Entropy-based beaconing detection

US 9,985,980 B1
Filed: 12/15/2015
Issued: 05/29/2018
Est. Priority Date: 12/15/2015
Status: Active Grant

First Claim

Patent Images

1. A method, performed by a computing device, of identifying potential malware within a computer network, the method comprising:

collecting information on times at which remote domains were contacted by each device of a set of devices on the computer network, wherein collecting includes sniffing packets over the computer network from communication sessions between devices of the set of devices and the remote domains;

for each remote domain of a set of remote domains contacted by the set of devices, recording a list of time gaps between subsequent contacts to that remote domain by each device of the set of devices;

for each remote domain, calculating an entropy for the list of time gaps for that remote domain, a lower entropy indicating that that remote domain has been accessed at more regular intervals, while a higher entropy indicates that that remote domain has been accessed at more random intervals, wherein calculating the entropy includes;

assigning each time gap, based on a length of that time gap, to a bin of a set of bins of a same fixed bin size;

determining a number of time gaps assigned to each bin of the set of bins;

calculating a mode equal to the number of time gaps assigned to the bin of the set of bins having the most time gaps assigned thereto;

clipping to zero the number of time gaps assigned to any bin of the set of bins having a number of time gaps less than a fixed percentage of the mode; and

calculating the entropy over the set of bins based on the number of time gaps assigned to each bin;

selecting a strict subset of the set of remote domains, the calculated entropy of each remote domain of the strict subset being smaller than the calculated entropy of each remote domain of the set of remote domains not within the selected strict subset, wherein selecting the strict subset includes (a) sorting the remote domains from a lowest entropy to a highest entropy using the calculated entropy of each remote domain and then (b) refining by further sorting remote domains having equal calculated entropies by using another entropy calculated for those remote domains using a different fixed bin size; and

presenting the selected strict subset to an administrator with directions to review remote domains of the strict subset for potential contact with malware installed on devices of the computer network.

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes (a) collecting information on times at which domains were contacted by each device of a set of devices on a network, (b) for each domain contacted by the set of devices, recording a list of time gaps between subsequent contacts to that domain by each device, (c) for each domain, calculating an entropy for the list of time gaps for that domain, a lower entropy indicating that that domain has been accessed at more regular intervals, while a higher entropy indicates that that domain has been accessed at more random intervals, (d) selecting a subset of the set of domains having smaller entropies relative to other domains of the set of domains, and (e) presenting the selected subset to an administrator with directions to review domains of the subset for potential contact with malware installed on devices of the computer network.

14 Citations

View as Search Results

9 Claims

1. A method, performed by a computing device, of identifying potential malware within a computer network, the method comprising:
- collecting information on times at which remote domains were contacted by each device of a set of devices on the computer network, wherein collecting includes sniffing packets over the computer network from communication sessions between devices of the set of devices and the remote domains;
  
  for each remote domain of a set of remote domains contacted by the set of devices, recording a list of time gaps between subsequent contacts to that remote domain by each device of the set of devices;
  
  for each remote domain, calculating an entropy for the list of time gaps for that remote domain, a lower entropy indicating that that remote domain has been accessed at more regular intervals, while a higher entropy indicates that that remote domain has been accessed at more random intervals, wherein calculating the entropy includes;
  
  assigning each time gap, based on a length of that time gap, to a bin of a set of bins of a same fixed bin size;
  
  determining a number of time gaps assigned to each bin of the set of bins;
  
  calculating a mode equal to the number of time gaps assigned to the bin of the set of bins having the most time gaps assigned thereto;
  
  clipping to zero the number of time gaps assigned to any bin of the set of bins having a number of time gaps less than a fixed percentage of the mode; and
  
  calculating the entropy over the set of bins based on the number of time gaps assigned to each bin;
  
  selecting a strict subset of the set of remote domains, the calculated entropy of each remote domain of the strict subset being smaller than the calculated entropy of each remote domain of the set of remote domains not within the selected strict subset, wherein selecting the strict subset includes (a) sorting the remote domains from a lowest entropy to a highest entropy using the calculated entropy of each remote domain and then (b) refining by further sorting remote domains having equal calculated entropies by using another entropy calculated for those remote domains using a different fixed bin size; and
  
  presenting the selected strict subset to an administrator with directions to review remote domains of the strict subset for potential contact with malware installed on devices of the computer network.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein the fixed bin size is 1 minute.
  - 3. The method of claim 1 wherein the fixed bin size is in a range of 5 minutes to 20 minutes and the fixed percentage is in a range of 5% to 20%.
  - 4. The method of claim 1 wherein calculating the entropy further includes calculating the other entropy by:
    - assigning each time gap, based on a length of that time gap, to another bin of another set of bins of a same other fixed bin size, the other fixed bin size being smaller than the fixed bin size;
      
      determining a number of time gaps assigned to each other bin of the other set of bins; and
      
      calculating the other entropy over the other set of bins based on the number of time gaps assigned to each other bin.
  - 5. The method of claim 4 wherein the fixed bin size is in a range of 5 minutes to 20 minutes, the smaller fixed bin size is 1 minute, and the fixed percentage is in a range of 5% to 20%.

