Detecting malware communication on an infected computing device
First Claim
1. A gateway to couple a client device to a data source, the gateway comprising:
a behavior store including a rule identifying attributes associated with malicious data requests, the attributes including a User Agent field; and
a detection module to, upon receipt of a response to a data request previously received by the gateway, determine whether the data request is a malicious request by comparing a request attribute of the data request to the attributes associated with the malicious data requests, the detection module to, responsive to the identification of the malicious request, prevent transmission of the response to the malicious request, at least one of the behavior store and the detection module is implemented by hardware.
Abstract
Rules describing attributes of malicious data requests, commonly generated by malware, are determined and stored. For example, a behavior server executes different types of malware and analyzes the data requests produced by the malware to identify attributes common to different malicious data requests. The rules describing malicious data request attributes are stored and subsequent data requests are compared to the stored rules to identify malicious data requests. If a data request has one or more attributes in common with attributes of malicious data requests, the data request is blocked. This allows attributes of a data request to be used to prevent malware executing on a client device from communicating with a malicious server.
30 Claims
1. (Independent claim 1, as reproduced above under First Claim.) Dependent claims: 2-13.
14. A method for identifying malicious data requests, the method comprising:
upon receipt of a response to a forwarded data request, identifying attributes of the data request, the attributes of the data request including a User Agent; determining, with a processor, whether the data request is malicious by comparing the attributes of the data request to a rule identifying attributes associated with malicious data requests, the processor to identify the data request as malicious when a User Agent field includes at least one of a blank user agent, an unknown user agent, or a browser user agent; and responsive to determining the data request is malicious, blocking transmission of the response. Dependent claims: 15-29.
30. A tangible computer-readable storage disc or storage device comprising instructions which, when executed, cause a machine to at least:
identify attributes of a received data request, the identified attributes including a User Agent field; determine whether the data request is malicious by comparing the attributes of the received data request to a rule identifying attributes associated with malicious data requests, the received data request identified as malicious when (1) the User Agent field includes at least one of a blank user agent, an unknown user agent, or a browser user agent, and (2) the received data request includes a payload that is encrypted and includes system configuration information; and responsive to determining the received data request is malicious, block transmission of the response message.
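The gateway flow described in the abstract and in claims 1 and 14 (record the request's attributes while it is forwarded, evaluate them against a behaviour-store rule when the response comes back, and drop the response on a match) as an added illustration, not code from the patent or its assignee. The User Agent rule implements the blank and unknown cases of claim 14 plus a constructed set of agents a behaviour server is assumed to have observed on malware traffic; the known-agent list, the placeholder malware agent string and the request identifiers are all constructed, and the encrypted-payload test of claim 30 is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed behaviour-store contents (assumptions, not values from the patent):
# product tokens the gateway accepts as legitimate, and user agents a behaviour
# server is assumed to have recorded while executing malware samples.
KNOWN_AGENTS = {"Mozilla/5.0", "curl/8.0", "WindowsUpdateAgent/10.0"}
MALWARE_AGENTS = {"EXAMPLE-MALWARE-UA/1.0"}  # constructed placeholder

@dataclass
class Rule:
    """Attributes that mark a data request as malicious (User Agent based)."""
    malware_agents: set
    known_agents: set

    def matches(self, user_agent: Optional[str]) -> Optional[str]:
        """Return the reason the User Agent is malicious, or None if it passes."""
        ua = (user_agent or "").strip()
        if ua == "":
            return "blank user agent"
        if ua in self.malware_agents:
            return "user agent observed on malware traffic"
        product = ua.split()[0]          # e.g. "Mozilla/5.0" from a full UA string
        if product not in self.known_agents:
            return f"unknown user agent {product!r}"
        return None

@dataclass
class Gateway:
    rule: Rule
    pending: Dict[str, dict] = field(default_factory=dict)

    def on_request(self, req_id: str, headers: dict) -> dict:
        # Record the request attributes; the request itself is still forwarded.
        self.pending[req_id] = {"user_agent": headers.get("User-Agent")}
        return headers

    def on_response(self, req_id: str, body: bytes) -> Optional[bytes]:
        # Detection module: evaluate the stored attributes now that the
        # response has arrived, and withhold the response on a rule match.
        attrs = self.pending.pop(req_id, {})
        reason = self.rule.matches(attrs.get("user_agent"))
        if reason is not None:
            return None
        return body
```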