DISTRIBUTED TRAFFIC PATTERN ANALYSIS AND ENTROPY PREDICTION FOR DETECTING MALWARE IN A NETWORK ENVIRONMENT

US 20140298461A1
Filed: 03/29/2013
Published: 10/02/2014
Est. Priority Date: 03/29/2013
Status: Active Grant

First Claim

Patent Images

1. At least one machine readable storage medium having instructions stored thereon to detect malware, the instructions when executed by at least one processor cause the processor to:

receive an entropy rate of a potentially affected system;

compare the received entropy rate to an average entropy rate; and

determine a probability that the potentially affected system is infected with malware, the probability based, at least in part, on a result of the comparison.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies are provided in embodiments to detect malware. The embodiments are configured to receive an entropy rate of a potentially affected system. The embodiments are further configured to compare the entropy rate to an average entropy rate, and to determine a probability that the potentially affected system is infected with malware. The probability is based, at least in part, on a result of the comparison. More specific embodiments can include the received entropy rate being generated, at a least in part, by a genetic program. Additional embodiments can include a configuration to provide the potentially affected system with a specified time-span associated with the genetic program. The specified time-span indicates an amount of time to observe context information on the potentially affected system. In at least some embodiments, the result of the comparison includes an indicator of whether the entropy rate correlates to an infected system or a healthy system.

151 Citations

25 Claims

1. At least one machine readable storage medium having instructions stored thereon to detect malware, the instructions when executed by at least one processor cause the processor to:
- receive an entropy rate of a potentially affected system;
  
  compare the received entropy rate to an average entropy rate; and
  
  determine a probability that the potentially affected system is infected with malware, the probability based, at least in part, on a result of the comparison.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The medium of claim 1, wherein the received entropy rate is generated, at least in part, by a genetic program.
  - 3. The medium of claim 2, wherein the average entropy rate is an average of one or more entropy rates of one or more respective computing devices, wherein the one or more entropy rates are generated, at least in part, by the genetic program.
  - 4. The medium of claim 3, wherein the computing devices are not infected with malware.
  - 5. The medium of claim 2, wherein the instructions when executed by the processor further cause the processor to:
    - select the genetic program from a repository of genetic programs; and
      
      provide the genetic program to the potentially affected system.
  - 6. The medium of claim 2, wherein the instructions when executed by the processor further cause the processor to:
    - provide a specified time-span associated with the genetic program, wherein the specified time-span indicates an amount of time to observe context information on the potentially affected system.
  - 7. The medium of claim 1, wherein the result of the comparison includes an indicator of whether the received entropy rate correlates to an infected system or a healthy system.
  - 8. The medium of claim 7, wherein the instructions when executed by the processor further cause the processor to:
    - evaluate the indicator together with one or more other indicators, the one or more other indicators being previously determined.
  - 9. The medium of claim 8, wherein the one or more other indicators were determined based, at least in part, on one or more other respective entropy rates of the potentially affected system, wherein the received entropy rate was generated, at least in part, by a genetic program, and wherein the one or more other entropy rates were generated, at least in part, by one or more other respective genetic programs.
  - 10. The medium of claim 1, wherein the instructions when executed by the processor further cause the processor to:
    - take an action based, at least in part, on the probability of infection.
  - 11. The medium of claim 10, wherein the action is taken if the probability of infection reaches a predetermined threshold.
  - 12. The medium of claim 10, wherein the action is taken if the probability of infection increases relative to a previous probability of infection or an expected probability of infection.
  - 13. The medium of claim 12, wherein the action is one of a set of predefined actions that are taken as the probability of infection increases.
  - 14. The medium of claim 1, wherein the instructions when executed by the processor further cause the processor to:
    - select one or more genetic programs from a repository of genetic programs, wherein the selection of the one or more genetic programs is based, at least in part, on the probability of infection; and
      
      provide the selected one or more genetic programs to the potentially affected system.
  - 15. The medium of claim 14, wherein at least one of the genetic programs is configured to detect a specific type of malware.

16. A system to detect malware, the apparatus comprising:
- at least one processor;
  
  at least one memory element; and
  
  an entropy rate comparison module configured to;
  
  receive an entropy rate of a potentially affected system in a network environment;
  
  compare the received entropy rate to an average entropy rate; and
  
  determine a probability that the potentially affected system is infected with malware, the probability based, at least in part, on a result of the comparison.
- View Dependent Claims (17)
- - 17. The system of claim 16, further comprising a genetic program selection module configured to:
    - select a genetic program from a repository of genetic programs; and
      
      provide the genetic program to the potentially affected system, wherein the received entropy rate is generated, at least in part, by the genetic program.

18. A method for detecting malware, the method comprising:
- receiving an entropy rate of a potentially affected system;
  
  comparing the received entropy rate to an average entropy rate; and
  
  determining a probability that the potentially affected system is infected with malware, the probability based, at least in part, on a result of the comparison.
- View Dependent Claims (19)
- - 19. The method of claim 18, further comprising:
    - taking an action based, at least in part, on the probability of infection.

20. A system comprising:
- at least one processor;
  
  at least one memory element; and
  
  an agent configured to;
  
  generate one or more streams of context information of the system for one or more events;
  
  execute a genetic program to produce an output stream of manipulated context information based, at least in part, on the one or more streams;
  
  apply entropy encoding to the output stream to generate an entropy rate; and
  
  communicate the entropy rate to a backend system to determine whether the system is an infected system.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The system of claim 20, wherein the agent is further configured to:
    - detect one or more events on the system, wherein each of the one or more streams corresponds to a different one of the events.
  - 22. The system of claim 20, wherein the genetic program is configured to:
    - manipulate the one or more streams to produce the output stream of manipulated context information.
  - 23. The system of claim 22, wherein the manipulation includes performing at least one of deleting, sorting, adding, combining, and encrypting at least one context element of at least one of the streams.
  - 24. The system of claim 22, wherein the agent is further configured to:
    - receive a second genetic program to execute, wherein the second genetic program is configured to produce a new output stream by manipulating one or more new streams, wherein the manipulation of the one or more new streams is different than the manipulation of the other one or more streams.

25. At least one machine readable storage medium having instructions stored thereon to detect malware, the instructions when executed by at least one processor cause the processor to:
- generate one or more streams of context information of a potentially affected system for one or more events;
  
  execute a genetic program to produce an output stream of manipulated context information based, at least in part, on the one or more streams;
  
  apply entropy encoding to the output stream to generate an entropy rate; and
  
  communicate the entropy rate to a backend system to determine whether the system is an infected system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Hohndel, Dirk, van de Ven, Adriaan

Granted Patent

US 9,380,066 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06N 3/126   Evolutionary algorithms, e....

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

DISTRIBUTED TRAFFIC PATTERN ANALYSIS AND ENTROPY PREDICTION FOR DETECTING MALWARE IN A NETWORK ENVIRONMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

151 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

DISTRIBUTED TRAFFIC PATTERN ANALYSIS AND ENTROPY PREDICTION FOR DETECTING MALWARE IN A NETWORK ENVIRONMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

151 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others