20130160130 Mendelev et al. Jun 2013 A1
20130160131 Madou et al. Jun 2013 A1
20130167236 Sick Jun 2013 A1
20130174214 Duncan Jul 2013 A1
20130185789 Hagiwara et al. Jul 2013 A1
20130185795 Winn et al. Jul 2013 A1
20130185798 Saunders et al. Jul 2013 A1
20130191915 Antonakakis et al. Jul 2013 A1
20130196649 Paddon et al. Aug 2013 A1
20130227691 Aziz et al. Aug 2013 A1
20130246370 Bartram et al. Sep 2013 A1
20130247186 LeMasters Sep 2013 A1
20130247187 Hsiao et al. Sep 2013 A1
20130263260 Mahaffey et al. Oct 2013 A1
20130291109 Staniford et al. Oct 2013 A1
20130298243 Kumar et al. Nov 2013 A1
20130318038 Shiffer et al. Nov 2013 A1
20130318073 Shiffer et al. Nov 2013 A1
20130325791 Shiffer et al. Dec 2013 A1
20130325792 Shiffer et al. Dec 2013 A1
20130325871 Shiffer et al. Dec 2013 A1
20130325872 Shiffer et al. Dec 2013 A1
20130333046 Sambamurthy Dec 2013 A1
20140026217 Saxena et al. Jan 2014 A1
20140032875 Butler Jan 2014 A1
20140053260 Gupta et al. Feb 2014 A1
20140053261 Gupta et al. Feb 2014 A1
20140096184 Zaitsev Apr 2014 A1
20140130158 Wang et al. May 2014 A1
20140137180 Lukacs et al. May 2014 A1
20140169762 Ryu Jun 2014 A1
20140179360 Jackson et al. Jun 2014 A1
20140181131 Ross Jun 2014 A1
20140181975 Spernow et al. Jun 2014 A1
20140189687 Jung et al. Jul 2014 A1
20140189866 Shiffer et al. Jul 2014 A1
20140189882 Jung et al. Jul 2014 A1
20140237600 Silberman et al. Aug 2014 A1
20140280245 Wilson Sep 2014 A1
20140283037 Sikorski et al. Sep 2014 A1
20140283063 Thompson et al. Sep 2014 A1
20140317735 Kolbitsch Oct 2014 A1
20140325344 Bourke et al. Oct 2014 A1
20140328204 Klotsche et al. Nov 2014 A1
20140337836 Ismael Nov 2014 A1
20140344926 Cunningham et al. Nov 2014 A1
20140351935 Shao et al. Nov 2014 A1
20140380473 Bu et al. Dec 2014 A1
20140380474 Paithane et al. Dec 2014 A1
20150007312 Pidathala et al. Jan 2015 A1
20150026810 Friedrichs et al. Jan 2015 A1
20150096022 Vincent Apr 2015 A1
20150096023 Mesdaq et al. Apr 2015 A1
20150096024 Haq et al. Apr 2015 A1
20150096025 Ismael Apr 2015 A1
20150121526 McLamon et al. Apr 2015 A1
20150180886 Staniford et al. Jun 2015 A1
20150186645 Aziz et al. Jul 2015 A1
20150199513 Ismael et al. Jul 2015 A1
20150199531 Ismael et al. Jul 2015 A1
20150199532 Ismael et al. Jul 2015 A1
20150220735 Paithane et al. Aug 2015 A1
20150244732 Golshan et al. Aug 2015 A1
20150363598 Xu Dec 2015 A1
20150372980 Eyada Dec 2015 A1
20160004869 Ismael et al. Jan 2016 A1
20160006756 Ismael et al. Jan 2016 A1
20160044000 Cunningham Feb 2016 A1
20160127393 Aziz et al. May 2016 A1
20160191547 Zafar et al. Jun 2016 A1
20160191550 Ismael et al. Jun 2016 A1
20160261612 Mesdaq et al. Sep 2016 A1
20160285914 Singh et al. Sep 2016 A1
20160301703 Aziz Oct 2016 A1
20160335110 Paithane et al. Nov 2016 A1
20170083703 Abbasi et al. Mar 2017 A1
20180013770 Ismael Jan 2018 A1
20180048660 Paithane et al. Feb 2018 A1
20180121316 Ismael et al. May 2018 A1
20180288077 Siddiqui et al. Oct 2018 A1
