System and method for bot detection
First Claim
1. A method for detecting a communication channel of a bot in a network, comprising:
- analyzing a portion of network data being transmitted over the network;
- configuring a module within a controller to determine a communication protocol being used in a transmission of the network data over a communication channel;
- responsive to detecting the communication channel using the communication protocol, processing at least the portion of the network data within a first virtual machine to determine whether a bot communication exists by at least determining whether the portion of the network data includes a plurality of commands in a particular sequence that, according to the determined communication protocol, tend to be associated with the bot communication; and
- performing a recovery process when the bot communication is detected, the recovery process including determining one or more network devices that participated in communications using the communication channel operating as a command and control communication channel.
Abstract
Exemplary systems and methods for detecting a communication channel of a bot. In exemplary embodiments, presence of a communication channel between a first network device and a second network device is detected. Data from the communication channel is scanned and used to determine if a suspected bot communication exists. If a bot communication is detected, then a recovery process may be initiated.
33 Claims
1. (Independent claim 1, set out in full above under First Claim.)
Dependent claims: 2 to 13.
14. A controller comprising:
- one or more processors; and
- a storage device communicatively coupled to the one or more processors, the storage device including:
  - a first software module that, when executed by the one or more processors, to detect network data transmitted between a first network device and a second network device over a network;
  - a second software module that, when executed by the one or more processors, to (i) determine a communication protocol being used in a transmission of the network data over a communication channel of the network, and (ii) scan at least a portion of the network data for a plurality of commands in a particular sequence that, according to the determined communication protocol, tend to be associated with a bot communication, the scan including analyzing content of at least the portion of the network data for bot related activities including analyzing for the plurality of commands, including a scan command utilized by a bot to gather information from a targeted source and transfer to a third network device over the communication channel;
  - a third software module including a plurality of virtual machines, wherein each of the plurality of virtual machines is in communication with the second software module, wherein at least a first virtual machine of the plurality of virtual machines (1) receives at least the portion of the network data, and (2) processes at least the portion of the network data to detect a bot related activity, and wherein responsive to detection of the bot related activity, the third software module generates an activity signature based on at least the detected bot related activity; and
  - a signature module to store generated activity signatures.
Dependent claims: 15 to 23.
24. A controller comprising:
- one or more processors; and
- a storage system communicatively coupled with the one or more processors, the storage system includes a bot detection logic that, when executed by the one or more processors:
  - (i) analyzes a portion of network data that permits control, via a network, of a first network device without authorization by a user of the first network device,
  - (ii) configures a module within a controller that determines a communication protocol being used in a transmission of the network data over a communication channel,
  - (iii) provides at least a portion of network data associated with the communication channel to a first virtual machine, and
  - (iv) analyzes operations of the first virtual machine based on processing of at least the portion of the network data including (a) a plurality of commands in a particular sequence that, according to the communication protocol as determined by the controller, are part of the portion of the network data and tend to be associated with a bot communication and (b) the network data originated from a non-standard port.
Dependent claims: 25 to 33.
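As an added illustration, not the patent's own implementation, the following Python sketch maps the elements of the three independent claims onto one small heuristic detector: protocol identification from content rather than port (claims 1, 14, 24), an ordered-command check (all three), a non-standard-port test (claim 24), an activity signature (claim 14), and the recovery step that lists the devices sharing the flagged channel (claim 1). The port table, the command sequence, the message-command list, the `Flow` record and the sample traffic are all assumptions constructed for the example; addresses come from the documentation ranges.

```python
"""Heuristic bot C2 channel detector modelled on the claim elements above.
Constructed example; not the patent's code. All tables below are assumed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Well-known ports per protocol; traffic elsewhere counts as "non-standard port" (assumed table).
STANDARD_PORTS: Dict[str, Set[int]] = {"irc": {6667, 6697}, "http": {80, 443, 8080}}

# Per-protocol command sequence that, in order, tends to accompany a bot check-in
# (assumed heuristic: registration, channel join, then a command carried in a message).
BOT_SEQUENCES: Dict[str, List[str]] = {"irc": ["NICK", "USER", "JOIN", "PRIVMSG"]}

# Message-level commands a controller typically pushes to a bot (assumed list).
BOT_MESSAGE_COMMANDS = {".scan", ".download", ".update"}

_HTTP_REQUEST = re.compile(r"^(GET|POST|HEAD) \S+ HTTP/1\.[01]$")
_IRC_VERBS = {"NICK", "USER", "JOIN", "PRIVMSG", "PING", "PONG", "PASS"}


@dataclass
class Flow:
    src: str           # device that opened the connection
    dst: str           # server end of the channel
    dst_port: int
    lines: List[str]   # reassembled application-layer lines seen on the channel


def _verb(line: str) -> str:
    parts = line.split()
    return parts[0].upper() if parts else ""


def detect_protocol(lines: List[str]) -> Optional[str]:
    """Identify the application protocol from content, not from the port number."""
    if any(_HTTP_REQUEST.match(l) for l in lines):
        return "http"
    if sum(_verb(l) in _IRC_VERBS for l in lines) >= 2:
        return "irc"
    return None


def has_command_sequence(lines: List[str], sequence: List[str]) -> bool:
    """True if the verbs in `sequence` occur in that order (gaps between them allowed)."""
    want = 0
    for l in lines:
        if want < len(sequence) and _verb(l) == sequence[want]:
            want += 1
    return want == len(sequence)


def message_commands(lines: List[str]) -> List[str]:
    """Extract controller-style commands carried inside PRIVMSG payloads."""
    found = []
    for l in lines:
        parts = l.split(" ", 2)
        if len(parts) == 3 and parts[0].upper() == "PRIVMSG":
            words = parts[2].lstrip(":").split()
            if words and words[0].lower() in BOT_MESSAGE_COMMANDS:
                found.append(words[0].lower())
    return found


def analyze_flow(flow: Flow) -> Optional[dict]:
    """Return a detection record carrying an activity signature, or None."""
    proto = detect_protocol(flow.lines)
    if proto is None or proto not in BOT_SEQUENCES:
        return None
    if not has_command_sequence(flow.lines, BOT_SEQUENCES[proto]):
        return None
    cmds = message_commands(flow.lines)
    if not cmds:
        return None  # ordinary chat session: registration and join, but no controller command
    return {
        "channel": (flow.dst, flow.dst_port),
        "protocol": proto,
        "non_standard_port": flow.dst_port not in STANDARD_PORTS[proto],
        "signature": f"{proto}:" + ">".join(BOT_SEQUENCES[proto]) + ":" + ",".join(sorted(set(cmds))),
    }


def scan(flows: List[Flow]) -> List[dict]:
    """Run the detector over every flow and keep the hits."""
    return [d for d in (analyze_flow(f) for f in flows) if d is not None]


def recover_participants(flows: List[Flow], channel: Tuple[str, int]) -> List[str]:
    """Recovery step: every device that communicated over the flagged C2 channel."""
    hosts = {channel[0]}
    for f in flows:
        if (f.dst, f.dst_port) == channel:
            hosts.add(f.src)
    return sorted(hosts)


# Constructed sample traffic: two infected hosts on one odd-port IRC channel,
# one benign IRC chat on the standard port, and one plain HTTP request.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 5050,
         ["NICK bot-7f3a", "USER bot 0 * :bot", "JOIN #ctl", "PRIVMSG #ctl :.scan localnet"]),
    Flow("10.0.0.9", "203.0.113.7", 5050,
         ["NICK bot-c21e", "USER bot 0 * :bot", "JOIN #ctl", "PRIVMSG #ctl :.download update.bin"]),
    Flow("10.0.0.12", "198.51.100.3", 6667,
         ["NICK alice", "USER alice 0 * :Alice", "JOIN #chat", "PRIVMSG #chat :hello everyone"]),
    Flow("10.0.0.20", "198.51.100.8", 80, ["GET /index.html HTTP/1.1", "Host: example.org"]),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FLOWS):
        print(hit)
        print("participants:", recover_participants(SAMPLE_FLOWS, hit["channel"]))
```

The benign IRC session passes the protocol and ordered-command checks but produces no controller command, so it is not flagged; that is the point of requiring the full command pattern rather than the protocol alone. The signature string is deliberately content-derived (protocol, sequence, commands) so that it can be stored and matched independently of the server address or port, which a controller can change at will.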