Method and system for detecting malware

US 10,257,212 B2
Filed: 12/19/2016
Issued: 04/09/2019
Est. Priority Date: 01/06/2010
Status: Active Grant

First Claim

Patent Images

1. A method of analysis, comprising:

collecting, using at least one decoy virtual machine, honeypot NX domain names from at least one known infected asset in at least one real network, the honeypot NX domain names being domain names that are not registered;

collecting, using the at least one decoy virtual machine, real network NX domain names from at least one asset in the at least one real network;

grouping the honeypot NX domain names and the real network NX domain names based on statistical similarities;

creating at least one training vector, wherein the at least one training vector is created by;

computing various statistical values for at least one group of the honeypot NX domain names, andcollecting the various statistical values for the at least one group of the honeypot NX domain names in at least one vector;

creating, using the real network NX domain names, a plurality of testing vectors, wherein the plurality of testing vectors are created by;

computing various statistical values for at least one group of the real network NX domain names, andcollecting the various statistical values for the at least one group of the real network NX domain names in the plurality of testing vectors;

classifying each of the testing vectors as benign vectors or malicious vectors based on the at least one training vector; and

classifying the at least one asset in the at least one real network as infected if at least one of the plurality of testing vectors is classified as a malicious vector.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method of analysis. NX domain names are collected from an asset in a real network. The NX domain names are domain names that are not registered. The real network NX domain names are utilized to create testing vectors. The testing vectors are classified as benign vectors or malicious vectors based on training vectors. The asset is then classified as infected if the NX testing vector created from the real network NX domain names is classified as a malicious vector.

286 Citations

18 Claims

1. A method of analysis, comprising:
- collecting, using at least one decoy virtual machine, honeypot NX domain names from at least one known infected asset in at least one real network, the honeypot NX domain names being domain names that are not registered;
  
  collecting, using the at least one decoy virtual machine, real network NX domain names from at least one asset in the at least one real network;
  
  grouping the honeypot NX domain names and the real network NX domain names based on statistical similarities;
  
  creating at least one training vector, wherein the at least one training vector is created by;
  
  computing various statistical values for at least one group of the honeypot NX domain names, andcollecting the various statistical values for the at least one group of the honeypot NX domain names in at least one vector;
  
  creating, using the real network NX domain names, a plurality of testing vectors, wherein the plurality of testing vectors are created by;
  
  computing various statistical values for at least one group of the real network NX domain names, andcollecting the various statistical values for the at least one group of the real network NX domain names in the plurality of testing vectors;
  
  classifying each of the testing vectors as benign vectors or malicious vectors based on the at least one training vector; and
  
  classifying the at least one asset in the at least one real network as infected if at least one of the plurality of testing vectors is classified as a malicious vector.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising classifying previously unclassified malware from the honeypot NX domain names.
  - 3. The method of claim 1, wherein only domain name system (DNS) NX domain name information is utilized to classify the at least one asset as infected.
  - 4. The method of claim 1, wherein only NX domain traffic is utilized.
  - 5. The method of claim 1, wherein a meta-classifier is utilized to classify the testing vectors as benign vectors or malicious vectors.
  - 6. The method of claim 5, wherein the meta-classifier provides intelligence for identifying new malware.
  - 7. The method of claim 1, wherein the classifying of the testing vectors is done using at least one meta-classifier, the at least one meta-classifier comprising at least one generic classifier.
  - 8. The method of claim 1, further comprising classifying previously classified malware from the honeypot NX domain names.
  - 9. The method of claim 1, wherein the honeypot NX domain names collected from the at least one known infected asset and the real network NX domain names collected from the at least one asset are grouped into sets of 10 using absolute timing sequence information.

10. A system of analysis, comprising:
- at least one computer connected to at least one network;
  
  at least one application executing in the at least one computer, the at least one application configured for;
  
  collecting, using at least one decoy virtual machine, honeypot NX domain names from at least one known infected asset in at least one real network, the honeypot NX domain names being domain names that are not registered;
  
  collecting, using the at least one decoy virtual machine, real network NX domain names from at least one asset in the at least one real network;
  
  grouping the honeypot NX domain names and the real network NX domain names based on statistical similarities;
  
  creating at least one training vector, wherein the at least one training vector is created by;
  
  computing various statistical values for at least one group of the honeypot NX domain names, andcollecting the various statistical values for the at least one group of the honeypot NX domain names in at least one vector;
  
  creating, using the real network NX domain names, a plurality of testing vectors, wherein the plurality of testing vectors are created by;
  
  computing various statistical values for at least one group of the real network NX domain names, andcollecting the various statistical values for the at least one group of the real network NX domain names in the plurality of testing vectors;
  
  classifying each of the testing vectors as benign vectors or malicious vectors based on the at least one training vector; and
  
  classifying the at least one asset in the at least one real network as infected if at least one of the plurality of testing vectors is classified as a malicious vector.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the at least one application is further configured for classifying previously unclassified malware from the honeypot NX domain names.
  - 12. The system of claim 10, wherein only domain name system (DNS) NX domain name information is utilized to classify the at least one asset as infected.
  - 13. The system of claim 10, wherein only NX domain traffic is utilized.
  - 14. The system of claim 10, wherein a meta-classifier is utilized to classify the testing vectors as benign vectors or malicious vectors.
  - 15. The system of claim 14, wherein the meta-classifier provides intelligence for identifying new malware.
  - 16. The system of claim 10, wherein the classifying of the testing vectors is done using at least one meta-classifier, the at least one meta-classifier comprising at least one generic classifier.
  - 17. The system of claim 10, wherein the at least one application is further configured for classifying previously classified malware from the honeypot NX domain names.
  - 18. The system of claim 10, wherein the honeypot NX domain names collected from the at least one known infected asset and the real network NX domain names collected from the at least one asset are grouped into sets of 10 using absolute timing sequence information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc.
Original Assignee
Help/Systems LLC
Inventors
Antonakakis, Emmanouil, Perdisci, Robert, Lee, Wenke, Ollmann, Gunter
Primary Examiner(s)
Thiaw, Catherine

Application Number

US15/384,025
Publication Number

US 20170201536A1
Time in Patent Office

841 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 9/45508   Runtime interpretation or e...

G06N 20/00   Machine learning

H04L 61/4511   using domain name system [DNS]

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

H04L 9/40   Network security protocols

Method and system for detecting malware

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

286 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting malware

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

286 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links