METHODS AND SYSTEMS FOR MALWARE HOST CORRELATION

US 20170149804A1
Filed: 11/20/2015
Published: 05/25/2017
Est. Priority Date: 11/20/2015
Status: Abandoned Application

First Claim

Patent Images

1. A method of detecting malicious network activity, the method comprising:

monitoring execution of malicious code on an infected network node;

detecting a control interaction between the infected network node and a first remote network node;

recording, in a knowledge base, first information representative of one or more actions taken by the malicious code subsequent to the control interaction;

monitoring execution of suspect code on a protected network node;

recording, in a communication log, second information representative of a second network interaction between the protected network node and a second remote network node;

detecting one or more actions taken by the suspect code consistent with the one or more actions taken by the malicious code represented in the recorded first information; and

based on detecting the one or more actions taken by the suspect code;

(a) classifying the protected network node as infected,(b) identifying the second remote network node as a malicious end node, and(c) recording, in the knowledge base, a traffic model based on the recorded second information representative of the second network interaction.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Malicious network activity can be detected using methods and systems that monitor execution of code on computing nodes. The computing nodes may be network-connected nodes, may be infected with malicious code or malware, and/or may be protected by the monitor to prevent such infection or to mitigate impact of such infection. In some implementations, a monitoring system monitors execution of malicious code on an infected network node, detects an interaction between the infected network node and a remote node, and records information representative of actions taken by the malicious code subsequent to the interaction. In some implementations, the monitoring system monitors execution of suspect code on a protected computing node, records information representative of a network interaction between the protected computing node and a remote node, and detects actions taken by the suspect code consistent with the actions taken by the malicious code represented in the recorded information recorded.

Citations

20 Claims

1. A method of detecting malicious network activity, the method comprising:
- monitoring execution of malicious code on an infected network node;
  
  detecting a control interaction between the infected network node and a first remote network node;
  
  recording, in a knowledge base, first information representative of one or more actions taken by the malicious code subsequent to the control interaction;
  
  monitoring execution of suspect code on a protected network node;
  
  recording, in a communication log, second information representative of a second network interaction between the protected network node and a second remote network node;
  
  detecting one or more actions taken by the suspect code consistent with the one or more actions taken by the malicious code represented in the recorded first information; and
  
  based on detecting the one or more actions taken by the suspect code;
  
  (a) classifying the protected network node as infected,(b) identifying the second remote network node as a malicious end node, and(c) recording, in the knowledge base, a traffic model based on the recorded second information representative of the second network interaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprisingmaintaining a watch-list of malicious end nodes, the watch-list containing network addresses corresponding to network nodes identified as one or more of:
    - malware controllers, components of malware control infrastructure, and malware information sinks;
      
      adding, to the watch-list, an identification including at least a network address for the second remote network node; and
      
      selectively blocking the protected network node from establishing network connections with network nodes identified in the list.
  - 3. The method of claim 2, further comprisingdetecting an attempt by the protected network node to establish a network connection to a third remote network node identified by a third network address in the watch-list;
    - allowing the protected network node to send a network packet to the third remote network node;
      
      determining that the network packet fails to reach the third remote network node; and
      
      removing identification of the third remote network node from the watch-list.
  - 4. The method of claim 1, wherein the infected network node and the protected network node are the same network node.
  - 5. The method of claim 1, wherein the first remote network node is one of:
    - a command and control center, an exploit delivery site, a malware distribution site, a malware information sink, or a bot in a peer-to-peer botnet.
  - 6. The method of claim 1, wherein recording information for the first network interaction comprises sniffing packets on a network and recording a pattern satisfied by the sniffed packets.
  - 7. The method of claim 1, wherein recording the first information representative of the one or more actions taken by the malicious code subsequent to the first network interaction comprises:
    - generating a behavioral model of the one or more actions taken by the malicious code subsequent to the first network interaction; and
      
      recording the behavioral model in the knowledge base.
  - 8. The method of claim 1, wherein the one or more actions taken by the suspect code cause a first result and the one or more actions taken by the malicious code cause a second result, wherein the one or more actions taken by the suspect code are consistent with the one or more actions taken by the malicious code when the first result is equivalent to the second result.
  - 9. The method of claim 8, wherein the first result is one or more of:
    - an operating system setting is changed, an operating system feature is disabled, or a network connection is established.
  - 10. The method of claim 1, wherein the one or more actions taken by the suspect code include at least one of:
    - modification of a Basic Input/Output System (BIOS);
      
      modification of an operating system file;
      
      modification of an operating system library file;
      
      modification of a library file shared between multiple software applications;
      
      modification of a configuration file;
      
      modification of an operating system registry;
      
      modification of a device driver;
      
      modification of a compiler;
      
      injection of code into a software process mid-execution;
      
      execution of an installed software application;
      
      installation of a software application;
      
      modification of an installed software application;
      
      orexecution of a software package installer.

