DETECTING MALICIOUS BEHAVIOUR ON A COMPUTER NETWORK

US 20110302656A1
Filed: 02/23/2010
Published: 12/08/2011
Est. Priority Date: 02/24/2009
Status: Active Grant

First Claim

Patent Images

1. A method of detecting malicious behaviour on a network comprising inspecting the contents of packets of data travelling through the network and attempting to detect the presence of data representing a memory location corresponding to a known memory location or range of memory locations in which a known system program is known to execute on a given type of system, and, upon making such a detection, checking for suspicious behaviour from one or both of the source or destination host of the packet and, upon detecting such suspicious behaviour, determining that there is a risk of the respective source and/or destination device having been infected by a malicious program.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malicious behaviour detector (100) for detecting malicious behaviour on a network, comprises a processor unit (120) and associated system memory (130) containing computer program code. The computer program code provides a signature matching module (132) to perform malicious partial signature detection by reading the contents of packets of data passing through the network to look for partial signatures associated with malicious programs; a Domain Name Service, DNS, request and/or response detection module (134) to monitor the requests made by hosts connected to the network and/or responses thereto; and an evidence assessment module (138) to analyse the results of the partial signature detection and the DNS monitoring make a determination of the suspected presence of malicious behaviour on the network based upon the analysis of the results of both the partial signature detection and the DNS monitoring.

127 Citations

18 Claims

1. A method of detecting malicious behaviour on a network comprising inspecting the contents of packets of data travelling through the network and attempting to detect the presence of data representing a memory location corresponding to a known memory location or range of memory locations in which a known system program is known to execute on a given type of system, and, upon making such a detection, checking for suspicious behaviour from one or both of the source or destination host of the packet and, upon detecting such suspicious behaviour, determining that there is a risk of the respective source and/or destination device having been infected by a malicious program.
- View Dependent Claims (2, 5, 18)
- - 2. A method according to claim 1 wherein the known memory location or range of locations is associated with a buffer overflow exploit.
  - 5. A computer readable carrier medium carrying computer program code for causing a digital processor to carry out the method of claim 1.
  - 18. A computer readable carrier medium carrying computer program code for causing a digital processor to carry out the method of claim 1.

3. A malicious behaviour detector for detecting malicious behaviour on a network comprising a processor unit and associated system memory containing computer program code for providing:
- a signature matching module to inspect the contents of packets of data travelling through the network and to attempt to detect the presence of data representing a memory location corresponding to a known memory location or range of memory locations in which a known system program is known to execute on a given type of system;
  
  a suspicious behaviour detection module to check for suspicious behaviour from one or both of the source or destination host of the packet, upon making a signature matching detection; and
  
  an evidence assessment module to determine that there is a risk of the respective source and/or destination device having been infected by a malicious program, upon detecting suspicious behaviour.
- View Dependent Claims (4)
- - 4. A detector according to claim 3 wherein the known memory location or range of locations is associated with a buffer overflow exploit.

6. A method of detecting malicious behaviour on a network, the method comprising:
- performing malicious partial signature detection by reading the contents of packets of data passing through the network to look for partial signatures associated with malicious programs;
  
  monitoring the Domain Name Service, DNS, requests made by hosts connected to the network and/or responses thereto;
  
  analysing the results of the partial signature detection and the DNS monitoring; and
  
  making a determination of the suspected presence of malicious behaviour on the network based upon an analysis of the results of both the partial signature detection and the DNS monitoring.
- View Dependent Claims (7, 8)
- - 7. A method according to claim 6 wherein a determination of the suspected presence of malicious behaviour on the network is more likely to be made if suspicious DNS requests and/or responses are detected in respect of a host to which a packet of data has previously been sent, within a predetermined period of time, in which a partial signature has been detected, than in the case of a host to which no such packet of data has previously been sent, within a predetermined period of time, in which a partial signature has been detected.
  - 8. A method according to claim 7 wherein the partial signature comprises a memory location or range of memory locations known to be associated with a buffer overflow exploit.

