Traffic simulation to identify malicious activity

US 10,084,806 B2
Filed: 08/30/2013
Issued: 09/25/2018
Est. Priority Date: 08/31/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

using a dynamic analysis system comprising a processor in communication with a network;

receiving, by the processor, a copy of a malware program;

loading, using the processor, the copy of the malware program into a simulated endpoint;

executing, using the processor, the copy of the malware program in the simulated endpoint, the simulated endpoint being within the dynamic analysis system;

generating, based on the execution, network traffic at the simulated endpoint for the malware program, the traffic being generated by the malware program for communicating with a network infrastructure;

receiving, using the processor, network traffic intended for the malware program at the simulated endpoint;

monitoring, using the processor, the traffic to and from the malware program on the simulated endpoint;

assessing, using the processor, the network traffic on the simulated endpoint to determine at least one of a source and a destination for the traffic on the simulated endpoint, and content of the traffic on the simulated endpoint; and

capturing using the processor, metadata associated with the traffic on the simulated endpoint and storing the metadata in the database; and

using a comparison system comprising a processor;

comparing, using the processor of the comparison system, metadata associated with observed network traffic to the metadata associated with the traffic on the simulated endpoint to determine whether the metadata associated with the observed network traffic and the metadata associated with the traffic on the simulated endpoint are statistically similar;

when the metadata associated with the observed network traffic and the metadata associated with the traffic on the simulated endpoint are not statistically similar, generating a low infection confidence score associated with the observed network traffic; and

when the metadata associated with the suspicious network traffic and the metadata associated with the on the simulated endpoint are statistically similar, generating a high infection confidence score associated with the observed network traffic, the high infection confidence score being higher than the low infection confidence score.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods may simulate traffic to identify malicious activity. A dynamic analysis system comprising a processor in communication with a network may receive a copy of a malware program and load the copy of the malware program into a simulated endpoint. The system may monitor simulated endpoint network traffic to or from the simulated endpoint, assess the simulated endpoint network traffic to determine a source and/or destination for the simulated endpoint network traffic and/or content of the simulated endpoint network traffic, and capture and store metadata associated with the simulated endpoint network traffic. A comparison system may compare simulated network traffic metadata to observed network traffic metadata to determine whether the metadata are statistically similar. When the metadata are not statistically similar, the system may generate a low infection confidence score. When the metadata are statistically similar, the system may generate a high infection confidence score.

281 Citations

24 Claims

1. A method comprising:
- using a dynamic analysis system comprising a processor in communication with a network;
  
  receiving, by the processor, a copy of a malware program;
  
  loading, using the processor, the copy of the malware program into a simulated endpoint;
  
  executing, using the processor, the copy of the malware program in the simulated endpoint, the simulated endpoint being within the dynamic analysis system;
  
  generating, based on the execution, network traffic at the simulated endpoint for the malware program, the traffic being generated by the malware program for communicating with a network infrastructure;
  
  receiving, using the processor, network traffic intended for the malware program at the simulated endpoint;
  
  monitoring, using the processor, the traffic to and from the malware program on the simulated endpoint;
  
  assessing, using the processor, the network traffic on the simulated endpoint to determine at least one of a source and a destination for the traffic on the simulated endpoint, and content of the traffic on the simulated endpoint; and
  
  capturing using the processor, metadata associated with the traffic on the simulated endpoint and storing the metadata in the database; and
  
  using a comparison system comprising a processor;
  
  comparing, using the processor of the comparison system, metadata associated with observed network traffic to the metadata associated with the traffic on the simulated endpoint to determine whether the metadata associated with the observed network traffic and the metadata associated with the traffic on the simulated endpoint are statistically similar;
  
  when the metadata associated with the observed network traffic and the metadata associated with the traffic on the simulated endpoint are not statistically similar, generating a low infection confidence score associated with the observed network traffic; and
  
