System and method for strategic anti-malware monitoring

US 10,581,899 B2
Filed: 11/27/2018
Issued: 03/03/2020
Est. Priority Date: 07/05/2012
Status: Active Grant

First Claim

Patent Images

1. A method for detecting and remediating botnet participation in a network, comprising:

communicating with a scanning target located in the network to obtain netstat information describing a plurality of current connections on the scanning target;

detecting that the scanning target is a participant in a botnet based on the netstat information;

determining connectivity associated with the botnet based at least in part on the netstat information describing the plurality of current connections on the scanning target, wherein the determined connectivity indicates a topology associated with one or more compromised hosts that have been recruited into participation in the botnet and botnet traffic attributable to each of the one or more compromised hosts; and

disabling network connectivity for at least the scanning target and the one or more compromised hosts to isolate the network from the botnet traffic.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and audit anti-virus strategies deployed in the network.

3 Citations

View as Search Results

30 Claims

1. A method for detecting and remediating botnet participation in a network, comprising:
- communicating with a scanning target located in the network to obtain netstat information describing a plurality of current connections on the scanning target;
  
  detecting that the scanning target is a participant in a botnet based on the netstat information;
  
  determining connectivity associated with the botnet based at least in part on the netstat information describing the plurality of current connections on the scanning target, wherein the determined connectivity indicates a topology associated with one or more compromised hosts that have been recruited into participation in the botnet and botnet traffic attributable to each of the one or more compromised hosts; and
  
  disabling network connectivity for at least the scanning target and the one or more compromised hosts to isolate the network from the botnet traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the detecting includes:
    - identifying one or more Internet Protocol (IP) addresses associated with each of the plurality of current connections on the scanning target; and
      
      comparing the one or more IP addresses to a list that includes one or more known botnet IP addresses; and
      
      determining that the scanning target is a participant in the botnet in response to at least one of the one or more IP addresses appearing in the list.
  - 3. The method of claim 2,wherein the identifying identifies a source IP address and a destination IP address associated with each of the plurality of current connections on the scanning target,wherein the comparing compares the source IP address and the destination IP address to the list, andwherein the botnet determination is based on one or more of the source IP address or the destination IP address appearing in the list.
  - 4. The method recited in claim 1, wherein the detecting includes:
    - scanning a web application on the scanning target;
      
      identifying at least one external network address to which the scanned web application points; and
      
      determining that the scanning target is a participant in the botnet in response to the at least one external network address to which the scanned web application points corresponding to one or more of an Internet Protocol (IP) address that appears in a list that includes one or more known botnet IP addresses or a domain name system (DNS) name associated with known botnet activity.
  - 5. The method recited in claim 1, wherein the detecting detects that the scanning target is a participant in the botnet in response to information describing traffic associated with at least one connection observed in the network indicating that the at least one connection has a source Internet Protocol (IP) address or a destination IP address that appears in a list that includes one or more known botnet IP addresses.
  - 6. The method of claim 5, further comprising:
    - determining whether the detected participation in the botnet originated from a malicious external IP address associated with the botnet or an internal host that reached out to the malicious external IP address associated with the botnet based on the information describing the traffic associated with the at least one connection.
  - 7. The method of claim 1, wherein the detecting detects that the scanning target is a participant in the botnet in response to information describing traffic associated with at least one connection observed in the network indicating that the traffic includes a query to a domain name system (DNS) Internet Protocol (IP) address that appears in a list that includes one or more known botnet IP addresses.
  - 8. The method of claim 7, further comprising:
    - determining whether the detected participation in the botnet originated from a malicious external IP address associated with the botnet or an internal host that reached out to the malicious external IP address associated with the botnet based on the information describing the traffic associated with the at least one connection.
  - 9. The method recited in claim 1, further comprising:
    - identifying an IP address associated with the scanning target; and
      
      detecting that the scanning target is a participant in the botnet in response to the IP address associated with the scanning target appearing in a list that includes one or more known botnet IP addresses.
  - 10. The method recited in claim 1, further comprising:
    - identifying a Domain Name System (DNS) Internet Protocol (IP) address used on the scanning target; and
      
      detecting that the scanning target is a participant in the botnet in response to the DNS IP address used on the scanning target appearing in a list that includes one or more known botnet IP addresses.

