Systems and methods for detecting communication channels of bots

US 8,561,177 B1
Filed: 11/30/2007
Issued: 10/15/2013
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a communication channel of a bot, comprising:

detecting presence of a suspected command and control communication channel between a first network device and a second network device, the suspected command and control communication channel having an increased probability of being used for bot communication;

identifying the communication channel of the bot, the communication channel of the bot being a command and control communication channel permitting remote control of all or a portion of the second network device without authorization by a user of the second network device, the identifying comprising;

scanning data flow within the detected suspected command and control communication channel for a bot communication;

determining a first of a plurality of protocols and corresponding ports associated with the data flow; and

determining if a suspected bot communication exists within the data flow by analyzing a response of a virtual machine to the data flow, the virtual machine being configurable with ports corresponding to any of the plurality of protocols including the first protocol associated with the data flow, the virtual machine configured with the corresponding ports associated with the data flow; and

if a suspected bot communication is detected indicating existence of the communication channel of the bot, performing a recovery process.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Exemplary systems and methods for detecting a communication channel of a bot. In exemplary embodiments, presence of a communication channel between a first network device and a second network device is detected. Data from the communication channel is scanned and used to determine if a suspected bot communication exists. If a bot communication is detected, then a recovery process may be initiated.

Citations

31 Claims

1. A method for detecting a communication channel of a bot, comprising:
- detecting presence of a suspected command and control communication channel between a first network device and a second network device, the suspected command and control communication channel having an increased probability of being used for bot communication;
  
  identifying the communication channel of the bot, the communication channel of the bot being a command and control communication channel permitting remote control of all or a portion of the second network device without authorization by a user of the second network device, the identifying comprising;
  
  scanning data flow within the detected suspected command and control communication channel for a bot communication;
  
  determining a first of a plurality of protocols and corresponding ports associated with the data flow; and
  
  determining if a suspected bot communication exists within the data flow by analyzing a response of a virtual machine to the data flow, the virtual machine being configurable with ports corresponding to any of the plurality of protocols including the first protocol associated with the data flow, the virtual machine configured with the corresponding ports associated with the data flow; and
  
  if a suspected bot communication is detected indicating existence of the communication channel of the bot, performing a recovery process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 22, 23)
- - 2. The method of claim 1 wherein detecting presence of the suspected command and control communication channel occurs via a packet level analysis.
  - 3. The method of claim 1 wherein detecting presence of the suspected command and control communication channel occurs via a virtual machine level analysis.
  - 4. The method of claim 1 wherein determining if a suspected bot communication exists comprises detecting if any peer-to-peer (P2P) anomaly communication chains are present.
  - 5. The method of claim 4 wherein the detecting if any peer-to-peer (P2P) anomaly communication chains are present comprises determining if any chain of nodes communicating to non-standard ports exceeds a predetermined threshold.
  - 6. The method of claim 1 where determining if a suspected bot communication exists comprises identifying and scanning at least one network device.
  - 7. The method of claim 1 wherein determining if a suspected bot communication exists comprises identifying an internet relay chat (IRC) channel establishment command.
  - 8. The method of claim 1 wherein determining if a suspected bot communication exists comprises simulating data flow between a replayer and a virtual machine and analyzing a response of the virtual machine.
  - 9. The method of claim 1 wherein determining if a suspected bot communication exists comprises analyzing a response of a virtual machine.
  - 10. The method of claim 1 wherein performing the recovery process comprises providing notification to at least one administrator.
  - 11. The method of claim 1 wherein performing the recovery process comprises assigning color codes for review by an administrator.
  - 12. The method of claim 1 wherein performing the recovery process comprises performing infection propagation analysis on nodes associated with the bot communication.
  - 13. The method of claim 1 wherein performing the recovery process comprises determining an identity of the first network device.
  - 14. The method of claim 1 wherein performing the recovery process comprises redirecting all communications from the first network device to a virtual machine.
  - 22. The method of claim 1 being conducted by a hardware processor within a controller.
  - 23. The method of claim 1, wherein the first of the plurality of protocols includes transmission control protocol/internet protocol (TCP/IP).

15. A system for detecting communication channels of a bot, comprising:
- a processor;
  
  a tap configured to access data from a detected suspected command and control communication channel, the detected suspected command and control communication channel having an increased probability of being used for bot communication; and
  
  a bot detector comprising instructions executable by the processor, the bot detector being configured to identify the communication channels of the bot each communication channel of the bot being a command and control communication channel permitting remote control of all or a portion of the second network device without authorization by a user of the second network device, the identifying comprising instructions to;
  
  scan the data from the detected suspected command and control communication channel for bot communication;
  
  determining a first of a plurality of protocols and corresponding ports associated with the data flow; and
  
  determine if the data from the detected suspected command and control communication channel comprises a bot communication by analyzing a response of a virtual machine to the data flow, the virtual machine being configurable with ports corresponding to any of the plurality of protocols including the first protocol associated with the data flow, the virtual machine configured with the corresponding ports associated with the data flow.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15 further comprising a router.
  - 17. The system of claim 15 further comprising an interceptor module.
  - 18. The system of claim 15 wherein the bot detector comprises a protocol fingerprint module configured to determine if the data comprises a control and command message.
  - 19. The system of claim 15 wherein the bot detector comprises a port module configured to determine if the data is being sent from a non-standard port.
  - 20. The system of claim 15 wherein the bot detector comprises a heuristic module configured to determine using a virtual machine whether the data comprises a bot communication.

