SYSTEM AND METHOD FOR DETECTING A MALICIOUS COMMAND AND CONTROL CHANNEL

US 20130097699A1
Filed: 10/18/2011
Published: 04/18/2013
Est. Priority Date: 10/18/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

detecting repetitive connections from an idle source node to a destination node;

calculating a score for the idle source node based on behavior of the repetitive connections;

taking a policy action if the score exceeds a threshold value.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment that includes detecting repetitive connections from a source node to a destination node, calculating a score for the source node based on the connections, and taking a policy action if the score exceeds a threshold score. In more particular embodiments, the repetitive connections use a hypertext transfer protocol and may include connections to a small number of unique domains, connections to small number of unique resources associated with the destination node, and/or a large number of connections to a resource in a domain. Moreover, heuristics may be used to score the source node and identify behavior indicative of a threat, such as a bot or other malware.

327 Citations

20 Claims

1. A method, comprising:
- detecting repetitive connections from an idle source node to a destination node;
  
  calculating a score for the idle source node based on behavior of the repetitive connections;
  
  taking a policy action if the score exceeds a threshold value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the repetitive connections use a hypertext transfer protocol.
  - 3. The method of claim 1, wherein detecting the repetitive connections comprises:
    - detecting connections to more than X addresses;
      
      detecting connections to less than Y unique addresses within a predetermined time period; and
      
      detecting connections to less than Z unique resource identifiers associated with at least one of the unique addresses;
      
      wherein X, Y, and Z are parameters indicative of a pattern consistent with repetitive connections not generated by a human user.
  - 4. The method of claim 1, wherein calculating the score comprises using heuristics to identify behavior indicative of a threat.
  - 5. The method of claim 1, wherein calculating the score comprises using heuristics to identify behavior indicative of a bot command and control channel.
  - 6. The method of claim 1, wherein calculating the score comprises increasing the score if the destination node is associated with a domain registered within a year.
  - 7. The method of claim 1, wherein calculating the score comprises increasing the score if at least one of the repetitive connections does not have a referrer field and does not have a root resource identifier.
  - 8. The method of claim 1, wherein calculating the score comprises increasing the score if at least one of the repetitive connections does not identify a known user agent.
  - 9. The method of claim 1, wherein calculating the score comprises increasing the score if at least one of the repetitive connections identifies the destination node by a public network address.
  - 10. The method of claim 1, wherein calculating the score comprises increasing the score if the repetitive connections have less than X average request header lines, wherein X is a parameter indicative of a malware connection to the destination node.
  - 11. The method of claim 1, wherein calculating the score comprises increasing the score if the repetitive connections have an average response size less than X, wherein X is a parameter indicative of responses from a command and control server.
  - 12. The method of claim 1, wherein calculating the score comprises requesting a reputation value associated with the destination node and increasing the score if the reputation value indicates the destination node is associated with a threat.
  - 13. The method of claim 1, wherein calculating the score comprises increasing the score if the destination node has a network address in a zone associated with a threat.

14. A method, comprising:
- detecting repetitive connections initiated by a source node;
  
  calculating a score for the source node based on the repetitive connections if the repetitive connections comprise connections to at least X resources within a time period, to less than Y unique addresses within the time period, and to less than Z unique resources for at least one of the unique addresses within the time period, wherein X, Y, and Z are parameters indicative of a behavior consistent with a threat; and
  
  taking a policy action if the score exceeds a threshold score.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein calculating the score comprises using heuristics to identify behavior indicative of the threat.
  - 16. The method of claim 14, wherein the repetitive connections use a hypertext transfer protocol.
  - 17. The method of claim 14, wherein the threat is a bot connecting to a command and control server.
  - 18. The method of claim 14, wherein X greater than or equal to 10, Y is less than or equal to 5, and Z is less than or equal to 5.
  - 19. The method of claim 14, wherein the time period is at least eight hours.
  - 20. The method of claim 14, wherein:
    - the threat is a bot connecting to a command and control server using a hypertext transfer protocol;
      
      X is greater than or equal to 10, Y is less than or equal to 5, and Z is less than or equal to 5;
      
      the time period is at least eight hours;
      
      calculating the score comprises using heuristics to identify behavior indicative of the threat; and
      
      the policy action is sending an alert to an administrator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Mahadik, Vinay, Balupari, Ravindra, Shah, Chintan H., Madhusudan, Bharath

Granted Patent

US 8,677,487 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

H04L 2463/144   Detection or countermeasure...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

SYSTEM AND METHOD FOR DETECTING A MALICIOUS COMMAND AND CONTROL CHANNEL

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

327 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR DETECTING A MALICIOUS COMMAND AND CONTROL CHANNEL

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

327 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links