Systems and methods for identifying and performing an action in response to identified malicious network traffic

US 10,432,658 B2
Filed: 01/20/2015
Issued: 10/01/2019
Est. Priority Date: 01/17/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of determining a malware protocol being used by a malware application to communicate to a malicious system, so that a blackhole system may then use the determined protocol to direct a potentially infected client device to perform a conditional action, the method comprising:

responding to a determination using a list of domain names associated with malicious sources that a domain name received from the potentially infected client device is associated with a malicious system by sending the potentially infected client device an internet protocol (IP) address of the blackhole system rather than an IP address of the malicious system so as to intercept a first network communication from the potentially infected client device at the blackhole system;

determining a malware protocol of the malware application through pattern matching and real-time interaction with the potentially infected client device in an iterative process in which the blackhole system, in response to receiving the first network communication, attempts to establish a connection with the malware application from the potentially infected client device, by sending more than one response communications to that first network communication using a first guessed malware protocol and depending on whether or not that first guessed protocol establishes a connection with the malware application, iteratively using more than one successive, guessed malware protocols from a plurality of protocols, to the infected client device until a successful connection has been made to identify the corresponding guessed malware protocol as a matching protocol; and

the blackhole system using the matching protocol to emulate a malicious system by sending an instruction to the malware application to uninstall said malware application stored on the potentially infected client device.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer-implemented systems, methods, and computer-readable media are provided for causing an action to be performed in response to a network communication, such as a malicious network communication. In accordance with some embodiments, a first network communication sent from a client device is received, and a protocol used in the first network communication is determined. Once the protocol is determined, the protocol may be implemented to enable a second network communication with the client device. An action to be performed based at least in part on the protocol may be identified, and an instruction may be sent to the client device in the second network communication.

61 Citations

View as Search Results

16 Claims

1. A computer-implemented method of determining a malware protocol being used by a malware application to communicate to a malicious system, so that a blackhole system may then use the determined protocol to direct a potentially infected client device to perform a conditional action, the method comprising:
- responding to a determination using a list of domain names associated with malicious sources that a domain name received from the potentially infected client device is associated with a malicious system by sending the potentially infected client device an internet protocol (IP) address of the blackhole system rather than an IP address of the malicious system so as to intercept a first network communication from the potentially infected client device at the blackhole system;
  
  determining a malware protocol of the malware application through pattern matching and real-time interaction with the potentially infected client device in an iterative process in which the blackhole system, in response to receiving the first network communication, attempts to establish a connection with the malware application from the potentially infected client device, by sending more than one response communications to that first network communication using a first guessed malware protocol and depending on whether or not that first guessed protocol establishes a connection with the malware application, iteratively using more than one successive, guessed malware protocols from a plurality of protocols, to the infected client device until a successful connection has been made to identify the corresponding guessed malware protocol as a matching protocol; and
  
  the blackhole system using the matching protocol to emulate a malicious system by sending an instruction to the malware application to uninstall said malware application stored on the potentially infected client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the first network connection is established between the malware application and a subsystem that implements the malware protocol.
  - 3. The computer-implemented method of claim 1, wherein the conditional action includes gathering, at the potentially infected client device, information about the malware application.
  - 4. The computer-implemented method of claim 1, wherein the conditional action includes gathering, at the potentially infected client device, information about the potentially infected client device and sending said first network communication including the information.
  - 5. The computer-implemented method of claim 1, wherein the conditional action includes gathering, at the infected client device, information about a network connection.
  - 6. The computer-implemented method of claim 1, further comprising:
    - intercepting a communication from a compromised computer to the malicious system, wherein the compromised computer is the client device and wherein the communication is the first network communication; and
      
      remediating malicious activity in the compromised computer by emulating the malicious system while sending the instruction to the malware application.
  - 7. The computer-implemented method of claim 1, further comprising:
    - intercepting a communication from a compromised computer to the malicious system, wherein the compromised computer is the client device and wherein the communication is the first network communication; and
      
      gathering information about malicious activity in the compromised computer by emulating the malicious system while sending the instruction to the malware application.

