Detection of computer network data streams from a malware and its variants
Abstract
Computer network data streams generated by a Trojan program and its variants are detected by receiving a relevance pattern in a client computer. An antivirus in the client computer detects a computer network data stream from the Trojan program communicating with an associated malicious server computer. The antivirus checks the computer network data stream for network characteristics of the Trojan program and one or more of its variants indicated in the relevance pattern. The network characteristics may include the order in which HTTP headers and/or commands appear in network communications from the Trojan program and its variants.
20 Claims
1. A method of detecting computer network data streams generated by a malware, the method comprising:
- receiving a relevance pattern in a client computer, the relevance pattern indicating computer network traffic characteristics of a Trojan program and one or more variants of the Trojan program;
- detecting a computer network data stream in the client computer;
- determining whether the computer network data stream matches computer network traffic characteristics of the Trojan program or the one or more variants of the Trojan program indicated in the relevance pattern; and
- preventing the Trojan program from communicating with the malicious server computer when the computer network data stream matches the network traffic characteristics of the Trojan program or the one or more variants of the Trojan program indicated in the relevance pattern.
11. A method of detecting computer network data streams generated by a malware, the method comprising:
- receiving a single relevance pattern in a client computer, the single relevance pattern indicating computer network traffic characteristics of a Trojan program and one or more variants of the Trojan program; and
- detecting a TCP (transport control protocol) stream from a Trojan program running in the client computer, the TCP stream being sent by the Trojan program to a corresponding malicious server computer configured to receive confidential information stolen by the Trojan program in the client computer, the TCP stream being detected as being generated by the Trojan program based on an order in which HTTP (Hypertext Transfer Protocol) commands and headers appear in the TCP stream.
16. A method of detecting computer network data streams generated by a malware, the method comprising:
- receiving a relevance pattern in a client computer, the relevance pattern indicating computer network traffic characteristics of a Trojan program and one or more variants of the Trojan program, the Trojan program and the one or more variants of the Trojan program having different malicious server URLs (uniform resource locators) and different binary data;
- detecting a TCP (transport control protocol) stream generated by a variant of the Trojan program based on an order in which HTTP (hypertext transport protocol) commands appear in the TCP stream; and
- preventing the Trojan program from communicating with the malicious server computer in response to detecting the TCP stream generated by the variant of the Trojan program.
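As an added illustration of the order-based matching described in the abstract and in claims 11 and 16 (example code written for this page, not code from the patent or its assignee): a relevance pattern is reduced to the HTTP command and the header names in the order a Trojan family emits them, and a captured TCP stream is flagged when those tokens appear in the same relative order, whatever the URL, header values or body bytes. The pattern name, the header order and the three sample requests are constructed for the example.

```python
"""Order-based matching of HTTP request streams against a relevance pattern.

The pattern lists the HTTP command and header names in the order a Trojan
family emits them; request target, header values and body are ignored, which
is what lets one pattern cover variants that differ in URL and binary data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RelevancePattern:
    """Ordered HTTP tokens: the request method first, then header names."""
    name: str
    tokens: Tuple[str, ...]


def http_token_sequence(stream: bytes) -> Optional[List[str]]:
    """Reduce a TCP stream carrying one HTTP request to its method followed by
    the header names in wire order (lower-cased). Returns None when the stream
    does not parse as an HTTP request."""
    head, _sep, _body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return None
    tokens = [request_line[0].decode("ascii", "replace").lower()]
    for line in lines[1:]:
        if not line:
            continue
        name, colon, _value = line.partition(b":")
        if not colon:
            return None  # malformed header line
        tokens.append(name.strip().decode("ascii", "replace").lower())
    return tokens


def matches(pattern: RelevancePattern, tokens: List[str]) -> bool:
    """True when every pattern token occurs in the stream's token sequence in
    the same relative order (ordered-subsequence match)."""
    want = [t.lower() for t in pattern.tokens]
    pos = 0
    for tok in tokens:
        if pos < len(want) and tok == want[pos]:
            pos += 1
    return pos == len(want)


def classify(stream: bytes, patterns: List[RelevancePattern]) -> Optional[str]:
    """Name of the first matching pattern, or None when the stream is not
    flagged and would be allowed through."""
    tokens = http_token_sequence(stream)
    if tokens is None:
        return None
    for p in patterns:
        if matches(p, tokens):
            return p.name
    return None


# Constructed sample data. The two variant requests differ in URL, Host,
# User-Agent and body bytes but share the unusual Content-Length-first header
# order; the browser request is a conventional Host-first POST.
TROJAN_FAMILY_X = RelevancePattern(
    name="hypothetical-family-x",
    tokens=("POST", "Content-Length", "Host", "User-Agent", "Connection"),
)
VARIANT_A = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Content-Length: 12\r\n"
    b"Host: c2-a.example\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x01\x02id=1234567"
)
VARIANT_B = (
    b"POST /upload/data HTTP/1.1\r\n"
    b"Content-Length: 9\r\n"
    b"Host: 198.51.100.7\r\n"
    b"User-Agent: Opera/9\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"\xaa\xbb\xcc\xdd\xee\xff\x00\x11\x22"
)
BROWSER_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 9\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"user=test"
)
NOT_HTTP = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"  # TLS-like bytes


def demo() -> dict:
    patterns = [TROJAN_FAMILY_X]
    return {
        "variant_a": classify(VARIANT_A, patterns),
        "variant_b": classify(VARIANT_B, patterns),
        "browser": classify(BROWSER_POST, patterns),
        "not_http": classify(NOT_HTTP, patterns),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {'block ' + verdict if verdict else 'allow'}")
```

Because the match ignores everything but token order, a variant that only changes its server URL or payload encoding is still caught, which is the property the claims rely on. The same indifference means a variant that reorders its headers is missed, and any legitimate client that happens to emit the same order is a false positive, so a pattern of this kind is only as good as the benign-traffic baseline it was validated against.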