Title of invention: Systems and methods for unauthorized activity defense
Abstract: A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.
Publication number: US9306960(B1) Publication date: 2016.04.05
Application number: US201313970248 Filing date: 2013.08.19
Applicant: FireEye, Inc. Inventor: Aziz Ashar
Classification: H04L29/06; G06F11/30; G06F12/14 Main classification: H04L29/06
Agency: Rutan & Tucker, LLP Agent: Rutan & Tucker, LLP; Schaal William W.
Independent claim: 1. A malicious traffic sensor adapted for coupling with a communication network, comprising: one or more virtual computing systems to process network data that is associated with communications traffic received from the communication network and directed to a destination device and comprises one or more suspicious characteristics associated with malware, each of the one or more virtual computing systems includes a virtual machine to process the network data; and a hardware-based controller communicatively coupled to the one or more virtual computing systems, the controller being configured to monitor behaviors of the one or more virtual computing systems during processing of the network data, determine, during processing of the network data, that at least one of the monitored behaviors represents an anomalous behavior, the anomalous behavior includes an unauthorized activity that is conducted in response to processing of the network data within the one or more virtual computing systems that indicates the network data includes malware, and generate a signature that characterizes the malware.
Address: Milpitas CA US