Classifying sets of malicious indicators for detecting command and control communications associated with malware
First Claim
1. A method for detecting communications associated with a cyber-attack, comprising:
- performing a first analysis on a first portion of a communication to determine at least a first high quality indicator associated with content within the first portion of the communication, the first high quality indicator identifying a correlation of the content with a malicious activity and being represented by a first value for use in classifying the communication;
performing a second analysis by inspecting a second portion of the communication to determine one or more supplemental indicators, the second portion of the communication is different than the first portion of the communication and each of the one or more supplemental indicators being represented by a corresponding value for use in classifying the communication; and
classifying the communication as part of the cyber-attack by (i) classifying the communication as being part of the cyber-attack when at least the first value associated with the first high quality indicator exceeds a first threshold without consideration of the one or more supplemental indicators, and (ii) in response to the first high quality indicator failing to exceed the first threshold and being greater than a second threshold, using the one or more corresponding values representing the one or more supplemental indicators with at least the first value to classify whether the communication is part of the cyber-attack.
5 Assignments
0 Petitions
Accused Products
Abstract
A method for detecting a cyber-attack by performing a first analysis on content within a first portion of a communication to determine whether the content includes a first high quality indicator. The first high quality indicator identifies a correlation of the content with a malicious activity. Subsequent to the first analysis, performing a second analysis on a second portion of the communication to determine one or more supplemental indicators. Thereafter, the communication is classified as part of a cyber-attack when (i) a value associated with the first high quality indicator exceeds a first threshold without consideration of the one or more supplemental indicators, or (ii) upon failing to exceed the first threshold and being greater than a second threshold, using the values representing the one or more supplemental indicators with the first value to classify the communication as being part of the cyber-attack.
733 Citations
19 Claims
-
1. A method for detecting communications associated with a cyber-attack, comprising:
-
performing a first analysis on a first portion of a communication to determine at least a first high quality indicator associated with content within the first portion of the communication, the first high quality indicator identifying a correlation of the content with a malicious activity and being represented by a first value for use in classifying the communication; performing a second analysis by inspecting a second portion of the communication to determine one or more supplemental indicators, the second portion of the communication is different than the first portion of the communication and each of the one or more supplemental indicators being represented by a corresponding value for use in classifying the communication; and classifying the communication as part of the cyber-attack by (i) classifying the communication as being part of the cyber-attack when at least the first value associated with the first high quality indicator exceeds a first threshold without consideration of the one or more supplemental indicators, and (ii) in response to the first high quality indicator failing to exceed the first threshold and being greater than a second threshold, using the one or more corresponding values representing the one or more supplemental indicators with at least the first value to classify whether the communication is part of the cyber-attack. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
-
-
17. A method for detecting a cyber-attack, comprising:
-
performing a first analysis on an uniform resource locator (URL) included as part of a network communication to determine whether the URL corresponds to at least a first high quality indicator, the first high quality indicator (i) identifying at least a prescribed level of correlation with a malicious activity and (ii) being represented by at least a first probative value for use in classifying the network communication; performing a second analysis by inspecting metadata related to the URL included as part of the network communication to determine whether the analyzed metadata corresponds to one or more supplemental indicators, each of the one or more supplemental indicators being represented by a corresponding probative value for use in classifying the network communication; and classifying the network communication including the URL as part of the cyber-attack by at least (i) classifying the network communication as being part of the cyber-attack when the first probative value exceeds a first threshold without consideration of the corresponding probative values associated with the one or more supplemental indicators, and (ii) in response to the first probative value determined for the at least the first high quality indicator failing to exceed the first threshold and being greater than a second threshold that is less than the first threshold, using the corresponding probative values associated with the one or more supplemental indicators with at least the first probative value to classify whether the network communication is part of the cyber-attack. - View Dependent Claims (18, 19)
-
Specification