Distributed system for Bot detection

US 9,769,204 B2
Filed: 08/12/2014
Issued: 09/19/2017
Est. Priority Date: 05/07/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing, on a computer system, an engagement module and a sinkhole module executing a plurality of virtual machines executing a plurality of services on a plurality of ports;

detecting, by the engagement module, suspicious activities by a source with respect to one or more of the plurality of ports of the engagement module;

allowing, by the engagement module, installation by the source of a malicious module in a virtual machine of the plurality of virtual machines of the engagement module;

executing, by the engagement module, the malicious module in the virtual machine while capturing a plurality of first events describing execution of the malicious module by the engagement module, the executing the malicious module resulting in generation of traffic;

forwarding, by the engagement module, the traffic generated by the malicious module, to the sinkhole module;

responding, by the sinkhole module, to the traffic by processing the traffic, the processing the traffic including both of (a) transmitting a response to the malicious module executed by the engagement module according to a service of the plurality of services of the sinkhole module and (b) capturing a plurality of second events describing processing of the traffic by the sinkhole module;

transmitting, by the engagement module, the plurality of first events to a characterizing module;

transmitting, by the sinkhole module, the plurality of second events to the characterizing module;

correlating, by the characterizing module, the plurality of first events to the malicious module;

correlating, by the characterizing module, the plurality of second events to the malicious module;

generating, by the characterizing module, a descriptor of the malicious module according to both the plurality of first events and the plurality of second events;

using by one of the computer system and a different computer system, the descriptor to at least one of detect an attempt to install the malicious module and remove an instance of the malicious module on the one of the computer system and the different computer system;

detecting generation of the traffic by the malicious module;

identifying a requested service requested by the traffic; and

instantiating the sinkhole module and provisioning the sinkhole module with the requested service in response to detecting generation of the traffic and identifying the service;

wherein transmitting the response to the malicious module executed by the engagement module according to the service of the plurality of services of the sinkhole module comprises processing the traffic using the requested service.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosing operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. The Sinkhole module may implement a proxy mode in which traffic received by the Sinkhole module is transmitted to a destination specified in the traffic but modified to reference the Sinkhole as the source. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code.

76 Citations

View as Search Results

8 Claims

1. A method comprising:
- providing, on a computer system, an engagement module and a sinkhole module executing a plurality of virtual machines executing a plurality of services on a plurality of ports;
  
  detecting, by the engagement module, suspicious activities by a source with respect to one or more of the plurality of ports of the engagement module;
  
  allowing, by the engagement module, installation by the source of a malicious module in a virtual machine of the plurality of virtual machines of the engagement module;
  
  executing, by the engagement module, the malicious module in the virtual machine while capturing a plurality of first events describing execution of the malicious module by the engagement module, the executing the malicious module resulting in generation of traffic;
  
  forwarding, by the engagement module, the traffic generated by the malicious module, to the sinkhole module;
  
  responding, by the sinkhole module, to the traffic by processing the traffic, the processing the traffic including both of (a) transmitting a response to the malicious module executed by the engagement module according to a service of the plurality of services of the sinkhole module and (b) capturing a plurality of second events describing processing of the traffic by the sinkhole module;
  
  transmitting, by the engagement module, the plurality of first events to a characterizing module;
  
  transmitting, by the sinkhole module, the plurality of second events to the characterizing module;
  
  correlating, by the characterizing module, the plurality of first events to the malicious module;
  
  correlating, by the characterizing module, the plurality of second events to the malicious module;
  
  generating, by the characterizing module, a descriptor of the malicious module according to both the plurality of first events and the plurality of second events;
  
  using by one of the computer system and a different computer system, the descriptor to at least one of detect an attempt to install the malicious module and remove an instance of the malicious module on the one of the computer system and the different computer system;
  
  detecting generation of the traffic by the malicious module;
  
  identifying a requested service requested by the traffic; and
  
  instantiating the sinkhole module and provisioning the sinkhole module with the requested service in response to detecting generation of the traffic and identifying the service;
  
  wherein transmitting the response to the malicious module executed by the engagement module according to the service of the plurality of services of the sinkhole module comprises processing the traffic using the requested service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the plurality of virtual machines of the engagement module and sinkhole module each hosts an operating system instance.
  - 3. The method of claim 1, wherein the engagement module and sinkhole module are executed within a single host operating system instance.
  - 4. The method of claim 1, further comprising:
    - transforming the traffic, by the sinkhole module, to obtain transformed data;
      
      forwarding, by the sinkhole module, the transformed data to a destination specified in the traffic; and
      
      receiving, by the sinkhole module, an external response to the transformed data; and
      
      wherein the second plurality of events include the external response.
  - 5. The method of claim 4, further comprising substituting an address of the sinkhole module in the transformed data for a source address included in the traffic.
  - 6. The method of claim 1, wherein the descriptor of the malicious module includes at least one of:
    - actions and corresponding times of actions taken by the malicious module; and
      
      a signature of the executable code defining the malicious module.
  - 7. The method of claim 1, wherein:
    - the traffic includes a request for an address for a command and control module; and
      
      the response includes an address of the sinkhole module.
  - 8. The method of claim 1, wherein the plurality of first events include at least one of:
    - scanning, by the malicious module, of ports of one or more addresses in a network of the computer system;
      
      downloading of additional executable code by the malicious module;
      
      attempting to upload payload data by the malicious module to one of the computer system and the other computer system;
      
      attempting to contact a command and control module; and
      
      generating malicious traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SentinelOne Inc.
Original Assignee
Attivo Networks, Inc.
Inventors
Vissamsetty, Venu, Buruganahalli, Shivakumar
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
GUNDRY, STEPHEN T

Application Number

US14/458,026
Publication Number

US 20150326587A1
Time in Patent Office

1,134 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/142   Denial of service attacks a...

H04L 2463/144   Detection or countermeasure...

H04L 63/08   for authentication of entit...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Distributed system for Bot detection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

76 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed system for Bot detection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links