METHOD AND APPARATUS FOR DETECTING MALWARE INFECTION

US 20090172815A1
Filed: 04/04/2008
Published: 07/02/2009
Est. Priority Date: 04/04/2007
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a malware infection at a local host in a network, the method comprising:

monitoring communications between the local host and one or more entities external to the network;

generating at least one dialog warning if the communications include a transaction indicative of a malware infection;

declaring a malware infection if, within a predefined period of time, the at least one dialog warning includes;

at least one dialog warning indicating a transaction initiated at the local host and at least one dialog warning indicating an additional transaction indicative of a malware infection; and

outputting an infection profile for the local host.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, the present invention is a method and apparatus for detecting malware infection. One embodiment of a method for detecting a malware infection at a local host in a network, includes monitoring communications between the local host and one or more entities external to the network, generating a dialog warning if the communications include a transaction indicative of a malware infection, declaring a malware infection if, within a predefined period of time, the dialog warnings includes at least one dialog warning indicating a transaction initiated at the local host and at least one dialog warning indicating an additional transaction indicative of a malware infection, and outputting an infection profile for the local host.

435 Citations

20 Claims

1. A method for detecting a malware infection at a local host in a network, the method comprising:
- monitoring communications between the local host and one or more entities external to the network;
  
  generating at least one dialog warning if the communications include a transaction indicative of a malware infection;
  
  declaring a malware infection if, within a predefined period of time, the at least one dialog warning includes;
  
  at least one dialog warning indicating a transaction initiated at the local host and at least one dialog warning indicating an additional transaction indicative of a malware infection; and
  
  outputting an infection profile for the local host.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein a transaction indicative of a malware infection includes at least one of:
    - a scan attempt targeting the local host, an exploit at the local host, a binary download at the local host, a command and control communication involving the local host, or a scan originating at the local host.
  - 3. The method of claim 1, wherein the generating comprises:
    - applying at least one rule file to the communications; and
      
      outputting a dialog warning if one or more of the communications satisfy the at least one rule file.
  - 4. The method of claim 1, wherein the at least one dialog warning indicating a transaction initiated at the local host comprises a dialog warning indicating an exploit at the local host.
  - 5. The method of claim 4, wherein the at least one dialog warning indicating an additional transaction indicative of a malware infection indicates at least one of:
    - a binary download at the local host, a command and control communication involving the local host, or a scan originating at the local host.
  - 6. The method of claim 1, wherein each of the at least one dialog warning indicating a transaction initiated at the local host and the at least one dialog warning indicating an additional transaction indicative of a malware infection indicates one of:
    - a binary download at the local host, a command and control communication involving the local host, or a scan originating at the local host.
  - 7. The method of claim 1, wherein the infection profile includes at least one of:
    - a confidence score indicative of a likelihood that the local host is infected with malware, an Internet Protocol address of the local host, at least one Internet Protocol address associated with a source of the malware infection, at least one Internet Protocol address associated with a command and control server, at least one transaction indicative of the malware infection, and a time range of the malware infection.

8. A computer readable storage medium containing an executable program for detecting a malware infection at a local host in a network, where the program performs the steps of:
- monitoring communications between the local host and one or more entities external to the network;
  
  generating at least one dialog warning if the communications include a transaction indicative of a malware infection;
  
  declaring a malware infection if, within a predefined period of time, the at least one dialog warning includes;
  
  at least one dialog warning indicating a transaction initiated at the local host and at least one dialog warning indicating an additional transaction indicative of a malware infection; and
  
  outputting an infection profile for the local host.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer readable storage medium of claim 8, wherein a transaction indicative of a malware infection includes at least one of:
    - a scan attempt targeting the local host, an exploit at the local host, a binary download at the local host, a command and control communication involving the local host, or a scan originating at the local host.
  - 10. The computer readable storage medium of claim 8, wherein the generating comprises:
    - applying at least one rule file to the communications; and
      
      outputting a dialog warning if one or more of the communications satisfy the at least one rule file.
  - 11. The computer readable storage medium of claim 8, wherein the at least one dialog warning indicating a transaction initiated at the local host comprises a dialog warning indicating an exploit at the local host.
  - 12. The computer readable storage medium of claim 11, wherein the at least one dialog warning indicating an additional transaction indicative of a malware infection indicates at least one of:
    - a binary download at the local host, a command and control communication involving the local host, or a scan originating at the local host.
  - 13. The computer readable storage medium of claim 8, wherein each of the at least one dialog warning indicating a transaction initiated at the local host and the at least one dialog warning indicating an additional transaction indicative of a malware infection indicates one of:
    - a binary download at the local host, a command and control communication involving the local host, or a scan originating at the local host.
  - 14. The computer readable storage medium of claim 8, wherein the infection profile includes at least one of:
    - a confidence score indicative of a likelihood that the local host is infected with malware, an Internet Protocol address of the local host, at least one Internet Protocol address associated with a source of the malware infection, at least one Internet Protocol address associated with a command and control server, at least one transaction indicative of the malware infection, and a time range of the malware infection.

15. A system for detecting a malware infection at a local host in a network, the system comprising:
- means for monitoring communications between the local host and one or more entities external to the network;
  
  means for generating at least one dialog warning if the communications include a transaction indicative of a malware infection;
  
  means for declaring a malware infection if, within a predefined period of time, the at least one dialog warning includes;
  
  at least one dialog warning indicating a transaction initiated at the local host and at least one dialog warning indicating an additional transaction indicative of a malware infection; and
  
  means for outputting an infection profile for the local host.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein a transaction indicative of a malware infection includes at least one of:
    - a scan attempt targeting the local host, an exploit at the local host, a binary download at the local host, a command and control communication involving the local host, or a scan originating at the local host.
  - 17. The system of claim 15, wherein the generating means comprises:
    - means for applying at least one rule file to the communications; and
      
      means for outputting a dialog warning if one or more of the communications satisfy the at least one rule file.
  - 18. The system of claim 15, wherein the at least one dialog warning indicating a transaction initiated at the local host comprises a dialog warning indicating an exploit at the local host.
  - 19. The system of claim 18, wherein the at least one dialog warning indicating an additional transaction indicative of a malware infection indicates at least one of:
    - a binary download at the local host, a command and control communication involving the local host, or a scan originating at the local host.
  - 20. The system of claim 15, wherein each of the at least one dialog warning indicating a transaction initiated at the local host and the at least one dialog warning indicating an additional transaction indicative of a malware infection indicates one of:
    - a binary download at the local host, a command and control communication involving the local host, or a scan originating at the local host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Fong, Martin, Gu, Guofei, Porras, Phillip Andrew

Granted Patent

US 8,955,122 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 11/3495   for systems

G06F 21/552   involving long-term monitor...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

H04L 2463/144   Detection or countermeasure...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

METHOD AND APPARATUS FOR DETECTING MALWARE INFECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

435 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

METHOD AND APPARATUS FOR DETECTING MALWARE INFECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

435 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others