System and method for strategic anti-malware monitoring
First Claim
1. A method for detecting and remediating botnet participation in a network, comprising:
- communicating with a scanning target located in the network to obtain netstat information describing a plurality of current connections on the scanning target;
- detecting that the scanning target is a participant in a botnet based on the netstat information;
- determining connectivity associated with the botnet based at least in part on the netstat information describing the plurality of current connections on the scanning target, wherein the determined connectivity indicates a topology associated with one or more compromised hosts that have been recruited into participation in the botnet and botnet traffic attributable to each of the one or more compromised hosts; and
- disabling network connectivity for at least the scanning target and the one or more compromised hosts to isolate the network from the botnet traffic.
Record: 3 assignments, 0 petitions.
Abstract
The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may be communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued, to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content, and to audit anti-virus strategies deployed in the network.
Claims (30 in total; 3 citations on record)
The independent claims 1, 11 and 21 follow.
1. Independent claim 1 is reproduced above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system for detecting and remediating botnet participation in a network, comprising:
- a memory; and
- one or more processors coupled to the memory and configured to:
  - communicate with a scanning target located in the network to obtain netstat information describing a plurality of current connections on the scanning target;
  - detect that the scanning target is a participant in a botnet based on the netstat information;
  - determine connectivity associated with the botnet based at least in part on the netstat information describing the plurality of current connections on the scanning target, wherein the determined connectivity indicates a topology associated with one or more compromised hosts that have been recruited into participation in the botnet and botnet traffic attributable to each of the one or more compromised hosts; and
  - disable network connectivity for at least the scanning target and the one or more compromised hosts to isolate the network from the botnet traffic.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.

21. A non-transitory computer-readable storage medium having computer-executable instructions stored thereon for strategic anti-malware monitoring in a network, wherein executing the computer-executable instructions by one or more processors causes the one or more processors to:
- communicate with a scanning target located in the network to obtain netstat information describing a plurality of current connections on the scanning target;
- detect that the scanning target is a participant in a botnet based on the netstat information;
- determine connectivity associated with the botnet based at least in part on the netstat information describing the plurality of current connections on the scanning target, wherein the determined connectivity indicates a topology associated with one or more compromised hosts that have been recruited into participation in the botnet and botnet traffic attributable to each of the one or more compromised hosts; and
- disable network connectivity for at least the scanning target and the one or more compromised hosts to isolate the network from the botnet traffic.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30.
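As an added example (not the patent's own code), the following Python walks the steps of independent claim 1 over a constructed netstat snapshot: it parses the current connections of the scanning target, flags the target as a botnet participant when a connection reaches a known C2 endpoint, infers the topology of internal peers sharing that C2 channel together with the botnet connections attributable to each host, and produces the list of hosts whose network connectivity would be disabled. The C2 indicator set, the 10.0.0.0/24 range, the netstat lines, and the "internal peer on the C2 port is a recruited bot" heuristic are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample data: one known C2 endpoint and the managed network range.
KNOWN_C2 = {("203.0.113.7", 6667)}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")

# Constructed "netstat -an" style output, as if retrieved from scanning target 10.0.0.5.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address     State
tcp        0      0 10.0.0.5:49152     203.0.113.7:6667    ESTABLISHED
tcp        0      0 10.0.0.5:49153     10.0.0.9:6667       ESTABLISHED
tcp        0      0 10.0.0.5:6667      10.0.0.12:50021     ESTABLISHED
tcp        0      0 10.0.0.5:22        10.0.0.2:51000      ESTABLISHED
tcp        0      0 0.0.0.0:22         0.0.0.0:*           LISTEN
"""

LINE_RE = re.compile(r"^(tcp|udp)\S*\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)")

def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote_ip, remote_port, state) per connection."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(5) != "*":  # skip listeners and wildcard sockets
            proto, lip, lport, rip, rport, state = m.groups()
            conns.append((proto, lip, int(lport), rip, int(rport), state))
    return conns

def analyze_target(netstat_text, known_c2=KNOWN_C2, internal=INTERNAL_NET):
    """Claim 1 steps: detect participation, infer topology and per-host traffic, list hosts to isolate."""
    conns = parse_netstat(netstat_text)
    c2_hits = [c for c in conns if (c[3], c[4]) in known_c2]
    if not c2_hits:
        return {"participant": False, "topology": {}, "traffic": {}, "isolate": []}
    target = c2_hits[0][1]
    bot_ports = {c[4] for c in c2_hits}  # port(s) the C2 channel runs on
    topology = defaultdict(list)  # host -> botnet connections attributable to it
    for proto, lip, lport, rip, rport, state in conns:
        is_c2 = (rip, rport) in known_c2
        # Assumption: internal peers talking on the C2 port are recruited bots relaying the same protocol.
        is_peer = ipaddress.ip_address(rip) in internal and (rport in bot_ports or lport in bot_ports)
        if is_c2 or is_peer:
            edge = f"{proto} {lip}:{lport} <-> {rip}:{rport} ({state})"
            topology[target].append(edge)
            if is_peer:
                topology[rip].append(edge)
    traffic = {host: len(edges) for host, edges in topology.items()}
    isolate = sorted(topology, key=ipaddress.ip_address)  # target plus every recruited peer
    return {"participant": True, "topology": dict(topology), "traffic": traffic, "isolate": isolate}
```

The benign SSH session to 10.0.0.2 and the listening socket are left out of the topology, so only the target and the two peers on the C2 port end up on the isolation list.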
Specification