Heuristic botnet detection

US 9,143,522 B2
Filed: 09/04/2013
Issued: 09/22/2015
Est. Priority Date: 05/24/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

monitor network traffic to identify suspicious network traffic, wherein the monitoring of the network traffic includes;

identify a uniform resource locator (URL) in the network traffic;

determine whether the network traffic includes a malware URL, an unclassified URL, or a combination thereof; and

in the event that the network traffic includes the malware URL, the unclassified URL, or a combination thereof, assign the network traffic as the suspicious network traffic;

detect a bot based on a heuristic analysis of the suspicious network traffic behavior, wherein the suspicious network traffic behavior includes command and control traffic associated with a bot master;

monitor behavior indicated in the network traffic to identify malware, wherein the monitored behaviors that indicate potential malware include connecting to a non-standard HTTP port for HTTP traffic, visiting a non-existent domain, downloading executable files with non-standard executable file extensions, performing a DNS query for an email server, communicating using a post method in HTTP traffic, connecting to a non-standard IRC port for IRC traffic, communicating using an intrusion prevention system evasion technique, communicating unclassified traffic over an HTTP port, visiting a dynamic DNS domain, or any combination thereof; and

monitor visited domain related behavior to identify a malicious domain based on whether a visited domain is a dynamic DNS domain; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, heuristic botnet detection is provided. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master. In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score.

119 Citations

16 Claims

1. A system, comprising:
- a processor configured to;
  
  monitor network traffic to identify suspicious network traffic, wherein the monitoring of the network traffic includes;
  
  identify a uniform resource locator (URL) in the network traffic;
  
  determine whether the network traffic includes a malware URL, an unclassified URL, or a combination thereof; and
  
  in the event that the network traffic includes the malware URL, the unclassified URL, or a combination thereof, assign the network traffic as the suspicious network traffic;
  
  detect a bot based on a heuristic analysis of the suspicious network traffic behavior, wherein the suspicious network traffic behavior includes command and control traffic associated with a bot master;
  
  monitor behavior indicated in the network traffic to identify malware, wherein the monitored behaviors that indicate potential malware include connecting to a non-standard HTTP port for HTTP traffic, visiting a non-existent domain, downloading executable files with non-standard executable file extensions, performing a DNS query for an email server, communicating using a post method in HTTP traffic, connecting to a non-standard IRC port for IRC traffic, communicating using an intrusion prevention system evasion technique, communicating unclassified traffic over an HTTP port, visiting a dynamic DNS domain, or any combination thereof; and
  
  monitor visited domain related behavior to identify a malicious domain based on whether a visited domain is a dynamic DNS domain; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system recited in claim 1, wherein the suspicious behavior is a malware download.
  - 3. The system recited in claim 1, wherein the suspicious behavior is a command and control communication determined using a plurality of heuristics.
  - 4. The system recited in claim 1, wherein the suspicious network traffic includes HTTP traffic, IRC traffic, and unclassified application traffic.
  - 5. The system recited in claim 1, wherein the suspicious network traffic includes firewall logs.
  - 6. The system recited in claim 1, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - identify generic command and control traffic patterns; and
      
      identify specific command and control traffic patterns.
  - 7. The system recited in claim 1, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - classify the monitored network traffic as command and control traffic associated with a bot master.
  - 8. The system recited in claim 1, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - correlate the suspicious network traffic behavior with a plurality of other suspicious behaviors.
  - 9. The system recited in claim 1, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - correlate the suspicious network traffic behavior with a plurality of other suspicious behaviors associated with a client or a plurality of clients.
  - 10. The system recited in claim 1, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - assign a score to the monitored network traffic, wherein the score corresponds to a botnet risk characterization of the monitored network traffic.
  - 11. The system recited in claim 1, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - assign a score to the monitored network traffic, wherein the score corresponds to a botnet risk characterization of the monitored network traffic; and
      
      increase the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic.
  - 12. The system recited in claim 1, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - assign a score to the monitored network traffic, wherein the score corresponds to a botnet risk characterization of the monitored network traffic;
      
      increase the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic; and
      
      determine the suspicious behavior is associated with a botnet based on the score.

13. A method, comprising:
- monitoring network traffic to identify suspicious network traffic, wherein the monitoring of the network traffic includes;
  
  identifying a uniform resource locator (URL) in the network traffic;
  
  determining whether the network traffic includes a malware URL, an unclassified URL, or a combination thereof; and
  
  in the event that the network traffic includes the malware URL, the unclassified URL, or a combination thereof, assigning the network traffic as the suspicious network traffic;
  
  detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor;
  
  wherein the suspicious network traffic behavior includes command and control traffic associated with a bot master;
  
  monitoring behavior indicated in the network traffic to identify malware, wherein the monitored behaviors that indicate potential malware include connecting to a non-standard HTTP port for HTTP traffic, visiting a non-existent domain, downloading executable files with non-standard executable file extensions, performing a DNS query for an email server, communicating using a post method in HTTP traffic, connecting to a non-standard IRC port for IRC traffic, communicating using an intrusion prevention system evasion technique, communicating unclassified traffic over an HTTP port, visiting a dynamic DNS domain, or any combination thereof; and
  
  monitoring visited domain related behavior to identify a malicious domain based on whether a visited domain is a dynamic DNS domain.
- View Dependent Claims (14)
- - 14. The method of claim 13 further comprising:
    - assigning a score to the monitored network traffic, wherein the score corresponds to a botnet risk characterization of the monitored network traffic;
      
      increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic; and
      
      determining the suspicious behavior is associated with a botnet based on the score.

15. A computer program product, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
- monitoring network traffic to identify suspicious network traffic, wherein the monitoring of the network traffic includes;
  
  identifying a uniform resource locator (URL) in the network traffic;
  
  determining whether the network traffic includes a malware URL, an unclassified URL, or a combination thereof; and
  
  in the event that the network traffic includes the malware URL, the unclassified URL, or a combination thereof, assigning the network traffic as the suspicious network traffic;
  
  detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor;
  
  wherein the suspicious network traffic behavior includes command and control traffic associated with a bot master;
  
  monitoring behavior indicated in the network traffic to identify malware, wherein the monitored behaviors that indicate potential malware include connecting to a non-standard HTTP port for HTTP traffic, visiting a non-existent domain, downloading executable files with non-standard executable file extensions, performing a DNS query for an email server, communicating using a post method in HTTP traffic, connecting to a non-standard IRC port for IRC traffic, communicating using an intrusion prevention system evasion technique, communicating unclassified traffic over an HTTP port, visiting a dynamic DNS domain, or any combination thereof; and
  
  monitoring visited domain related behavior to identify a malicious domain based on whether a visited domain is a dynamic DNS domain.
- View Dependent Claims (16)
- - 16. The computer program product recited in claim 15, further comprising computer instructions for:
    - assigning a score to the monitored network traffic, wherein the score corresponds to a botnet risk characterization of the monitored network traffic;
      
      increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic; and
      
      determining the suspicious behavior is associated with a botnet based on the score.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Wang, Xinran, Xie, Huagang
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US14/018,323
Publication Number

US 20140090059A1
Time in Patent Office

748 Days
Field of Search

726 22- 24, 709/224
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 2463/144   Detection or countermeasure...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 67/02   based on web technology, e....

H04L 69/22   Parsing or analysis of headers

Heuristic botnet detection

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Heuristic botnet detection

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links