Detection of malware beaconing activities
First Claim
1. A system, comprising:
a processor configured to:
identify a plurality of communication events between a dynamically assigned address and an external destination;
determine that the dynamically assigned address maps to a statically assigned address associated with an internal device;
generate a conversation between the internal device and the external destination based at least in part on the plurality of communication events;
extract feature sets based at least in part on the conversation between the internal device and the external destination; and
determine whether the conversation between the internal device and the external destination is anomalous based at least in part on the extracted feature sets; and
a memory coupled to the processor and configured to store the extracted feature sets.
Abstract
Malware beaconing activity detection is disclosed, including: monitoring a plurality of conversations between an internal device and one or more external destinations; extracting feature sets based at least in part on the plurality of conversations; and determining that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets.
19 Claims
1. A system, comprising:
a processor configured to: identify a plurality of communication events between a dynamically assigned address and an external destination; determine that the dynamically assigned address maps to a statically assigned address associated with an internal device; generate a conversation between the internal device and the external destination based at least in part on the plurality of communication events; extract feature sets based at least in part on the conversation between the internal device and the external destination; and determine whether the conversation between the internal device and the external destination is anomalous based at least in part on the extracted feature sets; and
a memory coupled to the processor and configured to store the extracted feature sets.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A method, comprising:
identifying a plurality of communication events between a dynamically assigned address and an external destination; determining, using a processor, that the dynamically assigned address maps to a statically assigned address associated with an internal device; generating a conversation between the internal device and the external destination based at least in part on the plurality of communication events; extracting feature sets based at least in part on the conversation between the internal device and the external destination; and determining whether the conversation between the internal device and the external destination is anomalous based at least in part on the extracted feature sets.
Dependent claims: 13, 14, 15, 16, 17, 18, 19
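The pipeline the claims describe (resolve a dynamic address to the device that held it, assemble per-device conversations, extract timing features, flag regular beaconing), as an added worked example that is not part of the patent and not the patentee's implementation. The lease records, the event log, the feature set (event count, mean gap, coefficient of variation of inter-arrival times) and the thresholds are all assumptions constructed for the example; the claims do not specify which features are extracted.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DHCP lease records: (lease_start, ip, device). A lease maps a
# dynamically assigned IP to the static device identifier holding it from then on.
LEASES = [
    (0, "10.0.0.5", "laptop-A"),
    (0, "10.0.0.9", "laptop-B"),
    (1800, "10.0.0.5", "laptop-C"),  # laptop-C takes over 10.0.0.5 after 30 min
]
# Constructed outbound communication events: (timestamp, src_ip, destination).
EVENTS = (
    [(t, "10.0.0.5", "203.0.113.7") for t in range(0, 1800, 60)]       # laptop-A, every 60 s
    + [(t, "10.0.0.5", "203.0.113.7") for t in range(1800, 3600, 60)]  # laptop-C, same IP
    + [(t, "10.0.0.9", "198.51.100.2") for t in (5, 400, 410, 1300, 2900, 3001)]  # irregular
)

def device_for(ip, ts):
    """Resolve a dynamic IP at time ts to the device holding its lease at that time."""
    holder = None
    for start, lease_ip, device in sorted(LEASES):
        if lease_ip == ip and start <= ts:
            holder = device
    return holder

def build_conversations(events):
    """Group events into per-(device, destination) conversations, timestamps sorted."""
    conv = defaultdict(list)
    for ts, ip, dst in sorted(events):
        device = device_for(ip, ts)
        if device is not None:
            conv[(device, dst)].append(ts)
    return conv

def features(timestamps):
    """Feature set: event count, mean inter-arrival gap, coefficient of variation."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return {"count": len(timestamps), "mean_gap": None, "cv": None}
    m = mean(gaps)
    return {"count": len(timestamps), "mean_gap": m, "cv": pstdev(gaps) / m if m else None}

def anomalous_conversations(events, min_events=10, max_cv=0.1):
    """Flag conversations that look like beacons: many events with near-constant gaps."""
    verdicts = {}
    for key, ts in build_conversations(events).items():
        f = features(ts)
        verdicts[key] = f["count"] >= min_events and f["cv"] is not None and f["cv"] <= max_cv
    return verdicts
```

Without the lease lookup, the two 30-minute runs from 10.0.0.5 would merge into one 60-minute conversation attributed to no particular device; with it, each device gets its own conversation and its own verdict.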