Measuring, categorizing, and/or mitigating malware distribution paths

US 9,930,065 B2
Filed: 03/25/2015
Issued: 03/27/2018
Est. Priority Date: 03/25/2015
Status: Active Grant

First Claim

Patent Images

1. A system for event path traceback comprising:

at least one processor; and

a data storage device having computer readable program code embodied therewith;

the at least one processor configured to execute the computer readable program code to perform processing associated with receiving network traffic from a network; and

an attack path traceback and categorization module in communication with the at least one processor, the attack path traceback and categorization module being configured to perform processing associated with identifying an event within the network traffic;

tracing a sequence of network transactions related to the event; and

outputting an annotated malware path including data about the event and the sequence of network transactions related to the event;

wherein performing processing associated with tracing the sequence of network transactions comprises;

reconstructing a sequence of transactions within the network traffic that led to the event based on a download referrer, at least one surrogate referrer indicator, and at least one of a drive-by uniform resource identifier similarity and a download domain recurrence, wherein the at least one surrogate referrer indicator is not the download referrer, andfiltering out unrelated traffic within the network traffic.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for event path traceback may utilize a processor and a path traceback and categorization (ATC) module in communication with the processor. The processor may be configured to perform processing associated with receiving network traffic from a network. The ATC module may be configured to perform processing associated with identifying an event within the network traffic, tracing a sequence of network transactions related to the event, and outputting an annotated event path (AMP) including data about the event and the sequence of network transactions related to the event. Performing processing associated with tracing the sequence of network transactions may comprise reconstructing a sequence of transactions within the network traffic that led to the event while filtering out unrelated traffic within the network traffic.

Citations

25 Claims

1. A system for event path traceback comprising:
- at least one processor; and
  
  a data storage device having computer readable program code embodied therewith;
  
  the at least one processor configured to execute the computer readable program code to perform processing associated with receiving network traffic from a network; and
  
  an attack path traceback and categorization module in communication with the at least one processor, the attack path traceback and categorization module being configured to perform processing associated with identifying an event within the network traffic;
  
  tracing a sequence of network transactions related to the event; and
  
  outputting an annotated malware path including data about the event and the sequence of network transactions related to the event;
  
  wherein performing processing associated with tracing the sequence of network transactions comprises;
  
  reconstructing a sequence of transactions within the network traffic that led to the event based on a download referrer, at least one surrogate referrer indicator, and at least one of a drive-by uniform resource identifier similarity and a download domain recurrence, wherein the at least one surrogate referrer indicator is not the download referrer, andfiltering out unrelated traffic within the network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the attack path traceback and categorization module is further configured to perform processing associated with determining a cause of the event based on the sequence of network transactions.
  - 3. The system of claim 2, wherein the cause is an update, a social engineering attack, or a drive-by download.
  - 4. The system of claim 2, wherein the at least one surrogate referrer indicator comprises at least one of:
    - a candidate exploit domain age;
      
      a download path length; and
      
      a user agent popularity.
  - 5. The system of claim 1, wherein performing processing associated with identifying the event comprises detecting the event within the network traffic and other network traffic conducted by a computer on the network affected by the event within a period of time near the event.
  - 6. The system of claim 1, wherein performing processing associated with outputting the annotated malware path comprises automatically labeling at least one node within the sequence.
  - 7. The system of claim 6, wherein performing processing associated with outputting the annotated malware path further comprises adding each node to the annotated malware path.
  - 8. The system of claim 1, wherein performing processing associated with tracing the sequence of network transactions comprises analyzing at least one of the following features of at least two nodes of the network traffic:
    - location;
      
      referrer;
      
      domain in uniform resource identifier;
      
      uniform resource identifier in content;
      
      same domain;
      
      commonly exploitable content; and
      
      same effective second level domains.
  - 9. The system of claim 1, further comprising a malware download defense module in communication with the processor, the malware download defense module being configured to perform processing associated with receiving the annotated malware path and creating a countermeasure based on statistical data in the annotated malware path.
  - 10. The system of claim 9, wherein performing processing associated with creating the countermeasure comprises identifying a landing node, an injection node, and an exploit node for an event within the annotated malware path, wherein the event is caused by a drive-by download.
  - 11. The system of claim 9, wherein performing processing associated with creating the countermeasure comprises generating a report for display, the report comprising at least a portion of the annotated malware path.
  - 12. The system of claim 9, wherein the malware download defense module is further configured to perform processing associated with training a new malware download defense module based on the created countermeasure.

