Classifying sets of malicious indicators for detecting command and control communications associated with malware

US 9,635,039 B1
Filed: 05/15/2013
Issued: 04/25/2017
Est. Priority Date: 05/13/2013
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for detecting callbacks from malicious code in a network communication based on operations conducted by one or more processors, comprising:

performing a first analysis of a first portion of information within a network communication to determine one or more high quality indicators, each of the one or more high quality indicators includes a value that signifies a strong correlation of the network communication with callbacks;

performing a second analysis of a second portion of information within the network communication to determine one or more supplemental indicators that are different from the one or more high quality indicators, each of the one or more supplemental indicators being associated with a protocol anomaly and includes a value that signifies a lower correlation of the network communication with callbacks than the one or more high quality indicators;

storing the values assigned to the one or more high quality indicators and the one or more supplemental indicators in a memory, the memory communicatively coupled to the one or more processors; and

classifying the network communication as to whether the network communication constitutes a callback by (i) classifying the network communication as a callback from malicious code when the one or more high quality indicators constitutes a value exceeding a predetermined threshold without consideration of the values associated with the one or more supplemental indicators, and in response to the value of the one or more high quality indicators failing to exceed the predetermined threshold, (ii) using the values associated with the one or more supplemental indicators in conjunction with the one or more high quality indicators to classify the network communication,wherein the first portion of the information includes at least one of a Uniform Resource Locator (URL), an Internet Protocol (IP) address, or a domain.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques may automatically detect bots or botnets running in a computer or other digital device by detecting command and control communications, called “call-backs,” from malicious code that has previously gained entry into the digital device. Callbacks are detected using an approach employing both a set of high quality indicators and a set of supplemental indicators. The high quality indicators are selected since they provide a strong correlation with callbacks, and may be sufficient for the techniques to determine that the network outbound communications actually constitute callbacks. If not, the supplemental indicators may be used in conjunction with the high quality indicators to declare the outbound communications as callbacks.

508 Citations

25 Claims

1. A computer implemented method for detecting callbacks from malicious code in a network communication based on operations conducted by one or more processors, comprising:
- performing a first analysis of a first portion of information within a network communication to determine one or more high quality indicators, each of the one or more high quality indicators includes a value that signifies a strong correlation of the network communication with callbacks;
  
  performing a second analysis of a second portion of information within the network communication to determine one or more supplemental indicators that are different from the one or more high quality indicators, each of the one or more supplemental indicators being associated with a protocol anomaly and includes a value that signifies a lower correlation of the network communication with callbacks than the one or more high quality indicators;
  
  storing the values assigned to the one or more high quality indicators and the one or more supplemental indicators in a memory, the memory communicatively coupled to the one or more processors; and
  
  classifying the network communication as to whether the network communication constitutes a callback by (i) classifying the network communication as a callback from malicious code when the one or more high quality indicators constitutes a value exceeding a predetermined threshold without consideration of the values associated with the one or more supplemental indicators, and in response to the value of the one or more high quality indicators failing to exceed the predetermined threshold, (ii) using the values associated with the one or more supplemental indicators in conjunction with the one or more high quality indicators to classify the network communication,wherein the first portion of the information includes at least one of a Uniform Resource Locator (URL), an Internet Protocol (IP) address, or a domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the determining of the one or more high quality indicators comprises:
    - parsing packets of the first portion of the information within the network communication being an outbound network communication;
      
      extracting at least one of a Uniform Resource Locator (URL), an Internet Protocol (IP) address, or a domain from the outbound network communication;
      
      determining a reputation indicator associated with the at least one of the URL, the IP address, or the domain; and
      
      including one or more reputation indicators in the one or more high quality indicators used to classify the outbound network communication.
  - 3. The method of claim 2, wherein the determining of the one or more high quality indicators further comprising assigning a weight and a score to each reputation indicator.
  - 4. The method of claim 1, wherein the determining of the one or more supplemental indicators comprises:
    - inspecting packet headers associated with the network communication to identify the one or more protocol anomalies; and
      
      assigning a weight to each of the one or more identified protocol anomalies being part of the one or more supplemental indicators used to classify the network communication.
  - 5. The method of claim 1, further comprising:
    - forming a malware marker from each network communication constituting a callback; and
      
