Distributed systems and methods for automatically detecting unknown bots and botnets

US 9,430,646 B1
Filed: 03/14/2013
Issued: 08/30/2016
Est. Priority Date: 03/14/2013
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for detecting callbacks from malicious code, comprising:

A) local analyzers including a first local analyzer and a second local analyzer, the first local analyzer capturing packets of outbound communications, generating a signature from header information obtained from each of the captured packets, determining whether the signature matches a stored signature within a local signature cache, and, if a match is not found, analyzing the captured packet associated with the signature, including performing deep packet inspection; and

B) a central analyzer receiving at least the signature and results of analysis associated with the captured packet from the first local analyzer;

determining whether the signature matches a callback signature stored within a global signature cache; and

coordinating, when the signature matches the callback signature, a sharing of the signature with the second local analyzer; and

, when the signature fails to match any callback signature in the global signature cache, (i) performing an analysis on information contained in the captured packet;

(ii) generating a callback probability score associated with the captured packet;

(iii) declaring the captured packet having the callback probability score exceeding a predetermined threshold as associated with callbacks; and

(iv) storing a designation of malware status with the signature associated with the captured packet having the callback probability score exceeding the predetermined threshold in the global signature cache.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques may automatically detect bots or botnets running in a computer or other digital device by detecting command and control communications, called “call-backs,” from malicious code that has previously gained entry into the digital device. Callbacks are detected using a distributed approach employing one or more local analyzers and a central analyzer. The local analyzers capture packets of outbound communications, generate header signatures, and analyze the captured packets using various techniques. The techniques may include packet header signature matching against verified callback signatures, deep packet inspection. The central analyzer receives the header signatures and related header information from the local analyzers, may perform further analysis (for example, on-line host reputation analysis); determines using a heuristics analysis whether the signatures correspond to callbacks; and generally coordinates among the local analyzers.

796 Citations

20 Claims

1. A computer implemented method for detecting callbacks from malicious code, comprising:
- A) local analyzers including a first local analyzer and a second local analyzer, the first local analyzer capturing packets of outbound communications, generating a signature from header information obtained from each of the captured packets, determining whether the signature matches a stored signature within a local signature cache, and, if a match is not found, analyzing the captured packet associated with the signature, including performing deep packet inspection; and
  
  B) a central analyzer receiving at least the signature and results of analysis associated with the captured packet from the first local analyzer;
  
  determining whether the signature matches a callback signature stored within a global signature cache; and
  
  coordinating, when the signature matches the callback signature, a sharing of the signature with the second local analyzer; and
  
  , when the signature fails to match any callback signature in the global signature cache, (i) performing an analysis on information contained in the captured packet;
  
  (ii) generating a callback probability score associated with the captured packet;
  
  (iii) declaring the captured packet having the callback probability score exceeding a predetermined threshold as associated with callbacks; and
  
  (iv) storing a designation of malware status with the signature associated with the captured packet having the callback probability score exceeding the predetermined threshold in the global signature cache.

2. A computer implemented method for detecting callbacks from malicious code, comprising:
- A) performing, by a local analyzer,(i) signature matching of a generated header signature, based on information from a header obtained from a captured packet of a plurality of captured packets, against a plurality of packet header signatures corresponding to verified callbacks stored in a local cache, and(ii) first stage filtering of the header to detect whether the header corresponds to a suspect header upon detecting that the header includes header anomalies; and
  
  B) performing, by a central analyzer,(i) signature matching of the header signature for the suspect header received from the local analyzer against a plurality of header signatures corresponding to verified callbacks stored in a central cache,(ii) second stage filtering of the suspect header to detect suspicious characteristics associated with the suspect header, the suspect header detected to have suspicious characteristics being a suspicious suspect header,(iii) generating a probability score based on the suspicious characteristics for each of the suspicious suspect header,(iv) comparing the probability score with a threshold to verify whether the suspicious suspect header corresponds to a callback, and(v) storing the header signature of the suspicious suspect header verified as corresponding to a callback in the central cache, and sending a message to the local analyzer to update the local cache.