11. A system for detecting malicious network activity, the system comprising:
- a first computer readable memory storing a knowledge base;
  
  a second computer readable memory storing a communication log;
  
  a monitor comprising at least one computer processor configured to execute instructions, that, when executed by a computer processor, cause the computer processor to;
  
  monitor execution of malicious code on an infected network node;
  
  detect a control interaction between the infected network node and a first remote network node;
  
  record, in the knowledge base, a behavioral model representative of one or more actions taken by the malicious code subsequent to the first network interaction;
  
  monitor execution of suspect code on a protected network node;
  
  record, in the communication log, information representative of a second network interaction between the protected network node and a second remote network node;
  
  detect one or more actions taken by the suspect code consistent with the behavioral model; and
  
  based on detecting the one or more actions taken by the suspect code;
  
  (a) classify the protected network node as infected,(b) identify the second remote network node as a malicious end node, and(c) record, in the knowledge base, a traffic model based on the recorded information for the second network interaction.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The system of claim 11, the instructions, when executed, further causing the at least one computer processor to:
    - maintain a watch-list of malicious end nodes, the watch-list containing network addresses corresponding to network nodes identified as one or more of;
      
      malware controllers, components of malware control infrastructure, and malware information sinks;
      
      add, to the watch-list, an identification including at least a network address for the second remote network node; and
      
      selectively block the protected network node from establishing network connections with network nodes identified in the list.
  - 13. The system of claim 12, the instructions, when executed, further causing the at least one computer processor to:
    - detect an attempt by the protected network node to establish a network connection to a third remote network node identified by a third network address in the watch-list;
      
      allow the protected network node to send a network packet to the third remote network node;
      
      determine that the network packet fails to reach the third remote network node; and
      
      remove identification of the third remote network node from the watch-list.
  - 14. The system of claim 11, wherein the infected network node and the protected network node are the same network node.
  - 15. The system of claim 11, wherein the first remote network node is one of:
    - a command and control center, an exploit delivery site, a malware distribution site, a malware information sink, or a bot in a peer-to-peer botnet.
  - 16. The system of claim 11, the instructions, when executed, further causing the at least one computer processor to record information for the first network interaction by sniffing packets on a network and recording a pattern satisfied by the sniffed packets.
  - 17. The system of claim 11, wherein the one or more actions taken by the suspect code cause a first result and the one or more actions taken by the malicious code cause a second result, wherein the one or more actions taken by the suspect code are consistent with the one or more actions taken by the malicious code when the first result is equivalent to the second result.
  - 18. The system of claim 17, wherein the first result is one or more of:
    - an operating system setting is changed, an operating system feature is disabled, or a network connection is established.

19. A computer-readable memory device storing computer-executable instructions that, when executed by a computer processor, cause the computer processor to:
- monitor execution of malicious code on an infected network node;
  
  detect a control interaction between the infected network node and a first remote network node;
  
  record, in a knowledge base, a behavioral model representative of one or more actions taken by the malicious code subsequent to the first network interaction;
  
  monitor execution of suspect code on a protected network node;
  
  record, in a communication log, information representative of a second network interaction between the protected network node and a second remote network node;
  
  detect one or more actions taken by the suspect code consistent with the behavioral model; and
  
  based on detecting the one or more actions taken by the suspect code;
  
  (a) classify the protected network node as infected,(b) add a network address for the second remote network node to a watch-list, and(c) record, in the knowledge base, a traffic model based on the recorded information for the second network interaction.
- View Dependent Claims (20)
- - 20. The computer-readable memory device of claim 19, further storing computer-executable instructions that, when executed by a computer processor, cause the computer processor to detect the control interaction between the infected network node and the first remote network node based on one or both of:
    - the control interaction satisfying a traffic model for a malicious network interaction; and
      
      the first remote network node is identified in the watch-list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VMware, Inc. (Broadcom, Inc.)
Original Assignee
Lastline, Inc. (Broadcom, Inc.)
Inventors
Vasilenko, Roman, Kolbitsch, Clemens

Application Number

US14/947,397
Publication Number

US 20170149804A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1441 Countermeasures against mal...

METHODS AND SYSTEMS FOR MALWARE HOST CORRELATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR MALWARE HOST CORRELATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links