Distributed systems and methods for automatically detecting unknown bots and botnets
Abstract
A system and method for detecting malicious activity through one or more local analyzers and a central analyzer. The local analyzer captures packets that are part of communications over a network, generates a signature from information obtained from one or more of the captured packets, and determines whether the signature matches any signature of a first plurality of signatures stored in a first storage device that is accessible to the first local analyzer. The central analyzer remotely receives a portion of the information and the signature from the first local analyzer in response to the signature failing to match any of the signatures stored in the first storage device. The central analyzer determines whether the signature matches any global signature stored within a second storage device that is accessible to the central analyzer.
21 Claims
1. A system for detecting malicious callbacks from malicious code, comprising:

a first local analyzer to capture packets that are part of communications over a network, generate a signature from information obtained from at least one captured packet of the captured packets, determine whether the signature matches any signature of a first plurality of signatures stored in a first storage device that is accessible to the first local analyzer, and determine whether the at least one captured packet includes an anomaly in response to the signature failing to match any of the signatures of the first plurality of signatures; and

a central analyzer, including a processor and a memory, remotely located and communicatively coupled to the first local analyzer, the central analyzer to receive a portion of the information and the signature from the first local analyzer in response to the signature failing to match any of the signatures stored in the first storage device, the central analyzer including logic that, upon execution by the processor, is configured to determine whether the signature matches a verified callback signature, being a signature associated with a malware callback, stored within a second storage device that is accessible to the central analyzer, the second storage device including a second plurality of signatures that is greater in number than the first plurality of signatures, wherein in response to the signature failing to match any verified callback signature stored within the second storage device, the central analyzer is to (i) perform an analysis on the portion of the information obtained from the at least one captured packet that is provided to the central analyzer; (ii) determine whether the at least one captured packet is associated with a malicious callback; and (iii) store a designation identifying that the at least one captured packet is associated with the malicious callback, together with the signature associated with the at least one captured packet, in the second storage device.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.
14. A local analyzer comprising:

a network interface to receive a plurality of packets captured from network traffic; one or more processors communicatively coupled to the network interface; and a storage device communicatively coupled to the one or more processors, the storage device comprising:

a signature generating logic that, when executed by the one or more processors, generates a header signature based on information from a header obtained from a captured packet of the plurality of captured packets;

a signature matching logic that, when executed by the one or more processors, determines whether the header signature corresponds to one of a plurality of packet header signatures corresponding to verified callbacks;

an inspection logic that, when executed by the one or more processors and in response to the header signature failing to match any of the plurality of packet header signatures, detects whether the captured packet header includes one or more header anomalies, a captured packet header identified as having one or more header anomalies being a suspect header;

a local storage device that includes the plurality of packet header signatures corresponding to verified callbacks, the plurality of packet header signatures being updated with additional packet header signatures corresponding to verified callbacks; and

a reporting logic that, when executed by the one or more processors and in response to the inspection logic detecting that the captured packet header includes one or more header anomalies, transmits the header signature and information associated with the captured packet to a central analyzer for further analysis to determine whether the captured packet is part of a malicious callback.

Dependent claims: 15, 16, 17, 18, 19, 20.
21. A central analyzer in communication with a plurality of local analyzers over a network, the central analyzer comprising:

a network interface operable to receive information associated with a packet under analysis from a local analyzer of the plurality of local analyzers for further analysis to determine whether the packet under analysis is part of a malicious callback; one or more hardware processors; and a storage device coupled to the one or more hardware processors, the storage device comprising:

a signature matching logic that, when executed by the one or more hardware processors, determines whether a header signature for a suspect header of the packet under analysis corresponds to one of a plurality of header signatures associated with verified callbacks that are stored in a storage device accessible by the central analyzer;

evaluation logic that, when executed by the one or more hardware processors, accesses content within the suspect header to determine a likelihood of the content being associated with malicious activity; and

threat heuristics logic that, when executed by the one or more hardware processors, generates a pattern that contains attributes associated with the packet under analysis, analyzes the pattern, and determines a probability that one or more attributes associated with the pattern include malware and are associated with a malicious callback;

wherein the network interface is further operable to return a message to the local analyzer containing information with respect to the suspect header being verified as corresponding to a malicious callback.
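As an added illustration (not code from the patent or its assignee), the two-tier flow of claims 1, 14 and 21 in Python: the local analyzer derives a header signature, checks its smaller signature store, inspects for header anomalies on a miss and escalates to the central analyzer, which checks its larger store, applies threat heuristics, and records a verified signature that both stores then learn. The header fields used for the signature, the anomaly checks and the scoring weights are assumptions; the claims do not specify them.

```python
import hashlib

def header_signature(hdr: dict) -> str:
    """Signature from header fields only (claim 14); field choice is an assumption."""
    key = "|".join(str(hdr.get(k, "")) for k in ("method", "host", "user-agent", "content-type"))
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def header_anomalies(hdr: dict) -> list:
    """Assumed anomaly checks; the patent does not enumerate specific anomalies."""
    found = []
    if not hdr.get("host"):
        found.append("missing-host")
    if not hdr.get("user-agent", "").startswith("Mozilla/"):
        found.append("unusual-user-agent")
    if hdr.get("method") == "POST" and not hdr.get("content-type"):
        found.append("post-without-content-type")
    return found

class CentralAnalyzer:
    """Holds the second, larger plurality of verified callback signatures (claims 1, 21)."""
    def __init__(self, verified: set):
        self.verified = set(verified)

    def analyze(self, sig: str, hdr: dict, anomalies: list) -> dict:
        if sig in self.verified:
            return {"sig": sig, "callback": True, "source": "global-match"}
        # Threat heuristics over attributes of the pattern (weights are assumptions).
        score = 0.3 * len(anomalies) + (0.2 if hdr.get("method") == "POST" else 0.0)
        malicious = score >= 0.5
        if malicious:
            self.verified.add(sig)  # store the designation with the signature
        return {"sig": sig, "callback": malicious, "source": "heuristic", "score": round(score, 2)}

class LocalAnalyzer:
    """Holds the first, smaller plurality of signatures; escalates on anomaly (claim 14)."""
    def __init__(self, central: CentralAnalyzer, verified: set = ()):
        self.central, self.verified = central, set(verified)

    def inspect(self, hdr: dict) -> dict:
        sig = header_signature(hdr)
        if sig in self.verified:
            return {"sig": sig, "callback": True, "source": "local-match"}
        anomalies = header_anomalies(hdr)
        if not anomalies:
            return {"sig": sig, "callback": False, "source": "local-clean"}
        verdict = self.central.analyze(sig, hdr, anomalies)
        if verdict["callback"]:
            self.verified.add(sig)  # local store learns the verified signature
        return verdict
```

The constructed headers in the usage below are placeholders; a real deployment would populate the central store from its verified callback corpus.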