Method and apparatus for disrupting the command and control infrastructure of hostile programs
5 Assignments
0 Petitions
Abstract
A method and apparatus for securing a computer is described. The method and apparatus comprise detecting one or more hostile programs residing upon a computer using a command and control infrastructure library and disrupting a command and control infrastructure of the one or more hostile programs.
24 Claims
1. A method for securing a computer, comprising:
    transmitting, by the computer, suspect command and control data to a control center, wherein
        the suspect command and control data includes a reference to a domain name server (DNS) service, and
        the control center is configured to
            analyze the suspect command and control data, and
            update a command and control infrastructure library, if the suspect command and control data is identified as hostile;
    detecting, by the computer, a hostile program stored on the computer, wherein
        the hostile program is identified by detecting that the reference to the DNS service in the suspect command and control data matches information in the command and control infrastructure library,
        the detecting the reference to the DNS service in the suspect command and control data is performed prior to the suspect command and control data being submitted to a DNS server,
        the hostile program is configured to be controlled by a hostile command and control infrastructure, and
        the hostile command and control infrastructure is associated with a hostile computer; and
    disrupting, by the computer, the hostile command and control infrastructure, wherein the disrupting comprises impairing communication with the hostile program.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 21, 22, 23, 24.
13. An apparatus comprising:
    a non-transitory computer-readable memory; and
    a processor coupled to the non-transitory computer-readable memory, wherein the processor is configured to
        transmit suspect command and control data to a control center, wherein
            the suspect command and control data includes a reference to a domain name server (DNS) service, and
            the control center is configured to
                analyze the suspect command and control data, and
                update a command and control infrastructure library, if the suspect command and control data is identified as hostile;
        detect a hostile program stored on the non-transitory computer-readable memory, wherein
            the hostile program is identified by detecting that the reference to the DNS service in the suspect command and control data matches information in the command and control infrastructure library,
            the processor is configured to perform the detecting the reference to the DNS service in the suspect command and control data prior to the command and control data being submitted to a DNS server,
            the hostile program is configured to be controlled by a hostile command and control infrastructure, and
            the hostile command and control infrastructure is associated with a hostile computer; and
        disrupt the hostile command and control infrastructure, wherein the disrupting the hostile command and control infrastructure comprises impairing communication with the hostile program.

Dependent claims: 14, 15.
16. A non-transitory computer-readable storage medium storing instructions executable by a processor, wherein the instructions, when executed, perform a method comprising:
    transmitting suspect command and control data to a control center, wherein
        the suspect command and control data includes a reference to a domain name server (DNS) service, and
        the control center is configured to
            analyze the suspect command and control data, and
            update a command and control infrastructure library, if the suspect command and control data is identified as hostile;
    detecting a hostile program stored on the non-transitory computer-readable storage medium, wherein
        the hostile program is identified by detecting that the reference to the DNS service in the suspect command and control data matches information in the command and control infrastructure library,
        the detecting the reference to the DNS service in the suspect command and control data is performed prior to the suspect command and control data being submitted to a DNS server,
        the hostile program is configured to be controlled by a hostile command and control infrastructure, and
        the hostile command and control infrastructure is associated with a hostile computer;
    disrupting the hostile command and control infrastructure, wherein the disrupting comprises impairing communication with the hostile program.

Dependent claims: 17, 18, 19, 20.
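All three independent claims describe one mechanism: the endpoint looks at the name in an outbound DNS query before the query leaves for the resolver, compares it against a library of known hostile command and control infrastructure, reports suspect names to a control center that can extend the library, and, on a match, impairs the hostile program's communication. The sketch below is an added example of that flow and is not code from the patent or its assignee. The wire-format query parser and forged answer follow RFC 1035; everything else is an assumption made for illustration: the domain names, the 0.0.0.0 sinkhole address, the class and function names, and the high-entropy-label heuristic that stands in for whatever analysis a real control center would perform.

```python
"""Pre-resolution DNS inspection against a C2 infrastructure library (example)."""
import math
import struct
from collections import Counter
from dataclasses import dataclass, field

SINKHOLE_IP = "0.0.0.0"  # assumption: address matched names are answered with


def parse_qname(packet: bytes) -> str:
    """Return the first question name of a DNS message in wire format."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # a query QNAME must not be compressed
            raise ValueError("compression pointer in query QNAME")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A/IN query; used only to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    body = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + body + b"\x00" + struct.pack("!HH", 1, 1)


def sinkhole_response(query: bytes) -> bytes:
    """Forge an authoritative answer pointing the queried name at SINKHOLE_IP."""
    # flags 0x8500: QR=1, AA=1, RD=1, RCODE=0; one question, one answer
    header = query[:2] + struct.pack("!HHHHH", 0x8500, 1, 1, 0, 0)
    question = query[12:]  # QNAME + QTYPE + QCLASS copied from the query
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)  # ptr to QNAME, A, IN, TTL 60
    answer += bytes(int(o) for o in SINKHOLE_IP.split("."))
    return header + question + answer


@dataclass
class C2Library:
    """Known hostile infrastructure; a listed domain also covers its subdomains."""
    domains: set = field(default_factory=set)

    def matches(self, qname: str) -> bool:
        parts = qname.split(".")
        return any(".".join(parts[i:]) in self.domains for i in range(len(parts)))


def shannon_entropy(label: str) -> float:
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


class ControlCenter:
    """Receives suspect names, decides if hostile, and extends the shared library.

    Assumption: the analysis is a crude DGA signal (long, high-entropy leading
    label). A real control center would correlate reports across many hosts.
    """
    def __init__(self, library: C2Library):
        self.library = library
        self.reports: list = []

    def submit(self, qname: str) -> bool:
        self.reports.append(qname)
        label = qname.split(".")[0]
        hostile = len(label) >= 16 and shannon_entropy(label) > 3.5
        if hostile:
            self.library.domains.add(qname)
        return hostile


class EndpointGuard:
    """Hook placed in front of the stub resolver, before any packet is sent."""
    def __init__(self, library: C2Library, control_center: ControlCenter):
        self.library, self.control_center = library, control_center
        self.blocked: list = []

    def inspect(self, packet: bytes):
        """Return ("forward", None) or ("sinkhole", forged_response)."""
        qname = parse_qname(packet)
        if not self.library.matches(qname):
            # Policy assumption: every unknown name is "suspect" and reported.
            if not self.control_center.submit(qname):
                return "forward", None
        # Known or newly confirmed C2: answer locally so the beacon never resolves.
        self.blocked.append(qname)
        return "sinkhole", sinkhole_response(packet)
```

In a deployment the `inspect` hook would sit where the claims place it, between the application and the DNS server, for instance in a local stub resolver or a network filter driver, and the entries in `blocked` are what identifies the hostile program on the host. Answering with a sinkhole address rather than dropping the query keeps the malware's socket calls returning promptly, which avoids the timeout behaviour that some implants use to detect interference.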
Specification