Method and system for network-based detecting of malware from behavioral clustering
First Claim
Patent Images
1. A computerized method for performing behavioral clustering of malware samples, comprising:
- executing malware samples in a controlled computer environment for a predetermined time to obtain HTTP traffic;
clustering, using at least one processing device, the malware samples into at least one coarse-grain cluster based on network behavioral information measured from content of the HTTP traffic;
splitting, using the at least one processing device, the at least one coarse-grain cluster into at least two fine-grain cluster;
clustering, using the at least one processing device, the at least two fine-grain cluster into merged clusters; and
extracting, using the at least one processing device, network signatures from the HTTP traffic information for each merged cluster, the network signatures being indicative of malware infection.
12 Assignments
0 Petitions
Accused Products
Abstract
A computerized system and method for performing behavioral clustering of malware samples, comprising: executing malware samples in a controlled computer environment for a predetermined time to obtain HTTP traffic; clustering the malware samples into at least one cluster based on network behavioral information from the HTTP traffic; and extracting, using the at least one processor, network signatures from the HTTP traffic information for each cluster, the network signatures being indicative of malware infection.
-
Citations
16 Claims
-
1. A computerized method for performing behavioral clustering of malware samples, comprising:
-
executing malware samples in a controlled computer environment for a predetermined time to obtain HTTP traffic; clustering, using at least one processing device, the malware samples into at least one coarse-grain cluster based on network behavioral information measured from content of the HTTP traffic; splitting, using the at least one processing device, the at least one coarse-grain cluster into at least two fine-grain cluster; clustering, using the at least one processing device, the at least two fine-grain cluster into merged clusters; and extracting, using the at least one processing device, network signatures from the HTTP traffic information for each merged cluster, the network signatures being indicative of malware infection. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A computerized system for performing behavioral clustering of malware samples, comprising:
-
at least one application executed by at least one processing device, the at least one application configured for; executing malware samples in a controlled computer environment for a predetermined time to obtain HTTP traffic; clustering, using the at least one processing device, the malware samples into at least one coarse-grain cluster based on network behavioral information measured from content of the HTTP traffic; splitting, using the at least one processing device, the at least one coarse-grain cluster into at least two fine-grain clusters; clustering, using the at least one processing device, the at least two fine-grain clusters into merged clusters; and extracting, using the at least one processing device, network signatures from the HTTP traffic information for each merged cluster, the network signatures being indicative of malware infection. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
-
Specification