SYSTEM AND METHOD FOR DETECTING A MALICIOUS COMMAND AND CONTROL CHANNEL
First Claim
1. A method, comprising:
- detecting repetitive connections from an idle source node to a destination node;
- calculating a score for the idle source node based on behavior of the repetitive connections;
- taking a policy action if the score exceeds a threshold value.
10 Assignments
0 Petitions
Abstract
A method is provided in one example embodiment that includes detecting repetitive connections from a source node to a destination node, calculating a score for the source node based on the connections, and taking a policy action if the score exceeds a threshold score. In more particular embodiments, the repetitive connections use a hypertext transfer protocol and may include connections to a small number of unique domains, connections to a small number of unique resources associated with the destination node, and/or a large number of connections to a resource in a domain. Moreover, heuristics may be used to score the source node and identify behavior indicative of a threat, such as a bot or other malware.
327 Citations
20 Claims
1. A method, comprising:
- detecting repetitive connections from an idle source node to a destination node;
- calculating a score for the idle source node based on behavior of the repetitive connections;
- taking a policy action if the score exceeds a threshold value.
(Dependent claims 2-13)

14. A method, comprising:
- detecting repetitive connections initiated by a source node;
- calculating a score for the source node based on the repetitive connections if the repetitive connections comprise connections to at least X resources within a time period, to less than Y unique addresses within the time period, and to less than Z unique resources for at least one of the unique addresses within the time period, wherein X, Y, and Z are parameters indicative of a behavior consistent with a threat; and
- taking a policy action if the score exceeds a threshold score.
(Dependent claims 15-20)
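An added example, not part of the patent, showing how the X/Y/Z test of claim 14 can be applied to a window of connection records: a source is scored only when it makes at least X connections to fewer than Y unique addresses with fewer than Z unique resources on at least one of them. The scoring formula, the `Conn` record type, the sample traffic and the "block"/"allow" policy values are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str       # source node
    dst: str       # destination address or domain
    resource: str  # requested resource (URL path)
    ts: float      # timestamp in seconds


def window_stats(conns, src, start, period):
    """Count connections by `src` in [start, start + period) and collect
    the unique resources requested from each destination."""
    per_dst = defaultdict(set)
    total = 0
    for c in conns:
        if c.src == src and start <= c.ts < start + period:
            total += 1
            per_dst[c.dst].add(c.resource)
    return total, per_dst


def score_source(conns, src, start, period, x, y, z):
    """Claim-14 style test: >= x connections, < y unique addresses, and < z
    unique resources for at least one address. Returns 0.0 when the test is
    not met; otherwise a constructed score (connections per unique resource,
    divided by the number of destinations), so tight polling scores high."""
    total, per_dst = window_stats(conns, src, start, period)
    if total < x or len(per_dst) >= y:
        return 0.0
    if not any(len(res) < z for res in per_dst.values()):
        return 0.0
    unique_resources = sum(len(res) for res in per_dst.values())
    return total / unique_resources / len(per_dst)


def policy_action(conns, src, start, period, x, y, z, threshold):
    """Policy action: 'block' if the score exceeds the threshold, else 'allow'."""
    score = score_source(conns, src, start, period, x, y, z)
    return "block" if score > threshold else "allow"


# Constructed sample traffic: one host polls a single resource every 60 s,
# another host fetches one page from each of eight different sites.
SAMPLE = [Conn("10.0.0.5", "c2.example.invalid", "/gate.php", 60.0 * i) for i in range(10)]
SAMPLE += [Conn("10.0.0.7", f"site{i}.example.invalid", f"/page{i}", 60.0 * i + 5) for i in range(8)]

if __name__ == "__main__":
    for src in ("10.0.0.5", "10.0.0.7"):
        print(src, score_source(SAMPLE, src, 0, 600, 8, 3, 3),
              policy_action(SAMPLE, src, 0, 600, 8, 3, 3, 5.0))
```

With X=8, Y=3, Z=3 over a 600 s window, the polling host scores 10.0 and is blocked while the browsing host, which touches eight addresses, scores 0.0.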
Specification