      performing a database look-up using the malware marker to identify a malware name associated therewith.
  - 6. The method of claim 5, further comprising:
    - identifying a malware name having a high correlation with the malware marker and classifying the callback as associated with a family related to the malware name.
  - 7. The method of claim 1, further comprising:
    - issuing an alert in response to classifying the network communication as a callback.
  - 8. The method of claim 1, further comprising:
    - extracting select fields of a packet header of the network communication classified as a callback; and
      
      identifying, based on the select fields, a malware name corresponding to the callback.
  - 9. The method of claim 1, further comprising:
    - selecting network communications comprising network communication candidates based on a look-up in both a history database of previously analyzed network communications and a whitelist repository of destinations for network communications perceived to be safe, and sending the network communication candidates for classification.
  - 10. The method of claim 1, wherein the classifying of the network communication further comprising:
    - determining whether the network communication corresponds to a previously classified network communication; and
      
      reporting the network communication as a callback if the network communication corresponds to a previously classified network communication which was classified as callback.
  - 11. The method of claim 1, wherein the classifying of the network communication further comprising:
    - determining whether a destination address of the network communication corresponds to an entry in a destination whitelist database; and
      
      classifying the network communication as not being a callback if the network communication has a corresponding entry of the destination whitelist database.
  - 12. The method of claim 1, wherein the determining of the one or more high quality indicators and the one or more supplemental indicators comprises assigning a weight to each of the one or more high quality indicators and the one or more supplemental indicators, and a first score to the one or more high quality indicators and a second score to the one or more supplemental indicators;
    - and wherein the classifying comprises classifying the network communication in response to a comparison of each of the first and second scores with a corresponding threshold.
  - 13. The method of claim 2, wherein the determining of the one or more reputation indicators includes retrieving, from the indicator database, either (i) a level of perceived maliciousness associated with the IP address, (ii) a level of perceived maliciousness associated with the domain, or (iii) a level of perceived maliciousness associated with the URL.
  - 14. The method of claim 13, wherein the level of perceived maliciousness associated with the domain is based on one or more of information from a publically available database, information regarding a top level domain, or information regarding traffic rates or rank for the domain.
  - 15. The method of claim 13, wherein the level of perceived maliciousness associated with at least one of the IP address, the domain or the URL is based on one or more of (i) a length of time the domain for a web site has been registered, (ii) an age of the website, (iii) a country in which the IP address for the website is located, (iv) a name of Internet Service Provider (ISP) hosting the website and whether the website is hosted as a consumer or business website, (v) whether the website uses Secure Socket Layer (SSL) to protect transactions and a name of a SSL certificate vendor used, (vi) a number of pages on the website, of grammatical errors on the web site, of links away from of the web site, of links to the web site, and of scripts present on the website, (vii) ActiveX controls used by the website, (viii) whether the website loads client side JavaScript or other scripting code from other domains, (ix) whether the website advertises through spam messages or through adware programs, (x) whether a name of an owner of the website is withheld or obfuscated by the ISP, or (xi) a remaining life of the domain or website.
  - 16. The method of claim 1, wherein the one or more high quality indicators is determined by assigning a weight to each of (i) a reputation indicator of an IP address, (ii) a reputation indicator of a domain, and (iii) a reputation indicator of a URL and developing an overall score from the reputation indicator of the IP address, the reputation indicator of the domain, and the reputation indicator of the URL.
  - 17. The method of claim 1, wherein generating the one or more supplemental indicators includes inspecting one or more fields of a packet header in light of one or more protocol templates extracted from a protocol template database to detect the protocol anomaly in the one or more fields.

