Systems and methods for detecting encrypted bot command and control communication channels
Abstract
Methods and systems for detecting encrypted bot command and control communication channels are provided. In the exemplary method, the presence of a communication channel between a first network device and a second network device is monitored. Active and inactive periods of the first network device are detected, and a reverse channel is determined based on that detection. The first network device may then be flagged as potentially infected or suspected based on the reverse channel determination.
20 Claims
1. A system comprising:
a channel monitoring module configured to monitor a channel between a first network device and a second network device;
an active/inactive detector module configured to detect an active period and an inactive period of the first network device;
a reverse channel detection module comprising instructions stored on a computer readable medium, the reverse channel detection module being configured to detect an establishment of communication by the first network device and a direction for communication over the channel thereafter based on the detected active period and the inactive period of the first network device with respect to the second network device, the reverse channel detection module being further configured to determine the reverse channel based on communications over the channel being substantially in a reverse direction after the detected establishment; and
a flagging module configured to flag the first network device as potentially infected by a bot based on the reverse channel determination.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A method comprising:
monitoring a channel between a first network device and a second network device;
detecting an active period and an inactive period of the first network device;
determining a reverse channel based on the detected active period and the inactive period of the first network device with respect to the second network device, the determining including detecting establishment of communication by the first network and a direction for communication over the channel thereafter, and detecting communications over the channel being substantially in a reverse direction after the detected establishment; and
flagging the first network device as potentially infected by a bot based on the reverse channel determination.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.
20. A non-transitory computer readable medium having embodied thereon executable instructions, the instructions being executable by a processor for detecting encrypted bot command & control communication channels, the method comprising:
monitoring a channel between a first network device and a second network device;
detecting an active period and an inactive period of the first network device;
determining a reverse channel based on the detected active period and the inactive period of the first network device with respect to the second network device, the determining including detecting establishment of communication by the first network and a direction for communication over the channel thereafter, and detecting communications over the channel being substantially in a reverse direction after the detected establishment; and
flagging the first network device as potentially infected by a bot based on the reverse channel determination.
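The independent claims describe one detection procedure: watch a channel, decide who established it, measure whether later communication runs in the reverse direction (peer toward the host), correlate that with the host's active and inactive periods, and flag the host if the pattern holds. The following Python sketch is an added example written for this page; it is not the patent's own implementation and the patent does not define the thresholds or the notion of an "exchange" used here. It assumes: a channel is the packets between the host and one peer; an exchange is a burst of packets separated by a gap of silence, initiated by the source of its first packet; the host counts as active in a window when it sends a minimum number of bytes to other peers; all packet records and addresses (documentation ranges) are constructed. Only timing, direction and size are used, so encrypted payloads do not matter.

```python
"""Illustrative reverse-channel heuristic (added example; not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since start of capture
    src: str
    dst: str
    size: int   # payload bytes; contents are never inspected


# Tunables chosen for this example only (assumptions, not values from the patent).
GAP_S = 5.0               # silence that separates two exchanges on a channel
WINDOW_S = 60.0           # width of an activity window for the host
ACTIVE_MIN_BYTES = 1000   # host-sent bytes per window needed to count as "active"
REVERSE_THRESHOLD = 0.6   # fraction of peer-initiated exchanges deemed "substantially reverse"
MIN_EXCHANGES = 3         # do not judge a channel on only one or two exchanges

Interval = Tuple[float, float]


def active_intervals(packets: List[Packet], host: str) -> List[Interval]:
    """Windows in which the host sends at least ACTIVE_MIN_BYTES (host is active)."""
    if not packets:
        return []
    start, end = min(p.ts for p in packets), max(p.ts for p in packets)
    out: List[Interval] = []
    t = start
    while t <= end:
        sent = sum(p.size for p in packets if p.src == host and t <= p.ts < t + WINDOW_S)
        if sent >= ACTIVE_MIN_BYTES:
            out.append((t, t + WINDOW_S))
        t += WINDOW_S
    return out


def is_active(ts: float, intervals: List[Interval]) -> bool:
    return any(a <= ts < b for a, b in intervals)


def split_exchanges(channel: List[Packet]) -> List[List[Packet]]:
    """Group a channel's packets into exchanges separated by >= GAP_S of silence."""
    exchanges: List[List[Packet]] = []
    current: List[Packet] = []
    for p in sorted(channel, key=lambda q: q.ts):
        if current and p.ts - current[-1].ts >= GAP_S:
            exchanges.append(current)
            current = []
        current.append(p)
    if current:
        exchanges.append(current)
    return exchanges


def analyze_channel(all_packets: List[Packet], host: str, peer: str) -> Dict[str, object]:
    """Apply the claimed steps to one host/peer channel and return the verdict."""
    channel = [p for p in all_packets if {p.src, p.dst} == {host, peer}]
    # Host activity is measured on traffic that does not involve the peer under review.
    background = [p for p in all_packets if peer not in (p.src, p.dst)]
    exchanges = split_exchanges(channel)
    if not exchanges:
        return {"flagged": False, "reason": "no traffic on channel"}
    # Step 1: establishment -- did the host open the conversation?
    established_by_host = exchanges[0][0].src == host
    # Step 2: direction thereafter -- who initiates each later exchange?
    later = exchanges[1:]
    reverse = [ex for ex in later if ex[0].src == peer]
    fraction = len(reverse) / len(later) if later else 0.0
    # Step 3: correlate reverse traffic with the host's inactive periods.
    active = active_intervals(background, host)
    reverse_while_inactive = sum(1 for ex in reverse if not is_active(ex[0].ts, active))
    # Step 4: flag when the host opened the channel and it then ran mostly in reverse.
    flagged = established_by_host and len(later) >= MIN_EXCHANGES and fraction >= REVERSE_THRESHOLD
    return {
        "established_by_host": established_by_host,
        "exchanges_after_establishment": len(later),
        "reverse_fraction": fraction,
        "reverse_while_inactive": reverse_while_inactive,
        "flagged": flagged,
    }


# Constructed capture: HOST browses WEB for 90 s, then goes idle; the C2 peer keeps
# sending short inbound commands while HOST is idle, and HOST answers each one.
HOST, WEB, C2 = "10.0.0.5", "198.51.100.10", "203.0.113.7"
SAMPLE: List[Packet] = [
    Packet(1.0, HOST, WEB, 600), Packet(1.3, WEB, HOST, 4000),
    Packet(5.0, HOST, C2, 200), Packet(5.5, C2, HOST, 100),      # HOST opens the C2 channel
    Packet(20.0, HOST, WEB, 600), Packet(20.4, WEB, HOST, 4000),
    Packet(70.0, HOST, WEB, 600), Packet(70.4, WEB, HOST, 4000),
    Packet(75.0, HOST, C2, 200), Packet(75.3, C2, HOST, 100),    # keepalive, host-initiated
    Packet(90.0, HOST, WEB, 600), Packet(90.4, WEB, HOST, 4000),
    Packet(150.0, C2, HOST, 300), Packet(150.8, HOST, C2, 1500), # peer-initiated, host idle
    Packet(300.0, C2, HOST, 300), Packet(300.5, HOST, C2, 800),  # peer-initiated, host idle
    Packet(450.0, C2, HOST, 300), Packet(450.4, HOST, C2, 700),  # peer-initiated, host idle
]

if __name__ == "__main__":
    for peer in (WEB, C2):
        print(peer, analyze_channel(SAMPLE, HOST, peer))
```

Run as a script, the web channel reports every later exchange as host-initiated and is not flagged, while the C2 channel reports a 0.75 reverse fraction with all three reverse exchanges falling in the host's inactive period and is flagged. Exchange initiation, rather than byte volume, is used as the direction signal because ordinary client traffic such as downloads is also byte-heavy in the server-to-client direction; a real deployment would additionally need to tune the gap, window and thresholds against its own baseline to keep false positives down.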
Specification