20180357812 Church Dec 2018 A1
20190066377 Schoening Feb 2019 A1
Foreign Referenced Citations (11)
Number Date Country
2439806 Jan 2008 GB
2490431 Oct 2012 GB
0223805 Mar 2002 WO
0206928 Nov 2003 WO
2007117636 Oct 2007 WO
2008041950 Apr 2008 WO
2011084431 Jul 2011 WO
2011112348 Sep 2011 WO
2012075336 Jun 2012 WO
2012145066 Oct 2012 WO
2013067505 May 2013 WO
Non-Patent Literature Citations (109)
Entry
“Network Security: NetDetector—Network Intrusion Forensic System (NIFS) Whitepaper”, (“NetDetector Whitepaper”), (2003).
“Packet”, Microsoft Computer Dictionary Microsoft Press, (Mar. 2002), 1 page.
“When Virtual is Better Than Real”, IEEEXplore Digital Library, available at, http://ieeexplore.ieee.org/xpl/articleDetails.iso?reload=true&arnumber=990073, (Dec. 7, 2013).
Abdullah, et al., Visualizing Network Data for Intrusion Detection, 2005 IEEE Workshop on Information Assurance and Security, pp. 100-108.
Adetoye, Adedayo, et al., “Network Intrusion Detection & Response System”, (“Adetoye”) (Sep. 2003).
AltaVista Advanced Search Results (subset). “attack vector identifier” Http://www.altavista.com/web/results?Itag=ody&pg=aq&aqmode=aqa=Event+Orchestrator . . . , (Accessed on Sep. 15, 2009).
AltaVista Advanced Search Results (subset). “Event Orchestrator”. Http://www.altavista.com/web/results?Itag=ody&pg=aq&aqmode=aqa=Event+Orchesrator . . . , (Accessed on Sep. 3, 2009).
Apostolopoulos, George; hassapis, Constantinos; “V-eM: A cluster of Virtual Machines for Robust, Detailed, and High-Performance Network Emulation”, 14th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, Sep. 11-14, 2006, pp. 117-126.
Aura, Tuomas, “Scanning electronic documents for personally identifiable information”, Proceedings of the 5th ACM workshop on Privacy in electronic society. ACM, 2006.
Baecher, “The Nepenthes Platform: An Efficient Approach to collect Malware”, Springer-verlaq Berlin Heidelberg, (2006), pp. 165-184.
Baldi, Mario; Risso, Fulvio; “A Framework for Rapid Development and Portable Execution of Packet-Handling Applications”, 5th IEEE International Symposium Processing and Information Technology, Dec. 21, 2005, pp. 233-238.
Bayer, et al., “Dynamic Analysis of Malicious Code”, J Comput Virol, Springer-Verlag, France., (2006), pp. 67-77.
Boubalos, Chris , “extracting syslog data out of raw pcap dumps, seclists.org, Honeypots mailing list archives”, available at http://seclists,org/honeypots/2003/q2/319 (“Boubalos”), (Jun. 5, 2003).
Bowen, B. M. et al “BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection”, in Recent Advances in Intrusion Detection, Springer ISBN: 978-3-642-15511-6 (pp. 118-137) (Sep. 15, 2010).
Chaudet, C., et al., “Optimal Positioning of Active and Passive Monitoring Devices”, International Conference on Emerging Networking Experiments and Technologies, Proceedings of the 2005 ACM Conference on Emerging Network Experiment and Technology, CoNEXT '05, Toulousse, France, (Oct. 2005), pp. 71-82.