8. A computer-implemented system for determining a malware protocol being used by a malware application to communicate to a malicious system, so that a blackhole system may then use the determined protocol to direct the client to perform a conditional action, comprising:
- a memory device that stores instructions; and
  
  one or more processors that execute the instructions to;
  
  respond to a determination using a list of domain names associated with malicious sources that a domain name received from the potentially infected client device is associated with a malicious system by sending the potentially infected client device an internet protocol (IP) address of the blackhole system rather than an IP address of the malicious system so as to intercept a first network communication from the potentially infected client device at the blackhole system;
  
  determine a malware protocol of the malware application through pattern matching and real-time interaction with the potentially infected client device in an iterative process in which the blackhole system, in response to receiving the first network communication, attempts to establish a connection with the malware application, by sending more than one response communications to that first communication using a first guessed malware protocol and depending on whether or not that first guessed protocol establishes a connection with the malware application, iteratively using more than one successive, guessed malware protocols from a plurality of protocols, to the potentially infected client device until a successful connection has been made to identify the corresponding guessed malware protocol as a matching protocol; and
  
  use the matching protocol, by the blackhole system, to emulate a malicious system by sending an instruction to the malware application to uninstall said malware application stored on the potentially infected client device.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system of claim 8, wherein the connection is established between the malware application and a subsystem that implements the malware protocol.
  - 10. The system of claim 8, wherein the conditional action includes gathering, at the potentially infected client device, information about the malware application.
  - 11. The system of claim 8, wherein the conditional action includes gathering, at the potentially infected client device, information about the potentially infected client device and sending a network communication including the information.
  - 12. The system of claim 8, wherein the conditional action includes gathering, at the infected client device, information about a network connection.

13. A non-transitory computer-readable medium storing instructions that, when executed by one or more processors, cause the one or more processors to perform a method ofusing a list of domain names associated with malicious sources so as to determine a malware protocol being used by a malware application to communicate to a malicious system, so that a blackhole system may then use the determined protocol to direct a client device to perform a conditional action, the method comprising:
- responding to a determination using said list of domain names associated with malicious sources that a domain name received from the potentially infected client device is associated with a malicious system by sending the potentially infected client device an internet protocol (IP) address of the blackhole system rather than an IP address of the malicious system so as to intercept a first network communication from the potentially infected client device at the blackhole system;
  
  determining a malware protocol of the malware application through pattern matching and real-time interaction with the potentially infected client device in an iterative process in which the blackhole system, in response to receiving the first network communication, attempts to establish a connection with the malware application, by sending more than one response communications to that first communication using a first guessed malware protocol and depending on whether or not that first guessed protocol establishes a connection with the malware application, iteratively using more than one successive, guessed malware protocols from a plurality of protocols, to the infected client device until a successful connection has been made to identify the corresponding guessed malware protocol as a matching protocol; and
  
  the blackhole system using the matching protocol to emulate a malicious system by sending an instruction to the malware application to uninstall said malware application stored on the potentially infected client device.
- View Dependent Claims (14, 15, 16)
- - 14. The non-transitory computer-readable medium of claim 13, wherein the conditional action includes gathering, at the infected client device, information about the malware application.
  - 15. The non-transitory computer-readable medium of claim 13, wherein the conditional action includes gathering, at the infected client device, information about the infected client device.
  - 16. The non-transitory computer-readable medium of claim 13, wherein the conditional action includes gathering, at the infected client device, information about a network connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Percipient Networks, LLC (Gladiator Corporation), WatchGuard Technologies Incorporated (Gladiator Corporation)
Original Assignee
WatchGuard Technologies Incorporated (Gladiator Corporation)
Inventors
Back, Gregory Thomas, Cloke, Patrick Michael, Dicato, Jr., Stephen Ralph, Espinal, Daniel Eugenio, O'Boyle, Todd Aaron, Serafini, John Sheldon
Primary Examiner(s)
Kabir, Jahangir

Application Number

US14/600,885
Publication Number

US 20150207812A1
Time in Patent Office

1,715 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1441 Countermeasures against mal...

Systems and methods for identifying and performing an action in response to identified malicious network traffic

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for identifying and performing an action in response to identified malicious network traffic

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links