System and method for bot detection

US 9,628,498 B1
Filed: 10/11/2013
Issued: 04/18/2017
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a communication channel of a bot, comprising:

detecting a presence of the communication channel between a first network device and a second network device;

scanning data associated with a data flow within the detected channel for a suspected bot communication, the scanning including analyzing content of the data associated with the data flow to detect whether the first network device is propagating malware;

determining whether a potential bot communication exists within the data associated with the data flow;

buffering at least a portion of the data associated with the data flow;

providing at least the portion of the data associated with the data flow to a first simulation module of a plurality of simulation modules to determine whether a bot communication exists;

generating an activity signature based on analysis by the first simulation module;

storing the activity signature for use in subsequent analyses; and

performing a recovery process when either the potential bot communication or the bot communication is detected, the recovery process including, determining one or more network devices that participated in communications using the communication channel operating as a command and control communication channel, the one or more network devices include at least the first network device.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Exemplary systems and methods for detecting a communication channel of a bot. In exemplary embodiments, presence of a communication channel between a first network device and a second network device is detected. Data from the communication channel is scanned and used to determine if a suspected bot communication exists. If a bot communication is detected, then a recovery process may be initiated.

679 Citations

43 Claims

1. A method for detecting a communication channel of a bot, comprising:
- detecting a presence of the communication channel between a first network device and a second network device;
  
  scanning data associated with a data flow within the detected channel for a suspected bot communication, the scanning including analyzing content of the data associated with the data flow to detect whether the first network device is propagating malware;
  
  determining whether a potential bot communication exists within the data associated with the data flow;
  
  buffering at least a portion of the data associated with the data flow;
  
  providing at least the portion of the data associated with the data flow to a first simulation module of a plurality of simulation modules to determine whether a bot communication exists;
  
  generating an activity signature based on analysis by the first simulation module;
  
  storing the activity signature for use in subsequent analyses; and
  
  performing a recovery process when either the potential bot communication or the bot communication is detected, the recovery process including, determining one or more network devices that participated in communications using the communication channel operating as a command and control communication channel, the one or more network devices include at least the first network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the data associated with the data flow comprises data obtained from a plurality of data packets forming the data flow.
  - 3. The method of claim 1, wherein the recovery process further comprises redirecting all communications from the first network device to a virtual machine implemented within a controller that is scanning the detected channel.
  - 4. The method of claim 1, wherein the determining the bot communication exists within data associated with the data flow comprises determining if the data that is within the data flow is directed to an unassigned Internet Protocol (IP) address.
  - 5. The method of claim 1, wherein the determining the bot communication exists within data associated with the data flow comprises determining if the data that is within the data flow is directed to an unassigned or unusual port address.
  - 6. The method of claim 1, wherein the determining the bot communication exists within data associated with the data flow comprises configuring a virtual machine with performance characteristics associated with the second network device targeted to receive the data associated with the data flow.
  - 7. The method of claim 6, wherein the virtual machine is configured with the performance characteristics associated with the second network device and the performance characteristics include one or more ports that are to receive the data associated with the data flow.
  - 8. The method of claim 6, wherein the virtual machine is configured with the performance characteristics associated with the second network device and the performance characteristics include one or more device drivers that are to respond to the received data associated with the data flow.
  - 9. The method of claim 1, wherein the recovery processing includes categorizing the one or more network devices that participated in the communications, including placing the one or more network devices into one of at least, a first category corresponding to a first level of association with the communications and a second category corresponding to a second level of association with the communications, the second level representing a greater association than the first level.
  - 10. The method of claim 1, wherein the activity signature includes one or more of (i) information to identify bot related behavior, known bot servers, suspected bot servers, (ii) mechanisms to block attacks, (iii) mechanisms to block bot propagation, or (iv) mechanisms that remove bots from network devices.
  - 11. The method of claim 1, wherein detecting the presence of the communication channel between the first network device and the second network device includes detecting the communication channel operating in accordance with an Internet Relay Chat (IRC) protocol that corresponds to the command and control (C&
    - C) communication channel, the IRC protocol having a tendency of being used for bot command and control.
  - 12. The method of claim 1, further comprising:
    - notifying at least one of a user or a network administrator that either (i) the potential bot communication has been determined to exist within the data associated with the data flow, or (ii) the bot communication has been determined to exist within the data associated with the data flow.
  - 13. The method of claim 1, wherein each of the plurality of simulation modules implements a virtual machine.
  - 14. The method of claim 1, wherein the activity signature identifies one or more of (i) an unauthorized activity detected during analysis by the first simulation module, or (ii) the bot.
  - 15. The method of claim 1 being performed by a controller that comprises a processor, a non-transitory machine-readable memory system and a communication network interface.

16. A controller comprising:
- one or more processors; and
  
  a storage device communicatively coupled to the one or more processors, the storage device including;
  
