Distributed systems and methods for automatically detecting unknown bots and botnets

US 10,200,384 B1
Filed: 08/29/2016
Issued: 02/05/2019
Est. Priority Date: 03/14/2013
Status: Active Grant

First Claim

Patent Images

1. A system for detecting malicious callbacks from malicious code, comprising:

a first local analyzer to capture packets that are part of communications over a network, generate a signature from information obtained from at least one captured packet of the captured packets, determine whether the signature matches any signature of a first plurality of signatures stored in a first storage device that is accessible to the first local analyzer, and determine whether the at least one captured packet includes an anomaly in response to the signature failing to match any of the signatures of the first plurality of signatures; and

a central analyzer, including a processor and a memory, remotely located and communicatively coupled to the first local analyzer, the central analyzer to receive a portion of the information and the signature from the first local analyzer in response to the signature failing to match any of the signatures stored in the first storage device, the central analyzer including logic that, upon execution by the processor, is configured to determine whether the signature matches a verified callback signature being a signature associated with malware callback stored within a second storage device that is accessible to the central analyzer, the second storage device including a second plurality of signatures that is greater in number than the first plurality of signatures, whereinin response to the signature failing to match any verified callback signature stored within the second data storage device, the central analysis to (i) perform an analysis on the portion of the information obtained from the at least one captured packet that is provided to the central analyzer;

(ii) determine whether the at least one captured packet is associated with a malicious callback; and

(iii) store a designation identifying that the at least one captured packet is associated with the malicious callback with the signature associated with the at least one captured packet in the second storage device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting malicious activity through one or more local analyzers and a central analyzer. The local analyzer captures packets that are part of communications over a network, generates a signature from information obtained from one or more of the captured packets, and determines whether the signature matches any signature of a first plurality of signatures stored in a first storage device that is accessible to the first local analyzer. The central analyzer remotely receives a portion of the information and the signature from the first local analyzer in response to the signature failing to match any of the signatures stored in the first storage device. The central analyzer determines whether the signature matches any global signature stored within a second storage device that is accessible to the central analyzer.

710 Citations

21 Claims

1. A system for detecting malicious callbacks from malicious code, comprising:
- a first local analyzer to capture packets that are part of communications over a network, generate a signature from information obtained from at least one captured packet of the captured packets, determine whether the signature matches any signature of a first plurality of signatures stored in a first storage device that is accessible to the first local analyzer, and determine whether the at least one captured packet includes an anomaly in response to the signature failing to match any of the signatures of the first plurality of signatures; and
  
  a central analyzer, including a processor and a memory, remotely located and communicatively coupled to the first local analyzer, the central analyzer to receive a portion of the information and the signature from the first local analyzer in response to the signature failing to match any of the signatures stored in the first storage device, the central analyzer including logic that, upon execution by the processor, is configured to determine whether the signature matches a verified callback signature being a signature associated with malware callback stored within a second storage device that is accessible to the central analyzer, the second storage device including a second plurality of signatures that is greater in number than the first plurality of signatures, whereinin response to the signature failing to match any verified callback signature stored within the second data storage device, the central analysis to (i) perform an analysis on the portion of the information obtained from the at least one captured packet that is provided to the central analyzer;
  
  (ii) determine whether the at least one captured packet is associated with a malicious callback; and
  
  (iii) store a designation identifying that the at least one captured packet is associated with the malicious callback with the signature associated with the at least one captured packet in the second storage device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the central analyzer being further configured to provide the signature to a second local analyzer communicatively coupled to the central analyzer and different than the first local analyzer in response to the signature matching the verified callback signature.
  - 3. The system of claim 1, wherein the central analyzer being implemented as part of a cloud-based server and in communication with at least the first local analyzer and the second local analyzer that are located in different enterprise networks.
  - 4. The system of claim 1, wherein the local analyzer compriseslocal signature matching logic that generates the signature from information obtained from the at least one captured packet and determines whether the signature matches any signature of the first plurality of signatures stored within the first storage device implemented within the local analyzer;
    - andinspection logic that analyzes one or more packet headers of the at least one captured packet for anomalies that identify the at least one captured packet potentially include malware.
  - 5. The system of claim 4, wherein the central analyzer to receive the portion of the information and the signature from the first local analyzer in response to (i) the local signature matching logic failing to match any of the signatures stored in the first storage device and (ii) the inspection logic analyzing the one or more packet headers and identifying an anomaly associated with the one or more packet headers.
  - 6. The system of claim 5, wherein the local signature matching logic generates the signature by removing parameter values within the one or more packet headers to remove personal information associated with a sender of the at least one captured packet and generating a hash value from remaining information within the one or more packet headers.
  - 7. The system of claim 4, wherein the inspection logic analyzes the one or more packet headers by at least identifying (i) non-standard patterns as content within fields of the at least one captured packet relative to an Hypertext Transfer Protocol (HTTP) protocol or (ii) invalid header sequencing for the HTTP protocol.
  - 8. The system of claim 1, wherein the first storage device operates as a local signature cache implemented within the local analyzer and accessed by a hardware processor implemented within the local analyzer and the second storage device operates as a global signature cache implemented within the central analyzer and accessed by a hardware processor implemented within the central analyzer.
  - 9. The system of claim 4, wherein the inspection logic analyzes the one or more packet headers by at least (a) identifying invalid header sequencing for an Hypertext Transfer Protocol (HTTP) protocol or (b) comparing structures of the one or more packet headers with at least (i) a whitelist of prevalent, legitimate header structures for the HTTP protocol or (ii) a blacklist of illegitimate header structures for the HTTP protocol.
  - 10. The system of claim 1, wherein the at least one captured packet is determined to be associated with the malicious callback by at least (i) generating a callback probability score associated with the at least one captured packet and (ii) determining the at least one captured packet has the callback probability score exceeding a predetermined threshold as being associated with the malicious callback.
  - 11. The system of claim 1, wherein the central analyzer comprisesglobal signature matching logic that determines whether the signature matches a verified callback signature of the second plurality of signatures;
    - andin response to, at least in part, the global signature matching logic failing to determine that the signature matching any of the second plurality of signatures, threat heuristics logic performs an analysis of one or more packet headers of the at least one captured packet to determine whether a packet header of the one or more packet headers includes a bootkit.
  - 12. The system of claim 11, wherein the central analyzer further comprisesevaluation logic that accesses a uniform resource locator (URL) within the one or more packet headers, determines a reputation of a destination of the URL based on on-line resources including information obtained by visiting a website accessible using the URL, and provides a portion of the information acquired when determining the reputation of the destination of the URL in response to the evaluation logic determining that (i) the URL is suspicious attribute that requires additional analysis and (ii) the signature failed to match any of the second plurality of signatures.
  - 13. The system of claim 1, wherein the local analyzer compriseslocal signature matching logic that generates the signature from information obtained from the at least one captured packet and determines whether the signature matches any signature of the first plurality of signatures;
    - andinspection logic that analyzes a domain identifier contained within a field of a packet header of the one packet headers, where the domain identifier is deemed to be suspicious and require additional analysis to determine whether the packet header is associated with a callback.