  when the metadata associated with the suspicious network traffic and the metadata associated with the on the simulated endpoint are statistically similar, generating a high infection confidence score associated with the observed network traffic, the high infection confidence score being higher than the low infection confidence score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - sending, with the comparison system, the low infection confidence score or the high infection confidence score to a display in communication with the comparison system.
  - 3. The method of claim 1, further comprising:
    - when the metadata associated with the observed network traffic and the metadata associated with the traffic on the simulated endpoint are statistically similar, analyzing, with the dynamic analysis system, the metadata associated with the traffic on the simulated endpoint to identify a simulated network traffic type.
  - 4. The method of claim 1, wherein the observed network traffic comprises all traffic to and from an asset having a potential malware infection associated with the network.
  - 5. The method of claim 1, wherein the observed network traffic comprises suspicious network traffic.
  - 6. The method of claim 5, further comprising:
    - monitoring, with a monitoring system comprising a processor in communication with the network, network traffic to and from an asset associated with the network;
      
      assessing, with the monitoring system, the network traffic to determine at least one of a source and destination for the network traffic, and content of the network traffic;
      
      determining, with the monitoring system, whether the network traffic is suspicious network traffic based on the assessed at least one of source, destination, and content;
      
      when the network traffic is determined to be suspicious network traffic, capturing, with the monitoring system, metadata associated with the suspicious network traffic and storing the metadata in a database in communication with the processor; and
      
      when the network traffic is not determined to be suspicious network traffic, disregarding, with the monitoring system, metadata associated with the network traffic.
  - 7. The method of claim 6, wherein the monitoring comprises monitoring a transport protocol of the network traffic, monitoring an application protocol of the network traffic, monitoring a source and destination of the network traffic, and monitoring content of the network traffic.
  - 8. The method of claim 6, wherein the determining whether the network traffic is suspicious network traffic is based on a low reputation score associated with the source and destination for the network traffic, a suspicious DGA cluster associated with the source and destination for the network traffic, a suspicious DGA cluster associated with the content of the network traffic, and a suspicious content element within the content of the network traffic.
  - 9. The method of claim 6, further comprising:
    - when the network traffic is determined to be suspicious network traffic, indexing, with the monitoring system, the metadata.
  - 10. The method of claim 6, wherein the metadata comprises at least one of a source port, a destination port, a transport protocol, an application protocol, a time stamp, a duration, a source identifier, a destination identifier, a bytes in count, a bytes out count, a connection success indicator, a connection status, a DNS RR set, HTTP data, a file within the content of the network traffic, the content of the network traffic, and a subsequent communication.
  - 11. The method of claim 6, further comprising:
    - when the network traffic is determined to be suspicious network traffic, sending, with the monitoring system, a report indicating that the network traffic is determined to be suspicious network traffic to a display in communication with the monitoring system.
  - 12. The method of claim 6, wherein determining whether the network traffic is suspicious network traffic comprises determining that all traffic to and from the asset is suspicious network traffic when the asset is an asset with a potential malware infection.

13. A system comprising:
- a database;
  
  a dynamic analysis system comprising a processor in communication with a network and in communication with the database, the dynamic analysis system being constructed and arranged to;
  
  receive, by the processor, a copy of a malware program;
  
  load, using the processor, the copy of the malware program into a simulated endpoint;
  
  execute, using the processor, the copy of the malware program in the simulated endpoint, the simulated endpoint being within the dynamic analysis system;
  
  generate, based on the execution, network traffic at the simulated endpoint for the malware program, the traffic being generated by the malware program for communicating with a network infrastructure;
  
  receive, using the processor, network traffic intended for the malware program at the simulated endpoint in response;
  
  monitor, using the processor, the traffic to and from the malware program on the simulated endpoint;
  
  assess, using the processor, the traffic on the simulated endpoint to determine at least one of a source and a destination for the traffic on the simulated endpoint, and content of the traffic on the simulated endpoint;
  
  capture, using the processor, metadata associated with the traffic on the simulated endpoint and store the metadata in the database; and
  
