Periodicity detection of network traffic
Abstract
Improved detection of malicious processes executing on a networked computing device is provided. An agent running on the networked computing device monitors the communications transmitted to devices outside of the network to determine whether a process is likely using a periodic beacon signal to communicate with an external control center associated with a potentially malicious party. The agent maintains a dictionary data structure of objects, identifiable by the process identifier and the remote device's address, to track a given process/destination pair's communication history. The communication history is updated whenever a new message is identified, so that periodic patterns in the messages can be recognized and used to flag the process as potentially malicious.
20 Claims
1. A method for identifying potential malware in a network environment, comprising:
detecting, on a server within the network environment, a communication from a process running on the server, wherein the communication is addressed to a remote device that is not part of the network environment;
determining a tuple comprising a process identifier for the process and an address for the remote device;
determining whether a periodicity object including the tuple currently exists;
in response to determining that the periodicity object currently exists, determining whether the communication is part of an ongoing message or is part of a new message;
in response to determining that the communication is part of the ongoing message, updating a last transmission time maintained by the periodicity object;
in response to determining that the communication is part of the new message:
calculating a time variance for the new message;
updating a message counter maintained by the periodicity object;
updating an average time variance maintained by the periodicity object based on the average time variance, the time variance, and the message counter;
updating a standard deviation maintained by the periodicity object based on the average time variance, the time variance, the standard deviation, and the message counter;
in response to updating the standard deviation, determining whether the standard deviation satisfies a suspicion condition; and
in response to determining that the standard deviation satisfies the suspicion condition, generating an alert.
Dependent claims 2 to 10 depend from claim 1 (not reproduced here).

11. A system for identifying potential malware in a network environment, comprising:
a plurality of servers within the network environment, each server of the plurality of servers comprising a processor and a computer memory storage device including instructions, which when executed by the processor, are operable to provide a periodicity agent on a given server, wherein the periodicity agent is operable to:
monitor outbound communications from processes running on the given server to remote destinations outside of the network environment;
create a periodicity object for each process/destination tuple, wherein the periodicity object maintains a process/destination tuple, a last communication time, a last message start time, an average time range between messages, and a standard deviation of the average time range;
in response to observing an outbound communication for a given process/destination tuple at a given time:
update the last communication time maintained by an associated periodicity object to the given time;
determine whether the outbound communication is a latest communication of an ongoing message or a first communication of a new message;
in response to determining that the outbound communication is a first communication, calculate a difference between the last message start time and the given time and update the average time range and the standard deviation based on the difference;
in response to updating the standard deviation to satisfy a suspicion condition, generate an alert.
Dependent claims 12 to 16 depend from claim 11 (not reproduced here).

17. A computer-readable storage device including instructions that when executed by a processor on a server are operable to provide a periodicity agent performing steps comprising:
maintaining a dictionary of periodicity objects, wherein a periodicity object of the dictionary of periodicity objects maintains:
a tuple comprising a process identifier and a destination address, the tuple identifying the periodicity object;
a last packet time, identifying a time at which a most recent packet has been observed for the tuple;
a previous message start time, identifying a time at which a most recent message observed for the tuple originated;
an average inter-message time, maintaining a running calculation for a mean time between observing originations of successive messages for the tuple; and
a standard deviation, maintaining a running calculation for variance between the originations of successive messages and the average inter-message time;
detecting a communication from a process running on the server, wherein the communication is addressed to a device that is not part of a network environment to which the server belongs and is observed at a given time;
identifying a message tuple for the communication;
determining, based on the message tuple, whether the dictionary includes a matching periodicity object;
in response to determining that the dictionary does not include the matching periodicity object, creating the matching periodicity object in the dictionary;
in response to determining that the dictionary includes the matching periodicity object:
determining whether the communication is an initial packet for a new message or a most-recent packet for an ongoing message;
in response to determining that the communication is the most-recent packet, updating the last transmission time maintained by the matching periodicity object to the given time;
in response to determining that the communication is the initial packet:
calculating a time difference between the given time and the previous message start time and updating the previous message start time to the given time;
updating the average inter-message time maintained by the matching periodicity object based on the time difference;
updating the standard deviation maintained by the matching periodicity object based on the time difference;
in response to updating the standard deviation, determining whether the standard deviation satisfies a suspicion condition; and
in response to determining that the standard deviation satisfies the suspicion condition, generating an alert.
Dependent claims 18 to 20 depend from claim 17 (not reproduced here).

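A worked implementation of the agent that claims 1, 11 and 17 describe, added here as an illustration; it is not code from the patent or its assignee. The running average and standard deviation use Welford's update, which matches the claim language (each new value is derived from the old average, the new inter-message gap, the old deviation and the counter). Three things the independent claims leave open are assumptions in this example: the idle gap that separates one message from the next (MESSAGE_GAP_S), the minimum number of gaps before a tuple is judged (MIN_GAPS), and the suspicion condition itself, taken here to be a coefficient of variation (standard deviation divided by mean) at or below MAX_CV. The traffic is constructed inline, not captured.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumptions for this example; the patent leaves these to the dependent claims.
MESSAGE_GAP_S = 2.0  # silence longer than this starts a new message
MIN_GAPS = 4         # inter-message gaps required before judging a tuple
MAX_CV = 0.10        # alert when stddev / mean of the gaps is at or below this

Key = Tuple[int, str]            # (process id, remote address), the tuple in the claims
Packet = Tuple[float, int, str]  # (time, pid, dst)
Alert = Tuple[Key, float]


@dataclass
class PeriodicityObject:
    """Per-tuple state, mirroring the fields listed in claim 17."""
    last_packet_time: float     # time of the most recent packet for the tuple
    prev_message_start: float   # time the most recent message originated
    message_count: int = 1      # messages seen, counting the one that created us
    gap_count: int = 0          # inter-message gaps folded into the statistics
    avg_gap: float = 0.0        # running mean of inter-message time
    m2: float = 0.0             # Welford sum of squared deviations from the mean
    std_gap: float = 0.0        # running (population) standard deviation
    alerted: bool = False       # alert once per tuple rather than once per message

    def add_gap(self, gap: float) -> None:
        """Welford update: new mean and deviation computed from the old mean,
        the new gap, the old deviation sum and the counter."""
        self.gap_count += 1
        delta = gap - self.avg_gap
        self.avg_gap += delta / self.gap_count
        self.m2 += delta * (gap - self.avg_gap)
        self.std_gap = math.sqrt(self.m2 / self.gap_count)

    def suspicious(self) -> bool:
        """Assumed suspicion condition: enough samples and a tight spread."""
        return (self.gap_count >= MIN_GAPS
                and self.avg_gap > 0
                and self.std_gap <= MAX_CV * self.avg_gap)


class PeriodicityAgent:
    """The dictionary of periodicity objects plus the per-packet decision."""

    def __init__(self) -> None:
        self.objects: Dict[Key, PeriodicityObject] = {}

    def observe(self, pid: int, dst: str, t: float) -> Optional[Alert]:
        key: Key = (pid, dst)
        obj = self.objects.get(key)
        if obj is None:  # first sighting of the tuple: create it, nothing to compare yet
            self.objects[key] = PeriodicityObject(last_packet_time=t, prev_message_start=t)
            return None
        if t - obj.last_packet_time <= MESSAGE_GAP_S:
            obj.last_packet_time = t  # latest packet of an ongoing message
            return None
        # Initial packet of a new message: the gap is measured start-to-start.
        gap = t - obj.prev_message_start
        obj.prev_message_start = t
        obj.last_packet_time = t
        obj.message_count += 1
        obj.add_gap(gap)
        if obj.suspicious() and not obj.alerted:
            obj.alerted = True
            return key, t
        return None


def make_packets(pid: int, dst: str, starts: List[float],
                 packets_per_message: int = 3, spacing: float = 0.2) -> List[Packet]:
    """Expand message start times into a short burst of packets per message."""
    return [(s + i * spacing, pid, dst) for s in starts for i in range(packets_per_message)]


# Constructed sample traffic, not a real capture: a beacon firing every ~60 s
# with about +/-1 s of jitter, and a browser talking to a CDN node at random.
BEACON: Key = (4242, "203.0.113.7")
BROWSER: Key = (3101, "198.51.100.20")
SAMPLE_PACKETS: List[Packet] = sorted(
    make_packets(*BEACON, [0.0, 60.5, 120.2, 180.8, 240.3, 300.6])
    + make_packets(*BROWSER, [0.0, 5.0, 47.0, 52.5, 130.0, 200.0])
)


def run_detector(packets: List[Packet]) -> Tuple[PeriodicityAgent, List[Alert]]:
    """Replay packets in time order through a fresh agent and collect alerts."""
    agent = PeriodicityAgent()
    alerts: List[Alert] = []
    for t, pid, dst in packets:
        alert = agent.observe(pid, dst, t)
        if alert is not None:
            alerts.append(alert)
    return agent, alerts


if __name__ == "__main__":
    agent, alerts = run_detector(SAMPLE_PACKETS)
    for key, obj in agent.objects.items():
        print(f"{key}: messages={obj.message_count} mean_gap={obj.avg_gap:.2f}s "
              f"std={obj.std_gap:.2f}s suspicious={obj.suspicious()}")
    print("alerts:", alerts)
```

On the constructed data the beacon tuple is alerted at its fifth message (the fourth gap), while the browser's gaps have a coefficient of variation near 0.9 and never trip the condition. Two caveats for a real deployment: the idle gap that splits messages must be tuned per protocol (a long-poll or keepalive connection can make a beacon look like one endless message and never produce a gap), and jitter added by the implant widens the standard deviation, so the threshold trades misses against false alarms. Keying on the process identifier also means a beacon that rotates across several control addresses is split across tuples, each accumulating evidence more slowly.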
Specification