Cisco “Intrusion Prevention for the Cisco ASA 5500-x Series” Data Sheet (2012).
Cisco, Configuring the Catalyst Switched Port Analyzer (SPAN) (“Cisco”), (1992-2003).
Clark, John, Sylvian Leblanc,and Scott Knight. “Risks associated with usb hardware trojan devices used by insiders.” Systems Conference (SysCon), 2011 IEEE International. IEEE, 2011.
Cohen, M.I., “PyFlag—An advanced network forensic framework”, Digital investigation 5, Elsevier, (2008), pp. S112-S120.
Costa, M., et al., “Vigilante: End-to-End Containment of Internet Worms”, SOSP '05 Association for Computing Machinery, Inc., Brighton U.K., (Oct. 23-26, 2005).
Crandall, J.R., et al., “Minos:Control Data Attack Prevention Orthogonal to Memory Model”, 37th International Symposium on Microarchitecture, Portland, Oregon, (Dec. 2004).
Deutsch, P., ““Zlib compressed data format specification version 3.3” RFC 1950, (1996)”.
Distler, “Malware Analysis: An Introduction”, SANS Institute InfoSec Reading Room, SANS Institute, (2007).
Dunlap, George W. , et al., “ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay”, Proceeding of the 5th Symposium on Operating Systems Design and Implementation, USENIX Association, (“Dunlap”), (Dec. 9, 2002).
Excerpt regarding First Printing Date for Merike Kaeo, Designing Network Security (“Kaeo”), (2005).
Filiol, Eric , et al., “Combinatorial Optimisation of Worm Propagation on an Unknown Network”, International Journal of Computer Science 2.2 (2007).
FireEye Malware Analysis & Exchange Network, Malware Protection System, FireEye Inc., 2010.
FireEye Malware Analysis, Modern Malware Forensics, FireEye Inc., 2010.
FireEye v.6.0 Security Target, pp. 1-35, Version 1.1, FireEye Inc., May 2011.
Gibler, Clint, et al. AndroidLeaks: automatically detecting potential privacy leaks in android applications on a large scale. Springer Berlin Heidelberg, 2012.
Goel, et al., Reconstructing System State for Intrusion Analysis, Apr. 2008 SIGOPS Operating Systems Review vol. 42 Issue 3, pp. 21-28.
Gregg Keizer: “Microsoft's HoneyMonkeys Show Patching Windows Works”, Aug. 8, 2005, XP055143386, Retrieved from the Internet: URL:http://www.informationweek.com/microsofts-honeymonkeys-show-patching-windows-works/d/d-d/1035069? [retrieved on Jun. 1, 2016].
Heng Yin et al, Panorama: Capturing System-Wide Information Flow for Malware Detection and Analysis, Research Showcase @ CMU, Carnegie Mellon University, 2007.
Hjelmvik, Erik, “Passive Network Security Analysis with NetworkMiner”, (IN)Secure, Issue 18, (Oct. 2008), pp. 1-100.
Idika et al., A-Survey-of-Malware-Detection-Techniques, Feb. 2, 2007, Department of Computer Science, Purdue University.
IEEE Xplore Digital Library Sear Results (subset) for “detection of unknown computer worms”. Http//ieeexplore.ieee.org/searchresult.jsp?SortField=Score&SortOrder=desc&ResultC . . . (Accessed on Aug. 28, 2009).
Isohara, Takamasa, Keisuke Takemori, and Ayumu Kubota. “Kernel-based behavior analysis for android malware detection.” Computational intelligence and Security (CIS), 2011 Seventh International Conference on. IEEE, 2011.
Kaeo, Merike, “Designing Network Security”, (“Kaeo”), (Nov. 2003).
Kevin A Roundy et al: “Hybrid Analysis and Control of Malware”, Sep. 15, 2010, Recent Advances in Intrusion Detection, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 317-338, XP019150454 ISBN:978-3-642-15511-6.
