Behavioral detection of malware agents
First Claim
1. A computing apparatus, implemented by a hardware processor and memory, for detecting behavior of a malware agent, comprising:
- a network interface operable for connecting to a data network; and
one or more logic elements, including at least the hardware processor and memory, comprising a detection engine operable for;
inspecting an HTTP request provided on the network interface;
identifying a domain name server (DNS) request associated with the HTTP request, the DNS request having a time-to-live;
determining that the time-to-live of the DNS request is expired;
designating the HTTP request as suspicious based at least in part on the expiration of the DNS request; and
determining that the DNS request occurred before an intervening DNS request, and designating the HTTP request as not malware;
wherein the detection engine is further operable for designating a parent process of the HTTP request as suspicious.
10 Assignments
0 Petitions
Accused Products
Abstract
In an example, a detection engine identifies potential malware objects according to behavior. In order to circumvent blacklists and fingerprint-based detection, a malware server may frequently change domain names, and change the fingerprints of distributed malware agents. A malware agent may perform only an initial DNS lookup, and thereafter communicate with the malware command-and-control server via “naked” HTTP packets using the raw IP address of the server. The detection engine identifies malware agents by this behavior. In one example, if an executable object makes repeated HTTP requests to an address after the DNS lookup “time to live” has expired, the object may be flagged as potential malware.
-
Citations
17 Claims
-
1. A computing apparatus, implemented by a hardware processor and memory, for detecting behavior of a malware agent, comprising:
- a network interface operable for connecting to a data network; and
one or more logic elements, including at least the hardware processor and memory, comprising a detection engine operable for;
inspecting an HTTP request provided on the network interface;
identifying a domain name server (DNS) request associated with the HTTP request, the DNS request having a time-to-live;
determining that the time-to-live of the DNS request is expired;
designating the HTTP request as suspicious based at least in part on the expiration of the DNS request; and
determining that the DNS request occurred before an intervening DNS request, and designating the HTTP request as not malware;
wherein the detection engine is further operable for designating a parent process of the HTTP request as suspicious. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- a network interface operable for connecting to a data network; and
-
10. One or more non-transitory computer-readable mediums for detecting behavior of a malware agent having stored thereon executable instructions for providing a detection engine operable for:
- inspecting an HTTP request;
identifying a domain name server (DNS) request associated with the HTTP request, the DNS request having a time-to-live;
determining that the time-to-live of the DNS request is expired;
designating the HTTP request as suspicious based at least in part on the expiration of the DNS request; and
determining that the DNS request occurred before an intervening DNS request, and designating the HTTP request as not malware;
wherein the detection engine is further operable for designating a parent process of the HTTP request as suspicious. - View Dependent Claims (11, 12, 13, 14, 15)
- inspecting an HTTP request;
-
16. A computer-implemented method of detecting behavior of a malware agent, comprising:
- inspecting an HTTP request provided in a network packet received on a network interface;
identifying a domain name server (DNS) request associated with the HTTP request, the DNS request having a time-to-live;
determining that the time-to-live of the DNS request is expired;
designating the HTTP request and a parent process of the network packet as suspicious based at least in part on the expiration of the DNS request; and
determining that the DNS request occurred before an intervening DNS request, and designating the HTTP request as not malware;
designating a parent process of the HTTP request as suspicious. - View Dependent Claims (17)
- inspecting an HTTP request provided in a network packet received on a network interface;
Specification