Periodicity detection of network traffic

US 10,204,214 B2
Filed: 09/14/2016
Issued: 02/12/2019
Est. Priority Date: 09/14/2016
Status: Active Grant

First Claim

Patent Images

1. A method for identifying potential malware in a network environment, comprising:

detecting, on a server within the network environment, a communication from a process running on the server, wherein the communication is addressed to a remote device that is not part of the network environment;

determining a tuple comprising a process identifier for the process and an address for the remote device;

determining whether a periodicity object including the tuple currently exists;

in response to determining that the periodicity object currently exists, determining whether the communication is part of an ongoing message or is part of a new message;

in response to determining that the communication is part of the ongoing message, updating a last transmission time maintained by the periodicity object;

in response to determining that the communication is part of the new message;

calculating a time variance for the new message;

updating a message counter maintained by the periodicity object;

updating an average time variance maintained by the periodicity object based on the average time variance, the time variance, and the message counter;

updating a standard deviation maintained by the periodicity object based on the average time variance, the time variance, the standard deviation, and the message counter;

in response to updating the standard deviation, determining whether the standard deviation satisfies a suspicion condition; and

in response to determining that the standard deviation satisfies the suspicion condition, generating an alert.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The improved detection of malicious processes executing on a networked computing device is provided. An agent running on the networked computing device monitors the communications transmitted to devices outside of the network to determine whether the process is likely using a periodic beacon signal to communicate with an external control center associated with a potentially malicious party. The agent maintains a dictionary data structure of objects, identifiable by the process identifier and the remote device'"'"'s address, to track a given process/destination group'"'"'s communication history. The communication history is updated when new messages are identified for periodic patterns to be identified for the messages, which may be used to identify a process as potentially malicious.

Citations

20 Claims

1. A method for identifying potential malware in a network environment, comprising:
- detecting, on a server within the network environment, a communication from a process running on the server, wherein the communication is addressed to a remote device that is not part of the network environment;
  
  determining a tuple comprising a process identifier for the process and an address for the remote device;
  
  determining whether a periodicity object including the tuple currently exists;
  
  in response to determining that the periodicity object currently exists, determining whether the communication is part of an ongoing message or is part of a new message;
  
  in response to determining that the communication is part of the ongoing message, updating a last transmission time maintained by the periodicity object;
  
  in response to determining that the communication is part of the new message;
  
  calculating a time variance for the new message;
  
  updating a message counter maintained by the periodicity object;
  
  updating an average time variance maintained by the periodicity object based on the average time variance, the time variance, and the message counter;
  
  updating a standard deviation maintained by the periodicity object based on the average time variance, the time variance, the standard deviation, and the message counter;
  
  in response to updating the standard deviation, determining whether the standard deviation satisfies a suspicion condition; and
  
  in response to determining that the standard deviation satisfies the suspicion condition, generating an alert.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - wherein updating the message counter increments the message count for each message observed for a given tuple;
      
      prior to determining whether the suspicion condition is satisfied, determining whether the message counter meets a significance number of messages observed for the given tuple; and
      
      in response to determining that the message counter does not meet the significance number of messages observed for the given tuple, determining that the suspicion condition is not satisfied.
  - 3. The method of claim 1, wherein calculating the time variance comprises determining an inter-communications gap between the new message and a prior message.
  - 4. The method of claim 1, wherein calculating the time variance comprises determining a time range since a previous message started.
  - 5. The method of claim 1, wherein determining whether the standard deviation satisfies the suspicion condition further comprises:
    - comparing the standard deviation to a first periodicity threshold;
      
      comparing the standard deviation to a second periodicity threshold;
      
      when the standard deviation falls below the first periodicity threshold and does not fall below the second periodicity threshold, determining that the suspicion condition is satisfied.
  - 6. The method of claim 1, further comprising:
    - comparing the tuple to a known-safe tuple;
      
      in response to the tuple matching the known-safe tuple, determining that the suspicion condition is not satisfied.
  - 7. The method of claim 1, wherein the server maintains a dictionary comprising a plurality of periodicity objects, wherein each periodicity object maintained in the dictionary is associated with one tuple.
  - 8. The method of claim 7, further comprising:
    - in response to determining that the periodicity object does not currently exist, creating a new periodicity object associated with the tuple in the dictionary.
  - 9. The method of claim 1, wherein when the server has not observed a communication establishing handshake between the server and the remote device, the communication is ignored.
  - 10. The method of claim 1, determining whether the communication is part of the ongoing message or is part of the new message comprises:
    - measuring a time difference between when the communication was observed and when a previous communication was observed for the tuple, the periodicity object maintaining a last communication time associated with the previous communication;
      
      comparing the time difference to a minimal time definition;
      
      in response to the time difference exceeding the minimal time definition, determining that the communication is part of the new message; and
      
      in response to the time difference not exceeding the minimal time definition, determining that the communication is part of the ongoing message.

