Classifying sets of malicious indicators for detecting command and control communications associated with malware

US 10,637,880 B1
Filed: 07/23/2018
Issued: 04/28/2020
Est. Priority Date: 05/13/2013
Status: Active Grant

First Claim

Patent Images

1. A method for detecting communications associated with a cyber-attack, comprising:

performing a first analysis on a first portion of a communication to determine at least a first high quality indicator associated with content within the first portion of the communication, the first high quality indicator identifying a correlation of the content with a malicious activity and being represented by a first value for use in classifying the communication;

performing a second analysis by inspecting a second portion of the communication to determine one or more supplemental indicators, the second portion of the communication is different than the first portion of the communication and each of the one or more supplemental indicators being represented by a corresponding value for use in classifying the communication; and

classifying the communication as part of the cyber-attack by (i) classifying the communication as being part of the cyber-attack when at least the first value associated with the first high quality indicator exceeds a first threshold without consideration of the one or more supplemental indicators, and (ii) in response to the first high quality indicator failing to exceed the first threshold and being greater than a second threshold, using the one or more corresponding values representing the one or more supplemental indicators with at least the first value to classify whether the communication is part of the cyber-attack.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting a cyber-attack by performing a first analysis on content within a first portion of a communication to determine whether the content includes a first high quality indicator. The first high quality indicator identifies a correlation of the content with a malicious activity. Subsequent to the first analysis, performing a second analysis on a second portion of the communication to determine one or more supplemental indicators. Thereafter, the communication is classified as part of a cyber-attack when (i) a value associated with the first high quality indicator exceeds a first threshold without consideration of the one or more supplemental indicators, or (ii) upon failing to exceed the first threshold and being greater than a second threshold, using the values representing the one or more supplemental indicators with the first value to classify the communication as being part of the cyber-attack.

733 Citations

19 Claims

1. A method for detecting communications associated with a cyber-attack, comprising:
- performing a first analysis on a first portion of a communication to determine at least a first high quality indicator associated with content within the first portion of the communication, the first high quality indicator identifying a correlation of the content with a malicious activity and being represented by a first value for use in classifying the communication;
  
  performing a second analysis by inspecting a second portion of the communication to determine one or more supplemental indicators, the second portion of the communication is different than the first portion of the communication and each of the one or more supplemental indicators being represented by a corresponding value for use in classifying the communication; and
  
  classifying the communication as part of the cyber-attack by (i) classifying the communication as being part of the cyber-attack when at least the first value associated with the first high quality indicator exceeds a first threshold without consideration of the one or more supplemental indicators, and (ii) in response to the first high quality indicator failing to exceed the first threshold and being greater than a second threshold, using the one or more corresponding values representing the one or more supplemental indicators with at least the first value to classify whether the communication is part of the cyber-attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the first value being a probative value that is greater than a probative value of any of the one or more corresponding values representing the one or more supplemental indicators.
  - 3. The method of claim 1, wherein the content within the first portion of the communication includes an uniform resource locator (URL) and the communication is a network communication.
  - 4. The method of claim 3, wherein the network communication is classified as being part of the cyber-attack when the first value of the first high quality indicator exceeds the first threshold.
  - 5. The method of claim 3, wherein the cyber-attack includes a command and control (CnC) communication operating as a callback.
  - 6. The method of claim 3, wherein the performing of the first analysis on the first portion of the network communication comprises parsing packets of the network communication to extract the URL and determining whether the URL compares to any of a plurality of URLs that are known to be associated with malicious activity that is part of the cyber-attack.
  - 7. The method of claim 6, wherein the determining whether the URL compares to any of the plurality of URLs comprises performing a hash operation on the URL to produce a hash result and comparing the hash result to a plurality of hash results that correspond to a plurality of URLs for previously analyzed communications that are determined to be part of the cyber-attack.
  - 8. The method of claim 3, wherein the performing of the first analysis on the first portion of the network communication comprises assessing reputation information associated with the URL and determining whether the URL is associated with malicious activity that is part of the cyber-attack based on the reputation information.
  - 9. The method of claim 8, wherein the reputation information includes at least one of (i) a length of time a domain associated with the URL has been registered, or (ii) a country in which an Internet Protocol (IP) address of the URL is located.
  - 10. The method of claim 9, wherein the reputation information further includes at least one of (i) a determination whether a web site accessible via the URL uses a security protocol to protect communications with the web site, or (ii) a name of the Internet Service Provider (ISP) hosting the web site.
  - 11. The method of claim 3, wherein the performing of the first analysis on the first portion of the network communication comprises an analysis of a reputation of a domain name of the URL to determine a probability that a detected presence of the domain name indicates the network communication is part of the cyber-attack.
  - 12. The method of claim 3, wherein the performing of the first analysis on the first portion of the network communication comprises an analysis of a reputation of an Internet Protocol (IP) address of the URL to determine a probability that a detected presence of the IP address indicates the network communication is part of the cyber-attack.
  - 13. The method of claim 1, where the performing of the second analysis on the second portion of the communication comprises performing an analysis of components of a header of the communication being a network communication to detect a protocol anomaly.
  - 14. The method of claim 1, wherein the performing of the first analysis, the performing of the second analysis and the classifying of the communication is entirely conducted with a cloud based facility.
  - 15. The method of claim 1, wherein the performing of the first analysis, the performing of the second analysis and the classifying of the communication is entirely conducted with a malware content detection (MCD) system.
  - 16. The method of claim 1, wherein the first value being a probative value representing a mathematical combination of the one or more values associated with the one or more high quality indicators, including the first value.

17. A method for detecting a cyber-attack, comprising:
- performing a first analysis on an uniform resource locator (URL) included as part of a network communication to determine whether the URL corresponds to at least a first high quality indicator, the first high quality indicator (i) identifying at least a prescribed level of correlation with a malicious activity and (ii) being represented by at least a first probative value for use in classifying the network communication;
  
  performing a second analysis by inspecting metadata related to the URL included as part of the network communication to determine whether the analyzed metadata corresponds to one or more supplemental indicators, each of the one or more supplemental indicators being represented by a corresponding probative value for use in classifying the network communication; and
  
  classifying the network communication including the URL as part of the cyber-attack by at least (i) classifying the network communication as being part of the cyber-attack when the first probative value exceeds a first threshold without consideration of the corresponding probative values associated with the one or more supplemental indicators, and (ii) in response to the first probative value determined for the at least the first high quality indicator failing to exceed the first threshold and being greater than a second threshold that is less than the first threshold, using the corresponding probative values associated with the one or more supplemental indicators with at least the first probative value to classify whether the network communication is part of the cyber-attack.
- View Dependent Claims (18, 19)
- - 18. The method of claim 17, wherein the first probative value is greater than any corresponding probative value for the one or more supplemental indicators.
  - 19. The method of claim 17, wherein the metadata includes attributes related to content within data packets forming the network communication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Islam, Ali, Bu, Zheng
Primary Examiner(s)
Callahan, Paul E

Application Number

US16/043,013
Time in Patent Office

645 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Classifying sets of malicious indicators for detecting command and control communications associated with malware

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

733 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Classifying sets of malicious indicators for detecting command and control communications associated with malware

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

733 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links