Methods and apparatus to detect risks using application layer protocol headers

US 9,135,439 B2
Filed: 03/15/2013
Issued: 09/15/2015
Est. Priority Date: 10/05/2012
Status: Active Grant

First Claim

Patent Images

1. A method to analyze network communications, the method comprising:

extracting characteristics from a header of a received hypertext transport protocol (HTTP) request;

determining a length of a user agent field of the header as a first characteristic of the characteristics;

determining, via a processor, a first score as a first value when the length of the user agent field is less than a length threshold, wherein the first value indicates that the received HTTP request is more likely to be malware;

determining a second score corresponding to a second characteristic of the characteristics;

adding the first score and the second score to determine a combined score; and

indicating that the received HTTP request is malware when the combined score meets a threshold.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus, systems and articles of manufacture to detect risks using application protocol headers are disclosed. An example method includes extracting characteristics from a header of a received hypertext transport protocol (HTTP) request, determining a first score corresponding to a first characteristic of the characteristics, determining a second score corresponding to a second characteristic of the characteristics, adding the first score and the second score to determine a combined score, and indicating that the received HTTP request is malware when the combined score meets a threshold.

Citations

27 Claims

1. A method to analyze network communications, the method comprising:
- extracting characteristics from a header of a received hypertext transport protocol (HTTP) request;
  
  determining a length of a user agent field of the header as a first characteristic of the characteristics;
  
  determining, via a processor, a first score as a first value when the length of the user agent field is less than a length threshold, wherein the first value indicates that the received HTTP request is more likely to be malware;
  
  determining a second score corresponding to a second characteristic of the characteristics;
  
  adding the first score and the second score to determine a combined score; and
  
  indicating that the received HTTP request is malware when the combined score meets a threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method as defined in claim 1, further including:
    - determining a number of fields in the header;
      
      determining the second score as a first value for the second score when the number of fields is less than a number threshold; and
      
      determining the second score as a second value for the second score when the number of fields is greater than the number threshold, wherein the first value for the second score indicates that the received HTTP request is more likely to be malware than the second value for the second score.
  - 3. A method as defined in claim 1, further including:
    - determining a protocol version identified in the header;
      
      determining the second score as a first value for the second score when the header includes a field not associated with the protocol version; and
      
      determining the second score as a second value for the second score when the header does not include fields that are not associated with the protocol version, wherein the first value for the second score indicates that the received HTTP request is more likely to be malware than the second value for the second score.
  - 4. A method as defined in claim 1, further including:
    - determining if the header identifies a uniform resource identifier having a file extension identified as being more likely to be associated with malware;
      
      determining the second score as a first value for the second score when the header identifies the file extension; and
      
      determining the second score as a second value for the second score when the header does not identify the file extension, wherein the first value for the second score indicates that the received HTTP request is more likely to be malware than the second value for the second score.
  - 5. A method as defined in claim 1, further including:
    - determining if the header identifies a cookie;
      
      determining the second score as a first value for the second score when the header identifies the cookie; and
      
      determining the second score as a second value for the second score when the header does not include the cookie, wherein the first value for the second score indicates that the received HTTP request is more likely to be malware than the second value for the second score.
  - 6. A method as defined in claim 1, further including:
    - determining an application that sent the received HTTP request based on a user agent field of the header;
      
      determining a known ordering of header fields associated with the application;
      
      determining the second score as a first value for the second score when an order of fields of the header of the received HTTP request does not match the known ordering; and
      
      determining the second score as a second value for the second score when the order of the fields of the header of the received HTTP request matches the known ordering, wherein the first value for the second score indicates that the received HTTP request is more likely to be malware than the second value for the second score.
  - 7. A method as defined in claim 1, wherein the received HTTP request utilizes secure socket layer.
  - 8. A method as defined in claim 1, further including, in response to indicating that the received HTTP request is malware, preventing the received HTTP request from reaching a destination identified in the received HTTP request.
  - 9. A method as defined in claim 1, the method further including:
    - determining the first score as a second value when length of the user agent field is greater than the length threshold.

10. An apparatus to analyze network communications, the apparatus comprising:
- a header extractor to extract characteristics from a header of a received hypertext transport protocol (HTTP) request, wherein a user agent field is a first characteristic of the characteristics;
  
  a score generator to determine a first score as a first value when a length of the user agent field is less than a length threshold, wherein the first value indicates that the received HTTP request is more likely to be malware, determine a second score corresponding to a second characteristic of the characteristics;
  
  adding the first score and the second score to determine a combined score;
  
  a combiner to add the first score and the second score to determine a combined score; and
  
  a risk detector to indicate that the received HTTP request is malware when the combined score meets a threshold, wherein at least one of the header extractor, the score generator, or the risk detector is implemented via a logic circuit.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. An apparatus as defined in claim 10, the score generator is to determine the second score by:
    - determining a number of fields in the header;
      
      determining the second score as a first value for the second score when the number of fields is less than a number threshold; and
      
      determining the second score as a second value for the second score when the number of fields is greater than the number threshold, wherein the first value for the second score indicates that the received HTTP request is more likely to be malware than the second value for the second score.
  - 12. An apparatus as defined in claim 10, the score generator is to determine the second score by:
    - determining a protocol version identified in the header;
      
      determining the second score as a first value for the second score when the header includes a field not associated with the protocol version; and
      
      determining the second score as a second value for the second score when the header does not include fields that are not associated with the protocol version, wherein the first value for the second score indicates that the received HTTP request is more likely to be malware than the second value for the second score.
  - 13. An apparatus as defined in claim 10, the score generator is to determine the second score by:
    - determining if the header identifies a uniform resource identifier having a file extension identified as being more likely to be associated with malware;
      