3. A computer implemented method performed by a local analyzer for detecting callbacks from malicious code, the local analyzer comprises one or more processors and software stored in a memory accessible to the one or more processors, and is configured for communications over a network with a central analyzer, the method comprising:
- A) generating a header signature based on information from a header obtained from a captured packet of a plurality of captured packets;
  
  B) signature matching of the header signature against a plurality of packet header signatures corresponding to verified callbacks stored in a local cache of the local analyzer;
  
  C) responsive to the header signature corresponding to none of the plurality of packet header signatures, performing a first stage filtering of the captured packet headers of the plurality of captured packets to detect whether the captured packet header includes with header anomalies, the captured packet header identified as having header anomalies being a suspect header;
  
  D) sending the suspect header and the header signature to the central analyzer, and receiving from the central analyzer a message providing information for the suspect header verified through a second stage filtering by the central analyzer as corresponding to a callback; and
  
  E) updating the local cache with the information received from the central analyzer, thereby storing in the local cache an updated listing for the plurality of packet header signatures corresponding to verified callbacks.
- View Dependent Claims (4, 5, 6, 7, 8)
- - 4. The computer implemented method of claim 3, wherein the generating of the header signature comprises generating a header signature from a partially masked header.
  - 5. The computer implemented method of claim 3, further comprising issuing an alert in the event the signature matching of the header signature against the plurality of packet header signatures results in a match;
    - and performing the sending of the suspect header and the updating of the local cache in response to the signature matching of the header signature does not result in a match.
  - 6. The computer implemented method of claim 3, wherein the first stage filtering comprises performing a dark IP address analysis on the suspect headers that identifies suspicious destination IP addresses contained within fields of the suspect headers.
  - 7. The computer implemented method of claim 3, wherein the first stage filtering comprises performing a dark analysis on the suspect headers that identifies suspicious domain identifiers contained within fields of the suspect headers.
  - 8. The computer implemented method of claim 3, wherein the performing of the first stage filtering of the captured packet headers to detect the captured packet header includes header anomalies comprises determining whether the captured packet header is non-compliant with a communication protocol.

9. A computer implemented method performed by a central analyzer for detecting callbacks from malicious code, the central analyzer configured for communication over a network with a plurality of local analyzers, the method comprising:
- A) receiving information identifying anomalies within a plurality of suspect headers from a local analyzer;
  
  B) comparing a header signature for each of the plurality of suspect headers received from the local analyzer against a plurality of header signatures corresponding to verified callbacks stored in a global cache associated with central analyzer;
  
  C) conducting an analysis of each of the plurality of suspect headers to detect whether any of the plurality of suspect headers has at least one suspicious attribute, the suspect headers detected to have suspicious attributes being suspicious suspect headers;
  
  D) verifying whether any of suspicious suspect headers correspond to callbacks, wherein the verifying comprises generating a probability score based on the anomalies and the at least one suspicious attribute for each of the suspicious suspect headers, and comparing the probability score with a threshold in determining whether any of the suspicious suspect headers should be classified as a callback;
  
  E) storing the header signatures of the suspicious suspect headers verified as corresponding to callbacks in the global cache; and
  
  F) sending a message to the local analyzer containing information with respect to the suspicious suspect headers verified as corresponding to callbacks.
- View Dependent Claims (10, 11)
- - 10. The computer implemented method of claim 9, wherein the analysis of each of the plurality of suspect headers comprises conducting a second stage filtering that comprises performing an on-line host reputation analysis based on the plurality of suspect headers.
  - 11. The computer implemented method of claim 9, wherein the anomalies are detected by the local analyzer.

12. A local analyzer for detecting callbacks from malicious code and configured for communication over a network with a central analyzer, the local analyzer comprising:
- one or more processors; and
  
  a persistent storage device coupled to the one or more processors, the persistent storage device comprisesa signature generating logic that, when executed by the one or more processors, is configured to generate a header signature based on information from a header obtained from a captured packet of a plurality of captured packets,a signature matching logic that, when executed by the one or more processors, is configured to match the header signature against a plurality of packet header signatures corresponding to verified callbacks stored in a local cache of the local analyzer,a first stage filter that, when executed by the one or more processors and in response to the header signature failing to match any of the plurality of packet header signatures, is configured to detect whether the captured packet header includes one or more header anomalies, the captured packet header identified as having one or more header anomalies being a suspect header; and
  