11. A system for identifying potential malware in a network environment, comprising:
- a plurality of servers within the network environment, each server of the plurality of servers comprising a processor and a computer memory storage device including instructions, which when executed by the processor, are operable to provide a periodicity agent on a given server, wherein the periodicity agent is operable to;
  
  monitor outbound communications from processes running on the given server to remote destinations outside of the network environment;
  
  create a periodicity object for each process/destination tuple, wherein the periodicity object maintains a process/destination tuple, a last communication time, a last message start time, an average time range between messages, and a standard deviation of the average time range;
  
  in response to observing an outbound communication for a given process/destination tuple at a given time;
  
  update the last communication time maintained by an associated periodicity object to the given time;
  
  determine whether the outbound communication is a latest communication of an ongoing message or a first communication of a new message;
  
  in response to determining that the outbound communication is a first communication, calculate a difference between the last message start time and the given time and update the average time range and the standard deviation based on the difference;
  
  in response to updating the standard deviation to satisfy a suspicion condition, generate an alert.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The system of claim 11, wherein a given periodicity object is deleted from the given server in response to an associated process terminating on the given server.
  - 13. The system of claim 11, wherein in response to observing the outbound communication for the given process/destination tuple, the given process/destination tuple is compared against a known-safe tuple filter;
    - andin response to the given process/tuple satisfying the known-safe tuple filter, ignore the outbound communication.
  - 14. The system of claim 11, wherein when the outbound communication is transmitted to a location within the network environment, ignore the outbound communication.
  - 15. The system of claim 11, wherein the alert quarantines the given server from the network environment.
  - 16. The system of claim 11, wherein the alert initiates a virus scan process on the given server.

17. A computer-readable storage device including instructions that when executed by a processor on a server are operable to provide a periodicity agent performing steps comprising:
- maintaining a dictionary of periodicity objects, wherein a periodicity object of the dictionary of periodicity objects maintains;
  
  a tuple comprising a process identifier and a destination address, the tuple identifying the periodicity object;
  
  a last packet time, identifying a time at which a most recent packet has been observed for the tuple;
  
  a previous message start time, identifying a time at which a most recent message observed for the tuple originated;
  
  an average inter-message time, maintaining a running calculation for a mean time between observing originations of successive messages for the tuple; and
  
  a standard deviation, maintaining a running calculation for variance between the originations of successive messages and the average inter-message time;
  
  detecting a communication from a process running on the server, wherein the communication is addressed to a device that is not part of a network environment to which the server belongs and is observed at a given time;
  
  identifying a message tuple for the communication;
  
  determining, based on the message tuple, whether the dictionary includes a matching periodicity object;
  
  in response to determining that the dictionary does not include the matching periodicity object, creating the matching periodicity object in the dictionary;
  
  in response to determining that the dictionary includes the matching periodicity object;
  
  determining whether the communication is an initial packet for a new message or a most-recent packet for an ongoing message;
  
  in response to determining that the communication is the most-recent packet, updating the last transmission time maintained by the matching periodicity object to the given time;
  
  in response to determining that the communication is the initial packet;
  
  calculating a time difference between the given time and the previous message start time and updating the previous message start time to the given time;
  
  updating the average inter-message time maintained by the matching periodicity object based on the time difference;
  
  updating the standard deviation maintained by the matching periodicity object based on the time difference;
  
  in response to updating the standard deviation, determining whether the standard deviation satisfies a suspicion condition; and
  
  in response to determining that the standard deviation satisfies the suspicion condition, generating an alert.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable storage device of claim 17, wherein the periodicity object further maintains:
    - a message counter, identifying a number of messages observed for the tuple since creation of the periodicity object; and
      
      the message counter maintained by the matching periodicity object is incremented in response to determining that the communication is the initial packet.
  - 19. The computer-readable storage device of claim 17, wherein whether the communication is the initial packet for the new message or the most-recent packet for the ongoing message is determined by comparing a difference between the given time and the last transmission time to a defined minimal duration;
    - in response to the difference exceeding the defined minimal duration, determining that the communication is the initial packet; and
      
      in response to the difference not exceeding the defined minimal duration, determining that the communication is the most-recent packet.
  - 20. The computer-readable storage device of claim 17, wherein when the communication is detected but the periodicity agent has not observed a communications handshake between the device and server, the communication is ignored.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Reed, Kyle Allan, Swann, Matthew Michael, Thayer, Edward Chris
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Le, Thanh H

Application Number

US15/265,670
Publication Number

US 20180077177A1
Time in Patent Office

881 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/561   Virus type analysis

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2151   Time stamp

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/535   Tracking the activity of th...

Periodicity detection of network traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Periodicity detection of network traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links