13. A method for event path traceback comprising:
- performing processing associated with receiving, with a processor, network traffic from a network;
  
  performing processing associated with identifying, with an attack path traceback and categorization module in communication with the processor, an event within the network traffic;
  
  performing processing associated with tracing, with the attack path traceback and categorization module, a sequence of network transactions related to the event; and
  
  performing processing associated with outputting, with the attack path traceback and categorization module, an annotated malware path including data about the event and the sequence of network transactions related to the event;
  
  wherein performing processing associated with tracing the sequence of network transactions comprises;
  
  performing processing associated with reconstructing a sequence of transactions within the network traffic that led to the event based on a download referrer, at least one surrogate referrer indicator and at least one of a drive-by uniform resource identifier similarity and a download domain recurrence, wherein the at least one surrogate referrer indicator is not the download referrer, andfiltering out unrelated traffic within the network traffic.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 14. The method of claim 13, wherein the event is caused by an executable download on a computer on the network.
  - 15. The method of claim 14, further comprising performing processing associated with determining, with the attack path traceback and categorization module, a cause of the event based on the sequence of network transactions.
  - 16. The method of claim 15, wherein the cause is an update, a social engineering attack, or a drive-by download.
  - 17. The method of claim 15, wherein the at least one surrogate referrer indicator at least one of:
    - a candidate exploit domain age;
      
      a download path length; and
      
      a user agent popularity.
  - 18. The method of claim 13, wherein performing processing associated with identifying the event comprises detecting the event within the network traffic and other network traffic conducted by a computer on the network affected by the event within a period of time near the event.
  - 19. The method of claim 13, wherein performing processing associated with outputting the annotated malware path comprises automatically labeling at least one node within the sequence.
  - 20. The method of claim 19, wherein performing processing associated with outputting the annotated malware path further comprises adding each node to the annotated malware path.
  - 21. The method of claim 13, wherein performing processing associated with tracing the sequence of network transactions comprises analyzing at least one of the following features of at least two nodes of the network traffic:
    - location;
      
      referrer;
      
      domain in uniform resource identifier;
      
      uniform resource identifier in content;
      
      same domain;
      
      commonly exploitable content; and
      
      same effective second level domains.
  - 22. The method of claim 13, further comprising:
    - performing processing associated with receiving, with a malware download defense module in communication with the processor, the annotated malware path; and
      
      performing processing associated with creating, with the malware download defense module, a countermeasure based on statistical data in the annotated malware path.
  - 23. The method of claim 22, wherein performing processing associated with creating the countermeasure comprises identifying a landing node, an injection node, and an exploit node for an event within the annotated malware path, wherein the event is caused by a drive-by download.
  - 24. The method of claim 22, wherein performing processing associated with creating the countermeasure comprises generating a report for display, the report comprising at least a portion of the annotated malware path.
  - 25. The method of claim 22, further comprising performing processing associated with training, with the malware download defense module, a new malware download defense module based on the created countermeasure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc., The University of Georgia Research Foundation, Inc.
Original Assignee
Damballa Incorporated, The University of Georgia Research Foundation, Inc.
Inventors
Nelms, Terry Lee, Perdisci, Roberto
Primary Examiner(s)
Korsak, Oleg

Application Number

US14/668,329
Publication Number

US 20160285894A1
Time in Patent Office

1,098 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Measuring, categorizing, and/or mitigating malware distribution paths

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Measuring, categorizing, and/or mitigating malware distribution paths

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links