System and method for tracking malware route and behavior for defending against cyberattacks

US 10,097,569 B2
Filed: 09/23/2016
Issued: 10/09/2018
Est. Priority Date: 06/23/2016
Status: Active Grant

First Claim

Patent Images

1. A system for tracking a malware route and behavior in order to defend against cyberattacks, comprising:

multiple hosts in which first event data concerning object behavior are collected and pieces of host-based event information are created using the first event data;

a tracking information database server for storing the pieces of host-based event information therein; and

a tracking information analysis server for creating behavior events by defining malware behavior from the pieces of host-based event information, for searching the pieces of host-based event information and the behavior events for a target to be analyzed based on a preset input value, for creating first tracking contexts, through which the malware behavior is capable of being identified, by analyzing a relationship between the pieces of host-based event information and a relationship between a set of the pieces of host-based event information and a set of the behavior events, which correspond to the target to be analyzed, and for creating second tracking contexts, through which a malware route and behavior events between the multiple hosts are capable of being tracked, by analyzing a correlation between the first tracking contexts,wherein the first tracking contexts are tracking contexts inside at least one of the multiple hosts, and the second tracking contexts are tracking contexts between the multiple hosts.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An attack tracking system includes multiple hosts in which first event data concerning object behavior are collected and pieces of host-based event information are created therefrom; a tracking information database server storing the pieces of host-based event information; a tracking information analysis server creating behavior events by defining malware behavior from the pieces of host-based event information, retrieving targets to be analyzed from the pieces of host-based event information and the behavior events based on a preset input value, creating first tracking contexts for identifying the malware behavior by analyzing the relationship between the pieces of host-based event information and the relationship between a set of the pieces of host-based event information and a set of the behavior events, and creating second tracking contexts tracking malware routes and behavior events between the multiple hosts by analyzing the correlation between the first tracking contexts.

5 Citations

14 Claims

1. A system for tracking a malware route and behavior in order to defend against cyberattacks, comprising:
- multiple hosts in which first event data concerning object behavior are collected and pieces of host-based event information are created using the first event data;
  
  a tracking information database server for storing the pieces of host-based event information therein; and
  
  a tracking information analysis server for creating behavior events by defining malware behavior from the pieces of host-based event information, for searching the pieces of host-based event information and the behavior events for a target to be analyzed based on a preset input value, for creating first tracking contexts, through which the malware behavior is capable of being identified, by analyzing a relationship between the pieces of host-based event information and a relationship between a set of the pieces of host-based event information and a set of the behavior events, which correspond to the target to be analyzed, and for creating second tracking contexts, through which a malware route and behavior events between the multiple hosts are capable of being tracked, by analyzing a correlation between the first tracking contexts,wherein the first tracking contexts are tracking contexts inside at least one of the multiple hosts, and the second tracking contexts are tracking contexts between the multiple hosts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein each of the multiple hosts includes:
    - an event-tracking module for, tracking the event data; and
      
      a tracking information collection module for creating unit event information by collecting the tracked event data.
  - 3. The system of claim 2, wherein the tracking information collection module includes:
    - a data collector for creating second event data from the first event data;
      
      a data normalization engine for creating normalized data by normalizing the second event data;
      
      an information generator for extracting data necessary for tracking from the normalized data and obtaining related additional information from the extracted data, thereby generating information data; and
      