11. A system for detecting and remediating botnet participation in a network, comprising:
- a memory; and
  
  one or more processors coupled to the memory and configured to;
  
  communicate with a scanning target located in the network to obtain netstat information describing a plurality of current connections on the scanning target;
  
  detect that the scanning target is a participant in a botnet based on the netstat information;
  
  determine connectivity associated with the botnet based at least in part on the netstat information describing the plurality of current connections on the scanning target, wherein the determined connectivity indicates a topology associated with one or more compromised hosts that have been recruited into participation in the botnet and botnet traffic attributable to each of the one or more compromised hosts; and
  
  disable network connectivity for at least the scanning target and the one or more compromised hosts to isolate the network from the botnet traffic.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the one or more processors are configured to detect that the scanning target is a participant in the botnet by:
    - identifying one or more Internet Protocol (IP) addresses associated with each of the plurality of current connections on the scanning target; and
      
      comparing the one or more IP addresses to a list that includes one or more known botnet IP addresses; and
      
      determining that the scanning target is a participant in the botnet in response to at least one of the one or more IP addresses appearing in the list.
  - 13. The system of claim 12,wherein the identifying identifies a source IP address and a destination IP address associated with each of the plurality of current connections on the scanning target,wherein the comparing compares the source IP address and the destination IP address to the list, andwherein the botnet determination is based on one or more of the source IP address or the destination IP address appearing in the list.
  - 14. The system recited in claim 11, wherein the one or more processors are configured to detect that the scanning target is a participant in the botnet by:
    - scanning a web application on the scanning target;
      
      identifying at least one external network address to which the scanned web application points; and
      
      determining that the scanning target is a participant in the botnet in response to the at least one external network address to which the scanned web application points corresponding to one or more of an Internet Protocol (IP) address that appears in a list that includes one or more known botnet IP addresses or a domain name system (DNS) name associated with known botnet activity.
  - 15. The system recited in claim 11, wherein the one or more processors are configured to detect that the scanning target is a participant in the botnet in response to information describing traffic associated with at least one connection observed in the network indicating that the at least one connection has a source Internet Protocol (IP) address or a destination IP address that appears in a list that includes one or more known botnet IP addresses.
  - 16. The system of claim 15, wherein the one or more processors are further configured to:
    - determine whether the detected participation in the botnet originated from a malicious external IP address associated with the botnet or an internal host that reached out to the malicious external IP address associated with the botnet based on the information describing the traffic associated with the at least one connection.
  - 17. The system of claim 11, wherein the one or more processors are configured to detect that the scanning target is a participant in the botnet in response to information describing traffic associated with at least one connection observed in the network indicating that the traffic includes a query to a domain name system (DNS) Internet Protocol (IP) address that appears in a list that includes one or more known botnet IP addresses.
  - 18. The system of claim 17, wherein the one or more processors are further configured to:
    - determine whether the detected participation in the botnet originated from a malicious external IP address associated with the botnet or an internal host that reached out to the malicious external IP address associated with the botnet based on the information describing the traffic associated with the at least one connection.
  - 19. The system recited in claim 11, wherein the one or more processors are further configured to:
    - identify an IP address associated with the scanning target; and
      
      detect that the scanning target is a participant in the botnet in response to the IP address associated with the scanning target appearing in a list that includes one or more known botnet IP addresses.
  - 20. The system recited in claim 11, wherein the one or more processors are further configured to:
    - identify a Domain Name System (DNS) Internet Protocol (IP) address used on the scanning target; and
      
      detect that the scanning target is a participant in the botnet in response to the DNS IP address used on the scanning target appearing in a list that includes one or more known botnet IP addresses.