  compare, using the processor, metadata associated with observed network traffic to the metadata associated with the traffic on the simulated endpoint to determine whether the metadata associated with the observed network traffic and the metadata associated with the traffic on the simulated endpoint are statistically similar;
  
  when the metadata associated with the observed network traffic and the metadata associated with the traffic on the simulated endpoint are not statistically similar, generate a low infection confidence score associated with the observed network traffic; and
  
  when the metadata associated with the observed network traffic and the metadata associated with the traffic on the simulated endpoint are statistically similar, generate a high infection confidence score associated with the observed network traffic, the high infection confidence score being higher than the low infection confidence score.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system of claim 13, wherein the comparison system is further constructed and arranged to:
    - send the low infection confidence score or the high infection confidence score to a display in communication with the comparison system.
  - 15. The system of claim 13, wherein the dynamic analysis system is further constructed and arranged to:
    - when the metadata associated with the observed network traffic and the metadata associated with the traffic on the simulated endpoint are statistically similar, analyze the metadata associated with the simulated network traffic to identify a simulated network traffic type.
  - 16. The system of claim 13, wherein the observed network traffic comprises all traffic to and from an asset having a potential malware infection associated with the network.
  - 17. The system of claim 13, wherein the observed network traffic comprises suspicious network traffic.
  - 18. The system of claim 17, further comprising:
    - a monitoring system comprising a processor in communication with the network and in communication with the database, the monitoring system being constructed and arranged to;
      
      monitor network traffic to and from an asset associated with the network;
      
      assess the network traffic to determine at least one of a source and destination for the network traffic and content of the network traffic;
      
      determine whether the network traffic is suspicious network traffic based on the assessed destination and/or content;
      
      when the network traffic is determined to be suspicious network traffic, capture metadata associated with the suspicious network traffic and store the metadata in the database; and
      
      when the network traffic is not determined to be suspicious network traffic, disregard metadata associated with the network traffic.
  - 19. The system of claim 18, wherein the monitoring comprises monitoring a transport protocol of the network traffic, monitoring an application protocol of the network traffic, monitoring a source and destination of the network traffic, and monitoring content of the network traffic.
  - 20. The system of claim 18, wherein the determining whether the network traffic is suspicious network traffic is based on a low reputation score associated with the source and destination for the network traffic, a suspicious DGA cluster associated with the source and destination for the network traffic, a suspicious DGA cluster associated with the content of the network traffic, and a suspicious content element within the content of the network traffic.
  - 21. The system of claim 18, wherein the monitoring system is further constructed and arranged to:
    - when the network traffic is determined to be suspicious network traffic, index the metadata.
  - 22. The system of claim 18, wherein the metadata comprises at least one of a source port, a destination port, a transport protocol, an application protocol, a time stamp, a duration, a source identifier, a destination identifier, a bytes in count, a bytes out count, a connection success indicator, a connection status, a DNS RR set, HTTP data, a file within the content of the network traffic, the content of the network traffic, and a subsequent communication.
  - 23. The system of claim 18, wherein the monitoring system is further constructed and arranged to:
    - when the network traffic is determined to be suspicious network traffic, send a report indicating that the network traffic is determined to be suspicious network traffic to a display in communication with the monitoring system.
  - 24. The system of claim 18, wherein the monitoring system is constructed and arranged to determine whether the network traffic is suspicious network traffic with a method comprising determining that all traffic to and from the asset is suspicious network traffic when the asset is an asset with a potential malware infection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc.
Original Assignee
Damballa Incorporated
Inventors
Ward, Joseph, Hobson, Andrew
Primary Examiner(s)
King, John B

Application Number

US14/015,663
Publication Number

US 20140090058A1
Time in Patent Office

1,852 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 63/1433 Vulnerability analysis

Traffic simulation to identify malicious activity

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

281 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Traffic simulation to identify malicious activity

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

281 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links