Bind Shell Attack Detection

US 20190319981A1
Filed: 04/11/2018
Published: 10/17/2019
Est. Priority Date: 04/11/2018
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

collecting data packets transmitted between multiple entities over a network;

grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong;

identifying pairs of the connections having identical source and destination entities and times that are together within a specified time window;

generating sets of features for the identified pairs of the connections;

evaluating, by a processor, the features in the pairs in order to detect a given pair of connections indicating malicious activity; and

generating an alert for the malicious activity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus and computer program products implement embodiments of the present invention that include collecting data packets transmitted between multiple entities over a network, and grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong. Pairs of the connections are identified having identical source and destination entities and times that are together within a specified time window, and sets of features are generated for the identified pairs of the connections. The features in the pairs are evaluated in order to detect a given pair of connections indicating malicious activity, and an alert is generated for the malicious activity.

17 Citations

View as Search Results

43 Claims

1. A method, comprising:
- collecting data packets transmitted between multiple entities over a network;
  
  grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong;
  
  identifying pairs of the connections having identical source and destination entities and times that are together within a specified time window;
  
  generating sets of features for the identified pairs of the connections;
  
  evaluating, by a processor, the features in the pairs in order to detect a given pair of connections indicating malicious activity; and
  
  generating an alert for the malicious activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method according to claim 1, wherein the malicious activity comprises a bind shell attack.
  - 3. The method according to claim 1, wherein evaluating the features comprises determining a baseline of the features, and comparing the features in the pairs of connections to the baseline of the features.
  - 4. The method according to claim 1, wherein each given pair of connections comprises first and second connections, and wherein each of the features are selected from a list consisting of respective ports used during the first and the second connections, respective start times of the first and the second connections, respective end times of the first and the second connections, respective durations of the first and the second connections, respective volumes of the first and the second connections, respective reverse volumes of the first and the second connections, a source IP address for the first and the second connections, a destination IP address for the first and the second connections and a protocol for the first and the second connections.
  - 5. The method according to claim 4, wherein detecting the malicious activity comprises detecting that the first and the second ports are different for the given pair of connections.
  - 6. The method according to claim 1, wherein each given pair of connections comprises first and second connections, wherein a given feature comprises a difference between respective start times of the first and the second connections.
  - 7. The method according to claim 1, wherein each given pair of connections comprises first and second connections, wherein a given feature comprises a difference between an end time of the first connection and a start time of the second connection.
  - 8. The method according to claim 1, wherein each given pair of connections comprises first and second connections, wherein a given feature comprises a volume of data transmitted from the source entity to the destination entity during the first connection divided by a volume of data transmitted from the destination entity to the source entity during the first connection.
  - 9. The method according to claim 1, wherein each given pair of connections comprises first and second connections, wherein evaluating the features comprises applying a plurality rules to the features, and wherein detecting the given pair of connections indicating malicious activity comprises detecting that at least a predetermined number of the rules vote true.
  - 10. The method according to claim 9, wherein a given rule votes false if a duration of the second connection is less than a small value, if a volume of data transmitted in the second connection is less than a negligible value, and wherein the given rule votes true otherwise.
  - 11. The method according to claim 9, wherein a given rule votes true if a volume of data transmitted in the first connection is less than a small value, and wherein the given rule votes false otherwise.
  - 12. The method according to claim 9, wherein a given rule votes true if a difference between a start time of the first connection and a start time of the second connection is greater than a negligible value and less than a minimal value, and wherein the given rule votes false otherwise.
  - 13. The method according to claim 9, wherein a given rule votes true if a difference between an end time of the first connection and a start time of the second connection is a negligible value that can be positive or negative, and wherein the given rule votes false otherwise.
  - 14. The method according to claim 9, wherein a given rule votes true if a protocol used for the first connection is in a specified set of protocols, and wherein the given rule votes false otherwise.
  - 15. The method according to claim 9, wherein a given rule votes true if a protocol used for the second connection is either unknown or is in a specified set of protocols, and wherein the given rule votes false otherwise.
  - 16. The method according to claim 9, wherein a given rule votes false if a count of distinct IP addresses of the entities that communicated with ports used during the first and the second connections is greater than a small value, and wherein the given rule votes true otherwise.
  - 17. The method according to claim 9, wherein a given rule votes false if, for a given pair of connections comprising a given destination entity, a count of unique source entities that accessed the given destination entity using a first given port during the first connection and a second given port during the second connection is greater than a high value, and wherein the given rule votes true otherwise.
  - 18. The method according to claim 1, wherein each given pair of connections comprises first and second connections, wherein evaluating the features comprises applying, to the features, a plurality of noise detectors comprising respective entries, wherein the noise detector votes false if the features from the given pair of connections are in accordance with one of the entries, wherein the given noise detector votes true otherwise, and wherein detecting the given pair of connections indicating malicious activity comprises detecting that at least a predetermined number of the noise detectors vote true.
  - 19. The method according to claim 18, wherein each of the entries comprises a specified internet protocol (IP) address for the destination entity, and a specified port number on the destination entity used by the first connection.
  - 20. The method according to claim 19, wherein each of the entries also comprises a second specified port number on the destination entity used by the second connection.
  - 21. The method according to claim 18, wherein each of the entries comprises a specified internet protocol (IP) address for the source entity and a specified port on the destination entity used by the first connection.

