BEHAVIORAL DETECTION OF MALWARE AGENTS
First Claim
1. A computing apparatus, comprising:
- a network interface operable for connecting to a data network; and
one or more hardware and/or software logic elements comprising a detection engine operable for;
inspecting a network packet provided on the network interface;
identifying a domain name server (DNS) request associated with the network packet, the DNS request having a time-to-live;
determining that the time-to-live of the DNS request is expired; and
designating the network packet as suspicious.
10 Assignments
0 Petitions
Accused Products
Abstract
In an example, a detection engine identifies potential malware objects according to behavior. In order to circumvent blacklists and fingerprint-based detection, a malware server may frequently change domain names, and change the fingerprints of distributed malware agents. A malware agent may perform only an initial DNS lookup, and thereafter communicate with the malware command-and-control server via “naked” HTTP packets using the raw IP address of the server. The detection engine identifies malware agents by this behavior. In one example, if an executable object makes repeated HTTP requests to an address after the DNS lookup “time to live” has expired, the object may be flagged as potential malware.
-
Citations
25 Claims
-
1. A computing apparatus, comprising:
-
a network interface operable for connecting to a data network; and one or more hardware and/or software logic elements comprising a detection engine operable for; inspecting a network packet provided on the network interface; identifying a domain name server (DNS) request associated with the network packet, the DNS request having a time-to-live; determining that the time-to-live of the DNS request is expired; and designating the network packet as suspicious. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
-
-
14. One or more computer-readable mediums having stored thereon executable instructions for providing a detection engine operable for:
-
inspecting a network packet; identifying a domain name server (DNS) request associated with the network packet, the DNS request having a time-to-live; determining that the time-to-live of the DNS request is expired; and designating the network packet as suspicious. - View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
-
-
24. A method of detecting a malware agent, comprising:
-
inspecting a network packet provided on the network interface; identifying a domain name server (DNS) request associated with the network packet, the DNS request having a time-to-live; determining that the time-to-live of the DNS request is expired; and designating the network packet and a parent process of the network packet as suspicious. - View Dependent Claims (25)
-
Specification