Mitigating communication and control attempts

US 10,320,810 B1
Filed: 10/31/2016
Issued: 06/11/2019
Est. Priority Date: 10/31/2016
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

transmit an initial communication and control profile to a first network monitoring system, wherein the initial communication and control profile includes at least one domain, extracted from a first application sample comprising at least one file during at least one of;

a static analysis and a dynamic analysis of the first application sample, and corresponding to a communication and control channel;

at least in part in response to information received from a second network monitoring system that is different from the first network monitoring system, revise the initial communication and control profile and change a verdict associated with a second application sample that is different from the first application sample; and

transmit an updated communication and control profile to the first network monitoring system; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The profiling and fingerprinting of communication and control (C&C) infrastructure is disclosed herein. An initial C&C profile is transmitted to a first network monitoring system. The initial C&C profile includes at least one of: (1) a domain corresponding to a C&C channel, and (2) a C&C pattern corresponding to a C&C channel. At least in part in response to information received from a second network monitoring system, the initial C&C profile is revised. An updated C&C profile is transmitted to the first network monitoring system.

33 Citations

View as Search Results

27 Claims

1. A system, comprising:
- a processor configured to;
  
  transmit an initial communication and control profile to a first network monitoring system, wherein the initial communication and control profile includes at least one domain, extracted from a first application sample comprising at least one file during at least one of;
  
  a static analysis and a dynamic analysis of the first application sample, and corresponding to a communication and control channel;
  
  at least in part in response to information received from a second network monitoring system that is different from the first network monitoring system, revise the initial communication and control profile and change a verdict associated with a second application sample that is different from the first application sample; and
  
  transmit an updated communication and control profile to the first network monitoring system; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1 wherein the processor is further configured to transmit the initial communication and control profile to an application sample analysis system.
  - 3. The system of claim 1 wherein the processor is further configured to transmit the updated communication and control profile to an application sample analysis system.
  - 4. The system of claim 1 wherein the first network monitoring system comprises a data appliance.
  - 5. The system of claim 1 wherein the initial communication and control profile is created at a communication and control pattern generation system in response to a message from an application sample analysis system.
  - 6. The system of claim 1 wherein the information received from the second network monitoring system comprises an additional domain corresponding to the initial communication and control profile.
  - 7. The system of claim 1 wherein the information received from the second network monitoring system comprises an additional pattern corresponding to the initial communication and control profile.
  - 8. The system of claim 1 wherein the information received from the second network monitoring system is obtained by the second network monitoring system from observed network traffic.
  - 9. The system of claim 1 wherein the initial communication and control profile comprises at least one of:
    - a plurality of communication and control patterns, and a plurality of communication and control domains.
  - 10. The system of claim 1 wherein the initial communication and control profile is built in response to analysis of a plurality of application samples by an application sample analysis system.
  - 11. The system of claim 1 wherein the processor is further configured to determine that a first communication and control profile and a second communication and control profile should be merged into a merged communication and control profile.
  - 12. The system of claim 1 wherein the first network monitoring system is configured to continue to use the initial communication and control profile for a period of time while passively monitoring using the updated communication and control profile.
  - 13. The system of claim 12 wherein, after the period of time has elapsed, the first network monitoring system stops using the initial communication and control profile and starts actively monitoring using the updated communication and control profile.

14. A method, comprising:
- transmitting an initial communication and control profile to a first network monitoring system, wherein the initial communication and control profile includes at least one domain, extracted from a first application sample comprising at least one file during at least one of;
  
  a static analysis and a dynamic analysis of the first application sample, and corresponding to a communication and control channel;
  
  at least in part in response to information received from a second network monitoring system that is different from the first network monitoring system, revising the initial communication and control profile and changing a verdict associated with a second application sample that is different from the first application sample; and
  
  transmitting an updated communication and control profile to the first network monitoring system.
- View Dependent Claims (15, 16, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 15. The method of claim 14 wherein the information received from the second network monitoring system comprises an additional domain corresponding to the initial communication and control profile.
  - 16. The method of claim 14 wherein the information received from the second network monitoring system comprises an additional pattern corresponding to the initial communication and control profile.
  - 18. The method of claim 14 further comprising transmitting the initial communication and control profile to an application sample analysis system.
  - 19. The method of claim 14 further comprising transmitting the updated communication and control profile to an application sample analysis system.
  - 20. The method of claim 14 wherein the first network monitoring system comprises a data appliance.
  - 21. The method of claim 14 wherein the initial communication and control profile is created at a communication and control pattern generation system in response to a message from an application sample analysis system.
  - 22. The method of claim 14 wherein the information received from the second network monitoring system is obtained by the second network monitoring system from observed network traffic.
  - 23. The method of claim 14 wherein the initial communication and control profile comprises at least one of:
    - a plurality of communication and control patterns, and a plurality of communication and control domains.
  - 24. The method of claim 14 wherein the initial communication and control profile is built in response to analysis of a plurality of application samples by an application sample analysis system.
  - 25. The method of claim 14 further comprising determining that a first communication and control profile and a second communication and control profile should be merged into a merged communication and control profile.
  - 26. The method of claim 14 wherein the first network monitoring system is configured to continue to use the initial communication and control profile for a period of time while passively monitoring using the updated communication and control profile.
  - 27. The method of claim 26 wherein, after the period of time has elapsed, the first network monitoring system stops using the initial communication and control profile and starts actively monitoring using the updated communication and control profile.

17. A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- transmitting an initial communication and control profile to a first network monitoring system, wherein the initial communication and control profile includes at least one domain, extracted from a first application sample comprising at least one file during at least one of;
  
  a static analysis and a dynamic analysis of the first application sample, and corresponding to a communication and control channel;
  
  at least in part in response to information received from a second network monitoring system that is different from the first network monitoring system, revising the initial communication and control profile and changing a verdict associated with a second application sample that is different from the first application sample; and
  
  transmitting an updated communication and control profile to the first network monitoring system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Xu, Zhi, Zheng, Cong
Primary Examiner(s)
Pyzocha, Michael

Application Number

US15/339,783
Time in Patent Office

953 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0254   Stateful filtering

H04L 63/1408   by monitoring network traff...

H04L 67/02   based on web technology, e....

H04L 67/04   specially adapted for termi...

H04L 67/10   in which an application is ...

H04L 67/125   involving control of end-de...

H04L 67/131   Protocols for games, networ...

H04L 67/30   Profiles

H04L 67/303   Terminal profiles

H04L 67/306   User profiles

H04L 67/53   using third party service p...

H04L 67/56   Provisioning of proxy servi...

H04L 67/564   Enhancement of application ...

Mitigating communication and control attempts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

33 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigating communication and control attempts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links