Kim, H., et al., “Autograph: Toward Automated, Distributed Worm Signature Detection”, Proceedings of the 13th Usenix Security Symposium (Security 2004), San Diego, (Aug. 2004), pp. 271-286.
King, Samuel T., et al., “Operating System Support for Virtual Machines”, (“King”), (Dec. 2002).
Krasnyansky, Max, et al., Universal TUN/TAP driver, available at https://www.kernel.org/doc/Documentation/networking/tuntap.txt (2002) (“Krasnyansky”).
Kreibich, C., et al., “Honeycomb—Creating Intrusion Detection Signatures Using Honeypots”, 2nd Workshop on Hot Topics in Networks (HotNets-11), Boston, USA, (2003).
Kristoff, J., “Botnets, Detection and Mitigation: DNS-Based Techniques”, NU Security Day, (2005), 23 pages.
Leading Colleges Select FireEye to Stop Malware-Related Data Breaches, FireEye Inc., 2009.
Li et al., A VMM-Based System Call Interposition Framework for Program Monitoring, Dec. 2010, IEEE 16th International Conference on Parallel and Distributed Systems, pp. 706-711.
Liljenstam, Michael, et al., “Simulating Realistic Network Traffic for Worm Warning System Design and Testing”, Institute for Security Technology studies, Dartmouth College, (“Liljenstam”), (Oct. 27, 2003).
Lindorfer, Martina, Clemens Kolbitsch, and Paolo Milani Comparetti. “Detecting environment-sensitive malware.” Recent Advances in Intrusion Detection. Springer Berlin Heidelberg, 2011.
Lok Kwong et al: “DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis”, Aug. 10, 2012, XP055158513, Retrieved from the Internet: URL:https://www.usenix.org/system/files/conference/usenixsecurity12/sec12- -final107.pdf [retrieved on Dec. 15, 2014].
Marchette, David J., Computer Intrusion Detection and Network Monitoring: A Statistical (“Marchette”), (2001).
Margolis, P.E., “Random House Webster's Computer & Internet Dictionary 3rd Edition”, ISBN 0375703519, p. 595 (Dec. 1998).
Moore, D., et al., “Internet Quarantine: Requirements for Containing Self-Propagating Code”, INFOCOM, vol. 3, (Mar. 30-Apr. 3, 2003), pp. 1901-1910.
Morales, Jose A., et al., ““Analyzing and exploiting network behaviors of malware.””, Security and Privacy in Communication Networks. Springer Berlin Heidelberg, 2010. 20-34.
Mori, Detecting Unknown Computer Viruses, 2004, Springer-Verlag Berlin Heidelberg.
Natvig, Kurt, “Sandboxii: Internet”, Virus Bulletin Conference, (“Natvig”), (Sep. 2002).
NetBIOS Working Group. Protocol Standard for a NetBIOS Service on a TCP/UDP transport: Concepts and Methods. STD 19, RFC 1001, Mar. 1987.
Newsome, J., et al., “Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software”, In Proceedings of the 12th Annual Network and Distributed System Security, Symposium (NDSS '05), (Feb. 2005).
Newsome, J., et al., “Polygraph: Automatically Generating Signatures for Polymorphic Worms”, In Proceedings of the IEEE Symposium on Security and Privacy, (May 2005).
Nojiri, D. , et al., “Cooperation Response Strategies for Large Scale Attack Mitigation”, DARPA Information Survivability Conference and Exposition, vol. 1, (Apr. 22-24, 2003), pp. 293-302.
Oberheide et al., CloudAV.sub.—N-Version Antivirus in the Network Cloud, 17th USENIX Security Symposium USENIX Security '08 Jul. 28-Aug. 1, 2008 San Jose, CA.
PCT/US2014/043726 filed Jun. 23, 2014 International Search Report and Written Opinion dated Oct. 9, 2014.
