System and method for bot detection
First Claim
1. A method for detecting a communication channel of a bot, comprising:
- detecting a presence of the communication channel between a first network device and a second network device;
- scanning data associated with a data flow within the detected channel for a suspected bot communication, the scanning including analyzing content of the data associated with the data flow to detect whether the first network device is propagating malware;
- determining whether a potential bot communication exists within the data associated with the data flow;
- buffering at least a portion of the data associated with the data flow;
- providing at least the portion of the data associated with the data flow to a first simulation module of a plurality of simulation modules to determine whether a bot communication exists;
- generating an activity signature based on analysis by the first simulation module;
- storing the activity signature for use in subsequent analyses; and
- performing a recovery process when either the potential bot communication or the bot communication is detected, the recovery process including determining one or more network devices that participated in communications using the communication channel operating as a command and control communication channel, the one or more network devices including at least the first network device.
Abstract
Exemplary systems and methods for detecting a communication channel of a bot. In exemplary embodiments, presence of a communication channel between a first network device and a second network device is detected. Data from the communication channel is scanned and used to determine if a suspected bot communication exists. If a bot communication is detected, then a recovery process may be initiated.
43 Claims
1. A method for detecting a communication channel of a bot, comprising the steps set out above under First Claim. Dependent claims: 2 through 15.
16. A controller comprising:
- one or more processors; and
- a storage device communicatively coupled to the one or more processors, the storage device including:
  - a first module that detects network data transmitted between a first network device and a second network device over a network;
  - a second module that scans at least a portion of the network data for suspicious activity, the scan including analyzing content of at least the portion of the network data;
  - a buffer for buffering at least the portion of the network data;
  - a plurality of simulation modules, each in communication with the second module, each simulation module comprising a virtual machine that is configured with one or more ports and capabilities, each simulation module to (i) receive at least the portion of the network data, (ii) monitor one or more subsequent responses of the virtual machine while processing at least the portion of the network data for unauthorized activity, and (iii) responsive to detecting the unauthorized activity, generate an activity signature based on the detected unauthorized activity; and
  - a signature module that stores generated activity signatures.
Dependent claims: 17 through 33.
34. A controller comprising:
- a processor; and
- a storage system in communication with the processor, the storage system including bot detection logic that, when executed by the processor:
  - (i) detects a presence of a communication channel that permits control of a network device without authorization by a user of the network device;
  - (ii) buffers at least a portion of the data routed over the communication channel;
  - (iii) provides at least the portion of the data to a first simulation module of a plurality of simulation modules;
  - (iv) analyzes, by the first simulation module, at least a response of a virtual machine associated with the first simulation module based on processing of at least the portion of the data; and
  - (v) generates and stores an activity signature based on analysis by the virtual machine for use in subsequent analyses.
Dependent claims: 35 through 43.