SYSTEMS AND METHODS FOR IDENTIFYING MALICIOUS HOSTS
First Claim
1. A method, comprising:
receiving network communication, which indicates a name of a host and an alleged network address of the host;
verifying whether the alleged network address is genuinely associated with the host; and
in response to detecting that the alleged network address is not genuinely associated with the host, deciding that the network communication associated with the host is malicious.
Abstract
A malware detection system analyzes communication traffic to and/or from a certain host. The malware detection system uses the mismatch between host name and IP address to assign a quantitative score, which is indicative of the probability that the host is malicious. The system may use this score, for example, in combination with other indications, to decide whether the host in question is malicious or innocent. The overall decision may use, for example, a rule engine, machine learning techniques or any other suitable means. The malware detection system may also analyze alerts regarding hosts that are suspected of being malicious. The alerts may originate, for example, from Command & Control (C&C) detection, from an Intrusion Detection System (IDS), or from any other suitable source. A given alert typically reports a name of the suspected host and an IP address that allegedly belongs to that host.
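The abstract describes the core check in words only: resolve the host name reported in an alert, compare the answer with the address the alert alleges, turn the degree of mismatch into a score, and let a rule engine combine that score with other indications. The following is an added illustration of that pipeline, not code from the patent or its assignee. It assumes alerts are dictionaries with `host`, `ip` and an optional `confidence` key, replaces live DNS with constructed in-memory forward and reverse tables so it runs offline, and uses score values and rule thresholds that are my own choices (the patent only says a rule engine or machine learning may be used).

```python
"""Score host-name/IP mismatches in alerts and decide maliciousness.

Added example (not the patent's own method). The resolver tables and the
numeric scores/thresholds below are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed forward and reverse DNS answers standing in for a live resolver.
FAKE_FORWARD_DNS = {
    "update.example.com": {"203.0.113.10", "203.0.113.11"},
    "cdn.example.net": {"198.51.100.5"},
}
FAKE_REVERSE_DNS = {
    "203.0.113.10": "update.example.com",
    "203.0.113.12": "update.example.com",
    "198.51.100.5": "cdn.example.net",
    "192.0.2.77": "unrelated.example.org",
}


def _norm(host):
    """Normalise a host name for comparison (case, whitespace, trailing dot)."""
    return host.strip().lower().rstrip(".")


def mismatch_score(host, alleged_ip, forward=FAKE_FORWARD_DNS, reverse=FAKE_REVERSE_DNS):
    """Return a score in [0, 1] for how strongly `alleged_ip` fails to belong to `host`.

    0.0: forward lookup confirms the address.
    0.2: forward lookup misses but reverse lookup agrees (often a stale or
         round-robin record, so only weakly suspicious).
    0.5: the name resolves to nothing at all.
    0.9: both lookups contradict the alert.
    1.0: the alleged address is not even a parsable IP address.
    """
    try:
        ip = str(ipaddress.ip_address(alleged_ip.strip()))
    except ValueError:
        return 1.0
    name = _norm(host)
    forward_ips = forward.get(name, set())
    if ip in forward_ips:
        return 0.0
    if not forward_ips:
        return 0.5
    if _norm(reverse.get(ip, "")) == name:
        return 0.2
    return 0.9


@dataclass
class Verdict:
    host: str
    ip: str
    mismatch: float
    malicious: bool
    reason: str


def evaluate_alert(alert, forward=FAKE_FORWARD_DNS, reverse=FAKE_REVERSE_DNS):
    """Combine the mismatch score with the alert's own confidence (assumed rule set).

    A strong mismatch alone is decisive; a weak one needs corroboration from
    the alert source (e.g. IDS or C&C detector confidence) before it counts.
    """
    score = mismatch_score(alert["host"], alert["ip"], forward, reverse)
    other = float(alert.get("confidence", 0.0))
    if score >= 0.7:
        malicious, reason = True, "alleged address contradicts DNS"
    elif score >= 0.4 and other >= 0.5:
        malicious, reason = True, "weak mismatch corroborated by alert confidence"
    elif score == 0.0:
        malicious, reason = False, "address consistent with DNS"
    else:
        malicious, reason = False, "insufficient evidence"
    return Verdict(alert["host"], alert["ip"], score, malicious, reason)


# Constructed sample alerts as a C&C detector or IDS might emit them.
SAMPLE_ALERTS = [
    {"host": "update.example.com", "ip": "203.0.113.11", "confidence": 0.9},
    {"host": "update.example.com", "ip": "192.0.2.77", "confidence": 0.3},
    {"host": "nosuch.example.invalid", "ip": "192.0.2.200", "confidence": 0.6},
    {"host": "nosuch.example.invalid", "ip": "192.0.2.200", "confidence": 0.1},
    {"host": "update.example.com", "ip": "203.0.113.12", "confidence": 0.8},
    {"host": "cdn.example.net", "ip": "not-an-ip"},
]


def run_samples():
    """Evaluate every sample alert and return the list of verdicts."""
    return [evaluate_alert(a) for a in SAMPLE_ALERTS]


if __name__ == "__main__":
    for v in run_samples():
        flag = "MALICIOUS" if v.malicious else "benign"
        print(f"{v.host:24} {v.ip:14} score={v.mismatch:.1f} {flag:9} ({v.reason})")
```

In a real deployment the two resolver tables would be replaced by live forward and reverse lookups, and the graded scores matter because CDN and round-robin names legitimately map to several addresses, so a single forward miss should raise suspicion rather than settle the question on its own.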
18 Claims

1. A method, comprising: (independent claim; text as given under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 15

10. Apparatus, comprising:
an interface, which is configured to receive network communication that indicates a name of a host and an alleged network address of the host; and
a processor, which is configured to verify whether the alleged network address is genuinely associated with the host, and, in response to detecting that the alleged network address is not genuinely associated with the host, to decide that the network communication associated with the host is malicious.
Dependent claims: 11, 12, 13, 14, 16, 17, 18