Entropy-based beaconing detection
18 Assignments
0 Petitions
Abstract
A method includes (a) collecting information on times at which domains were contacted by each device of a set of devices on a network, (b) for each domain contacted by the set of devices, recording a list of time gaps between subsequent contacts to that domain by each device, (c) for each domain, calculating an entropy for the list of time gaps for that domain, a lower entropy indicating that that domain has been accessed at more regular intervals, while a higher entropy indicates that that domain has been accessed at more random intervals, (d) selecting a subset of the set of domains having smaller entropies relative to other domains of the set of domains, and (e) presenting the selected subset to an administrator with directions to review domains of the subset for potential contact with malware installed on devices of the computer network.
9 Claims
1. A method, performed by a computing device, of identifying potential malware within a computer network, the method comprising:
- collecting information on times at which remote domains were contacted by each device of a set of devices on the computer network, wherein collecting includes sniffing packets over the computer network from communication sessions between devices of the set of devices and the remote domains;
- for each remote domain of a set of remote domains contacted by the set of devices, recording a list of time gaps between subsequent contacts to that remote domain by each device of the set of devices;
- for each remote domain, calculating an entropy for the list of time gaps for that remote domain, a lower entropy indicating that that remote domain has been accessed at more regular intervals, while a higher entropy indicates that that remote domain has been accessed at more random intervals, wherein calculating the entropy includes:
  - assigning each time gap, based on a length of that time gap, to a bin of a set of bins of a same fixed bin size;
  - determining a number of time gaps assigned to each bin of the set of bins;
  - calculating a mode equal to the number of time gaps assigned to the bin of the set of bins having the most time gaps assigned thereto;
  - clipping to zero the number of time gaps assigned to any bin of the set of bins having a number of time gaps less than a fixed percentage of the mode; and
  - calculating the entropy over the set of bins based on the number of time gaps assigned to each bin;
- selecting a strict subset of the set of remote domains, the calculated entropy of each remote domain of the strict subset being smaller than the calculated entropy of each remote domain of the set of remote domains not within the selected strict subset, wherein selecting the strict subset includes (a) sorting the remote domains from a lowest entropy to a highest entropy using the calculated entropy of each remote domain and then (b) refining by further sorting remote domains having equal calculated entropies by using another entropy calculated for those remote domains using a different fixed bin size; and
- presenting the selected strict subset to an administrator with directions to review remote domains of the strict subset for potential contact with malware installed on devices of the computer network.

Dependent claims: 2, 3, 4, 5
6. A computer program product comprising a non-transitory computer-readable storage medium storing a set of instructions, which, when executed by a computing device, causes the computing device to identify potential malware within a computer network by performing the following operations:
- collecting information on times at which remote domains were contacted by each device of a set of devices on the computer network, wherein collecting includes sniffing packets over the computer network from communication sessions between devices of the set of devices and the remote domains;
- for each remote domain of a set of remote domains contacted by the set of devices, recording a list of time gaps between subsequent contacts to that remote domain by each device of the set of devices;
- for each remote domain, calculating an entropy for the list of time gaps for that remote domain, a lower entropy indicating that that remote domain has been accessed at more regular intervals, while a higher entropy indicates that that remote domain has been accessed at more random intervals, wherein calculating the entropy includes:
  - assigning each time gap, based on a length of that time gap, to a bin of a set of bins of a same fixed bin size;
  - determining a number of time gaps assigned to each bin of the set of bins;
  - calculating a mode equal to the number of time gaps assigned to the bin of the set of bins having the most time gaps assigned thereto;
  - clipping to zero the number of time gaps assigned to any bin of the set of bins having a number of time gaps less than a fixed percentage of the mode; and
  - calculating the entropy over the set of bins based on the number of time gaps assigned to each bin;
- selecting a strict subset of the set of remote domains, the calculated entropy of each remote domain of the strict subset being smaller than the calculated entropy of each remote domain of the set of remote domains not within the selected strict subset, wherein selecting the strict subset includes (a) sorting the remote domains from a lowest entropy to a highest entropy using the calculated entropy of each remote domain and then (b) refining by further sorting remote domains having equal calculated entropies by using another entropy calculated for those remote domains using a different fixed bin size; and
- presenting the selected strict subset to an administrator with directions to review remote domains of the strict subset for potential contact with malware installed on devices of the computer network.

Dependent claims: 7
8. An apparatus comprising:
- network interface circuitry for connecting to a computer network;
- user interface circuitry; and
- processing circuitry coupled to memory configured to identify potential malware within the computer network by performing the following operations:
  - collecting, via the network interface circuitry, information on times at which remote domains were contacted by each device of a set of devices on the computer network, wherein collecting includes sniffing packets over the network interface circuitry from communication sessions between devices of the set of devices and the remote domains;
  - for each remote domain of a set of remote domains contacted by the set of devices, recording a list of time gaps between subsequent contacts to that remote domain by each device of the set of devices;
  - for each remote domain, calculating an entropy for the list of time gaps for that remote domain, a lower entropy indicating that that remote domain has been accessed at more regular intervals, while a higher entropy indicates that that remote domain has been accessed at more random intervals, wherein calculating the entropy includes:
    - assigning each time gap, based on a length of that time gap, to a bin of a set of bins of a same fixed bin size;
    - determining a number of time gaps assigned to each bin of the set of bins;
    - calculating a mode equal to the number of time gaps assigned to the bin of the set of bins having the most time gaps assigned thereto;
    - clipping to zero the number of time gaps assigned to any bin of the set of bins having a number of time gaps less than a fixed percentage of the mode; and
    - calculating the entropy over the set of bins based on the number of time gaps assigned to each bin;
  - selecting a strict subset of the set of remote domains, the calculated entropy of each remote domain of the strict subset being smaller than the calculated entropy of each remote domain of the set of remote domains not within the selected strict subset, wherein selecting the strict subset includes (a) sorting the remote domains from a lowest entropy to a highest entropy using the calculated entropy of each remote domain and then (b) refining by further sorting remote domains having equal calculated entropies by using another entropy calculated for those remote domains using a different fixed bin size; and
  - presenting, via the user interface circuitry, the selected strict subset to an administrator with directions to review remote domains of the strict subset for potential contact with malware installed on devices of the computer network.

Dependent claims: 9
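The claimed pipeline (collect contact times, pool per-device time gaps per domain, bin at a fixed size, clip bins below a percentage of the modal count, rank domains by entropy with a second bin size as tie-break, hand the lowest-entropy subset to an administrator) as an added, runnable illustration. This is not the patent's own code; the bin size, clipping percentage and tie-break bin size are assumed parameters (the claims fix them but state no values), and the contact records are constructed for the example: one domain is polled by two hosts about every 60 seconds with small jitter and one missed interval, the other at irregular intervals.

```python
"""Entropy-based beaconing ranking over per-device contact times.

Added illustration of the claimed method, not code from the patent.
Bin size, clip percentage and tie-break bin size are assumed parameters.
"""
from collections import defaultdict
from math import log2

# Constructed sample: (device, domain, contact time in epoch seconds).
# "beacon.example" is contacted by two hosts every ~60 s with +/-2 s jitter;
# host-b misses one interval (a 120 s gap). "news.example" is contacted at
# irregular, human-looking intervals.
CONTACTS = [
    ("host-a", "beacon.example", 0), ("host-a", "beacon.example", 61),
    ("host-a", "beacon.example", 123), ("host-a", "beacon.example", 183),
    ("host-a", "beacon.example", 245), ("host-a", "beacon.example", 306),
    ("host-b", "beacon.example", 10), ("host-b", "beacon.example", 72),
    ("host-b", "beacon.example", 133), ("host-b", "beacon.example", 253),
    ("host-a", "news.example", 0), ("host-a", "news.example", 17),
    ("host-a", "news.example", 250), ("host-a", "news.example", 262),
    ("host-a", "news.example", 900), ("host-b", "news.example", 5),
    ("host-b", "news.example", 410), ("host-b", "news.example", 1330),
    ("host-b", "news.example", 1335),
]


def time_gaps_per_domain(contacts):
    """Per domain, the gaps between consecutive contacts, computed separately
    for each device (so host-a's and host-b's timelines never interleave)
    and then pooled under the domain."""
    per_pair = defaultdict(list)
    for device, domain, ts in contacts:
        per_pair[(device, domain)].append(ts)
    gaps = defaultdict(list)
    for (device, domain), times in per_pair.items():
        times.sort()
        gaps[domain].extend(b - a for a, b in zip(times, times[1:]))
    return dict(gaps)


def gap_entropy(gaps, bin_size, clip_pct):
    """Bin gaps at a fixed size, drop (clip to zero) any bin whose count is
    below clip_pct of the modal count, then take the Shannon entropy in bits
    over the surviving counts. A single surviving bin gives 0 bits."""
    counts = defaultdict(int)
    for g in gaps:
        counts[int(g // bin_size)] += 1
    mode = max(counts.values())
    kept = [c for c in counts.values() if c >= clip_pct * mode]
    total = sum(kept)
    return 0.0 - sum((c / total) * log2(c / total) for c in kept)


def rank_domains(contacts, bin_size=10, clip_pct=0.2, tiebreak_bin_size=3):
    """Sort domains ascending by entropy; equal entropies are ordered by a
    second entropy computed at a different bin size. Domains with fewer than
    two contacts on every device have no gaps and are skipped.
    Returns [(domain, entropy, tiebreak_entropy), ...]."""
    scored = []
    for domain, g in time_gaps_per_domain(contacts).items():
        if not g:
            continue
        scored.append((domain,
                       gap_entropy(g, bin_size, clip_pct),
                       gap_entropy(g, tiebreak_bin_size, clip_pct)))
    scored.sort(key=lambda r: (r[1], r[2]))
    return scored


def flag_lowest(contacts, k=1, **params):
    """The strict subset (the k lowest-entropy domains) that would be handed
    to an administrator for review."""
    return [d for d, _, _ in rank_domains(contacts, **params)[:k]]


if __name__ == "__main__":
    for domain, h, h2 in rank_domains(CONTACTS):
        print(f"{domain:16s} entropy={h:.3f} tiebreak={h2:.3f}")
    print("review:", flag_lowest(CONTACTS))
```

The clipping step is what keeps the one missed beacon from raising the score: at a 10-second bin size the beacon's seven regular gaps land in one bin and the single 120-second gap in another, which falls below 20 percent of the mode and is zeroed, so the domain scores 0 bits, while the irregular domain spreads across six bins and scores well above 2 bits.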