9. A malicious behaviour detector for detecting malicious behaviour on a network, comprising:
- a processor unit and associated system memory containing computer program code for providing;
  
  a signature matching module to perform malicious partial signature detection by reading the contents of packets of data passing through the network to look for partial signatures associated with malicious programs;
  
  a Domain Name Service, DNS, request and/or response detection module to monitor the requests made by hosts connected to the network and/or responses thereto; and
  
  an evidence assessment module to analyse the results of the partial signature defection and the DNS monitoring make a determination of the suspected presence of malicious behaviour on the network based upon the analysis of the results of both the partial signature detection and the DNS monitoring.

10. A method of detecting malicious behaviour on a network, the method comprising:
- monitoring for suspicious behaviour of hosts connected to the network; and
  
  the method being characterised byperforming malicious partial signature detection by reading the contents of packets of data passing through the network to look for partial signatures associated with malicious programs, each partial signature being a part only of the code for a malicious program;
  
  analysing the results of the partial signature detection and the suspicious behaviour monitoring; and
  
  making a determination of the suspected presence of malicious behaviour on the network based upon an analysis of the results of both the partial signature detection and the suspicious behaviour monitoring.
- View Dependent Claims (11, 12, 13, 14)
- - 11. A method according to claim 10 wherein a determination of the suspected presence of malicious behaviour on the network is more likely to be made if suspicious behaviour is detected in respect of a host to which a packet of data has previously been sent, within a predetermined period of time, in which a partial signature has been detected, than in the case of a host to which no such packet of data has previously been sent, within a predetermined period of time, in which a partial signature has been detected.
  - 12. A method according to claim 10 wherein the partial signature comprises a representation of a memory location or range of memory locations in which a system program executes on a given type of system.
  - 13. A method according claim 10 wherein each partial signature is a representation of a memory location corresponding to a memory location or range of memory locations in which a system program is known to execute on a given type of system, and wherein monitoring for suspicious behaviour comprises, upon making such a detection, checking for suspicious behaviour from one or both of the source and destination host devices of the packet and, upon detecting such suspicious behaviour, determining that there is a risk of the respective source and/or destination host device having been infected by a malicious program.
  - 14. A method according to claim 10 wherein the partial signature is a representation of a memory location associated with a buffer overflow exploit.

15. A malicious behaviour detector for detecting malicious behaviour on a network, comprising:
- a processor unit and associated system memory containing computer program code for providing;
  
  a suspicious behaviour detection module to monitor for suspicious behaviour by host devices connected to the network;
  
  the detector being characterised in that the processor unit and associated system memory containing computer program code are further operable to provide;
  
  a signature matching module to perform malicious partial signature detection by reading the contents of packets of data passing through the network to look for partial signatures associated with malicious programs, each partial signature being a part only of the code for a malicious program; and
  
  an evidence assessment module to analyse the results of the partial signature detection and the suspicious behaviour monitoring to make a determination of the suspected presence of malicious behaviour on the network based upon the analysis of the results of both the partial signature detection and the suspicious behaviour monitoring.
- View Dependent Claims (16, 17)
- - 16. A malicious behaviour detector according to claim 15 wherein the signature matching module is operable to inspect the contents of packets of data travelling through the network and to attempt to detect the presence of data representing a memory location corresponding to a memory location or range of memory locations in which a system program executes on a given type of system;
  - 17. A malicious behaviour detector according to claim 15 wherein the suspicious behaviour detection module comprises a Domain Name Service request and/or response detection module to monitor Domain Name Service requests made by host devices connected to the network and/or responses thereto.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
British Telecommunications PLC (BT Group PLC)
Original Assignee
British Telecommunications PLC (BT Group PLC)
Inventors
El-Moussa, Fadi

Granted Patent

US 8,966,631 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

DETECTING MALICIOUS BEHAVIOUR ON A COMPUTER NETWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

127 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTING MALICIOUS BEHAVIOUR ON A COMPUTER NETWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

127 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links