Method and system for detecting malware

US 8,578,497 B2
Filed: 01/05/2011
Issued: 11/05/2013
Est. Priority Date: 01/06/2010
Status: Active Grant

First Claim

Patent Images

1. A method of analysis, comprising:

performing processing associated with collecting, using at least one processor circuit in communication with at least one database, at least one pre-defined number of NX domain names from at least one asset in at least one real network, the NX domain names being domain names that are not registered;

performing processing associated with utilizing, using the at least one processor circuit in communication with the at least one database, the statistical information about the at least one set of NX domain names to create testing vectors;

performing processing associated with classifying, using at least one processor circuit in communication with at least one database, the testing vectors as benign vectors or malicious vectors by comparing the statistical information in the testing vectors to statistical information in training vectors using at least one meta-classifier comprising at least two classifiers; and

performing processing associated with classifying, using at least one processor circuit in communication with at least one database, the at least one asset in the at least one real network as infected if the NX testing vector created from the real network NX domain names is classified as a malicious vector;

wherein the training vectors and the testing vectors are created by;

computing the statistical information for at least one set of NX domain names; and

collecting the statistical information for each set of NX domain names in at least one vector.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method of analysis. NX domain names are collected from an asset in a real network. The NX domain names are domain names that are not registered. The real network NX domain names are utilized to create testing vectors. The testing vectors are classified as benign vectors or malicious vectors based on training vectors. The asset is then classified as infected if the NX testing vector created from the real network NX domain names is classified as a malicious vector.

203 Citations

18 Claims

1. A method of analysis, comprising:
- performing processing associated with collecting, using at least one processor circuit in communication with at least one database, at least one pre-defined number of NX domain names from at least one asset in at least one real network, the NX domain names being domain names that are not registered;
  
  performing processing associated with utilizing, using the at least one processor circuit in communication with the at least one database, the statistical information about the at least one set of NX domain names to create testing vectors;
  
  performing processing associated with classifying, using at least one processor circuit in communication with at least one database, the testing vectors as benign vectors or malicious vectors by comparing the statistical information in the testing vectors to statistical information in training vectors using at least one meta-classifier comprising at least two classifiers; and
  
  performing processing associated with classifying, using at least one processor circuit in communication with at least one database, the at least one asset in the at least one real network as infected if the NX testing vector created from the real network NX domain names is classified as a malicious vector;
  
  wherein the training vectors and the testing vectors are created by;
  
  computing the statistical information for at least one set of NX domain names; and
  
  collecting the statistical information for each set of NX domain names in at least one vector.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising classifying previously unclassified malware from the NX domain names.
  - 3. The method of claim 1, wherein only DNS NX domain name information is utilized to classify the at least one asset as infected.
  - 4. The method of claim 1, wherein only NX domain traffic is utilized.
  - 5. The method of claim 1, wherein the meta-classifier provides intelligence for identifying new malware.
  - 6. The method of claim 1, further comprising classifying previously classified malware from the NX domain names.
  - 7. The method of claim 1, wherein the NX domain names collected from the at least one honeypot and the at least one real network are grouped into sets of 10 using absolute timing sequence information.
  - 8. The method of claim 1, wherein the statistical information comprises:
    - an average of domain name length;
      
      a standard deviation of a domain name length;
      
      a number of different top level domains;
      
      a length of a domain name excluding a top level domain;
      
      a median of a number of unique characters;
      
      an average of a number of unique characters;
      
      a standard deviation of a number of unique characters;
      
      a median of unique 2-grams;
      
      an average of unique 2-grams;
      
      a standard deviation of unique 2-grams;
      
      a frequency of ,com top level domains over frequency of remaining to level domains;
      
      a median of unique 3-grams;
      
      an average of unique 3-grams;
      
      a standard deviation of unique 3-grams;
      
      a median count of unique top level domains;
      
      an average count of unique top level domains;
      
      or a standard deviation count of to level domains;
      
      or any combination thereof.
  - 9. The method of claim 1, wherein NX domain names from honeypots are used to create the training vectors.

10. A system of analysis, comprising:
- at least one processor circuit in communication with at least one database, the at least one processor circuit connected to at least one network and configured for;
  
  performing processing associated with collecting at least one pre-defined number of NX domain names from at least one asset comprising at least one processor in at least one real network, the NX domain names being domain names that are not registered;
  
  performing processing associated with using statistical information about the pre-defined number of -NX domain names to create testing vectors;
  
  performing processing associated with classifying the testing vectors as benign vectors or malicious vectors by comparing the statistical information in the testing vectors to statistical information in training vectors using at least one meta-classifier comprising at least two classifiers; and
  
  performing processing associated with classifying the at least one asset in the at least one real network as infected if the NX testing vector created from the real network NX domain names is classified as a malicious vector;
  
  wherein the training vectors and the testing vectors are created by;
  
  computing the statistical information for at least one set of NX domain names; and
  
  collecting the statistical information for each set of NX domain names in at least one vector.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the at least one application is further configured for classifying previously unclassified malware from the NX domain names.
  - 12. The system of claim 10, wherein only DNS NX domain name information is utilized to classify the at least one asset as infected.
  - 13. The system of claim 10, wherein only NX domain traffic is utilized.
  - 14. The system of claim 10, wherein the meta-classifier provides intelligence for identifying new malware.
  - 15. The system of claim 10, wherein the at least one application is further configured for classifying previously classified malware from the NX domain names.
  - 16. The system of claim 10, wherein the NX domain names collected from the at least one honeypot and the at least one real network are grouped into sets of 10 using absolute timing sequence information.
  - 17. The system of claim 10, wherein the statistical information comprises:
    - an average of domain name length;
      
      a standard deviation of a domain name length;
      
      a number of different top level domains;
      
      a length of a domain name excluding a top level domain;
      
      a median of a number of unique characters;
      
      an average of a number of unique characters;
      
      a standard deviation of a number of unique characters;
      
      a median of unique 2-grams;
      
      an average of unique 2-grams;
      
      a standard deviation of unique 2-grams;
      
      a frequency of .com top level domains over frequency of remaining to level domains;
      
      a median of unique 3-grams;
      
      an average of unique 3-grams;
      
      a standard deviation of unique 3-grams;
      
      a median count of unique top level domains;
      
      an average count of unique top level domains;
      
      or a standard deviation count of to level domains;
      
      or any combination thereof.
  - 18. The system of claim 10, wherein NX domain names from honeypots are used to create the training vectors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc.
Original Assignee
Damballa Incorporated
Inventors
Perdisci, Roberto, Lee, Wenke, Ollmann, Gunter, Antonakakis, Emmanouil
Primary Examiner(s)
THIAW, CATHERINE B

Application Number

US12/985,140
Publication Number

US 20110167495A1
Time in Patent Office

1,035 Days
Field of Search

726 22- 24, 726/3, 709224-225
US Class Current

726/24
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 9/45508   Runtime interpretation or e...

G06N 20/00   Machine learning

H04L 61/4511   using domain name system [DNS]

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

H04L 9/40   Network security protocols

Method and system for detecting malware

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

203 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting malware

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

203 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links