System and method for bot detection

US 10,587,636 B1
Filed: 04/17/2017
Issued: 03/10/2020
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a communication channel of a bot in a network, comprising:

analyzing a portion of network data being transmitted over the network;

configuring a module within a controller to determine a communication protocol being used in a transmission of the network data over a communication channel;

responsive to detecting the communication channel using the communication protocol, processing at least the portion of the network data within a first virtual machine to determine whether a bot communication exists by at least determining whether the portion of the network data includes a plurality of commands in a particular sequence that, according to the determined communication protocol, tend to be associated with the bot communication; and

performing a recovery process when the bot communication is detected, the recovery process including, determining one or more network devices that participated in communications using the communication channel operating as a command and control communication channel.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Exemplary systems and methods for detecting a communication channel of a bot. In exemplary embodiments, presence of a communication channel between a first network device and a second network device is detected. Data from the communication channel is scanned and used to determine if a suspected bot communication exists. If a bot communication is detected, then a recovery process may be initiated.

Citations

33 Claims

1. A method for detecting a communication channel of a bot in a network, comprising:
- analyzing a portion of network data being transmitted over the network;
  
  configuring a module within a controller to determine a communication protocol being used in a transmission of the network data over a communication channel;
  
  responsive to detecting the communication channel using the communication protocol, processing at least the portion of the network data within a first virtual machine to determine whether a bot communication exists by at least determining whether the portion of the network data includes a plurality of commands in a particular sequence that, according to the determined communication protocol, tend to be associated with the bot communication; and
  
  performing a recovery process when the bot communication is detected, the recovery process including, determining one or more network devices that participated in communications using the communication channel operating as a command and control communication channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 further comprising detecting a presence of the communication channel in the network between a first network device and a second network device of the one or more network devices.
  - 3. The method of claim 1, wherein the processing of at least the portion of the network data within the first virtual machine to determine whether the bot communication exists further includes determining that the portion of the network data originated from a non-standard port.
  - 4. The method of claim 3, wherein prior to the processing of at least the portion of the network data within a first virtual machine, the method includes determining whether the portion of network data associated with the communication channel is associated with the suspicious activity, the suspicious activity including bot related activities that comprise at least one of:
    - installing a copy of the bot on a third network device, establishing a command and control communication channel with the third network device, receiving one or more instructions from a bot-infected network device, transmitting a ping message to the third network device in a denial-of-service attack, receiving instructions to act as a keylogger, or transmitting personal information or email addresses over the network.
  - 5. The method of claim 4, wherein the third network device is different than both of the first network device and the second network device.
  - 6. The method of claim 1, wherein the processing of at least the portion of the network data includes analyzing content of at least the portion of the network data for a command of the plurality of commands directed to establishment of the communication channel being an Internet Relay Chat (IRC) channel.
  - 7. The method of claim 1, wherein the plurality of commands includes a first command to establish the communication channel followed by a scan command.
  - 8. The method of claim 7, wherein the first command establishes the communication channel being an Internet Relay Chat (IRC) channel.
  - 9. The method of claim 1, wherein the performing of the recovery process further includes identifying the one or more network devices that participated in communications using the communication channel operating as the command and control communication channel.
  - 10. The method of claim 9, wherein the identifying of the one or more network devices comprises adjusting a color of an icon associated with the one or more network devices.
  - 11. The method claim 1, wherein the determining whether the portion of the network data includes the plurality of commands in the particular sequence comprises scanning for commands that indicate a particular protocol associated with a command and control (C&
    - C) channel is being established.
  - 12. The method claim 11, wherein the plurality of commands in the particular sequence include a JOIN command followed by a SCAN command.
  - 13. The method of claim 1, wherein the plurality of commands that tend to establish a command and control (C&
    - C) communication channel.

14. A controller comprising:
- one or more processors; and
  
  a storage device communicatively coupled to the one or more processors, the storage device including;
  
  a first software module that, when executed by the one or more processors, to detect network data transmitted between a first network device and a second network device over a network,a second software module that, when executed by the one or more processors, to (i) determine a communication protocol being used in a transmission of the network data over a communication channel of the network, and (ii) scan at least a portion of the network data for a plurality of commands in a particular sequence that, according to the determined communication protocol, tend to be associated with a bot communication, the scan including analyzing content of at least the portion of the network data for bot related activities including analyzing for the plurality of commands, including a scan command utilized by a bot to gather information from a targeted source and transfer to a third network device over the communication channel;
  
