METHOD AND APPARATUS FOR DETECTING MALWARE INFECTION
Abstract
In one embodiment, the present invention is a method and apparatus for detecting malware infection. One embodiment of a method for detecting a malware infection at a local host in a network includes monitoring communications between the local host and one or more entities external to the network, generating a dialog warning if the communications include a transaction indicative of a malware infection, declaring a malware infection if, within a predefined period of time, the dialog warnings include at least one dialog warning indicating a transaction initiated at the local host and at least one dialog warning indicating an additional transaction indicative of a malware infection, and outputting an infection profile for the local host.
40 Claims
1-20. (canceled)
21. A method for detecting a self-propagating malware ("bot") infection on a computer network, the method performed by a computing device, the method comprising: monitoring a plurality of network communication flows between local host computers of the network and external entities on the Internet; generating an alert if a subset of the network communication flows is indicative of a malware infection; accessing a bot infection dialog model, the bot infection dialog model comprising a plurality of partially ordered combinations of network dialog transactions, wherein each partially ordered combination of network dialog transactions is associated with a different type of bot infection; and outputting a bot infection profile if a combination of generated alerts evidences a type of bot infection modeled by the bot infection dialog model. (Dependent claims 22-29 not reproduced here.)
30. A self-propagating malware ("bot") infection detection module embodied in a computing device, the bot infection detection module comprising: one or more network event detection engines configured to, periodically, over time:
(i) monitor a plurality of network communication flows between local host computers of the network and external entities on the Internet; and
(ii) generate an alert if a subset of the network communication flows is indicative of a malware infection;
a bot infection dialog model configured to define a plurality of partially ordered combinations of different types of network dialog transactions, wherein each partially ordered combination of network dialog transactions is associated with a different type of bot infection; and a dialog correlation engine configured to output a bot infection profile if a combination of generated alerts evidences a partially ordered combination of network dialog transactions associated with a type of bot infection modeled by the bot infection dialog model. (Dependent claims 31-37 not reproduced here.)
38. A dialog correlation engine embodied in one or more non-transitory computer readable storage media and configured to cause a computing device to: over a time interval, receive a plurality of alerts from one or more network event detection engines monitoring a plurality of network communication flows between local host computers of a computer network and external entities on the Internet, each alert generated by a network event detection engine in response to a subset of the network communication flows being indicative of a malware infection; access a bot infection dialog model, the bot infection dialog model comprising a plurality of partially ordered combinations of network dialog transactions, wherein each partially ordered combination of network dialog transactions is associated with a different type of self-propagating malware ("bot") infection; and output a bot infection profile if a combination of generated alerts evidences a type of bot infection modeled by the bot infection dialog model. (Dependent claims 39 and 40 not reproduced here.)
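The abstract and claims 21, 30 and 38 describe the same pipeline: event detection engines emit alerts (dialog warnings) per local host, a dialog model lists partially ordered combinations of transaction types for each bot type, and a correlation engine declares an infection and emits a profile when the alerts for one host, within a time window, include at least two warnings, at least one for a transaction the host itself initiated, and together evidence a modeled combination. The following Python is an added illustration of that correlation logic, not code from the patent or its assignee. The transaction type names, the two bot types in the dialog model, the one-hour window and the sample alerts are all assumptions made for the example; the patent text names none of them.

```python
"""Dialog-correlation detector in the shape of the abstract and claims 21, 30 and 38.

Added illustration, not the patent's code. Transaction type names, the bot types in
the dialog model, the window length and the sample alerts are assumptions.
"""
from dataclasses import dataclass
from itertools import groupby

# Hypothetical network dialog transaction types (assumed names, not from the patent).
INBOUND_EXPLOIT = "inbound_exploit"  # external entity attacks the local host
EGG_DOWNLOAD = "egg_download"        # local host fetches a binary from outside
C2_CONTACT = "c2_contact"            # local host contacts a controller
OUTBOUND_SCAN = "outbound_scan"      # local host probes other hosts

# Transactions the local host initiates; the abstract requires at least one of these.
LOCAL_INITIATED = {EGG_DOWNLOAD, C2_CONTACT, OUTBOUND_SCAN}

# Bot infection dialog model (assumed content): each bot type is a partial order given
# as (earlier, later) pairs over transaction types; unconstrained types may occur in
# any order relative to each other.
DIALOG_MODEL = {
    "exploit-then-download bot": {(INBOUND_EXPLOIT, EGG_DOWNLOAD), (EGG_DOWNLOAD, C2_CONTACT)},
    "scanning bot": {(C2_CONTACT, OUTBOUND_SCAN)},
}


@dataclass(frozen=True)
class Alert:
    """One alert from a network event detection engine (a dialog warning)."""
    ts: float   # seconds since an arbitrary epoch
    host: str   # local host the flow involved
    ttype: str  # transaction type, one of the constants above


def evidences(alerts, pairs):
    """True if `alerts` contain every transaction type named in `pairs` and, for each
    (earlier, later) pair, some `earlier` alert is not later than some `later` alert."""
    first, last = {}, {}
    for a in alerts:
        first[a.ttype] = min(first.get(a.ttype, a.ts), a.ts)
        last[a.ttype] = max(last.get(a.ttype, a.ts), a.ts)
    needed = {t for pair in pairs for t in pair}
    if not needed <= set(first):
        return False
    return all(first[earlier] <= last[later] for earlier, later in pairs)


def correlate(alerts, model=DIALOG_MODEL, window=3600.0):
    """Dialog correlation engine. Returns one infection profile per local host for which,
    within `window` seconds, there are at least two dialog warnings, at least one of them
    for a transaction the local host initiated, and the warnings together evidence at
    least one bot type in `model`. The first qualifying window per host is reported."""
    profiles = []
    ordered = sorted(alerts, key=lambda a: (a.host, a.ts))
    for host, group in groupby(ordered, key=lambda a: a.host):
        host_alerts = list(group)
        for i, start in enumerate(host_alerts):
            in_win = [a for a in host_alerts[i:] if a.ts - start.ts <= window]
            if len(in_win) < 2 or not any(a.ttype in LOCAL_INITIATED for a in in_win):
                continue  # abstract's timing gate not met in this window
            matched = sorted(bt for bt, pairs in model.items() if evidences(in_win, pairs))
            if matched:
                profiles.append({
                    "host": host,
                    "window": (start.ts, start.ts + window),
                    "bot_types": matched,
                    "evidence": [(a.ts, a.ttype) for a in in_win],
                })
                break
    return profiles


# Constructed sample alerts (not captured traffic).
SAMPLE_ALERTS = [
    # full dialog: exploited, fetched a binary, contacted a controller, then scanned
    Alert(0.0, "10.0.0.5", INBOUND_EXPLOIT),
    Alert(60.0, "10.0.0.5", EGG_DOWNLOAD),
    Alert(300.0, "10.0.0.5", C2_CONTACT),
    Alert(900.0, "10.0.0.5", OUTBOUND_SCAN),
    # two warnings but neither initiated by the local host: not declared
    Alert(10.0, "10.0.0.7", INBOUND_EXPLOIT),
    Alert(20.0, "10.0.0.7", INBOUND_EXPLOIT),
    # download before the exploit, and no C2 contact: no modeled combination
    Alert(100.0, "10.0.0.8", EGG_DOWNLOAD),
    Alert(200.0, "10.0.0.8", INBOUND_EXPLOIT),
    # matching transactions but further apart than the window: not declared
    Alert(100.0, "10.0.0.9", C2_CONTACT),
    Alert(50000.0, "10.0.0.9", OUTBOUND_SCAN),
]

if __name__ == "__main__":
    for profile in correlate(SAMPLE_ALERTS):
        print(profile)
```

Only the host 10.0.0.5 yields a profile on the sample: its four warnings fall inside one window, three of them are host-initiated, and they satisfy both partial orders. The other hosts show the three ways the correlation declines: no host-initiated transaction, a transaction order that contradicts the model, and evidence spread beyond the window.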
Specification