Detection of malware beaconing activities

US 9,038,178 B1
Filed: 06/25/2012
Issued: 05/19/2015
Est. Priority Date: 06/25/2012
Status: Active Grant

First Claim

Patent Images

1. A malware beaconing detection system, comprising:

a processor configured to;

identify a plurality of conversations between an internal device and one or more external destinations, wherein at least some of the plurality of conversations are determined from stored logs associated with communication between one or more internal devices associated with an enterprise network and the one or more external destinations, wherein identifying a first conversation of the plurality of conversations between a pair comprising the internal device and a first external destination of the one or more external destination comprises to;

obtain a plurality of communication events among the stored logs that includes the pair comprising the internal device and the first external destination, wherein to obtain a communication event that includes the pair comprising the internal device and the first external destination includes to;

identify traffic between a dynamically assigned Internal Protocol (IP) address and the first external destination; and

determine that the dynamically assigned IP address maps to a statically assigned address associated with the internal device; and

generate the first conversation between the pair comprising the internal device and the first external destination based at least in part on the plurality of communication events;

extract feature sets based at least in part on the plurality of conversations; and

determine that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets; and

a memory coupled to the processor and configured to store the extracted feature sets.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Malware beaconing activity detection is disclosed, including: monitoring a plurality of conversations between an internal device and one or more external destinations; extracting feature sets based at least in part on the plurality of conversations; and determining that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets.

Citations

18 Claims

1. A malware beaconing detection system, comprising:
- a processor configured to;
  
  identify a plurality of conversations between an internal device and one or more external destinations, wherein at least some of the plurality of conversations are determined from stored logs associated with communication between one or more internal devices associated with an enterprise network and the one or more external destinations, wherein identifying a first conversation of the plurality of conversations between a pair comprising the internal device and a first external destination of the one or more external destination comprises to;
  
  obtain a plurality of communication events among the stored logs that includes the pair comprising the internal device and the first external destination, wherein to obtain a communication event that includes the pair comprising the internal device and the first external destination includes to;
  
  identify traffic between a dynamically assigned Internal Protocol (IP) address and the first external destination; and
  
  determine that the dynamically assigned IP address maps to a statically assigned address associated with the internal device; and
  
  generate the first conversation between the pair comprising the internal device and the first external destination based at least in part on the plurality of communication events;
  
  extract feature sets based at least in part on the plurality of conversations; and
  
  determine that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets; and
  
  a memory coupled to the processor and configured to store the extracted feature sets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein at least one of the one or more external destinations comprises an external IP address outside of the enterprise network.
  - 3. The system of claim 1, wherein the at least some of the plurality of conversations are determined based at least in part on stored logs comprising one or more of the following:
    - firewall logs, proxy logs, and dynamic host configuration protocol (DHCP) logs.
  - 4. The system of claim 1, wherein the anomalous conversation is potentially indicative of malware being present at the internal device.
  - 5. The system of claim 1, wherein to determine that the conversation is anomalous includes building a model based at least in part on at least some of the feature sets and a plurality of historical conversations.
  - 6. The system of claim 5, wherein at least some of the extracted feature sets are input into the model and the model is configured to determine that the conversation is anomalous based on the inputted feature sets.
  - 7. The system of claim 1, wherein one of the feature sets includes a feature associated with an age of the internal device.
  - 8. The system of claim 1, wherein one of the feature sets includes a feature associated with an age of one of the one or more external destinations.
  - 9. The system of claim 1, wherein one of the feature sets includes a feature associated with a service associated with one of the one or more external destinations.
  - 10. The system of claim 1, wherein one of the feature sets includes a feature associated with a geolocation of one of the one or more external destinations.
  - 11. The system of claim 1, wherein the processor is further configured to present information associated the anomalous conversation.
  - 12. The system of claim 1, wherein identifying the first conversation further includes the processor being further configured to store attributes associated with the plurality of communication events, the internal device, and the first external destination with the first conversation, and wherein extracting feature sets includes the processor being further configured to extract a feature set from the attributes associated with the first conversation.

13. A method for malware beaconing detection, comprising:
- identifying a plurality of conversations between an internal device and one or more external destinations, wherein at least some of the plurality of conversations are determined from stored logs associated with communication between one or more internal devices associated with an enterprise network and the one or more external destinations, wherein identifying a first conversation of the plurality of conversations between a pair comprising the internal device and a first external destination of the one or more external destination comprises;
  
  obtaining a plurality of communication events among the stored logs that includes the pair comprising the internal device and the first external destination, wherein to obtain a communication event that includes the pair comprising the internal device and the first external destination includes;
  
  identifying traffic between a dynamically assigned Internal Protocol (IP) address and the first external destination; and
  
  determining that the dynamically assigned IP address maps to a statically assigned address associated with the internal device; and
  
  generating the first conversation between the pair comprising the internal device and the first external destination based at least in part on the plurality of communication events;
  
  extracting feature sets based at least in part on the plurality of conversations; and
  
  determining, using a processor, that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, wherein at least some of the plurality of conversations are determined based at least in part on stored logs comprising one or more of the following:
    - firewall logs, proxy logs, and dynamic host configuration protocol (DHCP) logs.
  - 15. The method of claim 13, wherein determining that the conversation is anomalous includes building a model based at least in part on at least some of the feature sets and a plurality of historical conversations.
  - 16. The method of claim 15, wherein at least some of the extracted feature sets are input into the model and the model is configured to determine that the conversation is anomalous based on the inputted feature sets.
  - 17. The method of claim 13, further comprising presenting information associated the anomalous conversation.

18. A computer program product for malware beaconing detection, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- identifying a plurality of conversations between an internal device and one or more external destinations, wherein at least some of the plurality of conversations are determined from stored logs associated with communication between one or more internal devices associated with an enterprise network and the one or more external destinations, wherein identifying a first conversation of the plurality of conversations between a pair comprising the internal device and a first external destination of the one or more external destination comprises;
  
  obtaining a plurality of communication events among the stored logs that includes the pair comprising the internal device and the first external destination, wherein to obtain a communication event that includes the pair comprising the internal device and the first external destination includes;
  
  identifying traffic between a dynamically assigned Internal Protocol (IP) address and the first external destination; and
  
  determining that the dynamically assigned IP address maps to a statically assigned address associated with the internal device; and
  
  generating the first conversation between the pair comprising the internal device and the first external destination based at least in part on the plurality of communication events;
  
  extracting feature sets based at least in part on the plurality of conversations; and
  
  determining that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Lin, Derek
Primary Examiner(s)
Moorthy, Aravind

Application Number

US13/532,385
Time in Patent Office

1,058 Days
Field of Search

726/23, 726/11, 726/13, 713/153, 713/154, 713/168, 713/170, 709/224, 709/225
US Class Current

726/23
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Detection of malware beaconing activities

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of malware beaconing activities

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links