DETECTING MALICIOUS BEHAVIOUR ON A COMPUTER NETWORK
Abstract
A malicious behaviour detector (100) for detecting malicious behaviour on a network comprises a processor unit (120) and associated system memory (130) containing computer program code. The computer program code provides a signature matching module (132) to perform malicious partial signature detection by reading the contents of packets of data passing through the network to look for partial signatures associated with malicious programs; a Domain Name Service, DNS, request and/or response detection module (134) to monitor the requests made by hosts connected to the network and/or responses thereto; and an evidence assessment module (138) to analyse the results of the partial signature detection and the DNS monitoring and to make a determination of the suspected presence of malicious behaviour on the network based upon the analysis of the results of both the partial signature detection and the DNS monitoring.
18 Claims
1. A method of detecting malicious behaviour on a network comprising inspecting the contents of packets of data travelling through the network and attempting to detect the presence of data representing a memory location corresponding to a known memory location or range of memory locations in which a known system program is known to execute on a given type of system, and, upon making such a detection, checking for suspicious behaviour from one or both of the source or destination host of the packet and, upon detecting such suspicious behaviour, determining that there is a risk of the respective source and/or destination device having been infected by a malicious program.

3. A malicious behaviour detector for detecting malicious behaviour on a network comprising a processor unit and associated system memory containing computer program code for providing:

a signature matching module to inspect the contents of packets of data travelling through the network and to attempt to detect the presence of data representing a memory location corresponding to a known memory location or range of memory locations in which a known system program is known to execute on a given type of system; a suspicious behaviour detection module to check for suspicious behaviour from one or both of the source or destination host of the packet, upon making a signature matching detection; and an evidence assessment module to determine that there is a risk of the respective source and/or destination device having been infected by a malicious program, upon detecting suspicious behaviour. (Dependent claim: 4)

6. A method of detecting malicious behaviour on a network, the method comprising:

performing malicious partial signature detection by reading the contents of packets of data passing through the network to look for partial signatures associated with malicious programs; monitoring the Domain Name Service, DNS, requests made by hosts connected to the network and/or responses thereto; analysing the results of the partial signature detection and the DNS monitoring; and making a determination of the suspected presence of malicious behaviour on the network based upon an analysis of the results of both the partial signature detection and the DNS monitoring. (Dependent claims: 7, 8)

9. A malicious behaviour detector for detecting malicious behaviour on a network, comprising:

a processor unit and associated system memory containing computer program code for providing: a signature matching module to perform malicious partial signature detection by reading the contents of packets of data passing through the network to look for partial signatures associated with malicious programs; a Domain Name Service, DNS, request and/or response detection module to monitor the requests made by hosts connected to the network and/or responses thereto; and an evidence assessment module to analyse the results of the partial signature detection and the DNS monitoring and to make a determination of the suspected presence of malicious behaviour on the network based upon the analysis of the results of both the partial signature detection and the DNS monitoring.

10. A method of detecting malicious behaviour on a network, the method comprising:

monitoring for suspicious behaviour of hosts connected to the network; and

the method being characterised by performing malicious partial signature detection by reading the contents of packets of data passing through the network to look for partial signatures associated with malicious programs, each partial signature being a part only of the code for a malicious program; analysing the results of the partial signature detection and the suspicious behaviour monitoring; and making a determination of the suspected presence of malicious behaviour on the network based upon an analysis of the results of both the partial signature detection and the suspicious behaviour monitoring. (Dependent claims: 11, 12, 13, 14)

15. A malicious behaviour detector for detecting malicious behaviour on a network, comprising:

a processor unit and associated system memory containing computer program code for providing: a suspicious behaviour detection module to monitor for suspicious behaviour by host devices connected to the network; the detector being characterised in that the processor unit and associated system memory containing computer program code are further operable to provide: a signature matching module to perform malicious partial signature detection by reading the contents of packets of data passing through the network to look for partial signatures associated with malicious programs, each partial signature being a part only of the code for a malicious program; and an evidence assessment module to analyse the results of the partial signature detection and the suspicious behaviour monitoring to make a determination of the suspected presence of malicious behaviour on the network based upon the analysis of the results of both the partial signature detection and the suspicious behaviour monitoring. (Dependent claims: 16, 17)
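The following is an added worked example, not code from the patent or its assignee, of the detector the abstract and the independent claims describe: a signature matching module that scans packet payloads for (a) 32-bit values falling in an address range where a system library is assumed to execute on the target platform (claims 1 and 3) and (b) short fragments of known malicious code, the "partial signatures" of claims 6, 9, 10 and 15; a DNS monitoring module (claims 6 and 9); and an evidence assessment module that raises a risk determination only when a packet-level hit and host-level suspicious behaviour concern the same host. The address range, the signature fragment, the domain watch list and all packets are constructed for the example and are not real indicators. The example also shows the caveat that makes the corroboration step necessary: any four bytes of ordinary data can decode to an in-range address, so a packet hit alone is not treated as an infection.

```python
"""Toy implementation of the claimed detector over constructed traffic.

Everything below (address range, signature, domains, packets) is made up
for illustration; none of it is taken from the patent or from real malware.
"""
import struct
from collections import defaultdict

# Assumed: range in which a known system library executes on the target
# platform. Hypothetical numbers chosen for the example.
SYSTEM_RANGES = {"libsys.dll": (0x7C800000, 0x7C900000)}

# Assumed partial signatures: a fragment of a malicious program's code,
# not the whole program, as claims 10 and 15 require.
PARTIAL_SIGNATURES = {"toyworm-loader": b"\x90\x90\xeb\x1f\x5e\x89\x76\x08"}

# Assumed watch list of domains contacted by the hypothetical malware.
SUSPICIOUS_DOMAINS = {"update.toyworm.example"}


def find_system_addresses(payload):
    """Return (offset, address, library) for every 4-byte little-endian
    value in the payload, at any alignment, that falls inside a known
    system-library range."""
    hits = []
    for off in range(len(payload) - 3):
        (value,) = struct.unpack_from("<I", payload, off)
        for lib, (lo, hi) in SYSTEM_RANGES.items():
            if lo <= value < hi:
                hits.append((off, value, lib))
    return hits


def find_partial_signatures(payload):
    """Names of every partial signature whose fragment occurs in the payload."""
    return [name for name, frag in PARTIAL_SIGNATURES.items() if frag in payload]


class EvidenceAssessor:
    """Collects packet-level and host-level evidence and combines them."""

    def __init__(self):
        self.packet_hits = defaultdict(list)     # host -> reasons from packets
        self.behaviour_hits = defaultdict(list)  # host -> reasons from behaviour

    def on_packet(self, src, dst, payload):
        """Signature matching module: record hits against both endpoints,
        since the claims check either the source or the destination host."""
        reasons = [f"address 0x{addr:08x} in {lib} range at offset {off}"
                   for off, addr, lib in find_system_addresses(payload)]
        reasons += [f"partial signature {name}"
                    for name in find_partial_signatures(payload)]
        if reasons:
            for host in (src, dst):
                self.packet_hits[host].extend(reasons)
        return reasons

    def on_dns_query(self, host, qname):
        """DNS monitoring module: a query for a watch-listed name counts as
        suspicious behaviour by the querying host."""
        if qname.lower().rstrip(".") in SUSPICIOUS_DOMAINS:
            self.behaviour_hits[host].append(f"DNS query for {qname}")
            return True
        return False

    def assess(self):
        """Evidence assessment module: a host is at risk only when it has
        both a packet-level hit and corroborating suspicious behaviour."""
        return {host: self.packet_hits[host] + self.behaviour_hits[host]
                for host in self.packet_hits if self.behaviour_hits.get(host)}


def run_demo():
    """Run the modules over constructed traffic; returns the assessment."""
    a = EvidenceAssessor()
    # Constructed exploit-like packet: filler, an address inside the assumed
    # library range (as a return address would be), then a code fragment.
    exploit = (b"A" * 16 + struct.pack("<I", 0x7C86AB12)
               + PARTIAL_SIGNATURES["toyworm-loader"])
    a.on_packet("10.0.0.5", "10.0.0.20", exploit)
    # Constructed benign packet whose first four bytes happen to decode to an
    # in-range address: a packet hit with no corroborating behaviour.
    a.on_packet("10.0.0.30", "10.0.0.40", b"\x00\x00\x80\x7cpayload")
    a.on_dns_query("10.0.0.20", "update.toyworm.example.")  # victim beacons
    a.on_dns_query("10.0.0.30", "www.example.com")          # benign lookup
    return a.assess()


if __name__ == "__main__":
    for host, reasons in run_demo().items():
        print(host, "at risk:", "; ".join(reasons))
```

Only 10.0.0.20 is flagged: it received a packet carrying an in-range address and a signature fragment and then queried the watch-listed name. The sender 10.0.0.5 and the pair 10.0.0.30/10.0.0.40 also produced packet-level hits but showed no suspicious behaviour, so under the claimed two-stage logic no risk determination is made for them. A production detector would scan at wire speed, carry per-platform address tables and age out evidence, none of which this illustration attempts.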
Specification