MEASURING, CATEGORIZING, AND/OR MITIGATING MALWARE DISTRIBUTION PATHS

US 20160285894A1
Filed: 03/25/2015
Published: 09/29/2016
Est. Priority Date: 03/25/2015
Status: Active Grant

First Claim

Patent Images

1. A system for event path traceback comprising:

a processor configured to perform processing associated with receiving network traffic from a network; and

a path traceback and categorization (ATC) module in communication with the processor, the ATC module being configured to perform processing associated with identifying an event within the network traffic, tracing a sequence of network transactions related to the event, and outputting an annotated event path (AMP) including data about the event and the sequence of network transactions related to the event;

wherein performing processing associated with tracing the sequence of network transactions comprises reconstructing a sequence of transactions within the network traffic that led to the event while filtering out unrelated traffic within the network traffic.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for event path traceback may utilize a processor and a path traceback and categorization (ATC) module in communication with the processor. The processor may be configured to perform processing associated with receiving network traffic from a network. The ATC module may be configured to perform processing associated with identifying an event within the network traffic, tracing a sequence of network transactions related to the event, and outputting an annotated event path (AMP) including data about the event and the sequence of network transactions related to the event. Performing processing associated with tracing the sequence of network transactions may comprise reconstructing a sequence of transactions within the network traffic that led to the event while filtering out unrelated traffic within the network traffic.

Citations

26 Claims

1. A system for event path traceback comprising:
- a processor configured to perform processing associated with receiving network traffic from a network; and
  
  a path traceback and categorization (ATC) module in communication with the processor, the ATC module being configured to perform processing associated with identifying an event within the network traffic, tracing a sequence of network transactions related to the event, and outputting an annotated event path (AMP) including data about the event and the sequence of network transactions related to the event;
  
  wherein performing processing associated with tracing the sequence of network transactions comprises reconstructing a sequence of transactions within the network traffic that led to the event while filtering out unrelated traffic within the network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the event is caused by an executable download on a computer on the network.
  - 3. The system of claim 2, wherein the ATC module is further configured to perform processing associated with determining a cause of the event based on the sequence of network transactions.
  - 4. The system of claim 3, wherein the cause is an update, a social engineering attack, or a drive-by download.
  - 5. The system of claim 3, wherein performing processing associated with determining the cause of the event comprises analyzing at least one of the following features of at least two nodes within the sequence:
    - download referrer;
      
      candidate exploit domain age;
      
      drive-by URL similarity;
      
      download domain recurrence;
      
      download path length; and
      
      user agent popularity.
  - 6. The system of claim 1, wherein performing processing associated with identifying the event comprises detecting the event within the network traffic and other network traffic conducted by a computer on the network affected by the event within a period of time near the event.
  - 7. The system of claim 1, wherein performing processing associated with outputting the AMP comprises automatically labeling at least one node within the sequence.
  - 8. The system of claim 7, wherein performing processing associated with outputting the AMP further comprises adding each node to the AMP.
  - 9. The system of claim 1, wherein performing processing associated with tracing the sequence of network transactions comprises analyzing at least one of the following features of at least two nodes of the network traffic:
    - location;
      
      referrer;
      
      domain in URL;
      
      URL in content;
      
      same domain;
      
      commonly exploitable content; and
      
      same e2LD.
  - 10. The system of claim 1, further comprising a malware download defense (MDD) module in communication with the processor, the MDD module being configured to perform processing associated with receiving the AMP and creating a countermeasure based on the data in the AMP.
  - 11. The system of claim 10, wherein performing processing associated with creating the countermeasure comprises identifying a landing node, an injection node, and an exploit node for an event within the AMP, wherein the event is caused by a drive-by download.
  - 12. The system of claim 10, wherein performing processing associated with creating the countermeasure comprises generating a report for display, the report comprising at least a portion of the AMP.
  - 13. The system of claim 10, wherein the MDD module is further configured to perform processing associated with transmitting the countermeasure to at least one computer on the network.

14. A method for event path traceback comprising:
- performing processing associated with receiving, with a processor, network traffic from a network;
  
  performing processing associated with identifying, with a path traceback and categorization (ATC) module in communication with the processor, an event within the network traffic;
  
  performing processing associated with tracing, with the ATC module, a sequence of network transactions related to the event; and
  
  performing processing associated with outputting, with the ATC module, an annotated event path (AMP) including data about the event and the sequence of network transactions related to the event;
  
  wherein performing processing associated with tracing the sequence of network transactions comprises reconstructing a sequence of transactions within the network traffic that led to the event while filtering out unrelated traffic within the network traffic.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The method of claim 14, wherein the event is caused by an executable download on a computer on the network.
  - 16. The method of claim 15, further comprising performing processing associated with determining, with the ATC module, a cause of the event based on the sequence of network transactions.
  - 17. The method of claim 16, wherein the cause is an update, a social engineering attack, or a drive-by download.
  - 18. The method of claim 16, wherein performing processing associated with determining the cause of the event comprises analyzing at least one of the following features of at least two nodes within the sequence:
    - download referrer;
      
      candidate exploit domain age;
      
      drive-by URL similarity;
      
      download domain recurrence;
      
      download path length; and
      
      user agent popularity.
  - 19. The method of claim 14, wherein performing processing associated with identifying the event comprises detecting the event within the network traffic and other network traffic conducted by a computer on the network affected by the event within a period of time near the event.
  - 20. The method of claim 14, wherein performing processing associated with outputting the AMP comprises automatically labeling at least one node within the sequence.
  - 21. The method of claim 20, wherein performing processing associated with outputting the AMP further comprises adding each node to the AMP.
  - 22. The method of claim 14, wherein performing processing associated with tracing the sequence of network transactions comprises analyzing at least one of the following features of at least two nodes of the network traffic:
    - location;
      
      referrer;
      
      domain in URL;
      
      URL in content;
      
      same domain;
      
      commonly exploitable content; and
      
      same e2LD.
  - 23. The method of claim 14, further comprising:
    - performing processing associated with receiving, with a malware download defense (MDD) module in communication with the processor, the AMP; and
      
      performing processing associated with creating, with the MDD module, a countermeasure based on the data in the AMP.
  - 24. The method of claim 23, wherein performing processing associated with creating the countermeasure comprises identifying a landing node, an injection node, and an exploit node for an event within the AMP, wherein the event is caused by a drive-by download.
  - 25. The method of claim 23, wherein performing processing associated with creating the countermeasure comprises generating a report for display, the report comprising at least a portion of the AMP.
  - 26. The method of claim 23, further comprising performing processing associated with transmitting, with the MDD module, the countermeasure to at least one computer on the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc., The University of Georgia Research Foundation, Inc.
Original Assignee
Damballa Incorporated, The University of Georgia Research Foundation, Inc.
Inventors
PERDISCI, Roberto, NELMS, Terry Lee

Granted Patent

US 9,930,065 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

MEASURING, CATEGORIZING, AND/OR MITIGATING MALWARE DISTRIBUTION PATHS

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

MEASURING, CATEGORIZING, AND/OR MITIGATING MALWARE DISTRIBUTION PATHS

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links