System and method for detecting a malicious command and control channel

US 8,677,487 B2
Filed: 10/18/2011
Issued: 03/18/2014
Est. Priority Date: 10/18/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

detecting repetitive connections within a predetermined time period from a source node to a destination node;

determining the source node is idle and the repetitive connections indicate suspect activity, wherein the determining includes;

determining the repetitive connections include more than a threshold value X of resource identifiers requested by the source node, wherein the threshold value X is selected to indicate a minimum number of connections sufficient for determining whether the source node is idle;

determining the repetitive connections include less than a threshold value Y of unique domain names; and

determining the repetitive connections include less than a threshold value Z of unique resource identifiers associated with at least one of the unique domain names,wherein the threshold values X, Y and Z are numerical values selected to be indicative of a pattern consistent with connections not generated by a human user;

calculating a score for the idle source node based on behavior of the repetitive connections during the predetermined time period; and

taking a policy action if the score exceeds a threshold value.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment that includes detecting repetitive connections from a source node to a destination node, calculating a score for the source node based on the connections, and taking a policy action if the score exceeds a threshold score. In more particular embodiments, the repetitive connections use a hypertext transfer protocol and may include connections to a small number of unique domains, connections to small number of unique resources associated with the destination node, and/or a large number of connections to a resource in a domain. Moreover, heuristics may be used to score the source node and identify behavior indicative of a threat, such as a bot or other malware.

Citations

23 Claims

1. A method, comprising:
- detecting repetitive connections within a predetermined time period from a source node to a destination node;
  
  determining the source node is idle and the repetitive connections indicate suspect activity, wherein the determining includes;
  
  determining the repetitive connections include more than a threshold value X of resource identifiers requested by the source node, wherein the threshold value X is selected to indicate a minimum number of connections sufficient for determining whether the source node is idle;
  
  determining the repetitive connections include less than a threshold value Y of unique domain names; and
  
  determining the repetitive connections include less than a threshold value Z of unique resource identifiers associated with at least one of the unique domain names,wherein the threshold values X, Y and Z are numerical values selected to be indicative of a pattern consistent with connections not generated by a human user;
  
  calculating a score for the idle source node based on behavior of the repetitive connections during the predetermined time period; and
  
  taking a policy action if the score exceeds a threshold value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the repetitive connections use a hypertext transfer protocol.
  - 3. The method of claim 1, wherein calculating the score comprises using heuristics to identify behavior indicative of a threat.
  - 4. The method of claim 1, wherein calculating the score comprises using heuristics to identify behavior indicative of a bot command and control channel.
  - 5. The method of claim 1, wherein calculating the score comprises increasing the score if the destination node is associated with a domain registered within a year.
  - 6. The method of claim 1, wherein calculating the score comprises increasing the score if at least one of the repetitive connections does not have a referrer field and does not have a root resource identifier.
  - 7. The method of claim 1, wherein calculating the score comprises increasing the score if at least one of the repetitive connections does not identify a known user agent.
  - 8. The method of claim 1, wherein calculating the score comprises increasing the score if at least one of the repetitive connections identifies the destination node by a public network address.
  - 9. The method of claim 1, wherein calculating the score comprises increasing the score if the repetitive connections have less than an average number of request header lines, wherein the average number is a parameter indicative of a malware connection to the destination node.
  - 10. The method of claim 1, wherein calculating the score comprises increasing the score if the repetitive connections have less than an average response size, wherein the average response size is a parameter indicative of responses from a command and control server.
  - 11. The method of claim 1, wherein calculating the score comprises requesting a reputation value associated with the destination node and increasing the score if the reputation value indicates the destination node is associated with a threat.
  - 12. The method of claim 1, wherein calculating the score comprises increasing the score if the destination node has a network address in a zone associated with a threat.

13. At least one non-transitory computer readable medium having instructions stored therein and when executed, the instructions cause one or more processors to:
- detect repetitive connections within a predetermined time period from a source node to a destination node;
  
  determine the source node is idle and the repetitive connections indicate suspect activity, wherein the determination is made by;
  
  determining the repetitive connections include more than a threshold value X of resource identifiers requested by the source node, wherein the threshold value X is selected to indicate a minimum number of connections sufficient for determining whether the source node is idle;
  
  determining the repetitive connections include less than a threshold value Y of unique network addresses; and
  
  determining the repetitive connections include less than a threshold value Z of unique resource identifiers associated with at least one of the unique network addresses,wherein the threshold values X, Y, and Z are numerical values selected to be indicative of a pattern consistent with connections not generated by a human user;
  
  calculate a score for the idle source node based on behavior of the repetitive connections during the predetermined time period; and
  
  take a policy action if the score exceeds a threshold value.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The at least one non-transitory computer readable medium of claim 13, wherein the repetitive connections use a hypertext transfer protocol.
  - 15. The at least one non-transitory computer readable medium of claim 13, wherein calculating the score comprises using heuristics to identify behavior indicative of the threat.
  - 16. The method at least one non-transitory computer readable medium of claim 13, wherein:
    - the threat is a bot connecting to a command and control server using a hypertext transfer protocol;
      
      X is greater than or equal to 10, Y is less than or equal to 5, and Z is less than or equal to 5;
      
      the time period is at least eight hours;
      
      calculating the score comprises using heuristics to identify behavior indicative of the threat; and
      
      the policy action is sending an alert to an administrator.
  - 17. The at least one non-transitory computer readable medium of claim 13, wherein calculating the score comprises increasing the score if at least one of the repetitive connections does not have a referrer field and does not have a root resource identifier.
  - 18. The at least one non-transitory computer readable medium of claim 13, wherein calculating the score comprises increasing the score if at least one of the repetitive connections does not identify a known user agent.
  - 19. The at least one non-transitory computer readable medium of claim 13, wherein calculating the score comprises increasing the score if at least one of the repetitive connections identifies the destination node by a public network address.
  - 20. The at least one non-transitory computer readable medium of claim 13, wherein calculating the score comprises increasing the score if the repetitive connections have less than an average number of request header lines, wherein the average number is a parameter indicative of a malware connection to the destination node.
  - 21. The at least one non-transitory computer readable medium of claim 13, wherein calculating the score comprises increasing the score if the repetitive connections have less than an average response size, wherein the average response size is a parameter indicative of responses from a command and control server.
  - 22. The at least one non-transitory computer readable medium of claim 13, wherein calculating the score comprises requesting a reputation value associated with the destination node and increasing the score if the reputation value indicates the destination node is associated with a threat.
  - 23. The at least one non-transitory computer readable medium of claim 13, wherein calculating the score comprises increasing the score if the destination node has a network address in a zone associated with a threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Balupari, Ravindra, Mahadik, Vinay, Madhusudan, Bharath, Shah, Chintan H.
Primary Examiner(s)
Tabor, Amare F
Assistant Examiner(s)
GUIRGUIS, MICHAEL M

Application Number

US13/276,244
Publication Number

US 20130097699A1
Time in Patent Office

882 Days
Field of Search

726/22, 726/23
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

H04L 2463/144   Detection or countermeasure...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

System and method for detecting a malicious command and control channel

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting a malicious command and control channel

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links