Method and system for detecting malware
12 Assignments
0 Petitions
Abstract
A system and method of analysis. NX domain names are collected from an asset in a real network. The NX domain names are domain names that are not registered. The real network NX domain names are utilized to create testing vectors. The testing vectors are classified as benign vectors or malicious vectors based on training vectors. The asset is then classified as infected if the NX testing vector created from the real network NX domain names is classified as a malicious vector.
214 Citations
10 Claims
1. A method of analysis, comprising:
- collecting, using at least one processor circuit in communication with at least one database, NX domain names from at least one asset in at least one real network, the NX domain names being domain names that are not registered;
- utilizing, using the at least one processor circuit in communication with at least one database, statistical information about the NX domain names to create testing vectors; and
- classifying, using the at least one processor circuit in communication with at least one database, the testing vectors as benign vectors or malicious vectors based on training vectors by comparing the statistical information in the testing vectors to statistical information in training vectors, the statistical information comprising:
  - an average of domain name length;
  - a standard deviation of a domain name length;
  - a number of different top level domains;
  - a length of a domain name excluding a top level domain;
  - a median of a number of unique characters;
  - an average of a number of unique characters;
  - a standard deviation of a number of unique characters;
  - a median of unique 2-grams;
  - an average of unique 2-grams;
  - a standard deviation of unique 2-grams;
  - a frequency of .com top level domains over frequency of remaining top level domains;
  - a median of unique 3-grams;
  - an average of unique 3-grams;
  - a standard deviation of unique 3-grams;
  - a median count of unique top level domains;
  - an average count of unique top level domains;
  - or a standard deviation count of top level domains;
  - or any combination thereof.
Dependent claims: 2, 3, 4, 5
6. A system of analysis, comprising:
- at least one processor circuit in communication with at least one database, the at least one processor circuit connected to at least one network and configured for:
  - collecting NX domain names from at least one asset in at least one real network, the NX domain names being domain names that are not registered;
  - utilizing statistical information about the NX domain names to create testing vectors; and
  - classifying the testing vectors as benign vectors or malicious vectors based on training vectors by comparing the statistical information in the testing vectors to statistical information in training vectors, the statistical information comprising:
    - an average of domain name length;
    - a standard deviation of a domain name length;
    - a number of different top level domains;
    - a length of a domain name excluding a top level domain;
    - a median of a number of unique characters;
    - an average of a number of unique characters;
    - a standard deviation of a number of unique characters;
    - a median of unique 2-grams;
    - an average of unique 2-grams;
    - a standard deviation of unique 2-grams;
    - a frequency of .com top level domains over frequency of remaining top level domains;
    - a median of unique 3-grams;
    - an average of unique 3-grams;
    - a standard deviation of unique 3-grams;
    - a median count of unique top level domains;
    - an average count of unique top level domains;
    - or a standard deviation count of top level domains;
    - or any combination thereof.
Dependent claims: 7, 8, 9, 10
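An added worked example, not code from the patent, showing the pipeline the abstract and claims describe: an asset's NX domain names are turned into a testing vector holding the statistics enumerated in claim 1, and that vector is classified by comparison with benign and malicious training vectors. The sample NX names, the per-batch counting of unique TLDs, the use of the name without its TLD for character and n-gram statistics, and the nearest-neighbour comparison rule are all assumptions made here.

```python
import statistics as st
from typing import Dict, List

# Constructed sample NX domain names (not from the patent): typo-style misses vs. DGA-style names.
BENIGN_NX = ["gogle.com", "facebok.com", "wikipedai.org", "amazn.com", "twiter.com"]
MALICIOUS_NX = ["xk3j9qpd7m.info", "q8vz2lt0wc.biz", "mz7y1kfr4p.ru", "b5n0xwqj3h.cc", "t9rlp6vd2k.info"]
TEST_ASSET_NX = ["hx2k9wqmv4.biz", "pl7j3ztn0c.ru", "w4qy8bmks1.cc", "fn6d2rvx9t.info", "zc3m0hpqj7.biz"]


def _ngrams(s: str, n: int) -> set:
    return {s[i:i + n] for i in range(len(s) - n + 1)}


def _mas(vals: List[float]):
    # median, average, population std-dev (pstdev so a single value yields 0 instead of an error)
    return st.median(vals), st.mean(vals), st.pstdev(vals)


def nx_feature_vector(nx_domains: List[str], batch: int = 5) -> Dict[str, float]:
    """Testing vector for one asset: the statistics listed in claim 1.
    Assumptions: character/n-gram statistics use the name without its TLD;
    the 'count of unique top level domains' is taken per batch of `batch` names."""
    names = [d.lower().strip(".") for d in nx_domains]
    labels = [n.rsplit(".", 1)[0] for n in names]       # domain name excluding the TLD
    tlds = [n.rsplit(".", 1)[-1] for n in names]
    lengths = [len(n) for n in names]
    v: Dict[str, float] = {}
    v["avg_len"], v["std_len"] = st.mean(lengths), st.pstdev(lengths)
    v["n_tlds"] = len(set(tlds))
    v["avg_len_no_tld"] = st.mean([len(l) for l in labels])
    v["med_uchars"], v["avg_uchars"], v["std_uchars"] = _mas([len(set(l)) for l in labels])
    v["med_2g"], v["avg_2g"], v["std_2g"] = _mas([len(_ngrams(l, 2)) for l in labels])
    n_com = tlds.count("com")
    v["com_ratio"] = n_com / max(len(tlds) - n_com, 1)  # .com over remaining TLDs (assume 1 if none remain)
    v["med_3g"], v["avg_3g"], v["std_3g"] = _mas([len(_ngrams(l, 3)) for l in labels])
    per_batch = [len(set(tlds[i:i + batch])) for i in range(0, len(tlds), batch)]
    v["med_tld_batch"], v["avg_tld_batch"], v["std_tld_batch"] = _mas(per_batch)
    return v


# Training vectors built from the constructed labelled samples above.
TRAINING = {"benign": [nx_feature_vector(BENIGN_NX)], "malicious": [nx_feature_vector(MALICIOUS_NX)]}


def classify(test_vec: Dict[str, float], training: Dict[str, List[Dict[str, float]]]) -> str:
    """Label of the nearest training vector (Euclidean distance; 1-NN is the assumed comparison rule)."""
    dist = lambda a, b: sum((a[k] - b[k]) ** 2 for k in a) ** 0.5
    return min((dist(test_vec, tv), label) for label, tvs in training.items() for tv in tvs)[1]


if __name__ == "__main__":
    verdict = classify(nx_feature_vector(TEST_ASSET_NX), TRAINING)
    print("asset's NX testing vector is", verdict, "-> asset flagged as infected" if verdict == "malicious" else "")
```

Because raw features such as length dominate an unscaled Euclidean distance, a deployment would normalise the vectors (or use a trained classifier) before comparison; the toy 1-NN rule is only meant to show the claim's structure.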