21. A non-transitory computer-readable storage medium having computer-executable instructions stored thereon for strategic anti-malware monitoring in a network, wherein executing the computer-executable instructions by one or more processors causes the one or more processors to:
- communicate with a scanning target located in the network to obtain netstat information describing a plurality of current connections on the scanning target;
  
  detect that the scanning target is a participant in a botnet based on the netstat information;
  
  determine connectivity associated with the botnet based at least in part on the netstat information describing the plurality of current connections on the scanning target, wherein the determined connectivity indicates a topology associated with one or more compromised hosts that have been recruited into participation in the botnet and botnet traffic attributable to each of the one or more compromised hosts; and
  
  disable network connectivity for at least the scanning target and the one or more compromised hosts to isolate the network from the botnet traffic.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The non-transitory computer-readable storage medium of claim 21, wherein the computer-executable instructions cause the one or more processors to detect that the scanning target is a participant in the botnet by:
    - identifying one or more Internet Protocol (IP) addresses associated with each of the plurality of current connections on the scanning target; and
      
      comparing the one or more IP addresses to a list that includes one or more known botnet IP addresses; and
      
      determining that the scanning target is a participant in the botnet in response to at least one of the one or more IP addresses appearing in the list.
  - 23. The non-transitory computer-readable storage medium of claim 22,wherein the identifying identifies a source IP address and a destination IP address associated with each of the plurality of current connections on the scanning target,wherein the comparing compares the source IP address and the destination IP address to the list, andwherein the botnet determination is based on one or more of the source IP address or the destination IP address appearing in the list.
  - 24. The non-transitory computer-readable storage medium recited in claim 21, wherein the computer-executable instructions cause the one or more processors to detect that the scanning target is a participant in the botnet by:
    - scanning a web application on the scanning target;
      
      identifying at least one external network address to which the scanned web application points; and
      
      determining that the scanning target is a participant in the botnet in response to the at least one external network address to which the scanned web application points corresponding to one or more of an Internet Protocol (IP) address that appears in a list that includes one or more known botnet IP addresses or a domain name system (DNS) name associated with known botnet activity.
  - 25. The non-transitory computer-readable storage medium recited in claim 21, wherein the computer-executable instructions cause the one or more processors to detect that the scanning target is a participant in the botnet in response to information describing traffic associated with at least one connection observed in the network indicating that the at least one connection has a source Internet Protocol (IP) address or a destination IP address that appears in a list that includes one or more known botnet IP addresses.
  - 26. The non-transitory computer-readable storage medium of claim 25, wherein the computer-executable instructions further cause the one or more processors to:
    - determine whether the detected participation in the botnet originated from a malicious external IP address associated with the botnet or an internal host that reached out to the malicious external IP address associated with the botnet based on the information describing the traffic associated with the at least one connection.
  - 27. The non-transitory computer-readable storage medium of claim 21, wherein the computer-executable instructions cause the one or more processors to detect that the scanning target is a participant in the botnet in response to information describing traffic associated with at least one connection observed in the network indicating that the traffic includes a query to a domain name system (DNS) Internet Protocol (IP) address that appears in a list that includes one or more known botnet IP addresses.
  - 28. The non-transitory computer-readable storage medium of claim 27, wherein the computer-executable instructions further cause the one or more processors to:
    - determine whether the detected participation in the botnet originated from a malicious external IP address associated with the botnet or an internal host that reached out to the malicious external IP address associated with the botnet based on the information describing the traffic associated with the at least one connection.
  - 29. The non-transitory computer-readable storage medium recited in claim 21, wherein the computer-executable instructions further cause the one or more processors to:
    - identify an IP address associated with the scanning target; and
      
      detect that the scanning target is a participant in the botnet in response to the IP address associated with the scanning target appearing in a list that includes one or more known botnet IP addresses.
  - 30. The non-transitory computer-readable storage medium recited in claim 21, wherein the computer-executable instructions further cause the one or more processors to:
    - identify a Domain Name System (DNS) Internet Protocol (IP) address used on the scanning target; and
      
      detect that the scanning target is a participant in the botnet in response to the DNS IP address used on the scanning target appearing in a list that includes one or more known botnet IP addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tenable, Inc. (Tenable Holdings, Inc.)
Original Assignee
Tenable, Inc. (Tenable Holdings, Inc.)
Inventors
Ranum, Marcus J., Gula, Ron
Primary Examiner(s)
Pearson, David J

Application Number

US16/200,797
Publication Number

US 20190089718A1
Time in Patent Office

462 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/903   Querying for retrieval from...

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

H04L 61/4511   using domain name system [DNS]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

System and method for strategic anti-malware monitoring

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

3 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for strategic anti-malware monitoring

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

3 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links