      determining the second score as a first value for the second score when the header identifies the file extension; and
      
      determining the second score as a second value for the second score when the header does not identify the file extension, wherein the first value for the second score indicates that the received HTTP request is more likely to be malware than the second value for the second score.
  - 14. An apparatus as defined in claim 10, the score generator is to determine the second score by:
    - determining if the header identifies a cookie;
      
      determining the second score as a first value for the second score when the header identifies the cookie; and
      
      determining the second score as a second value for the second score when the header does not include the cookie, wherein the first value for the second score indicates that the received HTTP request is more likely to be malware than the second value for the second score.
  - 15. An apparatus as defined in claim 10, the score generator is to determine the second score by:
    - determining an application that sent the received HTTP request based on a user agent field of the header;
      
      determining a known ordering of header fields associated with the application;
      
      determining the second score as a first value for the second score when an order of fields of the header of the received HTTP request does not match the known ordering; and
      
      determining the second score as a second value for the second score when the order of the fields of the header of the received HTTP request matches the known ordering, wherein the first value for the second score indicates that the received HTTP request is more likely to be malware than the second value for the second score.
  - 16. An apparatus as defined in claim 10, wherein the received HTTP request utilizes secure socket layer.
  - 17. An apparatus as defined in claim 10, an action controller to, in response to the risk detector indicating that the received HTTP request is malware, prevent the received HTTP request from reaching a destination identified in the received HTTP request.
  - 18. An apparatus as defined in claim 10, wherein the score generator is further to:
    - determine the first score as a second value when length of the user agent field is greater than the length threshold.

19. A tangible computer readable storage medium including instructions that, when executed, cause a machine to at least:
- extract characteristics from a header of a received hypertext transport protocol (HTTP) request, wherein a user agent field of the header is a first characteristic of the characteristics;
  
  determine a length of the user agent field of the header;
  
  determine a first score as a first value when the length of the user agent field is less than a length threshold, wherein the first value indicates that the received HTTP request is more likely to be malware;
  
  determine a second score corresponding to a second characteristic of the characteristics;
  
  add the first score and the second score to determine a combined score; and
  
  indicate that the received HTTP request is malware when the combined score meets a threshold.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. A tangible computer readable storage medium as defined in claim 19, wherein the instructions cause the machine to determine the second score by:
    - determining a number of fields in the header;
      
      determining the second score as a first value for the second score when the number of fields is less than a number threshold; and
      
      determining the first score as a second value for the second score when the number of fields is greater than the number threshold, wherein the first value for the second score indicates that the received HTTP request is more likely to be malware than the second value for the second score.
  - 21. A tangible computer readable storage medium as defined in claim 19, wherein the instructions cause the machine to determine the second score by:
    - determining a protocol version identified in the header;
      
      determining the second score as a first value for the second score when the header includes a field not associated with the protocol version; and
      
      determining the second score as a second value for the second score when the header does not include fields that are not associated with the protocol version, wherein the first value for the second score indicates that the received HTTP request is more likely to be malware than the second value for the second score.
  - 22. A tangible computer readable storage medium as defined in claim 19, wherein the instructions cause the machine to determine the second score by:
    - determining if the header identifies a uniform resource identifier having a file extension identified as being more likely to be associated with malware;
      
      determining the second score as a first value for the second score when the header identifies the file extension; and
      
      determining the second score as a second value for the second score when the header does not identify the file extension, wherein the first value for the second score indicates that the received HTTP request is more likely to be malware than the second value for the second score.
  - 23. A tangible computer readable storage medium as defined in claim 19, wherein the instructions cause the machine to determine the second score by:
    - determining if the header identifies a cookie;
      
      determining the second score as a first value for the second score when the header identifies the cookie; and
      
      determining the second score as a second value for the second score when the header does not include the cookie, wherein the first value for the second score indicates that the received HTTP request is more likely to be malware than the second value for the second score.
  - 24. A tangible computer readable storage medium as defined in claim 19, wherein the instructions cause the machine to determine the second score by:
    - determining an application that sent the received HTTP request based on a user agent field of the header;
      
      determining a known ordering of header fields associated with the application;
      
      determining the second score as a first value for the second score when an order of fields of the header of the received HTTP request does not match the known ordering; and
      
      determining the second score as a second value for the second score when the order of the fields of the header of the received HTTP request matches the known ordering, wherein the first value for the second score indicates that the received HTTP request is more likely to be malware than the second value for the second score.
  - 25. A tangible computer readable storage medium as defined in claim 19, wherein the received HTTP request utilizes secure socket layer.
  - 26. A tangible computer readable medium as defined in claim 19, wherein the instructions, when executed, cause the machine to, in response to indicating that the received HTTP request is malware, prevent the received HTTP request from reaching a destination identified in the received HTTP request.
  - 27. A tangible computer readable medium as defined in claim 19, wherein the instructions, when executed cause the machine to:
    - determine the first score as a second value when length of the user agent field is greater than the length threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Montoro, Rodrigo Ribeiro
Primary Examiner(s)
LE, CHAU D

Application Number

US13/839,810
Publication Number

US 20140101764A1
Time in Patent Office

914 Days
Field of Search

726 23- 24
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

H04L 63/145   the attack involving the pr...

H04L 67/02   based on web technology, e....

H04W 12/67   Risk-dependent, e.g. select...

Methods and apparatus to detect risks using application layer protocol headers

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus to detect risks using application layer protocol headers

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links