DISTRIBUTED SYSTEM FOR BOT DETECTION
First Claim
1. A method comprising:
executing, on a computer system including one or more processors, a characterizing module and an engagement module and a sinkhole module each executing one or more services on one or more ports;
detecting, by the engagement module, suspicious activities by a source with respect to the one or more ports of the engagement module;
allowing, by the engagement module, installation by the source of a malicious module in the engagement module;
forwarding, by the engagement module, traffic generated by the malicious module, to the sinkhole module;
responding, by the sinkhole module, to the traffic by processing the traffic and transmitting a simulated response to the malicious module according to a service of the one or more services of the sinkhole module;
transmitting, by the engagement module, a first plurality of events describing behavior of the malicious module executing within the engagement module;
transmitting, by the sinkhole module, a second plurality of events describing processing of the traffic by the sinkhole module;
correlating, by the characterizing module, the first and second plurality of events to generate a descriptor of the malicious module; and
using, by one of the computer system and a different computer system, the descriptor to at least one of prevent an attempt to install the malicious module and remove an instance of the malicious module on the one of the computer system and the different computer system.
3 Assignments
0 Petitions
Abstract
A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. The Sinkhole module may implement a proxy mode in which traffic received by the Sinkhole module is transmitted to the destination specified in the traffic but modified to reference the Sinkhole as the source. Events occurring on the BotMagnet and the Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code.
93 Citations
20 Claims
1. A method comprising: (text as given under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 18, 20
12. A method comprising:
providing, on a computer system, an engagement module and a sinkhole module executing a plurality of virtual machines executing a plurality of services on a plurality of ports;
detecting, by the engagement module, suspicious activities by a source with respect to one or more of the plurality of ports of the engagement module;
allowing, by the engagement module, installation by the source of a malicious module in a virtual machine of the plurality of virtual machines of the engagement module;
forwarding, by the engagement module, traffic generated by the malicious module, to the sinkhole module;
responding, by the sinkhole module, to the traffic by processing the traffic and transmitting a response to the malicious module according to a service of the plurality of services of the sinkhole module;
transmitting, by the engagement module and sinkhole module, a plurality of events describing the suspicious activities, installation of the malicious module, the traffic, and the responses to a characterizing module;
generating, by the characterizing module, a descriptor of the malicious module according to the plurality of events; and
using, by one of the computer system and a different computer system, the descriptor to at least one of detect an attempt to install the malicious module and remove an instance of the malicious module on the one of the computer system and the different computer system.
Dependent claims: 13, 14, 15, 16, 17, 19
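The correlation step that the abstract and both independent claims describe (joining engagement-module events with sinkhole events to produce a descriptor, then using that descriptor on another host) can be sketched as follows. This is an added illustration, not code from the patent or its assignee; the event fields, time window, descriptor layout and all addresses (documentation ranges) are constructed assumptions.

```python
# Added example (not the patent's own code): correlate BotMagnet (engagement
# module) events with Sinkhole events into a descriptor of the malicious module,
# then match that descriptor against observations from a different host.
# All events below are constructed; addresses come from documentation ranges.

# First plurality of events: emitted by the engagement module.
ENGAGEMENT_EVENTS = [
    {"t": 100, "type": "probe", "src_ip": "203.0.113.7", "port": 445},
    {"t": 105, "type": "install", "src_ip": "203.0.113.7", "port": 445,
     "sha256": "deadbeef" * 8, "pid": 1337},          # constructed hash
    {"t": 110, "type": "connect", "pid": 1337, "dst": "198.51.100.20", "dport": 6667},
    {"t": 111, "type": "connect", "pid": 1337, "dst": "198.51.100.21", "dport": 80},
]

# Second plurality of events: emitted by the sinkhole module as it simulates services.
SINKHOLE_EVENTS = [
    {"t": 110, "type": "service", "dst": "198.51.100.20", "dport": 6667,
     "service": "irc", "request": "NICK x0r-bot"},
    {"t": 112, "type": "service", "dst": "198.51.100.21", "dport": 80,
     "service": "http", "request": "GET /update.bin"},
    {"t": 300, "type": "service", "dst": "198.51.100.99", "dport": 25,
     "service": "smtp", "request": "HELO"},            # unrelated, outside window
]

def correlate(eng, sink, window=5):
    """Characterizing module: join each outbound connect made by the installed
    module's process to a sinkhole service event on the same (dst, dport) seen
    within `window` seconds, and return a descriptor of the malicious module."""
    install = next(e for e in eng if e["type"] == "install")
    pid = install["pid"]
    c2 = {}
    for conn in (e for e in eng if e["type"] == "connect" and e["pid"] == pid):
        for s in sink:
            same_endpoint = (s["dst"], s["dport"]) == (conn["dst"], conn["dport"])
            if same_endpoint and abs(s["t"] - conn["t"]) <= window:
                c2[(s["dst"], s["dport"])] = {"service": s["service"],
                                              "request": s["request"]}
    return {"sha256": install["sha256"], "entry_port": install["port"], "c2": c2}

def matches(descriptor, observation):
    """Use of the descriptor on another host: flag either the same binary
    (an install attempt) or a connection to an endpoint the module contacted."""
    if observation.get("sha256") == descriptor["sha256"]:
        return "install-attempt"
    if (observation.get("dst"), observation.get("dport")) in descriptor["c2"]:
        return "c2-beacon"
    return None
```

The unrelated SMTP sinkhole event is dropped because no connect from the installed module's process matches it, which is the point of joining on endpoint and time rather than taking every sinkhole event.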
Specification