Identifying malicious executables by analyzing proxy logs
First Claim
1. A method comprising:
- at a server having connectivity to the Internet, retrieving sets of proxy logs from a plurality of proxy servers, wherein each proxy server of the plurality of proxy servers is associated with a network and generates network traffic logs for one or more nodes included in the network;
- determining a set of executables, including malicious and non-malicious executables, hosted by each of the one or more nodes associated with each proxy server of the plurality of proxy servers;
- selecting a specific executable from the set of executables for analysis;
- analyzing the set of executables hosted by each of the one or more nodes associated with each proxy server of the plurality of proxy servers to detect the specific executable;
- determining a group of nodes that each host the specific executable;
- identifying similar portions of network traffic logs of the nodes in the group;
- identifying portions of each of the network traffic logs that are associated with the specific executable by comparing the similar portions of the network traffic logs of the nodes in the group to the network traffic logs of the nodes not in the group, wherein the similar portions of the network traffic logs that are dissimilar from the network traffic logs of the nodes not in the group comprise the portions of the network traffic logs that are associated with the specific executable;
- determining that the specific executable is malicious when the identified portions of each of the network traffic logs include indicators of compromise indicative of maliciousness; and
- generating an alert indicating that the portions of each of the network traffic logs associated with the specific executable are malicious.
Abstract
Identifying malicious executables by analyzing proxy logs includes, at a server having connectivity to the Internet, retrieving sets of proxy logs from a plurality of proxy servers. Each proxy server of the plurality of proxy servers is associated with a network and generates network traffic logs for one or more nodes included in the network. Then, a set of executables hosted by each of the one or more nodes associated with each of the plurality of proxy servers is determined. Each set of executables is analyzed to detect a specific executable and portions of each of the network traffic logs that are associated with the specific executable are identified. An alert is generated indicating the portions of each of the network traffic logs as likely to be associated with the specific executable.
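The pipeline the First Claim and the Abstract describe, as a worked example in Python. This is added illustration, not code from the patent or its assignee. It assumes a simplified one-line-per-request proxy-log format in which a fetched executable is recorded by its hash, constructed hostnames, hashes and an indicator list, and it generalizes the claim's "similar" / "dissimilar" test into two tunable fractions (how much of the group must share a traffic feature, and how much of the outside population may also show it); the defaults reproduce the strict claim wording (shared by every node in the group, seen on no node outside it).

```python
"""Attribute proxy-log traffic to one executable by comparing nodes across networks.
Added example of the claimed method, not code from the patent. The log format,
hostnames, hashes and indicator list below are all constructed."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy logs, one list per proxy server. Assumed simplified line format:
#   "<node> <method> <url> <sha256-of-fetched-executable or ->"
# A hash in the last field records that the node fetched (so hosts) that executable.
PROXY_LOGS = {
    "proxy-netA": [
        "hostA1 GET http://cdn.example.com/app/update.exe 0f1e2d",
        "hostA1 GET http://beacon.example.net/ping -",
        "hostA1 GET http://www.example.com/index.html -",
        "hostA2 GET http://dl.example.com/tools/editor.exe 9a8b7c",
        "hostA2 GET http://www.example.com/index.html -",
        "hostA2 GET http://mail.example.org/inbox -",
    ],
    "proxy-netB": [
        "hostB1 GET http://mirror.example.org/app/update.exe 0f1e2d",
        "hostB1 GET http://beacon.example.net/ping -",
        "hostB1 GET http://www.example.com/index.html -",
        "hostB1 GET http://mail.example.org/inbox -",
        "hostB2 GET http://www.example.com/index.html -",
        "hostB2 GET http://mail.example.org/inbox -",
    ],
}

# Constructed indicator list, keyed by the traffic-feature component it matches.
IOCS = {"domain": {"beacon.example.net"}, "path": {"/gate.php"}}


def parse_logs(proxy_logs):
    """Flatten the per-proxy logs into (proxy, node, method, host, path, digest) records."""
    records = []
    for proxy, lines in proxy_logs.items():
        for line in lines:
            node, method, url, digest = line.split()
            u = urlparse(url)
            records.append((proxy, node, method, u.hostname, u.path, digest))
    return records


def executables_by_node(records):
    """The set of executables each node hosts, taken from its fetch records."""
    inventory = defaultdict(set)
    for _, node, _, _, _, digest in records:
        if digest != "-":
            inventory[node].add(digest)
    return inventory


def features_by_node(records):
    """Each node's traffic reduced to a set of (domain, path) features."""
    feats = defaultdict(set)
    for _, node, _, host, path, _ in records:
        feats[node].add((host, path))
    return feats


def attribute_traffic(feats, group, min_group_share=1.0, max_outside_share=0.0):
    """Features shared inside the group that nodes outside the group do not show.
    min_group_share: fraction of group nodes that must exhibit a feature.
    max_outside_share: largest fraction of non-group nodes allowed to exhibit it."""
    if not group:
        return set()
    outside = set(feats) - group
    counts = defaultdict(int)
    for node in group:
        for feature in feats[node]:
            counts[feature] += 1
    shared = {f for f, n in counts.items() if n / len(group) >= min_group_share}
    attributed = set()
    for feature in shared:
        seen_outside = sum(1 for node in outside if feature in feats[node])
        outside_share = seen_outside / len(outside) if outside else 0.0
        if outside_share <= max_outside_share:
            attributed.add(feature)
    return attributed


def matched_iocs(features, iocs):
    """Indicators of compromise present in the attributed traffic."""
    hits = set()
    for host, path in features:
        if host in iocs["domain"]:
            hits.add(host)
        if path in iocs["path"]:
            hits.add(path)
    return hits


def analyze_executable(proxy_logs, target, iocs=IOCS):
    """Run the full pipeline for one executable hash and return the alert decision."""
    records = parse_logs(proxy_logs)
    feats = features_by_node(records)
    group = {n for n, exes in executables_by_node(records).items() if target in exes}
    attributed = attribute_traffic(feats, group)
    hits = matched_iocs(attributed, iocs)
    return {"executable": target, "group": group, "attributed": attributed,
            "iocs": hits, "alert": bool(hits)}


if __name__ == "__main__":
    for digest in ("0f1e2d", "9a8b7c", "deadbeef"):
        r = analyze_executable(PROXY_LOGS, digest)
        print(digest, sorted(r["group"]), sorted(r["attributed"]), r["alert"])
```

With the constructed logs, hash 0f1e2d is hosted by hostA1 and hostB1; the two share the beacon domain and www.example.com, but www.example.com is also visited by every node outside the group and is discarded, leaving only the beacon traffic, which matches an indicator and raises the alert. Hash 9a8b7c is hosted by a single node, so the "shared" step is trivial and the outside comparison does the work: only its own download URL survives, no indicator matches, and no alert is raised. A hash nobody hosts yields an empty group and nothing to attribute. Note that a group of one node gives the method no cross-node signal at all, so in practice a minimum group size belongs in front of the attribution step.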
15 Claims
1. A method comprising:
(Claim text as set out under First Claim above.) Dependent claims: 2, 3, 4, 5.

6. A system comprising:
- a plurality of proxy servers, each proxy server having connectivity to the Internet, wherein each proxy server of the plurality of proxy servers is associated with a network and generates network traffic logs for one or more nodes included in its associated network; and
- a server having connectivity to each of the proxy servers via the Internet, and including a processor configured to:
  - retrieve sets of proxy logs from the plurality of proxy servers;
  - determine a set of executables, including malicious and non-malicious executables, hosted by each of the one or more nodes associated with each proxy server of the plurality of proxy servers;
  - select a specific executable from the set of executables for analysis;
  - analyze the set of executables hosted by each of the one or more nodes associated with each proxy server of the plurality of proxy servers to detect the specific executable;
  - determine a group of nodes that each host the specific executable;
  - identify similar portions of network traffic logs of the nodes in the group;
  - identify portions of each of the network traffic logs that are associated with the specific executable by comparing the similar portions of the network traffic logs of the nodes in the group to the network traffic logs of the nodes not in the group, wherein the similar portions of the network traffic logs that are dissimilar from the network traffic logs of the nodes not in the group comprise the portions of the network traffic logs that are associated with the specific executable;
  - determine that the specific executable is malicious when the identified portions of each of the network traffic logs include indicators of compromise indicative of maliciousness; and
  - generate an alert indicating that the portions of each of the network traffic logs associated with the specific executable are malicious.
Dependent claims: 7, 8, 9, 10.

11. A non-transitory computer-readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- retrieve sets of proxy logs from a plurality of proxy servers, wherein each proxy server of the plurality of proxy servers is associated with a network and generates network traffic logs for one or more nodes included in the network;
- determine a set of executables, including malicious and non-malicious executables, hosted by each of the one or more nodes associated with each proxy server of the plurality of proxy servers;
- select a specific executable from the set of executables for analysis;
- analyze the set of executables hosted by each of the one or more nodes associated with each proxy server of the plurality of proxy servers to detect the specific executable;
- determine a group of nodes that each host the specific executable;
- identify similar portions of network traffic logs of the nodes in the group;
- identify portions of each of the network traffic logs that are associated with the specific executable by comparing the similar portions of the network traffic logs of the nodes in the group to the network traffic logs of the nodes not in the group, wherein the similar portions of the network traffic logs that are dissimilar from the network traffic logs of the nodes not in the group comprise the portions of the network traffic logs that are associated with the specific executable;
- determine that the specific executable is malicious when the identified portions of each of the network traffic logs include indicators of compromise indicative of maliciousness; and
- generate an alert indicating that the portions of each of the network traffic logs associated with the specific executable are malicious.
Dependent claims: 12, 13, 14, 15.