Measuring, categorizing, and/or mitigating malware distribution paths
First Claim
1. A system for event path traceback comprising:
at least one processor; and
a data storage device having computer readable program code embodied therewith;
the at least one processor configured to execute the computer readable program code to perform processing associated with receiving network traffic from a network; and
an attack path traceback and categorization module in communication with the at least one processor, the attack path traceback and categorization module being configured to perform processing associated with identifying an event within the network traffic;
tracing a sequence of network transactions related to the event; and
outputting an annotated malware path including data about the event and the sequence of network transactions related to the event;
wherein performing processing associated with tracing the sequence of network transactions comprises:
reconstructing a sequence of transactions within the network traffic that led to the event based on a download referrer, at least one surrogate referrer indicator, and at least one of a drive-by uniform resource identifier similarity and a download domain recurrence, wherein the at least one surrogate referrer indicator is not the download referrer, and filtering out unrelated traffic within the network traffic.
Abstract
Systems and methods for event path traceback may utilize a processor and a path traceback and categorization (ATC) module in communication with the processor. The processor may be configured to perform processing associated with receiving network traffic from a network. The ATC module may be configured to perform processing associated with identifying an event within the network traffic, tracing a sequence of network transactions related to the event, and outputting an annotated event path (AMP) including data about the event and the sequence of network transactions related to the event. Performing processing associated with tracing the sequence of network transactions may comprise reconstructing a sequence of transactions within the network traffic that led to the event while filtering out unrelated traffic within the network traffic.
25 Claims

1. A system for event path traceback comprising: (claim text identical to the First Claim set out above). Dependent claims: 2 through 12.
13. A method for event path traceback comprising:
performing processing associated with receiving, with a processor, network traffic from a network;
performing processing associated with identifying, with an attack path traceback and categorization module in communication with the processor, an event within the network traffic;
performing processing associated with tracing, with the attack path traceback and categorization module, a sequence of network transactions related to the event; and
performing processing associated with outputting, with the attack path traceback and categorization module, an annotated malware path including data about the event and the sequence of network transactions related to the event;
wherein performing processing associated with tracing the sequence of network transactions comprises:
performing processing associated with reconstructing a sequence of transactions within the network traffic that led to the event based on a download referrer, at least one surrogate referrer indicator and at least one of a drive-by uniform resource identifier similarity and a download domain recurrence, wherein the at least one surrogate referrer indicator is not the download referrer, and filtering out unrelated traffic within the network traffic.
Dependent claims: 14 through 25.
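The traceback that claims 1 and 13 describe, as an added illustration (not code from the patent or from any product built on it): starting at a download event in a constructed HTTP transaction log, it follows the download Referer, falls back to a surrogate referrer indicator (here a 302 Location header, an assumed indicator since the claims do not name one), then to download domain recurrence and drive-by URI similarity, while dropping other clients' traffic and transactions outside a time window. Hostnames, timestamps, content types and the 0.5 similarity threshold are all constructed.

```python
from urllib.parse import urlsplit

# Constructed HTTP transaction log (not real traffic), ordered by time. 'ref' is the Referer
# header; 'loc' is a 302 Location header, used here as an assumed surrogate referrer indicator.
LOG = [
    {"t": 100, "client": "10.0.0.5", "url": "http://news.example/home", "ref": None, "loc": None, "type": "text/html"},
    {"t": 101, "client": "10.0.0.5", "url": "http://ads.example/show?z=9", "ref": "http://news.example/home", "loc": "http://land.example/ek/gate.php?id=7", "type": "text/html"},
    {"t": 101, "client": "10.0.0.7", "url": "http://mail.example/inbox", "ref": None, "loc": None, "type": "text/html"},
    {"t": 102, "client": "10.0.0.5", "url": "http://cdn.example/lib.js", "ref": "http://news.example/home", "loc": None, "type": "text/javascript"},
    {"t": 103, "client": "10.0.0.5", "url": "http://land.example/ek/gate.php?id=7", "ref": None, "loc": None, "type": "text/html"},
    {"t": 104, "client": "10.0.0.5", "url": "http://land.example/ek/load.php?id=7", "ref": None, "loc": None, "type": "application/x-msdownload"},
]
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream"}  # what counts as a download event

def uri_similarity(a, b):  # Jaccard over path/query tokens: a simple drive-by URI similarity
    def tokens(u):
        s = urlsplit(u)
        return {t for t in s.path.replace("/", " ").replace(".", " ").split() + s.query.split("&") if t}
    ta, tb = tokens(a), tokens(b)
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

def predecessor(tx, candidates):
    """Pick the earlier transaction that most plausibly led to tx, and the indicator that links them."""
    for c in reversed(candidates):                      # 1. explicit download Referer (strongest link)
        if tx["ref"] and c["url"] == tx["ref"]:
            return c, "referrer"
    for c in reversed(candidates):                      # 2. surrogate referrer: a redirect that named tx's URL
        if c["loc"] == tx["url"]:
            return c, "redirect-location"
    host = urlsplit(tx["url"]).hostname
    for c in reversed(candidates):                      # 3. download domain recurrence, then URI similarity
        if urlsplit(c["url"]).hostname == host:
            return c, "domain-recurrence"
        if uri_similarity(c["url"], tx["url"]) >= 0.5:
            return c, "uri-similarity"
    return None, None

def find_downloads(log):
    return [x for x in log if x["type"] in EXEC_TYPES]

def trace_event_path(log, event, window=60):
    """Annotated path ending at `event`; other clients' traffic and anything outside the window is filtered out."""
    related = [x for x in log if x["client"] == event["client"] and event["t"] - window <= x["t"] < event["t"]]
    path, cur = [], event
    while cur is not None:
        prev, via = predecessor(cur, related)
        path.append({"t": cur["t"], "url": cur["url"], "via": via or "root", "event": cur is event})
        related = related[:related.index(prev)] if prev else related   # only look further back in time
        cur = prev
    return path[::-1]
```

Each hop's `via` records which indicator linked it to the transaction before it, which is the annotation the claims call for; the unrelated `cdn.example` and `mail.example` requests never appear in the path.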