6. A computer program product comprising a non-transitory computer-readable storage medium storing a set of instructions, which, when executed by a computing device, causes the computing device to identify potential malware within a computer network by performing the following operations:
- collecting information on times at which remote domains were contacted by each device of a set of devices on the computer network, wherein collecting includes sniffing packets over the computer network from communication sessions between devices of the set of devices and the remote domains;
  
  for each remote domain of a set of remote domains contacted by the set of devices, recording a list of time gaps between subsequent contacts to that remote domain by each device of the set of devices;
  
  for each remote domain, calculating an entropy for the list of time gaps for that remote domain, a lower entropy indicating that that remote domain has been accessed at more regular intervals, while a higher entropy indicates that that remote domain has been accessed at more random intervals, wherein calculating the entropy includes;
  
  assigning each time gap, based on a length of that time gap, to a bin of a set of bins of a same fixed bin size;
  
  determining a number of time gaps assigned to each bin of the set of bins;
  
  calculating a mode equal to the number of time gaps assigned to the bin of the set of bins having the most time gaps assigned thereto;
  
  clipping to zero the number of time gaps assigned to any bin of the set of bins having a number of time gaps less than a fixed percentage of the mode; and
  
  calculating the entropy over the set of bins based on the number of time gaps assigned to each bin;
  
  selecting a strict subset of the set of remote domains, the calculated entropy of each remote domain of the strict subset being smaller than the calculated entropy of each remote domain of the set of remote domains not within the selected strict subset, wherein selecting the strict subset includes (a) sorting the remote domains from a lowest entropy to a highest entropy using the calculated entropy of each remote domain and then (b) refining by further sorting remote domains having equal calculated entropies by using another entropy calculated for those remote domains using a different fixed bin size; and
  
  presenting the selected strict subset to an administrator with directions to review remote domains of the strict subset for potential contact with malware installed on devices of the computer network.
- View Dependent Claims (7)
- - 7. The computer program product of claim 6 wherein calculating the entropy further includes calculating the other entropy by:
    - assigning each time gap, based on a length of that time gap, to another bin of another set of bins of a same other fixed bin size, the other fixed bin size being smaller than the fixed bin size;
      
      determining a number of time gaps assigned to each other bin of the other set of bins; and
      
      calculating the other entropy over the other set of bins based on the number of time gaps assigned to each other bin.

8. An apparatus comprising:
- network interface circuitry for connecting to a computer network;
  
  user interface circuitry; and
  
  processing circuitry coupled to memory configured to identify potential malware within the computer network by performing the following operations;
  
  collecting, via the network interface circuitry, information on times at which remote domains were contacted by each device of a set of devices on the computer network, wherein collecting includes sniffing packets over the network interface circuitry from communication sessions between devices of the set of devices and the remote domains;
  
  for each remote domain of a set of remote domains contacted by the set of devices, recording a list of time gaps between subsequent contacts to that remote domain by each device of the set of devices;
  
  for each remote domain, calculating an entropy for the list of time gaps for that remote domain, a lower entropy indicating that that remote domain has been accessed at more regular intervals, while a higher entropy indicates that that remote domain has been accessed at more random intervals, wherein calculating the entropy includes;
  
  assigning each time gap, based on a length of that time gap, to a bin of a set of bins of a same fixed bin size;
  
  determining a number of time gaps assigned to each bin of the set of bins;
  
  calculating a mode equal to the number of time gaps assigned to the bin of the set of bins having the most time gaps assigned thereto;
  
  clipping to zero the number of time gaps assigned to any bin of the set of bins having a number of time gaps less than a fixed percentage of the mode; and
  
  calculating the entropy over the set of bins based on the number of time gaps assigned to each bin;
  
  selecting a strict subset of the set of remote domains, the calculated entropy of each remote domain of the strict subset being smaller than the calculated entropy of each remote domain of the set of remote domains not within the selected strict subset, wherein selecting the strict subset includes (a) sorting the remote domains from a lowest entropy to a highest entropy using the calculated entropy of each remote domain and then (b) refining by further sorting remote domains having equal calculated entropies by using another entropy calculated for those remote domains using a different fixed bin size; and
  
  presenting, via the user interface circuitry, the selected strict subset to an administrator with directions to review remote domains of the strict subset for potential contact with malware installed on devices of the computer network.
- View Dependent Claims (9)
- - 9. The apparatus of claim 8 wherein calculating the entropy further includes calculating the other entropy by:
    - assigning each time gap, based on a length of that time gap, to another bin of another set of bins of a same other fixed bin size, the other fixed bin size being smaller than the fixed bin size;
      
      determining a number of time gaps assigned to each other bin of the other set of bins; and
      
      calculating the other entropy over the other set of bins based on the number of time gaps assigned to each other bin.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RSA Security LLC (Symphony Technology Group LLC)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Kolman, Eyal, Raviv, Kineret
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Sherkat, Arezoo

Application Number

US14/969,801
Time in Patent Office

896 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

Entropy-based beaconing detection

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Entropy-based beaconing detection

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links