  a network interface configured to send suspect header and the header signature to the central analyzer, and to receive from the central analyzer a message providing information for each suspect header verified through a second stage filter by the central analyzer as corresponding to a callback,wherein the persistent storage device further comprises caching control logic that, when executed by the one or more processors, is configured to update the local cache with the information received from the central analyzer, thereby storing in the local cache an updated listing for packet header signatures corresponding to verified callbacks.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The local analyzer of claim 12, wherein the signature generating logic, when executed by the one or more processors, is configured to generate the header signature from a partially masked header.
  - 14. The local analyzer of claim 12, further comprising an alert generator that, when executed by the one or more processors, is configured, in the event of a signature match, to generate an alert being a warning to a user or a security administrator that the captured packet may be associated with malware.
  - 15. The local analyzer of claim 12, wherein the first stage filterer comprises logic configured to perform a dark IP address analysis on the suspect header that identifies suspicious destination IP addresses contained within fields of the suspect header.
  - 16. The local analyzer of claim 12, wherein the first stage filterer comprises logic configured to perform a dark top level domain (TLD) analysis on the suspect header that identifies a suspicious domain identifier contained within fields of the suspect header.
  - 17. The local analyzer of claim 12, wherein the first stage filter, when executed by the one or more processors, is configured to detect whether the captured packet header includes one or more header anomalies by determining whether the captured packet header is non-compliant with a communication protocol.

18. A central analyzer for detecting callbacks from malicious code and for communication over a network with a plurality of local analyzers, the central analyzer comprising:
- a network interface operable to receive information identifying a number of anomalies from a local analyzer;
  
  one or more processors; and
  
  a persistent storage device coupled to the one or more processors, the persistent storage device comprisesa signature matching logic that, when executed by the one or more processors, is configured to match a header signature for each of a plurality of suspect headers received from the local analyzer against a plurality of header signatures corresponding to verified callbacks stored in a global cache associated with the central analyzer,a stage filter of the central analyzer that, when executed by the one or more processors, is configured to filter the plurality of suspect headers to detect suspicious attributes related thereto, the plurality of suspect headers detected to have suspicious attributes being suspicious suspect headers, andlogic that, when executed by the one or more processors, is configured to generate a probability score based on the received anomalies and the suspicious attributes for a corresponding suspicious suspect header, to compare the probability score with a threshold in determining whether the suspicious suspect header should be classified as a callback, and to store the header signature of the corresponding suspicious suspect header classified as a callback in the global cache, whereinthe network interface further operable to output a message containing information with respect to the suspicious suspect header verified as corresponding to a callback.
- View Dependent Claims (19)
- - 19. The central analyzer of claim 18, wherein the stage filter, when executed by the one or more processors, is configured to perform an on-line reputation analysis based on the suspect headers.

20. A non-transitory machine readable medium storing instructions, which when executed by a processor, causes the processor to perform operations for detecting callbacks from malicious code at a central analyzer, comprising:
- A) generating a header signature based on information from a header obtained from each of a plurality of captured packets;
  
  B) signature matching of the header signature against a plurality of packet header signatures corresponding to verified callbacks stored in a local cache of the local analyzer;
  
  C) first stage filtering of the captured packet headers to detect those with header anomalies, the packet headers identified as having header anomalies being suspect headers;
  
  D) sending suspect headers and the header signatures to the central analyzer;
  
  E) generating a probability score based on the header anomalies for each of the suspect headers;
  
  F) comparing the probability score with a threshold to verify whether the suspicious network header corresponds to a callback;
  
  G) receiving from the central analyzer a message providing information for each of the suspect headers verified by the central analyzer as corresponding to a callback; and
  
  H) updating the local cache with the information received from the central analyzer, thereby storing in the local cache an updated listing for packet header signatures corresponding to verified callbacks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Mushtaq, Atif, Rosenberry, Todd, Islam, Ali, Aziz, Ashar
Primary Examiner(s)
Abedin, Shanto M

Application Number

US13/830,573
Time in Patent Office

1,265 Days
Field of Search

726 22- 25
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 21/57   Certifying or maintaining t...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 67/02   based on web technology, e....

Distributed systems and methods for automatically detecting unknown bots and botnets

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

796 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed systems and methods for automatically detecting unknown bots and botnets

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

796 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links