Traffic simulation to identify malicious activity
First Claim
1. A method comprising:
using a dynamic analysis system comprising a processor in communication with a network;
receiving, by the processor, a copy of a malware program;
loading, using the processor, the copy of the malware program into a simulated endpoint;
executing, using the processor, the copy of the malware program in the simulated endpoint, the simulated endpoint being within the dynamic analysis system;
generating, based on the execution, network traffic at the simulated endpoint for the malware program, the traffic being generated by the malware program for communicating with a network infrastructure;
receiving, using the processor, network traffic intended for the malware program at the simulated endpoint;
monitoring, using the processor, the traffic to and from the malware program on the simulated endpoint;
assessing, using the processor, the network traffic on the simulated endpoint to determine at least one of a source and a destination for the traffic on the simulated endpoint, and content of the traffic on the simulated endpoint; and
capturing, using the processor, metadata associated with the traffic on the simulated endpoint and storing the metadata in the database; and
using a comparison system comprising a processor;
comparing, using the processor of the comparison system, metadata associated with observed network traffic to the metadata associated with the traffic on the simulated endpoint to determine whether the metadata associated with the observed network traffic and the metadata associated with the traffic on the simulated endpoint are statistically similar;
when the metadata associated with the observed network traffic and the metadata associated with the traffic on the simulated endpoint are not statistically similar, generating a low infection confidence score associated with the observed network traffic; and
when the metadata associated with the suspicious network traffic and the metadata associated with the traffic on the simulated endpoint are statistically similar, generating a high infection confidence score associated with the observed network traffic, the high infection confidence score being higher than the low infection confidence score.
12 Assignments
0 Petitions
Abstract
Systems and methods may simulate traffic to identify malicious activity. A dynamic analysis system comprising a processor in communication with a network may receive a copy of a malware program and load the copy of the malware program into a simulated endpoint. The system may monitor simulated endpoint network traffic to or from the simulated endpoint, assess the simulated endpoint network traffic to determine a source and/or destination for the simulated endpoint network traffic and/or content of the simulated endpoint network traffic, and capture and store metadata associated with the simulated endpoint network traffic. A comparison system may compare simulated network traffic metadata to observed network traffic metadata to determine whether the metadata are statistically similar. When the metadata are not statistically similar, the system may generate a low infection confidence score. When the metadata are statistically similar, the system may generate a high infection confidence score.
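The comparison step is the core of the abstract: metadata from a sandbox run is set against metadata from observed traffic and a high or low infection confidence score is emitted depending on whether the two are statistically similar. The following is an added illustration, not code from the patent, that assumes constructed flow records, a cosine-similarity score over destination, content-token and mean-size features, and an assumed threshold of 0.6:

```python
import math
from collections import Counter
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Flow:
    """One captured flow: source, destination, port, bytes sent, content sample."""
    src: str
    dst: str
    dport: int
    bytes_out: int
    content: str

# Constructed sandbox capture: the metadata the dynamic analysis system would
# have stored for the malware copy (not real indicators; RFC 5737 test addresses).
SANDBOX_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, 512, "POST /gate.php"),
    Flow("10.0.0.5", "203.0.113.10", 443, 520, "POST /gate.php"),
    Flow("10.0.0.5", "198.51.100.7", 80, 300, "GET /cfg.bin"),
]

def metadata(flows):
    """Reduce flows to destination, content-token and size features."""
    return {
        "dsts": Counter((f.dst, f.dport) for f in flows),
        "tokens": Counter(t for f in flows for t in f.content.split()),
        "mean_bytes": mean(f.bytes_out for f in flows) if flows else 0.0,
    }

def cosine(a, b):
    """Cosine similarity between two Counters (0.0 when either is empty)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def similarity(sim_meta, obs_meta):
    """Average of per-feature similarities; each component lies in [0, 1]."""
    s_dst = cosine(sim_meta["dsts"], obs_meta["dsts"])
    s_tok = cosine(sim_meta["tokens"], obs_meta["tokens"])
    hi = max(sim_meta["mean_bytes"], obs_meta["mean_bytes"])
    s_size = 1 - abs(sim_meta["mean_bytes"] - obs_meta["mean_bytes"]) / hi if hi else 0.0
    return (s_dst + s_tok + s_size) / 3

def infection_confidence(observed, sandbox=SANDBOX_FLOWS, threshold=0.6):
    """Return ('high'|'low', score): high when observed metadata is similar to sandbox metadata."""
    score = similarity(metadata(sandbox), metadata(observed))
    return ("high" if score >= threshold else "low", round(score, 3))
```

Empty observed traffic scores 0.0 and therefore low, so a sensor that has captured nothing never yields a high-confidence verdict by accident.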
281 Citations
24 Claims
1. A method comprising: (independent claim; text identical to the First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. A system comprising:
a database;
a dynamic analysis system comprising a processor in communication with a network and in communication with the database, the dynamic analysis system being constructed and arranged to:
receive, by the processor, a copy of a malware program;
load, using the processor, the copy of the malware program into a simulated endpoint;
execute, using the processor, the copy of the malware program in the simulated endpoint, the simulated endpoint being within the dynamic analysis system;
generate, based on the execution, network traffic at the simulated endpoint for the malware program, the traffic being generated by the malware program for communicating with a network infrastructure;
receive, using the processor, network traffic intended for the malware program at the simulated endpoint in response;
monitor, using the processor, the traffic to and from the malware program on the simulated endpoint;
assess, using the processor, the traffic on the simulated endpoint to determine at least one of a source and a destination for the traffic on the simulated endpoint, and content of the traffic on the simulated endpoint;
capture, using the processor, metadata associated with the traffic on the simulated endpoint and store the metadata in the database; and
compare, using the processor, metadata associated with observed network traffic to the metadata associated with the traffic on the simulated endpoint to determine whether the metadata associated with the observed network traffic and the metadata associated with the traffic on the simulated endpoint are statistically similar;
when the metadata associated with the observed network traffic and the metadata associated with the traffic on the simulated endpoint are not statistically similar, generate a low infection confidence score associated with the observed network traffic; and
when the metadata associated with the observed network traffic and the metadata associated with the traffic on the simulated endpoint are statistically similar, generate a high infection confidence score associated with the observed network traffic, the high infection confidence score being higher than the low infection confidence score.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24.