METHODS AND SYSTEMS FOR MALWARE HOST CORRELATION
First Claim
1. A method of detecting malicious network activity, the method comprising:
- monitoring execution of malicious code on an infected network node;
- detecting a control interaction between the infected network node and a first remote network node;
- recording, in a knowledge base, first information representative of one or more actions taken by the malicious code subsequent to the control interaction;
- monitoring execution of suspect code on a protected network node;
- recording, in a communication log, second information representative of a second network interaction between the protected network node and a second remote network node;
- detecting one or more actions taken by the suspect code consistent with the one or more actions taken by the malicious code represented in the recorded first information; and
- based on detecting the one or more actions taken by the suspect code: (a) classifying the protected network node as infected, (b) identifying the second remote network node as a malicious end node, and (c) recording, in the knowledge base, a traffic model based on the recorded second information representative of the second network interaction.
Abstract
Malicious network activity can be detected using methods and systems that monitor execution of code on computing nodes. The computing nodes may be network-connected nodes, may be infected with malicious code or malware, and/or may be protected by the monitor to prevent such infection or to mitigate the impact of such infection. In some implementations, a monitoring system monitors execution of malicious code on an infected network node, detects an interaction between the infected network node and a remote node, and records information representative of actions taken by the malicious code subsequent to the interaction. In some implementations, the monitoring system monitors execution of suspect code on a protected computing node, records information representative of a network interaction between the protected computing node and a remote node, and detects actions taken by the suspect code consistent with the actions taken by the malicious code represented in the recorded information.
20 Claims
1. A method of detecting malicious network activity, the method comprising:
- monitoring execution of malicious code on an infected network node;
- detecting a control interaction between the infected network node and a first remote network node;
- recording, in a knowledge base, first information representative of one or more actions taken by the malicious code subsequent to the control interaction;
- monitoring execution of suspect code on a protected network node;
- recording, in a communication log, second information representative of a second network interaction between the protected network node and a second remote network node;
- detecting one or more actions taken by the suspect code consistent with the one or more actions taken by the malicious code represented in the recorded first information; and
- based on detecting the one or more actions taken by the suspect code: (a) classifying the protected network node as infected, (b) identifying the second remote network node as a malicious end node, and (c) recording, in the knowledge base, a traffic model based on the recorded second information representative of the second network interaction.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system for detecting malicious network activity, the system comprising:
- a first computer readable memory storing a knowledge base;
- a second computer readable memory storing a communication log;
- a monitor comprising at least one computer processor configured to execute instructions that, when executed by a computer processor, cause the computer processor to:
  - monitor execution of malicious code on an infected network node;
  - detect a control interaction between the infected network node and a first remote network node;
  - record, in the knowledge base, a behavioral model representative of one or more actions taken by the malicious code subsequent to the first network interaction;
  - monitor execution of suspect code on a protected network node;
  - record, in the communication log, information representative of a second network interaction between the protected network node and a second remote network node;
  - detect one or more actions taken by the suspect code consistent with the behavioral model; and
  - based on detecting the one or more actions taken by the suspect code: (a) classify the protected network node as infected, (b) identify the second remote network node as a malicious end node, and (c) record, in the knowledge base, a traffic model based on the recorded information for the second network interaction.
Dependent claims: 12, 13, 14, 15, 16, 17, 18.
19. A computer-readable memory device storing computer-executable instructions that, when executed by a computer processor, cause the computer processor to:
- monitor execution of malicious code on an infected network node;
- detect a control interaction between the infected network node and a first remote network node;
- record, in a knowledge base, a behavioral model representative of one or more actions taken by the malicious code subsequent to the first network interaction;
- monitor execution of suspect code on a protected network node;
- record, in a communication log, information representative of a second network interaction between the protected network node and a second remote network node;
- detect one or more actions taken by the suspect code consistent with the behavioral model; and
- based on detecting the one or more actions taken by the suspect code: (a) classify the protected network node as infected, (b) add a network address for the second remote network node to a watch-list, and (c) record, in the knowledge base, a traffic model based on the recorded information for the second network interaction.
Dependent claims: 20.
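The two-phase flow in claims 1, 11 and 19 (learn a behavioral model from an infected node after its control interaction, then correlate a protected node's suspect actions against it and, on a match, classify the node, watch-list the remote end node and record a traffic model) as an added, in-memory Python sketch. This is not the patent holder's code: the `Action`/`Interaction` records, the ordered-subsequence matching rule with a 0.75 tolerance, the traffic-model summary and the sample events (RFC 5737 documentation addresses) are all assumptions made for illustration.

```python
# Added example: toy correlation monitor for the claimed two-phase detection flow.
# Not the patent's implementation; data model, matching rule and events are assumed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Action:
    """One host-level action seen by the monitor (constructed event type)."""
    kind: str    # e.g. "write_file", "set_autorun", "create_process"
    target: str  # file path, registry value, process name, ...


@dataclass(frozen=True)
class Interaction:
    """One network interaction as recorded in the communication log."""
    local_node: str
    remote_node: str
    port: int
    bytes_out: int
    bytes_in: int


@dataclass
class KnowledgeBase:
    # label -> actions the malware took after its control interaction (behavioral models)
    behavioral_models: Dict[str, List[Action]] = field(default_factory=dict)
    # malicious end node -> summary of logged interactions with it (traffic models)
    traffic_models: Dict[str, dict] = field(default_factory=dict)


class Monitor:
    """Knowledge base + communication log + classification state, all in memory."""

    def __init__(self, min_fraction: float = 0.75) -> None:
        self.kb = KnowledgeBase()
        self.comm_log: List[Interaction] = []
        self.infected_nodes: Set[str] = set()
        self.watch_list: Set[str] = set()   # malicious end nodes (claim 19's watch-list)
        self.min_fraction = min_fraction    # assumed tolerance for partial matches

    # Learning phase: an infected node is watched after its control interaction.
    def learn_from_infected_node(self, label: str, control: Interaction,
                                 subsequent_actions: List[Action]) -> None:
        """Record the post-control actions as the behavioral model for `label`."""
        self.comm_log.append(control)
        self.kb.behavioral_models[label] = list(subsequent_actions)

    # Matching rule (assumption): fraction of model actions found in order in observed.
    @staticmethod
    def _consistency(model: List[Action], observed: List[Action]) -> float:
        matched, pos = 0, 0
        for step in model:
            while pos < len(observed) and observed[pos] != step:
                pos += 1
            if pos == len(observed):
                break
            matched, pos = matched + 1, pos + 1
        return matched / len(model) if model else 0.0

    def _traffic_model(self, remote_node: str) -> dict:
        """Summarise every logged interaction with `remote_node`."""
        flows = [i for i in self.comm_log if i.remote_node == remote_node]
        return {"ports": sorted({i.port for i in flows}), "sessions": len(flows),
                "bytes_out": sum(i.bytes_out for i in flows),
                "bytes_in": sum(i.bytes_in for i in flows)}

    # Detection phase: a protected node's interaction and suspect actions arrive.
    def observe_protected_node(self, interaction: Interaction,
                               suspect_actions: List[Action]) -> Optional[str]:
        """Log the interaction; return the matched model label after classifying, else None."""
        self.comm_log.append(interaction)
        best_label, best_score = None, 0.0
        for label, model in self.kb.behavioral_models.items():
            score = self._consistency(model, suspect_actions)
            if score > best_score:
                best_label, best_score = label, score
        if best_label is None or best_score < self.min_fraction:
            return None
        # (a) classify node, (b) watch-list the end node, (c) record a traffic model
        self.infected_nodes.add(interaction.local_node)
        self.watch_list.add(interaction.remote_node)
        self.kb.traffic_models[interaction.remote_node] = self._traffic_model(interaction.remote_node)
        return best_label


def run_demo() -> Monitor:
    """Constructed run: learn from one sandboxed infection, then watch a protected host."""
    mon = Monitor()
    persist = [Action("write_file", "C:/Users/Public/svc.exe"),
               Action("set_autorun", "HKCU/Run/svc"),
               Action("create_process", "svc.exe")]
    # Sandbox node 10.0.0.5 receives control from 198.51.100.7, then drops and persists.
    mon.learn_from_infected_node(
        "dropper-A", Interaction("10.0.0.5", "198.51.100.7", 8443, 900, 4200), persist)
    # Protected node 10.0.1.20 talks to a different end node and repeats the behavior.
    mon.observe_protected_node(
        Interaction("10.0.1.20", "203.0.113.9", 443, 1200, 5100),
        [Action("create_process", "explorer.exe"), *persist])
    return mon


if __name__ == "__main__":
    m = run_demo()
    print("infected:", m.infected_nodes, "watch-list:", m.watch_list, m.kb.traffic_models)
```

The second remote node (203.0.113.9) is never seen during the learning phase; it is flagged purely because the protected node's actions match the recorded behavioral model, which is the point of the claimed correlation. A production version would abstract action targets (path patterns, process lineage) rather than compare them literally.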