Systems and methods for detecting communication channels of bots
First Claim
1. A method for detecting a communication channel of a bot, comprising:
- detecting presence of a suspected command and control communication channel between a first network device and a second network device, the suspected command and control communication channel having an increased probability of being used for bot communication;
- identifying the communication channel of the bot, the communication channel of the bot being a command and control communication channel permitting remote control of all or a portion of the second network device without authorization by a user of the second network device, the identifying comprising:
  - scanning data flow within the detected suspected command and control communication channel for a bot communication;
  - determining a first of a plurality of protocols and corresponding ports associated with the data flow; and
  - determining if a suspected bot communication exists within the data flow by analyzing a response of a virtual machine to the data flow, the virtual machine being configurable with ports corresponding to any of the plurality of protocols including the first protocol associated with the data flow, the virtual machine configured with the corresponding ports associated with the data flow; and
- if a suspected bot communication is detected indicating existence of the communication channel of the bot, performing a recovery process.
Abstract
Exemplary systems and methods for detecting a communication channel of a bot. In exemplary embodiments, presence of a communication channel between a first network device and a second network device is detected. Data from the communication channel is scanned and used to determine if a suspected bot communication exists. If a bot communication is detected, then a recovery process may be initiated.
31 Claims
1. A method for detecting a communication channel of a bot, comprising the steps set out in full under First Claim above. Dependent claims: 2 to 14, 22 and 23.
15. A system for detecting communication channels of a bot, comprising:
- a processor;
- a tap configured to access data from a detected suspected command and control communication channel, the detected suspected command and control communication channel having an increased probability of being used for bot communication; and
- a bot detector comprising instructions executable by the processor, the bot detector being configured to identify the communication channels of the bot, each communication channel of the bot being a command and control communication channel permitting remote control of all or a portion of the second network device without authorization by a user of the second network device, the identifying comprising instructions to:
  - scan the data from the detected suspected command and control communication channel for bot communication;
  - determining a first of a plurality of protocols and corresponding ports associated with the data flow; and
  - determine if the data from the detected suspected command and control communication channel comprises a bot communication by analyzing a response of a virtual machine to the data flow, the virtual machine being configurable with ports corresponding to any of the plurality of protocols including the first protocol associated with the data flow, the virtual machine configured with the corresponding ports associated with the data flow.
Dependent claims: 16 to 20.
21. A non-transitory computer readable medium having embodied thereon instructions executable by a processor for performing method operations for detecting communication channels of a bot, comprising:
- detecting presence of a suspected command and control communication channel between a first network device and a second network device, the suspected command and control communication channel having an increased probability of being used for bot communication;
- identifying the communication channel of the bot, the communication channel of the bot being a command and control communication channel permitting remote control of all or a portion of the second network device without authorization by a user of the second network device, the identifying comprising:
  - scanning data flow within the detected suspected command and control communication channel for a bot communication;
  - determining a first of a plurality of protocols and corresponding ports associated with the data flow; and
  - determining if a suspected bot communication exists within the data flow by analyzing a response of a virtual machine to the data flow, the virtual machine being configurable with ports corresponding to any of the plurality of protocols including the first protocol associated with the data flow, the virtual machine configured with the corresponding ports associated with the data flow; and
- if a suspected bot communication is detected indicating existence of the communication channel of the bot, performing a recovery process.
24. A method for detecting a communication channel of a bot, comprising:
- detecting presence of a suspected command and control communication channel between a first network device and a second network device, the suspected command and control communication channel having an increased probability of being used for bot communication;
- identifying the communication channel of the bot, the communication channel of the bot being a command and control communication channel permitting remote control of all or a portion of the second network device without authorization by a user of the second network device, the identifying comprising:
  - scanning data flow within the detected suspected command and control communication channel for a bot communication; and
  - determining if a suspected bot communication exists within the data flow; and
- if a suspected bot communication is detected indicating existence of the communication channel of the bot, performing a recovery process, wherein performing a recovery process comprises determining suspicious nodes by identifying nodes that have participated in communications associated with the suspected command and control communication channel.
Dependent claims: 25 to 27.
28. A method for detecting a communication channel of a bot, comprising:
- detecting presence of a suspected command and control communication channel between a first network device and a second network device, the suspected command and control communication channel having an increased probability of being used for bot communication;
- identifying the communication channel of the bot, the communication channel of the bot being a command and control communication channel permitting remote control of all or a portion of the second network device without authorization by a user of the second network device, the identifying comprising:
  - organizing network data within the detected suspected command and control communication channel into one or more data flows by utilizing protocol implementation information identified by a protocol fingerprint module;
  - scanning the one or more data flows within the detected suspected command and control communication channel for a bot communication; and
  - determining if a suspected bot communication exists within the data flow; and
- if a suspected bot communication is detected indicating existence of the communication channel of the bot, performing a recovery process.
Dependent claims: 29 and 30.
31. A method for detecting a communication channel of a bot, comprising:
- detecting presence of a suspected command and control communication channel between a first network device and a second network device, the suspected command and control communication channel having an increased probability of being used for bot communication;
- identifying the communication channel of the bot, the communication channel of the bot being a command and control communication channel permitting remote control of all or a portion of the second network device without authorization by a user of the second network device, the identifying comprising:
  - scanning data flow within the detected suspected command and control communication channel for a bot communication;
  - determining protocols and ports associated with the data flow; and
  - determining if a suspected bot communication exists within the data flow by analyzing a response of a virtual machine configured with the protocols and ports to receive and respond to the data flow;
- if a suspected bot communication is detected indicating existence of the communication channel of the bot; and
- performing a recovery process, wherein performing a recovery process comprises determining suspicious nodes by identifying nodes that have participated in communications associated with the suspected command and control communication channel.
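The flow-organizing step of claim 28 (grouping captured packets into flows using protocol fingerprints rather than port numbers alone) and the recovery step of claims 24 and 31 (listing the nodes that took part in traffic with the suspected command and control endpoint) can be modelled in a few dozen lines. The code below is an added illustration, not the patent's own implementation; the packet layout, the fingerprint table, the sample addresses and the helper names are all constructed for this example, and the virtual-machine response analysis of the claims is not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed minimal packet record: addresses, ports and payload."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Constructed fingerprints: payload prefixes identify the protocol implementation
# even when the traffic does not use the protocol's usual port.
FINGERPRINTS = {b"GET ": "http", b"POST ": "http",
                b"NICK ": "irc", b"USER ": "irc", b"PRIVMSG ": "irc"}
DEFAULT_PORT_PROTO = {80: "http", 6667: "irc"}


def fingerprint(payload: bytes, dport: int) -> str:
    """Protocol of a packet: payload prefix first, destination port as fallback."""
    for prefix, proto in FINGERPRINTS.items():
        if payload.startswith(prefix):
            return proto
    return DEFAULT_PORT_PROTO.get(dport, "unknown")


def organize_flows(packets):
    """Group packets into flows keyed by (src, dst, dport, fingerprinted protocol)."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p.src, p.dst, p.dport, fingerprint(p.payload, p.dport))].append(p)
    return dict(flows)


def suspicious_nodes(flows, c2_host: str) -> set:
    """Recovery step: every node that took part in a flow with the suspected C2 host."""
    nodes = set()
    for src, dst, _port, _proto in flows:
        if c2_host in (src, dst):
            nodes.add(dst if src == c2_host else src)
    return nodes


# Constructed sample traffic: two internal hosts speak IRC to the suspected C2
# endpoint on port 8080 (not the IRC port); one of them also browses a benign server.
SAMPLE = [
    Packet("10.0.0.5", 51000, "203.0.113.9", 8080, b"NICK bot5\r\n"),
    Packet("10.0.0.5", 51000, "203.0.113.9", 8080, b"USER bot5 0 * :x\r\n"),
    Packet("10.0.0.7", 51200, "203.0.113.9", 8080, b"PRIVMSG #c :ready\r\n"),
    Packet("10.0.0.5", 51300, "198.51.100.20", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    flows = organize_flows(SAMPLE)
    for key, pkts in flows.items():
        print(key, len(pkts), "packet(s)")
    print("suspicious nodes:", sorted(suspicious_nodes(flows, "203.0.113.9")))
```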