System and method for detection of targeted attack based on information from multiple sources

US 9,860,272 B2
Filed: 05/26/2016
Issued: 01/02/2018
Est. Priority Date: 09/12/2014
Status: Active Grant

First Claim

Patent Images

1. A method for detecting targeted attacks from a network resource, comprising:

obtaining, by a processor of a computing device, data from multiple computer systems and devices connected with one another in a communications network to determine a possibility of a targeted attack from the network resource, the data comprising information relating to the network resource and a set of parameters of each computer system or device in accessing the network resource;

detecting discrepancies in the obtained data relating to the possibility of the targeted attack from the network resource from the multiple computer systems and devices;

forming and sending queries, by the processor, to a group of computer systems and devices detecting the possibility of the targeted attack with the set of parameters of the group of computer systems and devices in accessing the network resource, wherein the parameters are varied at least until one parameter or set of parameters is identified that is common to the computer systems in the group for which presence of the discrepancy is confirmed; and

calculating a probability of the targeted attack from the network resource based at least upon information received from the group of computer systems and devices in response to the queries.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are methods, systems, and computer programs for detecting targeted attacks on compromised computer from multiple sources. An example method includes obtaining data from multiple computer systems and devices connected with one another in a communications network to determine a possibility of a targeted attack from a network resource, the data comprising information relating to the network resource and a set of parameters of each computer system or device in accessing the network resource; detecting discrepancies in the obtained data; forming and sending queries to a group of computer systems and devices detecting the possibility of the targeted attack with the set of parameters of the group of computer systems and devices in accessing the network resource; and calculating a probability of the targeted attack from the network resource based at least upon information received from the group of computer systems and devices in response to the queries.

Citations

20 Claims

1. A method for detecting targeted attacks from a network resource, comprising:
- obtaining, by a processor of a computing device, data from multiple computer systems and devices connected with one another in a communications network to determine a possibility of a targeted attack from the network resource, the data comprising information relating to the network resource and a set of parameters of each computer system or device in accessing the network resource;
  
  detecting discrepancies in the obtained data relating to the possibility of the targeted attack from the network resource from the multiple computer systems and devices;
  
  forming and sending queries, by the processor, to a group of computer systems and devices detecting the possibility of the targeted attack with the set of parameters of the group of computer systems and devices in accessing the network resource, wherein the parameters are varied at least until one parameter or set of parameters is identified that is common to the computer systems in the group for which presence of the discrepancy is confirmed; and
  
  calculating a probability of the targeted attack from the network resource based at least upon information received from the group of computer systems and devices in response to the queries.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the multiple computer systems and devices comprise at least one of:
    - user computer systems;
      
      trusted domain name resolution services;
      
      Internet service providers; and
      
      search systems.
  - 3. The method of claim 1, wherein the data comprise at least one of:
    - parameters of resolving responses from domain name resolution services containing information about a queried domain;
      
      a DNS cache time to live (TTL);
      
      an IP address;
      
      a destination URL address;
      
      a public key certificate; and
      
      a file.
  - 4. The method of claim 1, wherein the set of parameters of each computer system or device in accessing the network resource comprises information relating to at least one of:
    - an operating system;
      
      a communication method;
      
      an Internet service provider;
      
      a mobile operator;
      
      a client application; and
      
      a geographic region.
  - 5. The method of claim 1, wherein the detecting discrepancies in the obtained data comprises detecting at least one of:
    - a previously unknown IP address for a known resource;
      
      a negative change of security rating of a resource;
      
      a change of a DNS server and/or of an Internet provider for a known resource; and
      
      differences in the information obtained from a known resource through different sources.
  - 6. The method of claim 1, further comprising identifying at least one common parameter among the set of parameters of each of the group of computer systems and devices in accessing the network resource.
  - 7. The method of claim 1, further comprising comparing the probability of the targeted attack against a selected threshold value.