  a third software module including a plurality of virtual machines, wherein each of the plurality of virtual machines is in communication with the second software module, wherein at least a first virtual machine of the plurality of virtual machines (1) receives at least the portion of the network data, and (2) processes at least the portion of the network data to detect a bot related activity, and wherein responsive to detection of the bot related activity, the third software module generates an activity signature based on at least the detected bot related activity, anda signature module to store generated activity signatures.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The controller of claim 14, wherein the second software module being further configured to analyzing whether the portion of the network data originated from a non-standard port.
  - 16. The controller of claim 14, wherein second software module that, when executed by the one or more processors, is further configured to scan at least the portion of the network data for suspicious activity including one or more bot related activities by at least installing a copy of the bot on the third network device, establishing a command and control communication channel with the third network device, transmitting a ping message to the third network device in a denial-of-service attack, or receiving instructions to act as a keylogger.
  - 17. The controller of claim 14, wherein the third network device is different than both of the first network device and the second network device.
  - 18. The controller of claim 14, wherein the scan by the second software module includes analyzing content of at least the portion of the network data for a JOIN command directed to establishing the communication channel between the first network device and the second network device via the network.
  - 19. The controller of claim 14, further comprising:
    - a heuristic module that identifies a bot server, the first network device or the second network device by analyzing one or more data packets of the network data.
  - 20. The controller of claim 19, wherein the first virtual machine is selected by the third software module based on one or more characteristics of one of the first network device or the second network based on identification by the heuristic module.
  - 21. The controller of claim 14, further comprising:
    - a fourth software module that, responsive to detection of the suspicious activities during scanning of at least the portion of the network data, performs a recovery process, wherein at least one of (i) the first network device, or (ii) the second network device are flagged as being associated with the suspicious activities.
  - 22. The controller of claim 14, wherein the second software scans at least the portion of the network data for the plurality of commands in the particular sequence by at least scanning for commands that indicate a particular protocol associated with a command and control (C&
    - C) communication channel is being established.
  - 23. The controller of claim 14, wherein the plurality of commands in the particular sequence includes a JOIN command followed by a SCAN command.

24. A controller comprising:
- one or more processors; and
  
  a storage system communicatively coupled with the one or more processors, the storage system includes a bot detection logic that, when executed by the one or more processors;
  
  (i) analyzes a portion of network data that permits control, via a network, of a first network device without authorization by a user of the first network device, (ii) configures a module within a controller that determines a communication protocol being used in a transmission of the network data over a communication channel, (iii) provides at least a portion of network data associated with the communication channel to a first virtual machine, and (iv) analyzes operations of the first virtual machine based on processing of at least the portion of the network data including (a) a plurality of commands in a particular sequence that, according to the communication protocol as determined by the controller, are part of the portion of the network data and tend to be associated with a bot communication and (b) the network data originated from a non-standard port.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 25. The controller of claim 24, the bot detection logic that, when executed by the one or more processors:
    - (v) generates and stores an activity signature based on analysis by the first virtual machine for use in subsequent analyses.
  - 26. The controller of claim 24, wherein detection of the communication channel that permits control of the first network device without authorization by the user of the network device includes detection of at least one or more bot related activities.
  - 27. The controller of claim 26, wherein the bot related activities include one or more activities from among a plurality of activities including:
    - (i) bot propagation, (ii) initiating a malware attack on the first network device, (iii) installing a copy of the bot on the first network device, (iv) establishing a command and control (C&
      
      C) communication channel with the first network device, (v) receiving one or more instructions from a bot-infected network device, (vi) transmitting a ping message to the first network device in a denial-of-service attack, (vii) transmitting spam across the communication channel, (viii) receiving instructions to act as a keylogger, (ix) recording keystrokes, (x) receiving instructions to search the first network device for personal information or email addresses, and (xi) transmitting personal information or email addresses over the network.
  - 28. The controller of claim 24, wherein the bot detection logic analyzes the operations of the first virtual machine by at least analyzing content of at least the portion of the network data for a command of the plurality of commands directed to establishing the communication channel being an Internet Relay Chat (IRC) channel.
  - 29. The controller of claim 24, wherein the bot detection logic that, when executed by the one or more processors:
    - identifies a bot server or the first network device by analyzing one or more data packets of the network data.
  - 30. The controller of claim 29, wherein the first virtual machine is selected based on one or more characteristics of the first network device based on identification via analysis of the one or more data packets of the network data.
  - 31. The controller of claim 24, wherein the bot detection logic that, when executed by the one or more processors:
    - responsive to detection of the communication channel that permits control, via a network, of the first network device without authorization by the user of the first network device, performing a recovery process, wherein the first network device is flagged as being associated with bot related activities.
  - 32. The controller of claim 24, wherein the bot detection logic analyzes operations of the first virtual machine based on processing of at least the portion of the network data including the plurality of commands in the particular sequence by at least scanning for commands that indicate a particular protocol associated with a command and control (C&
    - C) communication channel is being established.
  - 33. The controller of claim 24, wherein the plurality of commands in the particular sequence includes a JOIN command followed by a SCAN command.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Aziz, Ashar, Lai, Wei-Lung, Manni, Jayaraman
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Almeida, Devin E

Application Number

US15/489,661
Time in Patent Office

1,058 Days
Field of Search
US Class Current
CPC Class Codes

H03K 19/17744   for input/output signals

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

System and method for bot detection

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for bot detection

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links