Method and system for detecting malware
First Claim
1. A method of analysis, comprising:
- collecting, using at least one decoy virtual machine, honeypot NX domain names from at least one known infected asset in at least one real network, the honeypot NX domain names being domain names that are not registered;
- collecting, using the at least one decoy virtual machine, real network NX domain names from at least one asset in the at least one real network;
- grouping the honeypot NX domain names and the real network NX domain names based on statistical similarities;
- creating at least one training vector, wherein the at least one training vector is created by: computing various statistical values for at least one group of the honeypot NX domain names, and collecting the various statistical values for the at least one group of the honeypot NX domain names in at least one vector;
- creating, using the real network NX domain names, a plurality of testing vectors, wherein the plurality of testing vectors are created by: computing various statistical values for at least one group of the real network NX domain names, and collecting the various statistical values for the at least one group of the real network NX domain names in the plurality of testing vectors;
- classifying each of the testing vectors as benign vectors or malicious vectors based on the at least one training vector; and
- classifying the at least one asset in the at least one real network as infected if at least one of the plurality of testing vectors is classified as a malicious vector.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
Abstract
A system and method of analysis. NX domain names are collected from an asset in a real network. The NX domain names are domain names that are not registered. The real network NX domain names are utilized to create testing vectors. The testing vectors are classified as benign vectors or malicious vectors based on training vectors. The asset is then classified as infected if the NX testing vector created from the real network NX domain names is classified as a malicious vector.
18 Claims
10. A system of analysis, comprising:
- at least one computer connected to at least one network;
- at least one application executing in the at least one computer, the at least one application configured for:
- collecting, using at least one decoy virtual machine, honeypot NX domain names from at least one known infected asset in at least one real network, the honeypot NX domain names being domain names that are not registered;
- collecting, using the at least one decoy virtual machine, real network NX domain names from at least one asset in the at least one real network;
- grouping the honeypot NX domain names and the real network NX domain names based on statistical similarities;
- creating at least one training vector, wherein the at least one training vector is created by: computing various statistical values for at least one group of the honeypot NX domain names, and collecting the various statistical values for the at least one group of the honeypot NX domain names in at least one vector;
- creating, using the real network NX domain names, a plurality of testing vectors, wherein the plurality of testing vectors are created by: computing various statistical values for at least one group of the real network NX domain names, and collecting the various statistical values for the at least one group of the real network NX domain names in the plurality of testing vectors;
- classifying each of the testing vectors as benign vectors or malicious vectors based on the at least one training vector; and
- classifying the at least one asset in the at least one real network as infected if at least one of the plurality of testing vectors is classified as a malicious vector.

Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
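The pipeline that claims 1 and 10 (and the abstract) describe, worked through end to end as an added example. This is not code from the patent or its specification, which does not appear on this page; everything concrete in it is an assumption chosen for illustration: the NX domain names (constructed, both the honeypot set and the two real-network assets), the grouping key (TLD plus a coarse label-length bucket standing in for the patent's "statistical similarities"), the four statistical values that make up each vector (scaled mean label length, scaled mean character entropy, mean digit fraction, mean vowel fraction), and the classifier (a testing vector is malicious if its Euclidean distance to the nearest honeypot-derived training vector is under an assumed threshold). An asset is reported infected when any of its testing vectors is malicious, as the final step of the claim requires.

```python
"""Simplified NXDOMAIN feature-vector detection pipeline (added example).

Constructed data and assumed feature/grouping/threshold choices; not the
patent's own implementation.
"""
import math
from collections import defaultdict

# Constructed sample: NX domain names seen from a known infected asset via a
# decoy VM (the "honeypot" set). They mimic algorithmically generated names.
HONEYPOT_NX = [
    "xk9fqzvbw2lp.com", "qj3hzrtvc8mw.com", "zp7vlqnxk4bd.com",
    "wm2kqzfbh9tr.net", "vb8xjqlzn3hp.net", "hq5zwxkcv7lm.net",
]

# Constructed sample: NX domain names seen per asset in the real network.
REAL_NETWORK_NX = {
    "10.0.0.5": [  # typos and stale names: benign-looking NXDOMAIN traffic
        "gogle.com", "faceboook.com", "amazn.com",
        "yutube.com", "linkedn.com", "githb.com",
    ],
    "10.0.0.9": [  # names whose statistics resemble the honeypot set
        "rt6qzxkvm2pb.com", "lz9wqkxjv4hn.com",
        "kp3xzqvbn7mw.net", "dv8qkzxlw5tf.net",
    ],
}

MAX_LABEL_LEN = 63            # DNS label length limit, used to scale lengths
MAX_ENTROPY = math.log2(36)   # entropy of a uniform [a-z0-9] label, for scaling
DISTANCE_THRESHOLD = 0.25     # assumed cut-off; would be tuned on real data


def split_name(name):
    """Return (second-level label, TLD) for a dotted domain name."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2], labels[-1]


def group_key(name):
    """Assumed grouping: same TLD and a coarse bucket of label length.
    A stand-in for the patent's grouping by 'statistical similarities'."""
    label, tld = split_name(name)
    return (tld, len(label) // 4)


def group_names(names):
    groups = defaultdict(list)
    for n in names:
        groups[group_key(n)].append(n)
    return dict(groups)


def entropy_bits(s):
    """Shannon entropy of the character distribution of s, in bits."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def mean(xs):
    xs = list(xs)
    return sum(xs) / len(xs)


def feature_vector(group):
    """The 'various statistical values' for one group, scaled to about [0, 1]."""
    labels = [split_name(n)[0] for n in group]
    return (
        mean(len(l) for l in labels) / MAX_LABEL_LEN,
        mean(entropy_bits(l) for l in labels) / MAX_ENTROPY,
        mean(sum(c.isdigit() for c in l) / len(l) for l in labels),
        mean(sum(c in "aeiou" for c in l) / len(l) for l in labels),
    )


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def build_training_vectors(honeypot_names):
    """One training vector per group of honeypot NX names."""
    return [feature_vector(g) for g in group_names(honeypot_names).values()]


def classify_vector(vec, training_vectors):
    """Assumed classifier: malicious if near any honeypot-derived vector."""
    nearest = min(euclid(vec, t) for t in training_vectors)
    return "malicious" if nearest <= DISTANCE_THRESHOLD else "benign"


def classify_asset(asset_names, training_vectors):
    """Infected if at least one of the asset's testing vectors is malicious."""
    testing_vectors = [feature_vector(g) for g in group_names(asset_names).values()]
    verdicts = [classify_vector(v, training_vectors) for v in testing_vectors]
    return "infected" if "malicious" in verdicts else "not infected"


def run():
    training = build_training_vectors(HONEYPOT_NX)
    return {asset: classify_asset(names, training)
            for asset, names in REAL_NETWORK_NX.items()}


if __name__ == "__main__":
    for asset, verdict in run().items():
        print(asset, verdict)
```

The scaling of length and entropy matters: without it, raw label length dominates the distance and the other statistical values have almost no effect. Because the classifier only measures closeness to honeypot-derived vectors, a real-network group whose NX names happen to share length, entropy and character-class statistics with the infected asset's names will be flagged even if its names are unrelated, which is the false-positive mode a deployment would have to tune the threshold and grouping against.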