18. A non-transitory machine readable medium storing instructions, which when executed by a processor, causes the processor to perform a method of detecting callbacks from malicious code, the method comprising:
- generating one or more high quality indicators and supplemental indicators associated with network communication, the one or more high quality indicators having a strong correlation with callbacks from malicious code; and
  
  generating one or more supplemental indicators associated with the network communication separately from the one or more high quality indicators, the one or more supplemental indicators being associated with a protocol anomaly within the network communication and having a lower correlation with callbacks from malicious code than the one or more high quality indicators;
  
  classifying the network communication as to whether the network communication constitutes a callback by at least (i) classifying the network communication as a callback when the one or more high quality indicators constitutes a value exceeding a predetermined threshold, and (ii) using the one or more supplemental indicators in conjunction with the one or more high quality indicators to classify the network communication in response to the value of the one or more high quality indicators failing to exceed the predetermined threshold,wherein each of the one or more high quality indicators includes a reputation indicator, the reputation indicator being information specifying a level of perceived maliciousness associated with one of a Uniform Resource Locator (URL), an Internet Protocol (IP) address, or a domain.

19. A system for detecting callbacks from malicious code in a plurality of network communications, comprising:
- one or more processors;
  
  a memory communicatively coupled to the one or more processors;
  
  a recommending engine that, when executed by the one or more processors, is configured to detect one or more high quality indicators associated with each of the plurality of network communications, each of the one or more high quality indicators having a strong correlation with callbacks from malicious code and including at least one reputation indicator, the at least one reputation indicator being information specifying a level of perceived maliciousness associated with one of a Uniform Resource Locator (URL), an Internet Protocol (IP) address, or a domain;
  
  a supplemental indicator generator that, when executed by the one or more processors, is configured to detect one or more supplemental indicators associated with one or more protocol anomalies in any of the plurality of network communications, the one or more supplemental indicators having a lower correlation with callbacks from malicious code than the one or more high quality indicators; and
  
  a classifying engine that, when executed by the one or more processors, is configured to classify a network communication of the plurality of network communications by (i) classifying the network communication as a callback when the one or more high quality indicators constitute a value exceeding a predetermined threshold, and (ii) using the one or more supplemental indicators in conjunction with the one or more high quality indicators to classify the network communication when the value of the one or more high quality indicators does not exceed the predetermined threshold.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The system of claim 19, further comprising:
    - a report generator that, when executed by the one or more processors, is configured to issue an alert in response to the classifying engine classifying the network communication as a callback.
  - 21. The system of claim 19, further comprising:
    - a report generator comprising a naming engine that, executed by the one or more processors, is configured to extract select fields of a packet header of a network communication classified as a callback;
      
      to identify, based on the select fields, a malware name corresponding to the callback; and
      
      to generate a report including the malware name.
  - 22. The system of claim 19, further comprising:
    - —
      
      a network communication pre-processing engine that, when executed by the one or more processors, is configured to select the plurality of network communications comprising network candidates based on a look-up in both a history database of previously analyzed network communications and a whitelist repository of destinations for network communications perceived to be safe.
  - 23. The system of claim 22, further comprising:
    - a reporting engine;
      
      wherein the preprocessing engine comprises a similarity detector that, when executed by the one or more processors, is configured to determine whether each network communication corresponds to a previously classified network communication; and
      
      wherein the reporting engine is configured to report each network communication as a callback if a corresponding previously classified network communication constituted a callback.
  - 24. The system of claim 22, further comprising:
    - a destination whitelist repository storing a destination whitelist database comprising a plurality of entries identifying destinations perceived to be safe; and
      
      wherein the pre-processing engine comprises a pre-filtering engine that, when executed by the one or more processors, is configured to determine whether the destination address of each network communication corresponds to an entry in a destination whitelist database; and
      
      wherein the classifying engine is configured to receive a network communication for classifying only if the network communication does not correspond to an entry in the destination whitelist database.
  - 25. The system of claim 19, further comprising:
    - an evaluation engine that, executed by the one or more processors, is configured to assign a weight to each of the one or more high quality indicators and the one or more supplemental indicators, and a first score to the one or more high quality indicators and a second score to the one or more supplemental indicators; and
      
      wherein the classifying engine is further configured to classify each network communication in response to a comparison of each of the first and second scores with a corresponding threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Bu, Zheng, Islam, Ali
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Callahan, Paul

Application Number

US13/895,271
Time in Patent Office

1,441 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Classifying sets of malicious indicators for detecting command and control communications associated with malware

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

508 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Classifying sets of malicious indicators for detecting command and control communications associated with malware

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

508 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links