Detecting malicious behaviour on a network
First Claim
1. A computer implemented method of detecting malicious behaviour on a local network, the method comprising:
identifying incoming service requests received by a target device forming part of the local network as either harmless or potentially suspicious and, in respect of each incoming service request identified as being potentially suspicious, and monitoring the behaviour of the target device for a predetermined time for behaviour indicative of the target device operating as a proxy server, and, in the event that the monitored behaviour is indicative of the device acting as a proxy server generating a notification indicative of the observed behaviour, wherein said monitoring includes performing repeated DNS lookups of any fully qualified domain name specified in the identified potentially suspicious service request and analysing the results of such lookups for signs of the fully qualified domain name being associated with a fast flux proxy network.
Abstract
An intrusion detection device (61) for monitoring one or more target devices and detecting malicious software operating on one of the one or more target devices. The intrusion detection device has an interface arrangement (61, 10) comprising one or more interfaces (6110) for receiving inward bound traffic destined for the one or more target devices and outward bound traffic originating from the one or more target devices. The intrusion detection device (61) also includes categorization means (6140) for categorizing incoming service requests destined for one of the one or more target devices as either harmless or potentially suspicious; monitoring means (6150) operable, in respect of each incoming service request identified as being potentially suspicious, to monitor the behavior of the associated target device for behavior indicative of the target device operating as a proxy server; and a notifier (6160) for generating a notification in the event that the monitored behavior is indicative of the device acting as a proxy server.
11 Claims
1. A computer implemented method of detecting malicious behaviour on a local network, the method comprising:

identifying incoming service requests received by a target device forming part of the local network as either harmless or potentially suspicious and, in respect of each incoming service request identified as being potentially suspicious, and monitoring the behaviour of the target device for a predetermined time for behaviour indicative of the target device operating as a proxy server, and, in the event that the monitored behaviour is indicative of the device acting as a proxy server generating a notification indicative of the observed behaviour, wherein said monitoring includes performing repeated DNS lookups of any fully qualified domain name specified in the identified potentially suspicious service request and analysing the results of such lookups for signs of the fully qualified domain name being associated with a fast flux proxy network.

Dependent claims: 2, 3, 5, 6

4. An intrusion detection device for monitoring one or more target devices and detecting malicious software operating on one of the one or more target devices, the intrusion detection device comprising:

a processor; at least one interface arrangement comprising one or more interfaces suitable, in operation, for receiving inward bound traffic received by the one or more target devices and outward bound traffic originating from the one or more target devices; a categoriser configured to categorize incoming service requests destined for one of the one or more target devices as either harmless or potentially suspicious; a monitor configured to, in respect of each incoming service request identified as being potentially suspicious, monitor the behaviour of the associated target device for behaviour indicative of the target device operating as a proxy server; and a notifier configured to generate a notification in the event that the monitored behaviour is indicative of the device acting as a proxy server; wherein said monitor is further configured to perform repeated DNS lookups of any fully qualified domain name specified in the identified potentially suspicious service request and analyze the results of such lookups for signs of the fully qualified domain name being associated with a fast flux proxy network.

Dependent claims: 7, 8

9. An intrusion detection device for monitoring one or more target devices and detecting malicious software operating on one of the one or more target devices, the intrusion detection device having:

at least one interface arrangement comprising one or more interfaces suitable, in operation, for receiving inward bound traffic received by the one or more target devices and outward bound traffic originating from the one or more target devices; and a processing system, having at least one processor, configured to: categorize incoming service requests destined for one of the one or more target devices as either harmless or potentially suspicious; monitor, in respect of each incoming service request identified as being potentially suspicious, the behaviour of the associated target device for behaviour indicative of the target device operating as a proxy server; and generate a notification in the event that the monitored behaviour is indicative of the device acting as a proxy server; wherein the processing system is further configured to perform repeated DNS lookups of any fully qualified domain name specified in the identified potentially suspicious service request and analyze the results of such lookups for signs of the fully qualified domain name being associated with a fast flux proxy network.

Dependent claims: 10, 11
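The "repeated DNS lookups ... analysed for signs of a fast flux proxy network" step of the independent claims, as an added example and not the patent's own implementation: it scores a series of answers for one FQDN on distinct A records seen, lowest TTL, and how often the returned IP set changes between lookups. The thresholds and the sample answers are constructed assumptions for illustration.

```python
"""Fast-flux scoring over repeated DNS answers for one FQDN (added example)."""
from dataclasses import dataclass

# Assumed thresholds; a real deployment would tune these per network.
LOW_TTL_SECONDS = 300   # flux records tend to carry very short TTLs
MIN_DISTINCT_IPS = 5    # distinct A records across the monitoring window
MIN_CHURN = 0.5         # fraction of consecutive lookups whose IP set changed


@dataclass(frozen=True)
class Lookup:
    """One DNS answer: the A records returned and their TTL in seconds."""
    ips: frozenset
    ttl: int


@dataclass(frozen=True)
class FluxVerdict:
    fqdn: str
    distinct_ips: int
    min_ttl: int
    churn: float
    fast_flux: bool


def analyse_lookups(fqdn, lookups):
    """Score repeated lookups of one FQDN for fast-flux signs.

    All three indicators must hold for the FQDN to be flagged, which keeps
    ordinary round-robin or CDN-hosted names with stable IP pools unflagged.
    """
    distinct = set().union(*(lk.ips for lk in lookups)) if lookups else set()
    min_ttl = min((lk.ttl for lk in lookups), default=0)
    pairs = list(zip(lookups, lookups[1:]))
    churn = sum(a.ips != b.ips for a, b in pairs) / len(pairs) if pairs else 0.0
    flagged = (len(distinct) >= MIN_DISTINCT_IPS
               and min_ttl <= LOW_TTL_SECONDS
               and churn >= MIN_CHURN)
    return FluxVerdict(fqdn, len(distinct), min_ttl, churn, flagged)


# Constructed sample answers (documentation-range addresses, not real data).
FLUX_LOOKUPS = [
    Lookup(frozenset({"198.51.100.10", "198.51.100.23"}), 180),
    Lookup(frozenset({"203.0.113.7", "198.51.100.23"}), 180),
    Lookup(frozenset({"203.0.113.7", "192.0.2.55"}), 120),
    Lookup(frozenset({"192.0.2.91", "198.51.100.10"}), 180),
    Lookup(frozenset({"203.0.113.140", "192.0.2.91"}), 150),
]
STABLE_LOOKUPS = [Lookup(frozenset({"192.0.2.1"}), 3600)] * 5

if __name__ == "__main__":
    print(analyse_lookups("flux.example", FLUX_LOOKUPS))
    print(analyse_lookups("stable.example", STABLE_LOOKUPS))
```

In the claimed device this verdict would feed the notifier alongside the traffic-based proxy indicators observed over the predetermined monitoring window.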