Detection of computer network data streams from a malware and its variants

US 8,595,840 B1
Filed: 05/24/2011
Issued: 11/26/2013
Est. Priority Date: 06/01/2010
Status: Active Grant

First Claim

Patent Images

1. A method of detecting computer network data streams generated by a malware, the method comprising:

receiving a relevance pattern in a client computer, the relevance pattern indicating computer network traffic characteristics of a Trojan program and one or more variants of the Trojan program;

detecting a computer network data stream in the client computer;

determining whether the computer network data stream matches computer network traffic characteristics of the Trojan program or the one or more of the variants of the Trojan program indicated in the relevance pattern; and

preventing the Trojan program from communicating with the malicious server computer when the computer network data stream matches the network traffic characteristics of the Trojan program or the one or more of variants of the Trojan program indicated in the relevance pattern.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer network data streams generated by a Trojan program and its variants are detected by receiving a relevance pattern in a client computer. An antivirus in the client computer detects a computer network data stream from the Trojan program communicating with an associated malicious server computer. The antivirus checks the computer network data stream for network characteristics of the Trojan program and one or more of its variants indicated in the relevance pattern. The network characteristics may include the order that HTTP headers and/or commands appear in network communications from the Trojan program and its variants.

Citations

20 Claims

1. A method of detecting computer network data streams generated by a malware, the method comprising:
- receiving a relevance pattern in a client computer, the relevance pattern indicating computer network traffic characteristics of a Trojan program and one or more variants of the Trojan program;
  
  detecting a computer network data stream in the client computer;
  
  determining whether the computer network data stream matches computer network traffic characteristics of the Trojan program or the one or more of the variants of the Trojan program indicated in the relevance pattern; and
  
  preventing the Trojan program from communicating with the malicious server computer when the computer network data stream matches the network traffic characteristics of the Trojan program or the one or more of variants of the Trojan program indicated in the relevance pattern.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the computer network traffic characteristics include an order HTTP (Hypertext Transfer Protocol) headers appear in the computer network data stream.
  - 3. The method of claim 1 wherein the computer network traffic characteristics include an order in which HTTP commands and headers appear in the computer network data stream.
  - 4. The method of claim 1 wherein the computer network data stream comprises a TCP (Transmission Control Protocol) stream.
  - 5. The method of claim 1 wherein the relevance pattern comprises a regular expression describing an order that HTTP headers appear in the computer network data stream.
  - 6. The method of claim 1 wherein the relevance pattern comprises characteristics that are common across the variants of the Trojan program.
  - 7. The method of claim 6 wherein the characteristics include presence of binary data in the computer network data stream.
  - 8. The method of claim 7 wherein the characteristics include size of the binary data.
  - 9. The method of claim 6 wherein the characteristics include content-length.
  - 10. The method of claim 1 wherein the variants of the Trojan program have different malicious server URL (uniform resource locator).

11. A method of detecting computer network data streams generated by a malware, the method comprising:
- receiving a single relevance pattern in a client computer, the single relevance pattern indicating computer network traffic characteristics of a Trojan program and one or more variants of the Trojan program; and
  
  detecting a TCP (transport control protocol) stream from a Trojan program running in the client computer, the TCP stream being sent by the Trojan program to a corresponding malicious server computer configured to receive confidential information stolen by the Trojan program in the client computer, the TCP stream being detected as being generated by the Trojan program based on an order that HTTP (Hypertext Transfer Protocol) commands and headers appear in the TCP stream.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11 wherein the single relevance pattern is configured to detect the variants of the Trojan program that have different malicious server computer URL (uniform resource locator).
  - 13. The method of claim 11 wherein the single relevance pattern is configured to detect variants of the Trojan program that have different binary data.
  - 14. The method of claim 11 wherein the HTTP commands include a POST command.
  - 15. The method of claim 11 wherein the HTTP headers include a Host header.

16. A method of detecting computer network data streams generated by a malware, the method comprising:
- receiving a relevance pattern in a client computer, the relevance pattern indicating computer network traffic characteristics of a Trojan program and one or more variants of the Trojan program, the Trojan program and the one or more variants of the Trojan program having different malicious server URL (uniform resource locator) and different binary data;
  
  detecting a TCP (transport control protocol) stream generated by a variant of the Trojan program based on an order HTTP (hypertext transport protocol) commands appear in the TCP stream; and
  
  preventing the Trojan program from communicating with the malicious server computer in response to detecting the TCP stream generated by the variant of the Trojan program.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16 wherein the HTTP commands include a POST command.
  - 18. The method of claim 16 wherein the TCP (transport control protocol) stream is detected to be generated by the variant of the Trojan program based on an order HTTP headers appear in the TCP stream.
  - 19. The method of claim 16 wherein the HTTP headers include a Host header.
  - 20. The method of claim 16 wherein the computer network characteristics include size of the binary data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Malibiran, Ed Israel Santos, Bautista, Ronald Castro, Bennett, James Thomas Jr.
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US13/114,881
Time in Patent Office

917 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/145   the attack involving the pr...

Detection of computer network data streams from a malware and its variants

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of computer network data streams from a malware and its variants

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links