PCT/US2015/067082 filed Dec. 21, 2015 International Search Report and Written Opinion dated Feb. 24, 2016.
Peter M. Chen, and Brian D. Noble, “When Virtual Is Better Than Real, Department of Electrical Engineering and Computer Science”, University of Michigan (“Chen”), (2001).
Reiner Sailer, Enriquillo Valdez, Trent Jaeger, Roonald Perez, Leendert van Doorn, John Linwood Griffin, Stefan Berger., sHype: Secure Hypervisor Approach to Trusted Virtualized Systems (Feb. 2, 2005) (“Sailer”).
Silicon Defense, “Worm Containment in the Internal Network”, (Mar. 2003), pp. 1-25.
Singh, S., et al., “Automated Worm Fingerprinting”, Proceedings of the ACM/USENIX Symposium on Operating System Design and Implementation, San Francisco, California, (Dec. 2004).
Spitzner, Lance, “Honeypots: Tracking Hackers”, (“Spizner”), (Sep. 17, 2002).
The Sniffers's Guide to Raw Traffic available at: yuba.stanford.edu/˜casado/pcap/sectionl.html, (Jan. 6, 2014).
Thomas H. Ptacek, and Timothy N. Newsham , “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”, Secure Networks, (“Ptacek”), (Jan. 1998).
U.S. Appl. No. 11/717,475, filed Mar. 12, 2007 Final Office Action dated Feb. 27, 2013.
U.S. Appl. No. 11/717,475, filed Mar. 12, 2007 Final Office Action dated Nov. 22, 2010.
U.S. Appl. No. 11/717,475, filed Mar. 12, 2007 Non-Final Office Action dated Aug. 28, 2012.
U.S. Appl. No. 11/717,475, filed Mar. 12, 2007 Non-Final Office Action dated May 6, 2010.
U.S. Appl. No. 13/925,688, filed Jun. 24, 2013 Final Office Action dated Jan. 12, 2017.
U.S. Appl. No. 13/925,688, filed Jun. 24, 2013 Final Office Action dated Mar. 11, 2016.
U.S. Appl. No. 13/925,688, filed Jun. 24, 2013 Non-Final Office Action dated Jun. 2, 2015.
U.S. Appl. No. 13/925,688, filed Jun. 24, 2013 Non-Final Office Action dated Sep. 16, 2016.
U.S. Appl. No. 14/059,381, filed Oct. 21, 2013 Non-Final Office Action dated Oct. 29, 2014.
U.S. Appl. No. 14/229,541, filed Mar. 28, 2014 Non-Final Office Action dated Apr. 20, 2016.
U.S. Appl. No. 14/620,060, filed Feb. 11, 2015, Non-Final Office Action dated Apr. 3, 2015.
U.S. Appl. No. 14/675,648, filed Mar. 31, 2015 Notice of Allowance dated Jul. 5, 2016.
U.S. Appl. No. 15/339,459, filed Oct. 31, 2016 Non-Final Office Action dated Feb. 9, 2017.
U.S. Appl. No. 15/451,243, filed Mar. 6, 2017 Notice of Allowance dated Jul. 26, 2017.
U.S. Pat. No. 8,171,553 filed Apr. 20, 2006, Inter Parties Review Decision dated Jul. 10, 2015.
U.S. Pat. No. 8,291,499 filed Mar. 16, 2012, Inter Parties Review Decision dated Jul. 10, 2015.
Venezia, Paul, “NetDetector Captures Intrusions”, InfoWorld Issue 27, (“Venezia”), (Jul. 14, 2003).
Wahid et al., Characterising the Evolution in Scanning Activity of Suspicious Hosts, Oct. 2009, Third International Conference on Network and System Security, pp. 344-350.
Whyte, et al., “DNS-Based Detection of Scanning Works in an Enterprise Network”, Proceedings of the 12th Annual Network and Distributed System Security Symposium, (Feb. 2005), 15 pages.
