Heuristic botnet detection

  • US 8,555,388 B1
  • Filed: 05/24/2011
  • Issued: 10/08/2013
  • Est. Priority Date: 05/24/2011
  • Status: Active Grant
First Claim

1. A system, comprising:

  • a processor configured to:

    monitor network traffic to identify suspicious network traffic, wherein the monitored network traffic includes HTTP traffic, IRC traffic, and unclassified application traffic;

    monitor behavior indicated in the network traffic to identify malware, wherein the monitored behaviors that indicate potential malware include one or more of the following:

    connecting to a non-standard HTTP port for HTTP traffic, visiting a non-existent domain, downloading executable files with non-standard executable file extensions, performing a DNS query for an email server, communicating using HTTP header with a shorter than common length, communicating using a post method in HTTP traffic, connecting to a non-standard IRC port for IRC traffic, and communicating unclassified traffic over an HTTP port; and

    detect a bot based on a heuristic analysis of the suspicious network traffic behavior, wherein the suspicious network traffic behavior includes command and control traffic associated with a bot master; and

  • a memory coupled to the processor and configured to provide the processor with instructions.
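
The eight behaviors listed in the claim can be expressed as per-event checks whose results are aggregated per source host. The sketch below is an added example, not code from the patent or its assignee: the event field names, the port and extension sets, the header-length floor, and the rule of flagging a host after three distinct behaviors are all assumptions, since the claim does not say how the behaviors are combined.

```python
from collections import defaultdict

HTTP_PORTS = {80, 8080}                      # assumed "standard" HTTP ports
IRC_PORTS = {6667}                           # assumed "standard" IRC port
EXE_EXTS = {".exe", ".dll", ".scr", ".com"}  # assumed standard executable extensions
MIN_HEADER_BYTES = 150                       # assumed floor for a "common" header length
THRESHOLD = 3                                # assumed: distinct behaviors before flagging

def behaviors(ev):
    """Return the claim-1 behaviors that a single traffic event exhibits."""
    app, port, hits = ev["app"], ev.get("dport"), set()
    if app == "http":
        if port not in HTTP_PORTS:
            hits.add("http_nonstd_port")
        if ev.get("method") == "POST":
            hits.add("http_post")
        if ev.get("header_len", MIN_HEADER_BYTES) < MIN_HEADER_BYTES:
            hits.add("http_short_header")
        name = ev.get("filename", "").lower()
        if ev.get("is_pe") and not any(name.endswith(x) for x in EXE_EXTS):
            hits.add("exe_nonstd_ext")
    elif app == "irc" and port not in IRC_PORTS:
        hits.add("irc_nonstd_port")
    elif app == "dns":
        if ev.get("rcode") == "NXDOMAIN":
            hits.add("nxdomain")
        if ev.get("qtype") == "MX":
            hits.add("mx_query")
    elif app == "unknown" and port in HTTP_PORTS:
        hits.add("unknown_on_http_port")
    return hits

def detect_bots(events, threshold=THRESHOLD):
    """Map each flagged source host to the sorted distinct behaviors it showed."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["src"]] |= behaviors(ev)
    return {h: sorted(b) for h, b in seen.items() if len(b) >= threshold}

# Constructed sample events (not real traffic).
SAMPLE = [
    {"src": "10.0.0.5", "app": "http", "dport": 80, "method": "GET", "header_len": 420},
    {"src": "10.0.0.5", "app": "dns", "qtype": "A", "rcode": "NOERROR"},
    {"src": "10.0.0.9", "app": "http", "dport": 8443, "method": "POST", "header_len": 60},
    {"src": "10.0.0.9", "app": "dns", "qtype": "MX", "rcode": "NOERROR"},
    {"src": "10.0.0.9", "app": "http", "dport": 80, "filename": "logo.jpg", "is_pe": True},
    {"src": "10.0.0.7", "app": "unknown", "dport": 80},
]
print(detect_bots(SAMPLE))
```

Requiring several distinct behaviors keeps a host that only issues an ordinary HTTP POST from being flagged on that signal alone.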