21. A non-transitory computer readable medium having embodied thereon instructions executable by a processor for performing a method operations for detecting communication channels of a bot, comprising:
- detecting presence of a suspected command and control communication channel between a first network device and a second network device, the suspected command and control communication channel having an increased probability of being used for bot communication;
  
  identifying the communication channel of the bot the communication channel of the bot being a command and control communication channel permitting remote control of all or a portion of the second network device without authorization by a user of the second network device, the identifying comprising;
  
  scanning data flow within the detected suspected command and control communication channel for a bot communication;
  
  determining a first of a plurality of protocols and corresponding ports associated with the data flow; and
  
  determining if a suspected bot communication exists within the data flow by analyzing a response of a virtual machine to the data flow, the virtual machine being configurable with ports corresponding to any of the plurality of protocols including the first protocol associated with the data flow, the virtual machine configured with the corresponding ports associated with the data flow; and
  
  if a suspected bot communication is detected indicating existence of the communication channel of the bot, performing a recovery process.

24. A method for detecting a communication channel of a bot, comprising:
- detecting presence of a suspected command and control communication channel between a first network device and a second network device, the suspected command and control communication channel having an increased probability of being used for bot communication;
  
  identifying the communication channel of the bot, the communication channel of the bot being a command and control communication channel permitting remote control of all or a portion of the second network device without authorization by a user of the second network device, the identifying comprising;
  
  scanning data flow within the detected suspected command and control communication channel for a bot communication; and
  
  determining if a suspected bot communication exists within the data flow; and
  
  if a suspected bot communication is detected indicating existence of the communication channel of the bot, performing a recovery process, wherein performing a recovery process comprises determining suspicious nodes by identifying nodes that have participated in communications associated with the suspected command and control communication channel.
- View Dependent Claims (25, 26, 27)
- - 25. The method of claim 24, wherein the determining of the suspicious nodes by identifying nodes that have participated in communications associated with the suspected command and control communication channel further comprises identifying nodes that have participated in an internet relay chat (IRC) communication with a potential bot server.
  - 26. The method of claim 24, wherein the determining of the suspicious nodes by identifying nodes that have participated in communications associated with the suspected command and control communication channel further comprises identifying nodes that have participated in a suspicious P2P network.
  - 27. The method of claim 24, wherein the determining of the suspicious nodes by identifying nodes that have participated in communications associated with the suspected command and control communication channel further comprises identifying nodes that have made an outbound DNS request for a DNS name associated with a suspected command and control communication channel.

28. A method for detecting a communication channel of a bot, comprising:
- detecting presence of a suspected command and control communication channel between a first network device and a second network device, the suspected command and control communication channel having an increased probability of being used for bot communication;
  
  identifying the communication channel of the bot, the communication channel of the bot being a command and control communication channel permitting remote control of all or a portion of the second network device without authorization by a user of the second network device, the identifying comprising;
  
  organizing network data within the detected suspected command and control communication channel into one or more data flows by utilizing protocol implementation information identified by a protocol fingerprint module;
  
  scanning the one or more data flows within the detected suspected command and control communication channel for a bot communication; and
  
  determining if a suspected bot communication exists within the data flow; and
  
  if a suspected bot communication is detected indicating existence of the communication channel of the bot, performing a recovery process.
- View Dependent Claims (29, 30)
- - 29. The method of claim 28, wherein the organizing of the network data within the detected suspected command and control communication channel into one or more data flows by utilizing protocol implementation information identified by a protocol fingerprint module further comprises organizing the network data into one or more internet relay chat (IRC) communication data flows.
  - 30. The method of claim 28, wherein the organizing of the network data within the detected suspected command and control communication channel into one or more data flows by utilizing protocol implementation information identified by a protocol fingerprint module further comprises organizing the network data into one or more P2P communication data flows.

31. A method for detecting a communication channel of a bot, comprising:
- detecting presence of a suspected command and control communication channel between a first network device and a second network device, the suspected command and control communication channel having an increased probability of being used for bot communication;
  
  identifying the communication channel of the bot, the communication channel of the bot being a command and control communication channel permitting remote control of all or a portion of the second network device without authorization by a user of the second network device, the identifying comprising;
  
  scanning data flow within the detected suspected command and control communication channel for a bot communication;
  
  determining protocols and ports associated with the data flow; and
  
  determining if a suspected bot communication exists within the data flow by analyzing a response of a virtual machine configured with the protocols and ports to receive and respond to the data flow;
  
  if a suspected bot communication is detectedindicating existence of the communication channel of the bot; and
  
  performing a recovery process, wherein performing a recovery process comprises determining suspicious nodes by identifying nodes that have participated in communications associated with the suspected command and control communication channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Aziz, Ashar, Lai, Wei-Lung, Manni, Jayaraman
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
ALMEIDA, DEVIN E

Application Number

US11/998,605
Time in Patent Office

2,146 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

H04L 2463/144   Detection or countermeasure...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Systems and methods for detecting communication channels of bots

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting communication channels of bots

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links