Method and apparatus for detecting malware infection
Abstract
In one embodiment, the present invention is a method and apparatus for detecting malware infection. One embodiment of a method for detecting a malware infection at a local host in a network includes monitoring communications between the local host and one or more entities external to the network, generating a dialog warning if the communications include a transaction indicative of a malware infection, declaring a malware infection if, within a predefined period of time, the dialog warnings include at least one dialog warning indicating a transaction initiated at the local host and at least one dialog warning indicating an additional transaction indicative of a malware infection, and outputting an infection profile for the local host.
16 Claims
1. A method for detecting a malware infection at a local host, the method comprising:
  monitoring network communications between the local host and one or more entities external to the local host;
  generating at least one dialog warning if the network communications include a transaction indicative of a malware infection at the local host;
  declaring a malware infection at the local host when, within a limited period of time, the at least one dialog warning includes at least:
    an outbound dialog warning indicating an outbound transaction indicative of the malware infection at the local host, where the outbound transaction is initiated at the local host, wherein the outbound dialog warning is generated by:
      calculating a rate of outbound connections from the local host; and
      generating the outbound dialog warning based at least partly on the rate of outbound connections from the local host exceeding a predefined threshold;
    and an inbound dialog warning, separate from the outbound dialog warning, indicating an inbound transaction indicative of the malware infection at the local host, where the inbound transaction is initiated external to the local host and occurs prior to the outbound transaction, and wherein a combination of events comprising the outbound dialog warning and the inbound dialog warning is mapped to a defined infection sequence that specifies a series of events evidencing the malware infection; and
  outputting an infection profile for the local host, wherein at least one of:
    the monitoring, the generating the at least one dialog warning, the declaring, the calculating, the generating the outbound dialog warning or the outputting is performed by a processor.
Dependent claims: 2, 3, 4.
5. A computer readable storage device containing an executable program for detecting a malware infection at a local host, where the program performs the steps of:
  monitoring network communications between the local host and one or more entities external to the local host;
  generating at least one dialog warning if the network communications include a transaction indicative of a malware infection at the local host;
  declaring a malware infection at the local host when, within a limited period of time, the at least one dialog warning includes at least:
    an outbound dialog warning indicating an outbound transaction indicative of the malware infection at the local host, where the outbound transaction is initiated at the local host, wherein the outbound dialog warning is generated by:
      calculating a failure rate of outbound connections from the local host; and
      generating the outbound dialog warning based at least partly on the failure rate of outbound connections from the local host exceeding a predefined threshold;
    and an inbound dialog warning, separate from the outbound dialog warning, indicating an inbound transaction indicative of the malware infection at the local host, where the inbound transaction is initiated external to the local host and occurs prior to the outbound transaction, and wherein a combination of events comprising the outbound dialog warning and the inbound dialog warning is mapped to a defined infection sequence that specifies a series of events evidencing the malware infection; and
  outputting an infection profile for the local host.
Dependent claims: 6, 7, 8.
9. A system for detecting a malware infection at a local host, the system comprising:
  one or more processors for monitoring network communications between the local host and one or more entities external to the local host and for generating at least one dialog warning if the network communications include a transaction indicative of a malware infection at the local host;
  a correlator for declaring a malware infection at the local host when, within a limited period of time, the at least one dialog warning includes at least:
    an outbound dialog warning indicating an outbound transaction indicative of the malware infection at the local host, where the outbound transaction is initiated at the local host, wherein the outbound dialog warning is generated by:
      calculating a rate of outbound connections from the local host; and
      generating the outbound dialog warning based at least partly on the rate of outbound connections from the local host exceeding a predefined threshold;
    and an inbound dialog warning, separate from the outbound dialog warning, indicating an inbound transaction indicative of the malware infection at the local host, where the inbound transaction is initiated external to the local host and occurs prior to the outbound transaction, and wherein a combination of events comprising the outbound dialog warning and the inbound dialog warning is mapped to a defined infection sequence that specifies a series of events evidencing the malware infection; and
  an output device for outputting an infection profile for the local host.
Dependent claims: 10, 11, 12.
13. A method for detecting a malware infection at a local host, the method comprising:
  monitoring network communications between the local host and one or more entities external to the local host;
  generating at least one dialog warning if the network communications include a transaction indicative of a malware infection at the local host;
  declaring a malware infection at the local host when, within a limited period of time, the at least one dialog warning includes at least:
    an outbound dialog warning indicating an outbound transaction indicative of the malware infection at the local host, where the outbound transaction is initiated at the local host, wherein the outbound dialog warning is generated by:
      calculating a failure rate of outbound connections from the local host; and
      generating the outbound dialog warning based at least partly on the failure rate of outbound connections from the local host exceeding a predefined threshold;
    and an inbound dialog warning, separate from the outbound dialog warning, indicating an inbound transaction indicative of the malware infection at the local host, where the inbound transaction is initiated external to the local host and occurs prior to the outbound transaction, and wherein a combination of events comprising the outbound dialog warning and the inbound dialog warning is mapped to a defined infection sequence that specifies a series of events evidencing the malware infection; and
  outputting an infection profile for the local host, wherein at least one of:
    the monitoring, the generating the at least one dialog warning, the declaring, the calculating, the generating the outbound dialog warning, or the outputting is performed by a processor.
Dependent claims: 14, 15, 16.
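As an added illustration (not code from the patent or its assignee), the following Python sketches the correlation that claims 1, 5, 9 and 13 describe: raw connection records become inbound and outbound dialog warnings (outbound on a connection-count rate as in claim 1, or a failure rate as in claim 5), and an infection is declared only when an inbound warning precedes an outbound one within a limited time window, yielding an infection profile. Record fields, thresholds and the sensor's exploit-signature flag are assumptions for the example.

```python
from collections import deque
from dataclasses import dataclass

# Constructed connection records as a network sensor might report them.
# Field names, thresholds and the exploit_sig flag are assumptions for this
# example, not values taken from the patent.
@dataclass(frozen=True)
class Conn:
    t: float                   # seconds since sensor start
    src: str
    dst: str
    failed: bool = False       # attempt never completed (e.g. no SYN/ACK)
    exploit_sig: bool = False  # sensor flagged the inbound payload

def dialog_warnings(conns, host, window=5.0, rate_thresh=10, fail_thresh=0.5):
    """Convert raw records for `host` into (kind, time, detail) dialog warnings.
    Outbound warnings fire when the number (claim 1) or the failure fraction
    (claim 5) of outbound connections in a sliding window exceeds a threshold;
    inbound warnings fire for externally initiated transactions the sensor flagged."""
    warnings, recent = [], deque()
    for c in sorted(conns, key=lambda c: c.t):
        if c.dst == host and c.exploit_sig:
            warnings.append(("inbound", c.t, f"flagged inbound from {c.src}"))
        elif c.src == host:
            recent.append(c)
            while recent[0].t <= c.t - window:   # drop records outside the window
                recent.popleft()
            fails = sum(1 for r in recent if r.failed)
            if len(recent) > rate_thresh:
                warnings.append(("outbound", c.t, f"{len(recent)} conns in {window}s"))
            elif len(recent) >= 4 and fails / len(recent) > fail_thresh:
                warnings.append(("outbound", c.t, f"failure rate {fails / len(recent):.2f}"))
    return warnings

def correlate(warnings, limit=60.0):
    """Declare an infection only when an inbound warning precedes an outbound
    warning by at most `limit` seconds; map the pair to a named infection
    sequence and return the infection profile, or None if no pair qualifies."""
    inbound = [w for w in warnings if w[0] == "inbound"]
    for w in warnings:
        if w[0] != "outbound":
            continue
        prior = [i for i in inbound if i[1] < w[1] <= i[1] + limit]
        if prior:
            return {"sequence": "inbound exploit -> outbound propagation",
                    "events": [prior[0], w], "declared_at": w[1]}
    return None
```

An outbound burst with no preceding inbound transaction, or an inbound transaction that arrives after the burst, produces warnings but no declaration, which is the ordering constraint the claims impose.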
Specification