22. An apparatus, comprising:
- a probe configured to collect data packets transmitted between multiple entities over a network; and
  
  at least one processor configured;
  
  to group the collected packets at least according to their source and destination entities and their times, into connections to which the packets belong,to identify pairs of the connections having identical source and destination entities and times that are together within a specified time window, to generate sets of features for the identified pairs of the connections,to evaluate the features of the pairs in order to detect a given pair of connections indicating malicious activity, andto generate an alert for the malicious activity.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 23. The apparatus according to claim 22, wherein the malicious activity comprises a bind shell attack.
  - 24. The apparatus according to claim 22, wherein a given processor is configured to evaluate the features by determining a baseline of the features, and comparing the features in the pairs of connections to the baseline of the features.
  - 25. The apparatus according to claim 22, wherein each given pair of connections comprises first and second connections, and wherein each of the features are selected from a list consisting of respective ports used during the first and the second connections, respective start times of the first and the second connections, respective end times of the first and the second connections, respective durations of the first and the second connections, respective volumes of the first and the second connections, respective reverse volumes of the first and the second connections, a source IP address for the first and the second connections, a destination IP address for the first and the second connections and a protocol for the first and the second connections.
  - 26. The apparatus according to claim 25, wherein a given processor is configured to detect the malicious activity by detecting that the first and the second ports are different for the given pair of connections.
  - 27. The apparatus according to claim 22, wherein each given pair of connections comprises first and second connections, wherein a given feature comprises a difference between respective start times of the first and the second connections.
  - 28. The apparatus according to claim 22, wherein each given pair of connections comprises first and second connections, wherein a given feature comprises a difference between an end time of the first connection and a start time of the second connection.
  - 29. The apparatus according to claim 22, wherein each given pair of connections comprises first and second connections, wherein a given feature comprises a volume of data transmitted from the source entity to the destination entity during the first connection divided by a volume of data transmitted from the destination entity to the source entity during the first connection.
  - 30. The apparatus according to claim 22, wherein each given pair of connections comprises first and second connections, wherein a given processor is configured to evaluate the features by applying a plurality rules to the features, and wherein a given processor is configured to detect the given pair of connections indicating malicious activity by detecting that at least a predetermined number of the rules vote true.
  - 31. The apparatus according to claim 30, wherein a given rule votes false if a duration of the first connection is less than a small value, if a volume of data transmitted in the second connection is less than a negligible value, and wherein the given rule votes true otherwise.
  - 32. The apparatus according to claim 30, wherein a given rule votes true if a volume of data transmitted in the first connection is less than a small value, and wherein the given rule votes false otherwise.
  - 33. The apparatus according to claim 30, wherein a given rule votes true if a difference between a start time of the first connection and a start time of the second connection is greater than a negligible value and less than a minimal value, and wherein the given rule votes false otherwise.
  - 34. The apparatus according to claim 30, wherein a given rule votes true if a difference between an end time of the first connection and a start time of the second connection is a negligible value that can be positive or negative, and wherein the given rule votes false otherwise.
  - 35. The apparatus according to claim 30, wherein a given rule votes true if a protocol used for the first connection is in a specified set of protocols, and wherein the given rule votes false otherwise.
  - 36. The apparatus according to claim 30, wherein a given rule votes true if a protocol used for the second connection is either unknown or is in a specified set of protocols, and wherein the given rule votes false otherwise.
  - 37. The apparatus according to claim 30, wherein a given rule votes false if a count of distinct IP addresses of the entities that communicated with ports used during the first and the second connections is greater than a small value, and wherein the given rule votes true otherwise.
  - 38. The apparatus according to claim 30, wherein a given rule votes false if, for a given pair of connections comprising a given destination entity, a count of unique source entities that accessed the given destination entity using a first given port during the first connection and a second given port during the second connection is greater than a high value, and wherein the given rule votes true otherwise.
  - 39. The apparatus according to claim 22, wherein each given pair of connections comprises first and second connections, wherein a given processor is configured to evaluate the features by applying, to the features, a plurality of noise detectors comprising respective entries, wherein the noise detector votes false if the features from the given pair of connections are in accordance with one of the entries, wherein the given noise detector votes true otherwise, and wherein a given processor is configured to detect the given pair of connections indicating malicious activity by detecting that at least a predetermined number of the noise detectors vote false.
  - 40. The apparatus according to claim 39, wherein each of the entries comprises a specified internet protocol (IP) address for the destination entity, and a specified port number on the destination entity used by the first connection.
  - 41. The apparatus according to claim 40, wherein each of the entries also comprises a second specified port number on the destination entity used by the second connection.
  - 42. The apparatus according to claim 39 wherein each of the entries comprises a specified internet protocol (IP) address for the destination entity and a specified port on the destination entity used by the first connection.

43. A computer software product, the product comprising a non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer:
- to collect data packets transmitted between multiple entities over a network;
  
  to group the packets at least according to their source and destination entities and their times, into connections to which the packets belong;
  
  to identify pairs of the connections having identical source and destination entities and times that are together within a specified time window;
  
  to generate sets of features for the identified pairs of the connections;
  
  to evaluate, by a processor, the features in the pairs in order to detect a given pair of connections indicating malicious activity; and
  
  to generate an alert for the malicious activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks (UK) Ltd. (Palo Alto Networks Incorporated)
Original Assignee
Palo Alto Networks (UK) Ltd. (Palo Alto Networks Incorporated)
Inventors
Meshi, Yinnon, Amit, Idan, Firstenberg, Eyal, Allon, Jonathan, Neuman, Yaron

Granted Patent

US 10,999,304 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

H04L 63/20   for managing network securi...

Bind Shell Attack Detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Bind Shell Attack Detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links