Williamson, Mathew M., “Throttling Virses: Restricting Propagation to Defeat Malicious Mobile Code”, ACSAC Conference, Las Vegas, NV, USA, (Dec. 2002), pp. 1-9.
Yuhei Kawakoya et al: “Memory behavior-based automatic malware unpacking in stealth debugging environment”, Malicious and Unwanted Software (Malware), 2010 5th International Conference on, IEEE, Piscataway, NJ, USA, Oct. 19, 2010, pp. 39-46, XP031833827, ISBN:978-1-4244-8-9353-1.
Zhang et al., The Effects of Threading, Infection Time, and Multiple-Attacker Collaboration on Malware Propagation, Sep. 2009, IEEE 28th International Symposium on Reliable Distributed Systems, pp. 73-82.
“Mining Specification of Malicious Behavior”—Jha et al, UCSB, Sep. 2007 https://www.cs.ucsb.edu/.about.chris/research/doc/esec07.sub.--mining.pdf-.
Didier Stevens, “Malicious PDF Documents Explained”, Security & Privacy, IEEE, IEEE Service Center, Los Alamitos, CA, US, vol. 9, No. 1, Jan. 1, 2011, pp. 80-82, XP011329453, ISSN: 1540-7993, DOI: 10.1109/MSP.2011.14.
Hiroshi Shinotsuka, Malware Authors Using New Techniques to Evade Automated Threat Analysis Systems, Oct. 26, 2012, http://www.symantec.com/connect/blogs/, pp. 1-4.
Khaled Salah et al: “Using Cloud Computing to Implement a Security Overlay Network”, Security & Privacy, IEEE, IEEE Service Center, Los Alamitos, CA, US, vol. 11, No. 1, Jan. 1, 2013 (Jan. 1, 2013).
Lastline Labs, The Threat of Evasive Malware, Feb. 25, 2013, Lastline Labs, pp. 1-8.
U.S. Appl. No. 14/579,896, filed Dec. 22, 2014 Advisory Action dated Aug. 23, 2016.
U.S. Appl. No. 14/579,896, filed Dec. 22, 2014 Final Office Action dated Jul. 6, 2016.
U.S. Appl. No. 14/579,896, filed Dec. 22, 2014 Non-Final Office Action dated Mar. 22, 2016.
U.S. Appl. No. 14/579,896, filed Dec. 22, 2014 Non-Final Office Action dated Oct. 18, 2016.
U.S. Appl. No. 14/579,896, filed Dec. 22, 2014 Notice of Allowance dated Mar. 1, 2017.
U.S. Appl. No. 14/586,233, filed Dec. 30, 2014 Advisory Action dated Jun. 13, 2017.
U.S. Appl. No. 14/586,233, filed Dec. 30, 2014 Final Office Action dated Mar. 9, 2017.
U.S. Appl. No. 14/586,233, filed Dec. 30, 2014 Non-Final Office Action dated Aug. 24, 2016.
Vladimir Getov: “Security as a Service in Smart Clouds—Opportunities and Concerns”, Computer Software and Applications Conference (COMPSAC), 2012 IEEE 36th Annual, IEEE, Jul. 16, 2012 (Jul. 16, 2012).
U.S. Appl. No. 14/316,716 filed Jun. 26, 2014 Non-Final Office Action dated Jul. 1, 2019.
U.S. Appl. No. 14/577,909 filed Dec. 19, 2014 Non-Final Office Action dated Jul. 30, 2019.
U.S. Appl. No. 14/577,920 filed Dec. 19, 2014 Final Office Action dated Jul. 10, 2019.
U.S. Appl. No. 15/831,311 filed Dec. 4, 2017 Non-Final Office Action dated Jul. 22, 2019.
Continuations (2)
Number Date Country
Parent 15451243 Mar 2017 US
Child 15728436 US
Parent 14229541 Mar 2014 US
Child 15451243 US