System and method for detecting a malicious command and control channel
First Claim
1. A method, comprising:
detecting repetitive connections within a predetermined time period from a source node to a destination node;
determining the source node is idle and the repetitive connections indicate suspect activity, wherein the determining includes:
determining the repetitive connections include more than a threshold value X of resource identifiers requested by the source node, wherein the threshold value X is selected to indicate a minimum number of connections sufficient for determining whether the source node is idle;
determining the repetitive connections include less than a threshold value Y of unique domain names; and
determining the repetitive connections include less than a threshold value Z of unique resource identifiers associated with at least one of the unique domain names, wherein the threshold values X, Y and Z are numerical values selected to be indicative of a pattern consistent with connections not generated by a human user;
calculating a score for the idle source node based on behavior of the repetitive connections during the predetermined time period; and
taking a policy action if the score exceeds a threshold value.
Abstract
A method is provided in one example embodiment that includes detecting repetitive connections from a source node to a destination node, calculating a score for the source node based on the connections, and taking a policy action if the score exceeds a threshold score. In more particular embodiments, the repetitive connections use a hypertext transfer protocol and may include connections to a small number of unique domains, connections to a small number of unique resources associated with the destination node, and/or a large number of connections to a resource in a domain. Moreover, heuristics may be used to score the source node and identify behavior indicative of a threat, such as a bot or other malware.
23 Claims
1. A method, comprising:
detecting repetitive connections within a predetermined time period from a source node to a destination node;
determining the source node is idle and the repetitive connections indicate suspect activity, wherein the determining includes:
determining the repetitive connections include more than a threshold value X of resource identifiers requested by the source node, wherein the threshold value X is selected to indicate a minimum number of connections sufficient for determining whether the source node is idle;
determining the repetitive connections include less than a threshold value Y of unique domain names; and
determining the repetitive connections include less than a threshold value Z of unique resource identifiers associated with at least one of the unique domain names, wherein the threshold values X, Y and Z are numerical values selected to be indicative of a pattern consistent with connections not generated by a human user;
calculating a score for the idle source node based on behavior of the repetitive connections during the predetermined time period; and
taking a policy action if the score exceeds a threshold value.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. At least one non-transitory computer readable medium having instructions stored therein and when executed, the instructions cause one or more processors to:
detect repetitive connections within a predetermined time period from a source node to a destination node;
determine the source node is idle and the repetitive connections indicate suspect activity, wherein the determination is made by:
determining the repetitive connections include more than a threshold value X of resource identifiers requested by the source node, wherein the threshold value X is selected to indicate a minimum number of connections sufficient for determining whether the source node is idle;
determining the repetitive connections include less than a threshold value Y of unique network addresses; and
determining the repetitive connections include less than a threshold value Z of unique resource identifiers associated with at least one of the unique network addresses, wherein the threshold values X, Y, and Z are numerical values selected to be indicative of a pattern consistent with connections not generated by a human user;
calculate a score for the idle source node based on behavior of the repetitive connections during the predetermined time period; and
take a policy action if the score exceeds a threshold value.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23.
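The detection logic of claims 1 and 13, as an added illustration that is not the patent's own implementation: the X, Y and Z thresholds, the time period, the idle signal (taken as an externally supplied flag) and the scoring heuristic (timing regularity plus request concentration) are all assumed values, and the sample traffic is constructed.

```python
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass

# Thresholds X, Y and Z from claim 1; the concrete values are assumed for illustration.
X_MIN_REQUESTS = 20       # more than X resource requests in the window
Y_MAX_DOMAINS = 3         # fewer than Y unique domain names
Z_MAX_RESOURCES = 3       # fewer than Z unique resources for at least one domain
SCORE_THRESHOLD = 0.7     # policy action fires above this score (assumed)
PERIOD = 3600.0           # predetermined time period in seconds (assumed)

@dataclass(frozen=True)
class Conn:
    ts: float       # seconds since the start of the observation window
    domain: str
    resource: str   # requested resource identifier (URI path)

def features(conns):
    """Counts used by the claim test: requests, unique domains, smallest per-domain resource set."""
    per_domain = defaultdict(set)
    for c in conns:
        per_domain[c.domain].add(c.resource)
    fewest = min((len(r) for r in per_domain.values()), default=0)
    return len(conns), len(per_domain), fewest

def is_suspect(conns, idle):
    """Idle host whose connections are too many, to too few domains and too few resources."""
    n_req, n_dom, fewest = features(conns)
    return idle and n_req > X_MIN_REQUESTS and n_dom < Y_MAX_DOMAINS and fewest < Z_MAX_RESOURCES

def score(conns):
    """Heuristic in [0, 1] (assumed, not the patent's): timing regularity plus request concentration."""
    gaps = [b.ts - a.ts for a, b in zip(conns, conns[1:])]
    if len(gaps) < 2 or statistics.mean(gaps) == 0:
        return 0.0
    cv = statistics.pstdev(gaps) / statistics.mean(gaps)   # 0 for perfectly periodic beacons
    regularity = max(0.0, 1.0 - cv)
    top_share = Counter((c.domain, c.resource) for c in conns).most_common(1)[0][1] / len(conns)
    return round(0.6 * regularity + 0.4 * top_share, 3)

def evaluate(conns, idle):
    """Detect connections in the period, test the idle/suspect pattern, score, decide the action."""
    window = sorted((c for c in conns if 0 <= c.ts < PERIOD), key=lambda c: c.ts)
    if not is_suspect(window, idle):
        return {"suspect": False, "score": None, "action": None}
    s = score(window)
    return {"suspect": True, "score": s, "action": "alert" if s > SCORE_THRESHOLD else None}

# Constructed sample traffic, not captured data: a 60-second beacon versus ordinary browsing.
BEACON = [Conn(i * 60.0, "beacon.example.net", "/gate.php") for i in range(30)]
BROWSING = [Conn(i * 37.0 + (i % 5) * 11, f"site{i % 6}.example.org", f"/page{i}") for i in range(25)]
```

The same beacon on a host that is not idle is deliberately not flagged, which is the claim's guard against scoring a user's own repeated refreshes.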