Detecting malicious behaviour on a network

US 9,003,526 B2
Filed: 11/19/2010
Issued: 04/07/2015
Est. Priority Date: 11/20/2009
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method of detecting malicious behaviour on a local network, the method comprising:

identifying incoming service requests received by a target device forming part of the local network as either harmless or potentially suspicious and, in respect of each incoming service request identified as being potentially suspicious, andmonitoring the behaviour of the target device for a predetermined time for behaviour indicative of the target device operating as a proxy server, and, in the event that the monitored behaviour is indicative of the device acting as a proxy server generating a notification indicative of the observed behaviour,wherein said monitoring includes performing repeated DNS lookups of any fully qualified domain name specified in the identified potentially suspicious service request and analysing the results of such lookups for signs of the fully qualified domain name being associated with a fast flux proxy network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion detection device (61) for monitoring one or more target devices and detecting malicious software operating on one of the one or more target devices. The intrusion detection device has an interface arrangement (61, 10) comprising one or more interfaces (6110) for receiving inward bound traffic destined for the one or more target devices and outward bound traffic originating from the one or more target devices. The intrusion detection device (61) also includes categorization means (6140) for categorizing incoming service requests destined for one of the one or more target devices as either harmless or potentially suspicious; monitoring means (6150) operable, in respect of each incoming service request identified as being potentially suspicious, to monitor the behavior of the associated target device for behavior indicative of the target device operating as a proxy server; and a notifier (6160) for generating a notification in the event that the monitored behavior is indicative of the device acting as a proxy server.

48 Citations

View as Search Results

11 Claims

1. A computer implemented method of detecting malicious behaviour on a local network, the method comprising:
- identifying incoming service requests received by a target device forming part of the local network as either harmless or potentially suspicious and, in respect of each incoming service request identified as being potentially suspicious, andmonitoring the behaviour of the target device for a predetermined time for behaviour indicative of the target device operating as a proxy server, and, in the event that the monitored behaviour is indicative of the device acting as a proxy server generating a notification indicative of the observed behaviour,wherein said monitoring includes performing repeated DNS lookups of any fully qualified domain name specified in the identified potentially suspicious service request and analysing the results of such lookups for signs of the fully qualified domain name being associated with a fast flux proxy network.
- View Dependent Claims (2, 3, 5, 6)
- - 2. The method according to claim 1 wherein said identifying incoming service requests includes identifying if the incoming service request is in a proxy format and categorising the service request as potentially suspicious if it is in a proxy format.
  - 3. The method according to claim 1 wherein said monitoring includes monitoring outbound service requests issued from the target device and identifying any correlated outbound service requests as indicative of potentially suspicious behaviour by the target device.
  - 5. A non-transitory computer-readable storage medium storing a computer program or suite of computer programs for causing an intrusion detection system to carry out the method claim 1.
  - 6. A non-transitory computer-readable storage medium storing a computer program or suite of computer programs which upon execution by a computer system performs the method of claim 1.

4. An intrusion detection device for monitoring one or more target devices and detecting malicious software operating on one of the one or more target devices, the intrusion detection device comprising:
- a processor;
  
  at least one interface arrangement comprising one or more interfaces suitable, in operation, for receiving inward bound traffic received by the one or more target devices and outward bound traffic originating from the one or more target devices;
  
  a categoriser configured to categorize incoming service requests destined for one of the one or more target devices as either harmless or potentially suspicious;
  
  a monitor configured to, in respect of each incoming service request identified as being potentially suspicious, monitor the behaviour of the associated target device for behaviour indicative of the target device operating as a proxy server; and
  
  a notifier configured to generate a notification in the event that the monitored behaviour is indicative of the device acting as a proxy server;
  
  wherein said monitor is further configured to perform repeated DNS lookups of any fully qualified domain name specified in the identified potentially suspicious service request and analyze the results of such lookups for signs of the fully qualified domain name being associated with a fast flux proxy network.
- View Dependent Claims (7, 8)
- - 7. The device according to claim 4 wherein the categoriser is configured to identify if the incoming service request is in a proxy format and categorize the service request as potentially suspicious if it is in a proxy format.
  - 8. The device according to claim 4 wherein the monitor is configured to monitor outbound service requests issued from the target device and identify any correlated outbound service requests as indicative of potentially suspicious behaviour by the target device.

9. An intrusion detection device for monitoring one or more target devices and detecting malicious software operating on one of the one or more target devices, the intrusion detection device having:
- at least one interface arrangement comprising one or more interfaces suitable, in operation, for receiving inward bound traffic received by the one or more target devices and outward bound traffic originating from the one or more target devices; and
  
  a processing system, having at least one processor, configured to;
  
  categorize incoming service requests destined for one of the one or more target devices as either harmless or potentially suspicious;
  
  monitor, in respect of each incoming service request identified as being potentially suspicious, the behaviour of the associated target device for behaviour indicative of the target device operating as a proxy server; and
  
  generate a notification in the event that the monitored behaviour is indicative of the device acting as a proxy server;
  
  wherein the processing system is further configured to perform repeated DNS lookups of any fully qualified domain name specified in the identified potentially suspicious service recquest and analyze the results of such lookups for signs of the fully qualified domain name being associated with a fast flux proxy network.
- View Dependent Claims (10, 11)
- - 10. The device according to claim 9 wherein the processing system is further configured to identify if the incoming service request is in a proxy format and categorize the service request as potentially suspicious if it is in a proxy format.
  - 11. The device according to claim 9 wherein the processing system is further configured to monitor outbound service requests issued from the target device and identify any correlated outbound service requests as indicative of potentially suspicious behaviour by the target device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
British Telecommunications PLC (BT Group PLC)
Original Assignee
British Telecommunications PLC (BT Group PLC)
Inventors
El-Moussa, Fadi J
Primary Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US13/510,545
Publication Number

US 20120278889A1
Time in Patent Office

1,600 Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1475   Passive attacks, e.g. eaves...

H04L 63/1483   service impersonation, e.g....

Detecting malicious behaviour on a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

48 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting malicious behaviour on a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links