  a first module that detects network data transmitted between a first network device and a second network device over a network,a second module that scans at least a portion of the network data for suspicious activity, the scan including analyzing content of at least the portion of the network data,a buffer for buffering at least the portion of the network data,a plurality of simulation modules, each in communication with the second module, each simulation module comprises a virtual machine that is configured with one or more ports and capabilities, each simulation module to (i) receive at least the portion of the network data, (ii) monitor one or more subsequent responses of the virtual machine while processing at least the portion of the network data for unauthorized activity, and (iii) responsive to detecting the unauthorized activity, level generate an activity signature based on the detected unauthorized activity, anda signature module that stores generated activity signatures.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 17. The controller of claim 16, wherein the network data comprises data removed from the data flow.
  - 18. The controller of claim 17, wherein the data flow comprises a plurality of data packets.
  - 19. The controller of claim 16, wherein the first module further detects a presence of a command and control (C&
    - C) communication channel between the first network device and the second network device.
  - 20. The controller of claim 19, wherein the first module detects a presence of a channel operating in accordance with an Internet Relay Chat (IRC) protocol that corresponds to the C&
    - C communication channel, the IRC protocol having a tendency of being used for bot command and control.
  - 21. The controller of claim 20, wherein the second module includes a protocol fingerprint module that scans for commands or messages that indicate that the IRC channel is established, the commands or messages constitutes suspicious activity.
  - 22. The controller of claim 20, wherein the second module includes a port module that monitors for communications originating from a non-standard port that constitutes suspicious activity.
  - 23. The controller of claim 19 further performing a recovery process when, after scanning the network data for suspicious activity, a bot communication is detected, the recovery process includes determining one or more network devices that participated in communications associated with the C&
    - C communication channel that routed the network data, including the first network device.
  - 24. The controller of claim 23, wherein the recovery process further comprises redirecting all communications from the first network device to the virtual machine.
  - 25. The controller of claim 23, wherein each simulation module, determines that the bot communication exists within the network data when the network data is directed to an unassigned Internet Protocol (IP) address.
  - 26. The controller of claim 16, wherein each simulation module determines that a bot communication exists within the network data when the network data is directed to an unassigned or unusual port address.
  - 27. The controller of claim 16, wherein the virtual machine of each simulation module is configured with performance characteristics associated with the second network device targeted to receive the network data.
  - 28. The controller of claim 16, wherein the virtual machine of each simulation module is configured with performance characteristics associated with the second network device and the performance characteristics include one or more ports that are to receive the network data.
  - 29. The controller of claim 16, wherein the virtual machine of each simulation module is configured with performance characteristics associated with the second network device and the performance characteristics include one or more device drivers that are to respond to the detected network data.
  - 30. The controller of claim 16, wherein the activity signature includes one or more of (i) information to identify bot related behavior, known bot servers, suspected bot servers, (ii) mechanisms to block attacks, (iii) mechanisms to block bot propagation, or (iv) mechanisms that remove bots from network devices.
  - 31. The controller of claim 16, further comprising:
    - notifying at least one of a user or a network administrator that either (i) suspicious activity has been detected based on analyzing the content of at least the portion of the network data, or (ii) unauthorized activity has been detected by monitoring one or more subsequent responses of the virtual machine while processing at least the portion of the network data.
  - 32. The controller of claim 16, wherein each of the plurality of simulation modules implements a virtual machine.
  - 33. The controller of claim 16, wherein the activity signature identifies one or more of (i) the unauthorized activity, or (ii) a bot associated with the unauthorized activity.

34. A controller comprising:
- a processor; and
  
  a storage system in communication with the processor, the storage system includes a bot detection logic that, when executed by the processor, (i) detects a presence of a communication channel that permits control of a network device without authorization by a user of the network device, (ii) buffers at least a portion of the data routed over the communication channel, (iii) provides at least the portion of the data to a first simulation module of a plurality of simulation modules, (iv) analyzes, by the first simulation module, at least a response of a virtual machine associated with the first simulation module based on processing of at least the portion of the data, and (v) generates and stores an activity signature based on analysis by the virtual machine for use in subsequent analyses.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 35. The controller of claim 34, wherein the storage system further comprises a recovery process that, when executed by the processor, performs a recovery process, the recovery process includes determining one or more network devices that participated in communications associated with a command and control communication channel that routed the network data, including the first network device.
  - 36. The controller of claim 34, wherein the data comprises one or more data flows, the one or more data flows include a plurality of data packets.
  - 37. The controller of claim 34, wherein the at least the portion of data comprises data obtained from one or more data flows, the one or more data flows include a plurality of data packets that are transmitted over a network.
  - 38. The controller of claim 34, further comprising:
    - performing a recovery process when the presence of the communication channel that permits control of the network device without authorization by the used is detected, wherein the recovery process includes categorizing one or more network devices into a first category corresponding to a first level of association with communication over the communication channel and a second category corresponding to a second level of association with communication over the communication channel, the second level representing a greater association than the first level.
  - 39. The controller of claim 34, wherein the activity signature includes one or more of (i) information to identify bot related behavior, known bot servers, suspected bot servers, (ii) mechanisms to block attacks, (iii) mechanisms to block bot propagation, or (iv) mechanisms that remove bots from network devices.
  - 40. The controller of claim 34, wherein the bot detection logic that, when executed by the processor detects the presence of the communication channel between the first network device and the second network device includes detecting the communication channel operating in accordance with an Internet Relay Chat (IRC) protocol that corresponds to a command and control (C&
    - C) communication channel, the IRC protocol having a tendency of being used for bot command and control.
  - 41. The controller of claim 34, further comprising:
    - notifying at least one of the user of the network device or a network administrator that the presence of the communication channel that permits control of the network device without authorization by the user of the network device has been detected.
  - 42. The controller of claim 34, wherein each of the plurality of simulation modules implements a virtual machine.
  - 43. The controller of claim 34, wherein the activity signature identifies one or more of (i) an unauthorized activity detected during analysis by the first simulation module, or (ii) a bot associated with the communication channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar, Lai, Wei-Lung, Manni, Jayaraman
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Almeida, Devin

Application Number

US14/052,632
Time in Patent Office

1,285 Days
Field of Search
US Class Current
CPC Class Codes

H03K 19/17744   for input/output signals

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

System and method for bot detection

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

679 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for bot detection

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

679 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links