Heuristic botnet detection
First Claim
1. A system, comprising:
a processor configured to:
monitor network traffic to identify suspicious network traffic, wherein the monitored network traffic includes HTTP traffic, IRC traffic, and unclassified application traffic;
monitor behavior indicated in the network traffic to identify malware, wherein the monitored behaviors that indicate potential malware include one or more of the following:
connecting to a non-standard HTTP port for HTTP traffic, visiting a non-existent domain, downloading executable files with non-standard executable file extensions, performing a DNS query for an email server, communicating using an HTTP header with a shorter than common length, communicating using a POST method in HTTP traffic, connecting to a non-standard IRC port for IRC traffic, and communicating unclassified traffic over an HTTP port; and
detect a bot based on a heuristic analysis of the suspicious network traffic behavior, wherein the suspicious network traffic behavior includes command and control traffic associated with a bot master; and
a memory coupled to the processor and configured to provide the processor with instructions.
Abstract
In some embodiments, heuristic botnet detection is provided. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master. In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score.
19 Claims
1. A system, comprising:
a processor configured to:
monitor network traffic to identify suspicious network traffic, wherein the monitored network traffic includes HTTP traffic, IRC traffic, and unclassified application traffic;
monitor behavior indicated in the network traffic to identify malware, wherein the monitored behaviors that indicate potential malware include one or more of the following:
connecting to a non-standard HTTP port for HTTP traffic, visiting a non-existent domain, downloading executable files with non-standard executable file extensions, performing a DNS query for an email server, communicating using an HTTP header with a shorter than common length, communicating using a POST method in HTTP traffic, connecting to a non-standard IRC port for IRC traffic, and communicating unclassified traffic over an HTTP port; and
detect a bot based on a heuristic analysis of the suspicious network traffic behavior, wherein the suspicious network traffic behavior includes command and control traffic associated with a bot master; and
a memory coupled to the processor and configured to provide the processor with instructions.
Dependent claims: 2 to 14 and 19.
15. A method, comprising:
monitoring network traffic to identify suspicious network traffic, wherein the monitored network traffic includes HTTP traffic, IRC traffic, and unclassified application traffic;
monitoring behavior indicated in the network traffic to identify malware, wherein the monitored behaviors that indicate potential malware include one or more of the following:
connecting to a non-standard HTTP port for HTTP traffic, visiting a non-existent domain, downloading executable files with non-standard executable file extensions, performing a DNS query for an email server, communicating using an HTTP header with a shorter than common length, communicating using a POST method in HTTP traffic, connecting to a non-standard IRC port for IRC traffic, and communicating unclassified traffic over an HTTP port; and
detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor;
wherein the suspicious network traffic behavior includes command and control traffic associated with a bot master.
Dependent claim: 16.
17. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
monitoring network traffic to identify suspicious network traffic, wherein the monitored network traffic includes HTTP traffic, IRC traffic, and unclassified application traffic;
monitoring behavior indicated in the network traffic to identify malware, wherein the monitored behaviors that indicate potential malware include one or more of the following:
connecting to a non-standard HTTP port for HTTP traffic, visiting a non-existent domain, downloading executable files with non-standard executable file extensions, performing a DNS query for an email server, communicating using an HTTP header with a shorter than common length, communicating using a POST method in HTTP traffic, connecting to a non-standard IRC port for IRC traffic, and communicating unclassified traffic over an HTTP port; and
detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor;
wherein the suspicious network traffic behavior includes command and control traffic associated with a bot master.
Dependent claim: 18.
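The scoring described in the abstract (per-behavior score, raised further when several behaviors correlate on one host, then a threshold) applied to the eight behaviors listed in the claims, as an added illustration that is not the patent's own implementation. The Flow record, the heuristic weights, the correlation bonus, the threshold and the sample traffic are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Flow:  # constructed per-flow record; field names are my own, not the patent's
    proto: str              # "http", "irc", "dns" or "unknown" (unclassified)
    dport: int
    method: str = ""        # HTTP method
    path: str = ""          # HTTP request path
    header_len: int = 0     # HTTP request header length in bytes
    is_exe: bool = False    # response body identified as an executable
    nxdomain: bool = False  # DNS reply was NXDOMAIN
    qtype: str = ""         # DNS query type

HEURISTICS = {  # one entry per behaviour in the claims: (predicate, weight); weights assumed
    "nonstd_http_port": (lambda f: f.proto == "http" and f.dport not in (80, 443, 8080), 2),
    "nonexistent_domain": (lambda f: f.proto == "dns" and f.nxdomain, 1),
    "exe_odd_extension": (lambda f: f.proto == "http" and f.is_exe
                          and not f.path.lower().endswith((".exe", ".dll", ".msi")), 3),
    "dns_mail_server": (lambda f: f.proto == "dns" and f.qtype == "MX", 1),
    "short_http_header": (lambda f: f.proto == "http" and 0 < f.header_len < 100, 1),
    "http_post": (lambda f: f.proto == "http" and f.method == "POST", 1),
    "nonstd_irc_port": (lambda f: f.proto == "irc" and f.dport != 6667, 2),
    "unclassified_on_http_port": (lambda f: f.proto == "unknown" and f.dport in (80, 8080), 2),
}
CORRELATION_BONUS = 2  # added per additional distinct behaviour seen on the same host
BOT_THRESHOLD = 6      # assumed cut-off for classifying the host as a bot

def score_host(flows):
    """Score one host's flows; returns (score, sorted names of triggered heuristics)."""
    score, triggered = 0, set()
    for f in flows:
        for name, (check, weight) in HEURISTICS.items():
            if check(f):
                score += weight
                triggered.add(name)
    # Correlation step from the abstract: distinct behaviours on one host raise the score further.
    if len(triggered) > 1:
        score += CORRELATION_BONUS * (len(triggered) - 1)
    return score, sorted(triggered)

def is_bot(flows):
    return score_host(flows)[0] >= BOT_THRESHOLD  # threshold decision from the abstract

# Constructed traffic: SUSPECT shows several listed behaviours, BENIGN is ordinary browsing.
SUSPECT = [
    Flow("dns", 53, nxdomain=True),
    Flow("http", 8081, method="POST", path="/gate.php", header_len=60),
    Flow("http", 8081, method="GET", path="/img/up.jpg", header_len=60, is_exe=True),
    Flow("unknown", 80),
]
BENIGN = [Flow("http", 80, method="GET", path="/", header_len=400)]
```

A single behaviour on its own (one HTTP flow to a non-standard port, say) scores 2 and stays below the threshold; it is the correlation of several behaviours on one host that pushes the score over.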
Specification