Method and system for detecting malware
First Claim
1. A method of analysis, comprising:
- performing processing associated with collecting, using at least one processor circuit in communication with at least one database, at least one pre-defined number of NX domain names from at least one asset in at least one real network, the NX domain names being domain names that are not registered;
- performing processing associated with utilizing, using the at least one processor circuit in communication with the at least one database, the statistical information about the at least one set of NX domain names to create testing vectors;
- performing processing associated with classifying, using at least one processor circuit in communication with at least one database, the testing vectors as benign vectors or malicious vectors by comparing the statistical information in the testing vectors to statistical information in training vectors using at least one meta-classifier comprising at least two classifiers; and
- performing processing associated with classifying, using at least one processor circuit in communication with at least one database, the at least one asset in the at least one real network as infected if the NX testing vector created from the real network NX domain names is classified as a malicious vector;
wherein the training vectors and the testing vectors are created by:
- computing the statistical information for at least one set of NX domain names; and
- collecting the statistical information for each set of NX domain names in at least one vector.
Abstract
A system and method of analysis. NX domain names are collected from an asset in a real network. The NX domain names are domain names that are not registered. The real network NX domain names are utilized to create testing vectors. The testing vectors are classified as benign vectors or malicious vectors based on training vectors. The asset is then classified as infected if the NX testing vector created from the real network NX domain names is classified as a malicious vector.
18 Claims
1. A method of analysis, comprising: (claim text as set out in full under First Claim above; dependent claims 2 to 9 not shown)
10. A system of analysis, comprising:
at least one processor circuit in communication with at least one database, the at least one processor circuit connected to at least one network and configured for:
- performing processing associated with collecting at least one pre-defined number of NX domain names from at least one asset comprising at least one processor in at least one real network, the NX domain names being domain names that are not registered;
- performing processing associated with using statistical information about the pre-defined number of NX domain names to create testing vectors;
- performing processing associated with classifying the testing vectors as benign vectors or malicious vectors by comparing the statistical information in the testing vectors to statistical information in training vectors using at least one meta-classifier comprising at least two classifiers; and
- performing processing associated with classifying the at least one asset in the at least one real network as infected if the NX testing vector created from the real network NX domain names is classified as a malicious vector;
wherein the training vectors and the testing vectors are created by:
- computing the statistical information for at least one set of NX domain names; and
- collecting the statistical information for each set of NX domain names in at least one vector.
(Dependent claims 11 to 18 not shown.)
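The claimed pipeline as an added Python example (not the patent's own code): a pre-defined number of NX domain names is collected per asset, the statistical information for each set becomes one vector, and a meta-classifier built from two base classifiers decides whether the testing vector is benign or malicious. The four features, the two base classifiers (nearest neighbour and nearest centroid), the agreement rule and all sample NX names are assumptions chosen for this example; the claims only say "statistical information" and "at least two classifiers".

```python
import math
from collections import Counter
from statistics import mean, pstdev

# Constructed sample NX sets (not from the patent): typo/legacy-name lookups
# that look benign, and random-looking labels of the kind a DGA produces.
BENIGN_NX = ["gogle.com", "faceboook.com", "printer.corp.local", "wpad.home",
             "intranet.example.corp", "mailserver.lan", "ntp.oldvendor.com",
             "twiter.com", "update.legacyapp.net", "fileshare.corp.local"]
DGA_NX = ["x7f3k9q2p1.net", "q2w8e4r6t0.com", "z9p3l7v1k5.biz", "a1s2d3f4g5.info",
          "m8n7b6v5c4.net", "h3j5k7l9p1.com", "y6u4i2o0p8.org", "r9e7w5q3t1.net",
          "k1l3m5n7b9.com", "v2c4x6z8a0.biz"]

def _entropy(s):
    # Shannon entropy (bits) of the characters in one label
    n = max(len(s), 1)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def nx_vector(nx_names):
    # "Statistical information" for one set of NX names; the four features
    # (mean/std of label length, mean entropy, mean digit share) are assumed.
    labels = [d.lower().rstrip(".").split(".")[0] for d in nx_names]
    lens = [len(l) for l in labels]
    return (mean(lens), pstdev(lens), mean(_entropy(l) for l in labels),
            mean(sum(ch.isdigit() for ch in l) / max(len(l), 1) for l in labels))

def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def nearest_neighbour(training, v):
    # base classifier 1: label of the closest training vector
    return min(training, key=lambda t: _dist(t[0], v))[1]

def nearest_centroid(training, v):
    # base classifier 2: label of the closest per-class centroid
    cents = {lab: tuple(mean(col) for col in zip(*[t[0] for t in training if t[1] == lab]))
             for lab in {t[1] for t in training}}
    return min(cents, key=lambda lab: _dist(cents[lab], v))

def meta_classify(training, v):
    # meta-classifier: the two base classifiers must agree, else "undecided"
    votes = {nearest_neighbour(training, v), nearest_centroid(training, v)}
    return votes.pop() if len(votes) == 1 else "undecided"

def asset_infected(training, nx_names, min_count=10):
    # infected only if the NX testing vector is malicious; no verdict (None)
    # until the pre-defined number of NX names has been collected
    if len(nx_names) < min_count:
        return None
    return meta_classify(training, nx_vector(nx_names)) == "malicious"

# Training vectors: statistical information for each labelled NX set (halves
# of the constructed sets, giving two training vectors per class).
TRAINING = [(nx_vector(BENIGN_NX[:5]), "benign"), (nx_vector(BENIGN_NX[5:]), "benign"),
            (nx_vector(DGA_NX[:5]), "malicious"), (nx_vector(DGA_NX[5:]), "malicious")]
```

Feeding the NX names observed for one asset into asset_infected() gives True, False or None (not enough names yet); a disagreement between the two base classifiers leaves the vector "undecided" rather than flagging the asset.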
Specification