METHOD AND APPARATUS FOR DETECTING MALWARE INFECTION

US 20160359870A1
Filed: 01/21/2015
Published: 12/08/2016
Est. Priority Date: 04/04/2007
Status: Active Application

First Claim

Patent Images

1-20. -20. (canceled)

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, the present invention is a method and apparatus for detecting malware infection. One embodiment of a method for detecting a malware infection at a local host in a network, includes monitoring communications between the local host and one or more entities external to the network, generating a dialog warning if the communications include a transaction indicative of a malware infection, declaring a malware infection if, within a predefined period of time, the dialog warnings includes at least one dialog warning indicating a transaction initiated at the local host and at least one dialog warning indicating an additional transaction indicative of a malware infection, and outputting an infection profile for the local host.

Citations

40 Claims

1-20. -20. (canceled)

21. A method for detecting a self-propagating malware (“
- bot”
  
  ) infection on a computer network, the method performed by a computing device, the method comprising;
  
  monitoring a plurality of network communication flows between local host computers of the network and external entities on the Internet;
  
  generating an alert if a subset of the network communication flows is indicative of a malware infection;
  
  accessing a bot infection dialog model, the bot infection dialog model comprising a plurality of partially ordered combinations of network dialog transactions, wherein each partially ordered combination of network dialog transactions is associated with a different type of bot infection; and
  
  outputting a bot infection profile if a combination of generated alerts evidences a type of bot infection modeled by the bot infection dialog model.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The method of claim 21, comprising outputting a bot infection profile if the combination of generated alerts evidences at least two outbound dialog transactions and does not evidence any inbound dialog transactions.
  - 23. The method of claim 21, comprising outputting the bot infection profile if the combination of generated alerts evidences a sparse sequence of network dialog transactions in the bot infection dialog model.
  - 24. The method of claim 21, comprising defining a weighting and threshold scheme for a network dialog transaction and outputting the bot infection profile if the combination of generated alerts satisfies the weighting and threshold scheme.
  - 25. The method of claim 21, wherein the bot infection dialog model defines a first combination of network dialog transactions as indicative of a command and control botnet, and defines a second combination of network dialog transactions as indicative of a spam bot, and defines a third combination of network dialog transactions as indicative of a peer-to-peer botnet.
  - 26. The method of claim 21, wherein the bot infection dialog model defines a plurality of different malware propagation paths for at least one of the network dialog transactions.
  - 27. The method of claim 21, wherein the bot infection dialog model defines an at least partially ordered sequence of network dialog transactions as indicative of a worm infection.
  - 28. The method of claim 21, comprising determining that a combination of alerts comprises at least two pieces of evidence of outward bot coordination, and outputting the bot infection profile based on the evidence of outward bot coordination.
  - 29. The method of claim 21, comprising determining that a combination of alerts comprises at least two pieces of evidence of attack propagation, and outputting the bot infection profile based on the evidence of attack propagation.

30. A self-propagating malware (“
- bot”
  
  ) infection detection module embodied in a computing device, the bot infection detection module comprising;
  
  one or more network event detection engines configured to, periodically, over time;
  
  (i) monitor a plurality of network communication flows between local host computers of the network and external entities on the Internet; and
  
  (ii) generate an alert if a subset of the network communication flows is indicative of a malware infection;
  
  a bot infection dialog model configured to define a plurality of partially ordered combinations of different types of network dialog transactions, wherein each partially ordered combination of network dialog transactions is associated with a different type of bot infection; and
  
  a dialog correlation engine configured to output a bot infection profile if a combination of generated alerts evidences a partially ordered combination of network dialog transactions associated with a type of bot infection modeled by the bot infection dialog model.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37)
- - 31. The bot infection detection module of claim 30, wherein the one or more network event detection engines comprises an intrusion detection system configured to perform real-time network traffic analysis of the network communication flows, a scan anomaly detection engine configured to monitor the network communication flows for evidence of inbound malware scans, and a payload anomaly detection engine configured to monitor the network communication flows for inbound packets indicative of inbound infection or inbound exploit.
  - 32. The bot infection detection module of claim 31, wherein the dialog correlation engine is configured to detect a bot infection based on a correlation of alerts produced by the intrusion detection system, alerts produced by the scan anomaly detection engine, and alerts produced by the payload anomaly detection engine.
  - 33. The bot infection detection module of claim 30, wherein the dialog correlation engine is configured to detect a combination of generated alerts exceeding a weighted threshold and generate the bot infection profile in response to the combination of generated alerts exceeding the weighted threshold.
  - 34. The bot infection detection module of claim 30, wherein the one or more network event detection engines is configured to generate an alert in response to an application of one or more rules to the subset of network communication flows.
  - 35. The bot infection detection module of claim 30, wherein the one or more network event detection engines is configured to calculate an anomaly score based on a number of failed inbound scan attempts, and generate an alert comprising the anomaly score.
  - 36. The bot infection detection module of claim 30, wherein the one or more network event detection engines is configured to calculate a plurality of anomaly scores based on a number of outbound scan attempts, and generate an alert if one or more of the anomaly scores is greater than or equal to a pre-defined threshold.
  - 37. The bot infection detection module of claim 30, wherein the one or more network event detection engines is configured to analyze a payload of a current packet sent to a local host in relation to a profile of normal traffic to the host, and generate an alert if a deviation distance of the payload of the current packet from the profile of the normal traffic exceeds a pre-defined threshold.

38. A dialog correlation engine embodied in one or more non-transitory computer readable storage media and configured to cause a computing device to:
- over a time interval, receive a plurality of alerts from one or more network event detection engines monitoring a plurality of network communication flows between local host computers of a computer network and external entities on the Internet, each alert generated by a network event detection engine in response to a subset of the network communication flows being indicative of a malware infection;
  
  access a bot infection dialog model, the bot infection dialog model comprising a plurality of partially ordered combinations of network dialog transactions, wherein each partially ordered combination of network dialog transactions is associated with a different type of self-propagating malware (“
  
  bot”
  
  ) infection; and
  
  output a bot infection profile if a combination of generated alerts evidences a type of bot infection modeled by the bot infection dialog model.
- View Dependent Claims (39, 40)
- - 39. The dialog correlation engine of claim 38, configured to cause the computing device to correlate alerts generated by a plurality of different network detection engines and map the alerts generated by the different network detection engines to the network dialog transactions of the bot infection dialog model.
  - 40. The dialog correlation engine of claim 38, configured to cause the computing device to calculate a dialog score based on the alerts received during the time interval, compare the dialog score to a threshold value, and if the dialog score does not exceed the threshold value, discard the alerts without outputting the bot infection profile.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Gu, Guofei, Porras, Phillip A., Fong, Martin W.

Granted Patent

US 10,270,803 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/3495   for systems

G06F 21/552   involving long-term monitor...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

H04L 2463/144   Detection or countermeasure...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

METHOD AND APPARATUS FOR DETECTING MALWARE INFECTION

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR DETECTING MALWARE INFECTION

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links