Distributed system for Bot detection
First Claim
1. A method comprising:
providing, on a computer system, an engagement module and a sinkhole module executing a plurality of virtual machines executing a plurality of services on a plurality of ports;
detecting, by the engagement module, suspicious activities by a source with respect to one or more of the plurality of ports of the engagement module;
allowing, by the engagement module, installation by the source of a malicious module in a virtual machine of the plurality of virtual machines of the engagement module;
executing, by the engagement module, the malicious module in the virtual machine while capturing a plurality of first events describing execution of the malicious module by the engagement module, the executing the malicious module resulting in generation of traffic;
forwarding, by the engagement module, the traffic generated by the malicious module, to the sinkhole module;
responding, by the sinkhole module, to the traffic by processing the traffic, the processing the traffic including both of (a) transmitting a response to the malicious module executed by the engagement module according to a service of the plurality of services of the sinkhole module and (b) capturing a plurality of second events describing processing of the traffic by the sinkhole module;
transmitting, by the engagement module, the plurality of first events to a characterizing module;
transmitting, by the sinkhole module, the plurality of second events to the characterizing module;
correlating, by the characterizing module, the plurality of first events to the malicious module;
correlating, by the characterizing module, the plurality of second events to the malicious module;
generating, by the characterizing module, a descriptor of the malicious module according to both the plurality of first events and the plurality of second events;
using, by one of the computer system and a different computer system, the descriptor to at least one of detect an attempt to install the malicious module and remove an instance of the malicious module on the one of the computer system and the different computer system;
detecting generation of the traffic by the malicious module;
identifying a requested service requested by the traffic; and
instantiating the sinkhole module and provisioning the sinkhole module with the requested service in response to detecting generation of the traffic and identifying the service;
wherein transmitting the response to the malicious module executed by the engagement module according to the service of the plurality of services of the sinkhole module comprises processing the traffic using the requested service.
Abstract
A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. The Sinkhole module may implement a proxy mode in which traffic received by the Sinkhole module is transmitted to a destination specified in the traffic but modified to reference the Sinkhole as the source. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code.
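The pipeline that claim 1 and the abstract describe (engagement module runs the sample in a VM and records first events; its outbound traffic is forwarded to a sinkhole that provisions the requested service on demand, answers it and records second events; a characterizing module correlates both streams to the module and emits a descriptor that another host can match against) is modelled below in Python. This is an added illustration, not the patent's code: the event tuples, the port-to-service table, the RFC 5737 addresses, the hash, the dropped path and the descriptor fields are all constructed assumptions, and the abstract's proxy mode is only modelled as a rewritten record rather than sent anywhere.

```python
"""Model of the claim-1 pipeline: engagement module (BotMagnet VM) -> sinkhole ->
characterizing module -> descriptor reused on another host.  Added illustration;
addresses, hash, path and descriptor schema are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed port -> service table; the sinkhole instantiates a service only when asked.
KNOWN_SERVICES = {53: "dns", 80: "http", 443: "https", 6667: "irc"}
CANNED_RESPONSES = {"dns": b"NXDOMAIN", "http": b"HTTP/1.1 200 OK\r\n\r\n",
                    "irc": b":sink 001 bot :Welcome\r\n"}
SINKHOLE_ADDR = "192.0.2.10"  # RFC 5737 documentation address (constructed)


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt by the module running in a BotMagnet VM."""
    vm_id: str
    src: str
    dst: str
    dport: int
    payload: bytes

    def key(self):
        return (self.vm_id, self.src, self.dst, self.dport)


class Sinkhole:
    def __init__(self, proxy_mode=False):
        self.services = {}      # dport -> service name, filled on first request
        self.events = []        # "second events"
        self.proxy_mode = proxy_mode

    def handle(self, flow):
        svc = KNOWN_SERVICES.get(flow.dport, f"tcp/{flow.dport}")
        if flow.dport not in self.services:            # provision on demand
            self.services[flow.dport] = svc
            self.events.append(("provision", flow.key(), svc))
        if self.proxy_mode:
            # Abstract's proxy mode: relay to the real destination with the sinkhole
            # substituted as source.  Only modelled here; nothing is transmitted.
            relayed = {"src": SINKHOLE_ADDR, "dst": flow.dst, "dport": flow.dport,
                       "payload": flow.payload}
            self.events.append(("proxy", flow.key(), relayed))
        self.events.append(("respond", flow.key(), svc, flow.payload[:16]))
        return CANNED_RESPONSES.get(svc, b"")


class Engagement:
    def __init__(self, sinkhole):
        self.sinkhole = sinkhole
        self.events = []        # "first events"
        self.modules = {}       # vm_id -> hash of the module installed in that VM

    def install(self, vm_id, module_hash, path):
        self.modules[vm_id] = module_hash
        self.events.append(("install", vm_id, module_hash, path))

    def execute(self, vm_id, flows):
        self.events.append(("exec", vm_id, self.modules[vm_id]))
        for f in flows:
            self.events.append(("connect", f.key()))
            self.sinkhole.handle(f)   # every outbound flow goes to the sinkhole


def characterize(first_events, second_events, modules):
    """Correlate both event streams to a module via the VM it ran in, then build
    a descriptor from files dropped, destinations contacted and services requested."""
    desc = defaultdict(lambda: {"files": set(), "destinations": set(), "services": set()})
    for ev in first_events:
        if ev[0] == "install":
            desc[ev[2]]["files"].add(ev[3])
        elif ev[0] == "connect":
            vm_id, _src, dst, dport = ev[1]
            desc[modules[vm_id]]["destinations"].add((dst, dport))
    for ev in second_events:
        if ev[0] == "respond":
            desc[modules[ev[1][0]]]["services"].add(ev[2])
    return dict(desc)


def match_descriptor(descriptors, observed):
    """On a different host, flag an install attempt when the hash, a dropped path
    or a contacted destination overlaps a characterized module; return its hash."""
    for h, d in descriptors.items():
        if (observed.get("hash") == h
                or d["files"] & set(observed.get("paths", ()))
                or d["destinations"] & set(observed.get("destinations", ()))):
            return h
    return None


def run_demo(proxy_mode=False):
    """Constructed scenario: one module installed in vm-1 resolves a name, then
    speaks IRC to the same host twice.  Returns (descriptors, sinkhole)."""
    sink = Sinkhole(proxy_mode)
    eng = Engagement(sink)
    eng.install("vm-1", "sha256:0000example", "/tmp/.svc")   # constructed hash and path
    eng.execute("vm-1", [
        Flow("vm-1", "10.0.0.5", "198.51.100.7", 53, b"\x12\x34 c2.example"),
        Flow("vm-1", "10.0.0.5", "198.51.100.7", 6667, b"NICK bot1\r\n"),
        Flow("vm-1", "10.0.0.5", "198.51.100.7", 6667, b"JOIN #ch\r\n"),
    ])
    return characterize(eng.events, sink.events, eng.modules), sink


if __name__ == "__main__":
    descriptors, sink = run_demo()
    print(descriptors, match_descriptor(descriptors, {"paths": ["/tmp/.svc"]}))
```

The correlation key is deliberately the VM identity: with one sample per VM, both event streams can be tied to the module without parsing payloads, which is what lets the sinkhole stay generic and provision a service only when traffic for its port first appears.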
76 Citations
8 Claims (claim 1 is reproduced above under First Claim; dependent claims 2 through 8 are not shown on this page)
Specification