Systems and methods for identifying and performing an action in response to identified malicious network traffic
First Claim
1. A computer-implemented method of determining a malware protocol being used by a malware application to communicate to a malicious system, so that a blackhole system may then use the determined protocol to direct a potentially infected client device to perform a conditional action, the method comprising:
- responding to a determination using a list of domain names associated with malicious sources that a domain name received from the potentially infected client device is associated with a malicious system by sending the potentially infected client device an internet protocol (IP) address of the blackhole system rather than an IP address of the malicious system so as to intercept a first network communication from the potentially infected client device at the blackhole system;
- determining a malware protocol of the malware application through pattern matching and real-time interaction with the potentially infected client device in an iterative process in which the blackhole system, in response to receiving the first network communication, attempts to establish a connection with the malware application from the potentially infected client device, by sending more than one response communications to that first network communication using a first guessed malware protocol and depending on whether or not that first guessed protocol establishes a connection with the malware application, iteratively using more than one successive, guessed malware protocols from a plurality of protocols, to the infected client device until a successful connection has been made to identify the corresponding guessed malware protocol as a matching protocol; and
- the blackhole system using the matching protocol to emulate a malicious system by sending an instruction to the malware application to uninstall said malware application stored on the potentially infected client device.
Record data: 10 assignments, 0 petitions, 61 citations, 16 claims.
Abstract
Computer-implemented systems, methods, and computer-readable media are provided for causing an action to be performed in response to a network communication, such as a malicious network communication. In accordance with some embodiments, a first network communication sent from a client device is received, and a protocol used in the first network communication is determined. Once the protocol is determined, the protocol may be implemented to enable a second network communication with the client device. An action to be performed based at least in part on the protocol may be identified, and an instruction may be sent to the client device in the second network communication.
Claims
1. Independent claim 1 is reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer-implemented system for determining a malware protocol being used by a malware application to communicate to a malicious system, so that a blackhole system may then use the determined protocol to direct the client to perform a conditional action, comprising:
- a memory device that stores instructions; and
- one or more processors that execute the instructions to:
  - respond to a determination using a list of domain names associated with malicious sources that a domain name received from the potentially infected client device is associated with a malicious system by sending the potentially infected client device an internet protocol (IP) address of the blackhole system rather than an IP address of the malicious system so as to intercept a first network communication from the potentially infected client device at the blackhole system;
  - determine a malware protocol of the malware application through pattern matching and real-time interaction with the potentially infected client device in an iterative process in which the blackhole system, in response to receiving the first network communication, attempts to establish a connection with the malware application, by sending more than one response communications to that first communication using a first guessed malware protocol and depending on whether or not that first guessed protocol establishes a connection with the malware application, iteratively using more than one successive, guessed malware protocols from a plurality of protocols, to the potentially infected client device until a successful connection has been made to identify the corresponding guessed malware protocol as a matching protocol; and
  - use the matching protocol, by the blackhole system, to emulate a malicious system by sending an instruction to the malware application to uninstall said malware application stored on the potentially infected client device.
Dependent claims: 9, 10, 11, 12.
13. A non-transitory computer-readable medium storing instructions that, when executed by one or more processors, cause the one or more processors to perform a method of using a list of domain names associated with malicious sources so as to determine a malware protocol being used by a malware application to communicate to a malicious system, so that a blackhole system may then use the determined protocol to direct a client device to perform a conditional action, the method comprising:
- responding to a determination using said list of domain names associated with malicious sources that a domain name received from the potentially infected client device is associated with a malicious system by sending the potentially infected client device an internet protocol (IP) address of the blackhole system rather than an IP address of the malicious system so as to intercept a first network communication from the potentially infected client device at the blackhole system;
- determining a malware protocol of the malware application through pattern matching and real-time interaction with the potentially infected client device in an iterative process in which the blackhole system, in response to receiving the first network communication, attempts to establish a connection with the malware application, by sending more than one response communications to that first communication using a first guessed malware protocol and depending on whether or not that first guessed protocol establishes a connection with the malware application, iteratively using more than one successive, guessed malware protocols from a plurality of protocols, to the infected client device until a successful connection has been made to identify the corresponding guessed malware protocol as a matching protocol; and
- the blackhole system using the matching protocol to emulate a malicious system by sending an instruction to the malware application to uninstall said malware application stored on the potentially infected client device.
Dependent claims: 14, 15, 16.
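The three claimed steps (answering a listed domain with the blackhole's IP, iteratively guessing the malware protocol against the live client, and issuing the uninstall over the matched protocol), as an added Python simulation that is not code from the patent or any product. The blackhole address, the domain list, the two protocols and the stand-in client are constructed toy values, not real malware wire formats.

```python
from dataclasses import dataclass
from typing import Callable, Optional

BLACKHOLE_IP = "198.51.100.1"                      # constructed blackhole address
MALICIOUS_DOMAINS = {"c2.example", "bot.example"}   # constructed malicious-domain list
Client = Callable[[bytes], Optional[bytes]]         # reply to a blackhole message; None = dropped

def resolve(domain: str, real_ip: str) -> str:
    """Step 1: answer a listed domain with the blackhole IP instead of the real one."""
    return BLACKHOLE_IP if domain.lower().rstrip(".") in MALICIOUS_DOMAINS else real_ip

@dataclass
class Protocol:           # one guessed malware protocol
    name: str
    first_pattern: bytes  # pattern looked for in the client's first message
    hello: bytes          # blackhole's response sent under this guess
    ack_prefix: bytes     # a reply starting with this means the connection was established
    uninstall: bytes      # the instruction the emulated malicious system then sends

# Constructed toy protocols; these are not any real malware family's wire format.
PROTOCOLS = [
    Protocol("alpha", b"ALPHA", b"ALPHA-HELLO\n", b"ALPHA-ACK", b"ALPHA-CMD UNINSTALL\n"),
    Protocol("beta", b"BETA", b"\x01\x00BETA", b"\x02\x00", b"\x03\x00UNINSTALL"),
]

def match_protocol(first_msg: bytes, client: Client) -> Optional[Protocol]:
    """Step 2: try guesses against the live client until one connects."""
    # The pattern match on the first message only orders the guesses; the reply decides.
    ordered = sorted(PROTOCOLS, key=lambda p: p.first_pattern not in first_msg)
    for proto in ordered:
        reply = client(proto.hello)
        if reply is not None and reply.startswith(proto.ack_prefix):
            return proto
    return None

def blackhole_session(first_msg: bytes, client: Client) -> dict:
    """Step 3: emulate the malicious system over the matched protocol and send uninstall."""
    proto = match_protocol(first_msg, client)
    if proto is None:
        return {"protocol": None, "uninstall_sent": False}
    return {"protocol": proto.name, "uninstall_sent": client(proto.uninstall) is not None}

def make_beta_client() -> Client:  # constructed infected client that only speaks 'beta'
    def client(msg: bytes) -> Optional[bytes]:
        if msg.startswith(b"\x01\x00BETA"):
            return b"\x02\x00ok"          # handshake accepted
        if msg.startswith(b"\x03\x00"):
            return b"\x02\x00done"        # command acknowledged
        return None                       # unknown protocol: connection dropped
    return client
```

A client whose first message looks like "alpha" but that only answers the "beta" hello is still matched on the second guess, which is the iterative behaviour the claims describe.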
Specification