Detection of malware beaconing activities
First Claim
Patent Images
1. A malware beaconing detection system, comprising:
- a processor configured to;
identify a plurality of conversations between an internal device and one or more external destinations, wherein at least some of the plurality of conversations are determined from stored logs associated with communication between one or more internal devices associated with an enterprise network and the one or more external destinations, wherein identifying a first conversation of the plurality of conversations between a pair comprising the internal device and a first external destination of the one or more external destination comprises to;
obtain a plurality of communication events among the stored logs that includes the pair comprising the internal device and the first external destination, wherein to obtain a communication event that includes the pair comprising the internal device and the first external destination includes to;
identify traffic between a dynamically assigned Internal Protocol (IP) address and the first external destination; and
determine that the dynamically assigned IP address maps to a statically assigned address associated with the internal device; and
generate the first conversation between the pair comprising the internal device and the first external destination based at least in part on the plurality of communication events;
extract feature sets based at least in part on the plurality of conversations; and
determine that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets; and
a memory coupled to the processor and configured to store the extracted feature sets.
9 Assignments
0 Petitions
Accused Products
Abstract
Malware beaconing activity detection is disclosed, including: monitoring a plurality of conversations between an internal device and one or more external destinations; extracting feature sets based at least in part on the plurality of conversations; and determining that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets.
-
Citations
18 Claims
-
1. A malware beaconing detection system, comprising:
-
a processor configured to; identify a plurality of conversations between an internal device and one or more external destinations, wherein at least some of the plurality of conversations are determined from stored logs associated with communication between one or more internal devices associated with an enterprise network and the one or more external destinations, wherein identifying a first conversation of the plurality of conversations between a pair comprising the internal device and a first external destination of the one or more external destination comprises to; obtain a plurality of communication events among the stored logs that includes the pair comprising the internal device and the first external destination, wherein to obtain a communication event that includes the pair comprising the internal device and the first external destination includes to; identify traffic between a dynamically assigned Internal Protocol (IP) address and the first external destination; and determine that the dynamically assigned IP address maps to a statically assigned address associated with the internal device; and generate the first conversation between the pair comprising the internal device and the first external destination based at least in part on the plurality of communication events; extract feature sets based at least in part on the plurality of conversations; and determine that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets; and a memory coupled to the processor and configured to store the extracted feature sets. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A method for malware beaconing detection, comprising:
-
identifying a plurality of conversations between an internal device and one or more external destinations, wherein at least some of the plurality of conversations are determined from stored logs associated with communication between one or more internal devices associated with an enterprise network and the one or more external destinations, wherein identifying a first conversation of the plurality of conversations between a pair comprising the internal device and a first external destination of the one or more external destination comprises; obtaining a plurality of communication events among the stored logs that includes the pair comprising the internal device and the first external destination, wherein to obtain a communication event that includes the pair comprising the internal device and the first external destination includes; identifying traffic between a dynamically assigned Internal Protocol (IP) address and the first external destination; and determining that the dynamically assigned IP address maps to a statically assigned address associated with the internal device; and generating the first conversation between the pair comprising the internal device and the first external destination based at least in part on the plurality of communication events; extracting feature sets based at least in part on the plurality of conversations; and determining, using a processor, that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets. - View Dependent Claims (14, 15, 16, 17)
-
-
18. A computer program product for malware beaconing detection, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
-
identifying a plurality of conversations between an internal device and one or more external destinations, wherein at least some of the plurality of conversations are determined from stored logs associated with communication between one or more internal devices associated with an enterprise network and the one or more external destinations, wherein identifying a first conversation of the plurality of conversations between a pair comprising the internal device and a first external destination of the one or more external destination comprises; obtaining a plurality of communication events among the stored logs that includes the pair comprising the internal device and the first external destination, wherein to obtain a communication event that includes the pair comprising the internal device and the first external destination includes; identifying traffic between a dynamically assigned Internal Protocol (IP) address and the first external destination; and determining that the dynamically assigned IP address maps to a statically assigned address associated with the internal device; and generating the first conversation between the pair comprising the internal device and the first external destination based at least in part on the plurality of communication events; extracting feature sets based at least in part on the plurality of conversations; and determining that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets.
-
Specification