Classifying sets of malicious indicators for detecting command and control communications associated with malware
First Claim
1. A computer implemented method for detecting callbacks from malicious code in a network communication based on operations conducted by one or more processors, comprising:
performing a first analysis of a first portion of information within a network communication to determine one or more high quality indicators, each of the one or more high quality indicators includes a value that signifies a strong correlation of the network communication with callbacks;
performing a second analysis of a second portion of information within the network communication to determine one or more supplemental indicators that are different from the one or more high quality indicators, each of the one or more supplemental indicators being associated with a protocol anomaly and includes a value that signifies a lower correlation of the network communication with callbacks than the one or more high quality indicators;
storing the values assigned to the one or more high quality indicators and the one or more supplemental indicators in a memory, the memory communicatively coupled to the one or more processors; and
classifying the network communication as to whether the network communication constitutes a callback by (i) classifying the network communication as a callback from malicious code when the one or more high quality indicators constitutes a value exceeding a predetermined threshold without consideration of the values associated with the one or more supplemental indicators, and in response to the value of the one or more high quality indicators failing to exceed the predetermined threshold, (ii) using the values associated with the one or more supplemental indicators in conjunction with the one or more high quality indicators to classify the network communication, wherein the first portion of the information includes at least one of a Uniform Resource Locator (URL), an Internet Protocol (IP) address, or a domain.
Abstract
Techniques may automatically detect bots or botnets running in a computer or other digital device by detecting command and control communications, called “call-backs,” from malicious code that has previously gained entry into the digital device. Callbacks are detected using an approach employing both a set of high quality indicators and a set of supplemental indicators. The high quality indicators are selected since they provide a strong correlation with callbacks, and may be sufficient for the techniques to determine that the network outbound communications actually constitute callbacks. If not, the supplemental indicators may be used in conjunction with the high quality indicators to declare the outbound communications as callbacks.
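The two-tier decision the abstract and the independent claims describe (reputation-based high quality indicators decide on their own when they exceed a threshold; protocol-anomaly supplemental indicators are consulted only when they do not) is shown below as an added Python illustration. It is not the patent's or the assignee's code. The reputation tables, anomaly weights, both thresholds and the sample HTTP requests are constructed assumptions chosen to exercise each branch of the classifier.

```python
"""Two-tier callback classifier, added illustration (not the patent's code).

Stage (i): reputation of the URL / domain / IP ("high quality indicators").
           If the best reputation score exceeds HQ_THRESHOLD the request is a
           callback and the supplemental indicators are never consulted.
Stage (ii): otherwise protocol-anomaly scores ("supplemental indicators") are
           added to the reputation score and the sum is compared with
           COMBINED_THRESHOLD.
All tables, weights, thresholds and sample requests below are constructed
assumptions for this example, not values taken from the patent.
"""
import ipaddress
import math
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed reputation feeds: score is perceived maliciousness in [0, 1].
URL_REPUTATION = {"http://files.example/gate.php": 0.85}
DOMAIN_REPUTATION = {"update-checker.example": 0.95, "cdn.example": 0.05}
IP_REPUTATION = {"203.0.113.7": 0.90}

HQ_THRESHOLD = 0.80        # assumption: reputation alone decides above this
COMBINED_THRESHOLD = 0.70  # assumption: reputation + anomalies decide above this


@dataclass
class HttpRequest:
    method: str
    url: str
    headers: dict
    body: bytes = b""


@dataclass
class Verdict:
    is_callback: bool
    stage: str                  # "high_quality" or "combined"
    hq_score: float
    score: float                # the value the decision was made on
    supplemental: dict = field(default_factory=dict)


def high_quality_indicators(req: HttpRequest) -> dict:
    """First analysis over the first portion (URL, domain or IP): reputation lookups."""
    host = urlparse(req.url).hostname or ""
    scores = {"url": URL_REPUTATION.get(req.url, 0.0)}
    try:
        ipaddress.ip_address(host)          # literal IP: consult the IP feed
        scores["ip"] = IP_REPUTATION.get(host, 0.0)
    except ValueError:                      # otherwise it is a domain name
        scores["domain"] = DOMAIN_REPUTATION.get(host, 0.0)
    return scores


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads score high."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def supplemental_indicators(req: HttpRequest) -> dict:
    """Second analysis over the second portion (method, headers, body): protocol
    anomalies, each weighted below HQ_THRESHOLD so no single anomaly decides alone."""
    anomalies = {}
    ua = req.headers.get("User-Agent", "")
    if not ua:
        anomalies["missing_user_agent"] = 0.30
    elif not re.match(r"^(Mozilla|curl|Wget|python-requests)/", ua):
        anomalies["unusual_user_agent"] = 0.20
    if "Host" not in req.headers:
        anomalies["missing_host_header"] = 0.30
    if req.method == "POST" and "Content-Type" not in req.headers:
        anomalies["post_without_content_type"] = 0.20
    if req.method == "POST" and shannon_entropy(req.body) > 4.5:
        anomalies["high_entropy_body"] = 0.25
    # short parameter name carrying a long base64-looking value
    if re.search(r"[?&]\w{1,3}=[A-Za-z0-9+/]{20,}={0,2}(&|$)", req.url):
        anomalies["encoded_query_param"] = 0.20
    return anomalies


def classify(req: HttpRequest) -> Verdict:
    hq = high_quality_indicators(req)
    hq_score = max(hq.values())
    if hq_score > HQ_THRESHOLD:                       # step (i): reputation decides alone
        return Verdict(True, "high_quality", hq_score, hq_score)
    supp = supplemental_indicators(req)               # step (ii): only reached when (i) fails
    score = min(1.0, hq_score + sum(supp.values()))
    return Verdict(score >= COMBINED_THRESHOLD, "combined", hq_score, score, supp)


# Constructed sample traffic.
KNOWN_BAD = HttpRequest("GET", "http://update-checker.example/ping",
                        {"Host": "update-checker.example", "User-Agent": "Mozilla/5.0"})
ANOMALOUS = HttpRequest("POST", "http://198.51.100.23/", {}, body=bytes(range(64)) * 2)
BENIGN = HttpRequest("GET", "http://cdn.example/app.js",
                     {"Host": "cdn.example", "User-Agent": "Mozilla/5.0"})
ODD_UA = HttpRequest("GET", "http://tracker.example/c",
                     {"Host": "tracker.example", "User-Agent": "Go-http-client/1.1"})

if __name__ == "__main__":
    for name, req in [("known_bad", KNOWN_BAD), ("anomalous", ANOMALOUS),
                      ("benign", BENIGN), ("odd_ua", ODD_UA)]:
        print(name, classify(req))
```

The four samples cover the branches the claims distinguish: KNOWN_BAD is decided at step (i) and its headers are never inspected; ANOMALOUS has no reputation at all and is caught only by the sum of several protocol anomalies; BENIGN and ODD_UA show that a low reputation score, or one anomaly on its own, stays below the combined threshold. Keeping each anomaly weight below the high quality threshold is what preserves the ordering the claims require, a supplemental indicator is never as strong a signal as a reputation hit.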
25 Claims
1. (Independent claim; text reproduced in full under First Claim above.) Claims 2 through 17 depend from claim 1.
18. A non-transitory machine readable medium storing instructions, which when executed by a processor, causes the processor to perform a method of detecting callbacks from malicious code, the method comprising:
generating one or more high quality indicators and supplemental indicators associated with network communication, the one or more high quality indicators having a strong correlation with callbacks from malicious code; and
generating one or more supplemental indicators associated with the network communication separately from the one or more high quality indicators, the one or more supplemental indicators being associated with a protocol anomaly within the network communication and having a lower correlation with callbacks from malicious code than the one or more high quality indicators;
classifying the network communication as to whether the network communication constitutes a callback by at least (i) classifying the network communication as a callback when the one or more high quality indicators constitutes a value exceeding a predetermined threshold, and (ii) using the one or more supplemental indicators in conjunction with the one or more high quality indicators to classify the network communication in response to the value of the one or more high quality indicators failing to exceed the predetermined threshold,
wherein each of the one or more high quality indicators includes a reputation indicator, the reputation indicator being information specifying a level of perceived maliciousness associated with one of a Uniform Resource Locator (URL), an Internet Protocol (IP) address, or a domain.
19. A system for detecting callbacks from malicious code in a plurality of network communications, comprising:
one or more processors;
a memory communicatively coupled to the one or more processors;
a recommending engine that, when executed by the one or more processors, is configured to detect one or more high quality indicators associated with each of the plurality of network communications, each of the one or more high quality indicators having a strong correlation with callbacks from malicious code and including at least one reputation indicator, the at least one reputation indicator being information specifying a level of perceived maliciousness associated with one of a Uniform Resource Locator (URL), an Internet Protocol (IP) address, or a domain;
a supplemental indicator generator that, when executed by the one or more processors, is configured to detect one or more supplemental indicators associated with one or more protocol anomalies in any of the plurality of network communications, the one or more supplemental indicators having a lower correlation with callbacks from malicious code than the one or more high quality indicators; and
a classifying engine that, when executed by the one or more processors, is configured to classify a network communication of the plurality of network communications by (i) classifying the network communication as a callback when the one or more high quality indicators constitute a value exceeding a predetermined threshold, and (ii) using the one or more supplemental indicators in conjunction with the one or more high quality indicators to classify the network communication when the value of the one or more high quality indicators does not exceed the predetermined threshold.
Claims 20 through 25 depend from claim 19.