8. A system for detecting targeted attacks from a network resource, comprising:
- a hardware processor configured to;
  
  obtain data from multiple computer systems and devices connected with one another in a communications network to determine a possibility of a targeted attack from the network resource, the data comprising information relating to the network resource and a set of parameters of each computer system or device in accessing the network resource;
  
  detect discrepancies in the obtained data relating to the possibility of the targeted attack from the network resource from the multiple computer systems and devices;
  
  form and send queries to a group of computer systems and devices detecting the possibility of the targeted attack with the set of parameters of the group of computer systems and devices in accessing the network resource, wherein the parameters are varied at least until one parameter or set of parameters is identified that is common to the computer systems in the group for which presence of the discrepancy is confirmed; and
  
  calculate a probability of the targeted attack from the network resource based at least upon information received from the group of computer systems and devices in response to the queries.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the multiple computer systems and devices comprise at least one of:
    - user computer systems;
      
      trusted domain name resolution services;
      
      Internet service providers; and
      
      search systems.
  - 10. The system of claim 8, wherein the data comprise at least one of:
    - parameters of resolving responses from domain name resolution services containing information about a queried domain;
      
      a DNS cache time to live (TTL);
      
      an IP address;
      
      a destination URL address;
      
      a public key certificate; and
      
      a file.
  - 11. The system of claim 8, wherein the set of parameters of each computer system or device in accessing the network resource comprises information relating to at least one of:
    - an operating system;
      
      a communication method;
      
      an Internet service provider;
      
      a mobile operator;
      
      a client application; and
      
      a geographic region.
  - 12. The system of claim 8, wherein the detecting discrepancies in the obtained data comprises detecting at least one of:
    - a previously unknown IP address for a known resource;
      
      a negative change of security rating of a resource;
      
      a change of a DNS server and/or of an Internet provider for a known resource; and
      
      differences in the information obtained from a known resource through different sources.
  - 13. The system of claim 8, wherein the processor is further configured to identify at least one common parameter among the set of parameters of each of the group of computer systems and devices in accessing the network resource.
  - 14. The system of claim 8, wherein the processor is further configured to compare the probability of the targeted attack against a selected threshold value.

15. A non-transitory computer-readable storage medium comprising computer-executable instructions for detecting targeted attacks from a network resource, including instructions for:
- obtaining data from multiple computer systems and devices connected with one another in a communications network to determine a possibility of a targeted attack from the network resource, the data comprising information relating to the network resource and a set of parameters of each computer system or device in accessing the network resource;
  
  detecting discrepancies in the obtained data relating to the possibility of the targeted attack from the network resource from the multiple computer systems and devices;
  
  forming and sending queries to a group of computer systems and devices detecting the possibility of the targeted attack with the set of parameters of the group of computer systems and devices in accessing the network resource, wherein the parameters are varied at least until one parameter or set of parameters is identified that is common to the computer systems in the group for which presence of the discrepancy is confirmed; and
  
  calculating a probability of the targeted attack from the network resource based at least upon information received from the group of computer systems and devices in response to the queries.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable storage medium of claim 15, wherein the multiple computer systems and devices comprise at least one of:
    - user computer systems;
      
      trusted domain name resolution services;
      
      Internet service providers; and
      
      search systems.
  - 17. The computer-readable storage medium of claim 15, wherein the data comprise at least one of:
    - parameters of resolving responses from domain name resolution services containing information about a queried domain;
      
      a DNS cache time to live (TTL);
      
      an IP address;
      
      a destination URL address;
      
      a public key certificate; and
      
      a file.
  - 18. The computer-readable storage medium of claim 15, wherein the set of parameters of each computer system or device in accessing the network resource comprises information relating to at least one of:
    - an operating system;
      
      a communication method;
      
      an Internet service provider;
      
      a mobile operator;
      
      a client application; and
      
      a geographic region.
  - 19. The computer-readable storage medium of claim 15, wherein the detecting discrepancies in the obtained data comprises detecting at least one of:
    - a previously unknown IP address for a known resource;
      
      a negative change of security rating of a resource;
      
      a change of a DNS server and/or of a Internet provider for a known resource; and
      
      differences in the information obtained from a known resource through different sources.
  - 20. The computer-readable storage medium of claim 15, further comprising instructions to cause the processor to:
    - identify at least one common parameter among the set of parameters of each of the group of computer systems and devices in accessing the network resource; and
      
      compare the probability of the targeted attack against a selected threshold value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Lab A.O. Kaspersky
Inventors
Yablokov, Victor V.
Primary Examiner(s)
Reza, Mohammad W

Application Number

US15/165,636
Publication Number

US 20160277442A1
Time in Patent Office

586 Days
Field of Search

726 22
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

System and method for detection of targeted attack based on information from multiple sources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detection of targeted attack based on information from multiple sources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links