      a unit event generator for generating a host-based event by adding information about a host in which an event occurs to the information data.
  - 4. The system of claim 3, wherein;
    - the additional information includes at least one of parent file information, process information, a file hash value, Internet Protocol (IP) address information, and time information, andthe information about the host includes at least one of a Media Access Control (MAC) address and a name of the host.
  - 5. The system of claim 2, wherein the event-tracking module is an Event Trace for Windows (ETW), and the pieces of host-based event information are stored in the tracking information database server in real time whenever a corresponding event occurs.
  - 6. The system of claim 1, wherein the malware behavior is one of an influx of malware, execution of malware, and propagation of malware.
  - 7. The system of claim 1, wherein the target to be analyzed is at least one of the corresponding host, a malware file, and a malware process.
  - 8. The system of claim 1, wherein the second tracking contexts are created by identifying at least one of an entry point via which malware enters a domain, a route via which the malware migrates, and a route via which the, malware propagates by analyzing the correlation between the first tracking contexts.
  - 9. The system of claim 8, wherein at least one of the entry point via which malware enters a domain, a route via which the malware migrates, and a route via which the malware propagates is identified using a collection of Internet Protocol (IP) addresses, which are created as a result of identifying at least one of an influx of malware into a host, execution of malware, and propagation of malware for each host in a list of hosts suspected of being infected with malware or using execution of malware in the domain based on an execution analysis result in the multiple hosts.
  - 10. The system of claim 9, wherein:
    - if at least one of the entry point via which malware enters the domain, a route via which the malware migrates, and a route via which the malware propagates is not identified using the collection of IP addresses, an additional list of hosts suspected of being infected with malware is acquired by searching for the behavior events collected inside the domain using a file name that is used for the influx of malware to the host in the list or the propagation of malware, and at least one of the entry point via which malware enters the domain, a route via which the malware migrates, and a route via which the malware propagates is identified using the additional list, wherein the file name is obtained as an analysis result.
  - 11. The system of claim 1, wherein the piece of host-based event information includes at least one of creation of a file, deletion of a file, reading a file, copying a file, a start of a process, termination of a process, reading a process, reading a registry entry, writing data in a registry, deletion of a registry entry, a request for access to a network, permission for access to a network, a request for a connection to an external storage medium, permission for a connection to an external storage medium, writing data in a Master Boot Record (MBR) area, and writing data in a Volume Boot Record (VBR) area, or parent information thereof.
  - 12. The system of claim 1, wherein the first tracking contexts are created in such a way that:
    - a list of hosts suspected of being infected with malware in a domain is acquired;
      
      a first behavior event related to the malware behavior, among the pieces of host-based event information and the behavior events for each of the hosts in the list, is identified; and
      
      a second behavior event is identified based on a unit/behavior event concerning a main object related to the first behavior event.
  - 13. The system of claim 12, wherein the main object includes a file and a process.

14. A method for tracking a malware route and behavior in order to defend against cyberattacks, comprising:
- collecting, by multiple hosts, first event data concerning object behavior and creating, by the multiple hosts, pieces of host-based event information using the first event data;
  
  storing, by the multiple hosts, the pieces of host-based event information in a tracking information database server;
  
  creating, by a tracking information analysis server, behavior events by defining malware behavior from the pieces of host-based event information;
  
  retrieving, by the tracking information analysis server, a target to be analyzed from the pieces of host-based event information and the behavior events based on, a preset input value;
  
  creating, by the tracking information analysis server, first tracking contexts, through which the malware behavior is capable of being identified, by analyzing a relationship between the pieces of the host-based event information and a relationship between a set of the pieces of the host-based event information and a set of the behavior events; and
  
  creating, by the tracking information analysis server, second tracking contexts, through which a malware route and behavior events between the multiple hosts are capable of being tracked, by analyzing a correlation between the first tracking contexts,wherein the first tracking contexts are tracking contexts inside at least one of the multiple hosts, and the second tracking contexts are tracking contexts between the multiple hosts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Agency For Defense Development (Government of The Republic of China)
Original Assignee
Agency For Defense Development (Government of The Republic of China)
Inventors
Jeong, Il-Hoon, Lee, Hwa-Seong, Choi, Chang-Hee, Yun, Ho-Sang
Primary Examiner(s)
McNally, Michael S

Application Number

US15/273,928
Publication Number

US 20170374086A1
Time in Patent Office

746 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

System and method for tracking malware route and behavior for defending against cyberattacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

5 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for tracking malware route and behavior for defending against cyberattacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links