Behavioral detection of malware agents

US 9,876,806 B2
Filed: 09/25/2014
Issued: 01/23/2018
Est. Priority Date: 09/25/2014
Status: Active Grant

First Claim

Patent Images

1. A computing apparatus, implemented by a hardware processor and memory, for detecting behavior of a malware agent, comprising:

a network interface operable for connecting to a data network; and

one or more logic elements, including at least the hardware processor and memory, comprising a detection engine operable for;

inspecting an HTTP request provided on the network interface;

identifying a domain name server (DNS) request associated with the HTTP request, the DNS request having a time-to-live;

determining that the time-to-live of the DNS request is expired;

designating the HTTP request as suspicious based at least in part on the expiration of the DNS request; and

determining that the DNS request occurred before an intervening DNS request, and designating the HTTP request as not malware;

wherein the detection engine is further operable for designating a parent process of the HTTP request as suspicious.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, a detection engine identifies potential malware objects according to behavior. In order to circumvent blacklists and fingerprint-based detection, a malware server may frequently change domain names, and change the fingerprints of distributed malware agents. A malware agent may perform only an initial DNS lookup, and thereafter communicate with the malware command-and-control server via “naked” HTTP packets using the raw IP address of the server. The detection engine identifies malware agents by this behavior. In one example, if an executable object makes repeated HTTP requests to an address after the DNS lookup “time to live” has expired, the object may be flagged as potential malware.

16 Citations

View as Search Results

17 Claims

1. A computing apparatus, implemented by a hardware processor and memory, for detecting behavior of a malware agent, comprising:
- a network interface operable for connecting to a data network; and
  
  one or more logic elements, including at least the hardware processor and memory, comprising a detection engine operable for;
  
  inspecting an HTTP request provided on the network interface;
  
  identifying a domain name server (DNS) request associated with the HTTP request, the DNS request having a time-to-live;
  
  determining that the time-to-live of the DNS request is expired;
  
  designating the HTTP request as suspicious based at least in part on the expiration of the DNS request; and
  
  determining that the DNS request occurred before an intervening DNS request, and designating the HTTP request as not malware;
  
  wherein the detection engine is further operable for designating a parent process of the HTTP request as suspicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computing apparatus of claim 1, wherein the detection engine is further operable for designating the parent process as malware.
  - 3. The computing apparatus of claim 1, wherein the detection engine is further operable for taking remediative action on the parent process.
  - 4. The computing apparatus of claim 1, wherein the detection engine is further operable for:
    - determining that the parent process is designated on a whitelist; and
      
      taking no remediative action on the parent process.
  - 5. The computing apparatus of claim 1, wherein the detection engine is further operable for notifying a security server of the HTTP request.
  - 6. The computing apparatus of claim 5, wherein the detection engine is further operable for receiving threat intelligence from the security server.
  - 7. The computing apparatus of claim 1, wherein the detection engine is further operable for classifying incoming traffic as one of DNS, hypertext transfer protocol (HTTP), and other traffic.
  - 8. The computing apparatus of claim 7, wherein the detection engine is further operable for ignoring traffic classified as other traffic.
  - 9. The computing apparatus of claim 1, wherein the detection engine is further operable for:
    - detecting a DNS request; and
      
      storing response parameters for the DNS request.

10. One or more non-transitory computer-readable mediums for detecting behavior of a malware agent having stored thereon executable instructions for providing a detection engine operable for:
- inspecting an HTTP request;
  
  identifying a domain name server (DNS) request associated with the HTTP request, the DNS request having a time-to-live;
  
  determining that the time-to-live of the DNS request is expired;
  
  designating the HTTP request as suspicious based at least in part on the expiration of the DNS request; and
  
  determining that the DNS request occurred before an intervening DNS request, and designating the HTTP request as not malware;
  
  wherein the detection engine is further operable for designating a parent process of the HTTP request as suspicious.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The one or more computer-readable mediums of claim 10, wherein the detection engine is further operable for designating the parent process as malware.
  - 12. The one or more computer-readable mediums of claim 10, wherein the detection engine is further operable for taking remediative action on the parent process.
  - 13. The one or more computer-readable mediums of claim 10, wherein the detection engine is further operable for:
    - determining that the parent process is designated on a whitelist; and
      
      taking no remediative action on the parent process.
  - 14. The one or more computer-readable mediums of claim 10, wherein the detection engine is further operable for notifying a security server of the HTTP request.
  - 15. The one or more computer-readable mediums of claim 14, wherein the detection engine is further operable for receiving threat intelligence from the security server.

16. A computer-implemented method of detecting behavior of a malware agent, comprising:
- inspecting an HTTP request provided in a network packet received on a network interface;
  
  identifying a domain name server (DNS) request associated with the HTTP request, the DNS request having a time-to-live;
  
  determining that the time-to-live of the DNS request is expired;
  
  designating the HTTP request and a parent process of the network packet as suspicious based at least in part on the expiration of the DNS request; and
  
  determining that the DNS request occurred before an intervening DNS request, and designating the HTTP request as not malware;
  
  designating a parent process of the HTTP request as suspicious.
- View Dependent Claims (17)
- - 17. The method of claim 16, further comprising:
    - determining that the parent process has previously provided at least one other HTTP request with an expired DNS request; and
      
      designating the network packet and the parent process as malware based at least in part on the determining.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Mondiguing, Stephen, Cruz, Benjamin
Primary Examiner(s)
SHAW, PETER C

Application Number

US14/496,158
Publication Number

US 20160094569A1
Time in Patent Office

1,216 Days
Field of Search

726 24
US Class Current
CPC Class Codes

H04L 2463/142   Denial of service attacks a...

H04L 2463/144   Detection or countermeasure...

H04L 61/4511   using domain name system [DNS]

H04L 63/1416   Event detection, e.g. attac...

Behavioral detection of malware agents

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Behavioral detection of malware agents

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links