14. A local analyzer comprising:
- a network interface to receive a plurality of packets captured from network traffic;
  
  one or more processors communicatively coupled to the network interface; and
  
  a storage device communicatively coupled to the one or more processors, the storage device comprisesa signature generating logic that, when executed by the one or more processors, generates a header signature based on information from a header obtained from a captured packet of the plurality of captured packets,a signature matching logic that, when executed by the one or more processors, determines whether the header signature corresponds to one of a plurality of packet header signatures corresponding to verified callbacks,an inspection logic that, when executed by the one or more processors and in response to the header signature failing to match any of the plurality of packet header signatures, detects whether the captured packet header includes one or more header anomalies, the captured packet header identified as having one or more header anomalies being a suspect header, anda local storage device that includes the plurality of packet header signatures corresponding to verified callbacks, the plurality of packet header signatures are updated with additional packet header signatures corresponding to verified callbacks, anda reporting logic that, when executed by the one or more processors and in response to the inspection logic detecting that the captured packet header includes one or more header anomalies, transmits the header signature and information associated with the captured packet to a central analyzer for further analysis to determine whether the captured packet is part of a malicious callback.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The local analyzer of claim 14, wherein the signature matching logic, when executed by the one or more processors, is configured for use the header signature as an index in searching the local storage device for one of the plurality of packet header signatures corresponding to verified callbacks.
  - 16. The local analyzer of claim 14, wherein the signature matching logic generates the header signature by removing parameter values within the header of the captured packet to remove personal information associated with a sender of the captured packet and generating a hash value from remaining information within the header.
  - 17. The local analyzer of claim 14, wherein the inspection logic is configured to detect whether the captured packet header includes one or more header anomalies by at least identifying non-standard patterns as content within fields of the captured packet relative to a Hypertext Transfer Protocol (HTTP) protocol.
  - 18. The local analyzer of claim 14, wherein the inspection logic is configured to detect whether the captured packet header includes one or more header anomalies by at least identifying invalid header sequencing for a selected applicable protocol.
  - 19. The local analyzer of claim 14, wherein the inspection logic is configured to detect whether the captured packet header includes one or more header anomalies by at least comparing structures of the captured packet header with at least (i) a whitelist of prevalent, legitimate header structures for a selected application protocol or (ii) a blacklist of illegitimate header structures for the selected applicable protocol.
  - 20. The local analyzer of claim 14 further comprising an alert generator that, when executed by the one or more processors, is configured, in the event of a signature match, to generate an alert being a warning to a user or a security administrator that the captured packet may be associated with malware.

21. A central analyzer in communications with a plurality of local analyzers over a network, the central analyzer comprising:
- a network interface operable to receive information associated with a packet under analysis from a local analyzer of the plurality of local analyzers for further analysis to determine whether the packet under analysis is part of a malicious callback;
  
  one or more hardware processors; and
  
  a storage device coupled to the one or more hardware processors, the storage device comprisesa signature matching logic that, when executed by the one or more hardware processors, determines whether a header signature for a suspect header of the packet under analysis corresponds to one of a plurality of header signatures associated with verified callbacks that are stored in a storage device accessible by the central analyzer,evaluation logic that, when executed by the one or more hardware processors, accesses content within the suspect header to determine a likelihood of the content being associated with malicious activity, andthreat heuristics logic that, when executed by the one or more hardware processors, generates a pattern that contains attributes associated with the packet under analysis, analyzes the pattern, and determines a probability of one or more attributes associated with the pattern includes malware and is associated with a malicious callback,wherein the network interface further operable to return a message to the local analyzer containing information with respect to the suspect header being verified as corresponding to a malicious callback.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Mushtaq, Atif, Rosenberry, Todd, Aziz, Ashar, Islam, Ali
Primary Examiner(s)
Abedin, Shanto

Application Number

US15/250,770
Time in Patent Office

890 Days
Field of Search

726 11- 14, 726 22- 25
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 21/57   Certifying or maintaining t...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 67/02   based on web technology, e....

Distributed systems and methods for automatically detecting unknown bots and botnets

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

710 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed systems and methods for automatically detecting unknown bots and botnets

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

710 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links