BEHAVIORAL DETECTION OF MALWARE AGENTS

US 20160094569A1
Filed: 09/25/2014
Published: 03/31/2016
Est. Priority Date: 09/25/2014
Status: Active Grant

First Claim

Patent Images

1. A computing apparatus, comprising:

a network interface operable for connecting to a data network; and

one or more hardware and/or software logic elements comprising a detection engine operable for;

inspecting a network packet provided on the network interface;

identifying a domain name server (DNS) request associated with the network packet, the DNS request having a time-to-live;

determining that the time-to-live of the DNS request is expired; and

designating the network packet as suspicious.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, a detection engine identifies potential malware objects according to behavior. In order to circumvent blacklists and fingerprint-based detection, a malware server may frequently change domain names, and change the fingerprints of distributed malware agents. A malware agent may perform only an initial DNS lookup, and thereafter communicate with the malware command-and-control server via “naked” HTTP packets using the raw IP address of the server. The detection engine identifies malware agents by this behavior. In one example, if an executable object makes repeated HTTP requests to an address after the DNS lookup “time to live” has expired, the object may be flagged as potential malware.

Citations

25 Claims

1. A computing apparatus, comprising:
- a network interface operable for connecting to a data network; and
  
  one or more hardware and/or software logic elements comprising a detection engine operable for;
  
  inspecting a network packet provided on the network interface;
  
  identifying a domain name server (DNS) request associated with the network packet, the DNS request having a time-to-live;
  
  determining that the time-to-live of the DNS request is expired; and
  
  designating the network packet as suspicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computing apparatus of claim 1, wherein the detection engine is further operable for designating a parent process of the network packet as suspicious.
  - 3. The computing apparatus of claim 1, wherein the detection engine is further operable for:
    - determining that the packet belongs to a parent process that previously provided at least one other network packet with an expired DNS request; and
      
      designating the network packet as malware.
  - 4. The computing apparatus of claim 3, wherein the detection engine is further operable for designating the parent process as malware.
  - 5. The computing apparatus of claim 3, wherein determining that the network packet belongs to a parent process that has previously provided at least one other network packet with an expired DNS request comprises determining that the number of network packets with an expired DNS request is greater than a threshold greater than one.
  - 6. The computing apparatus of claim 3, wherein the detection engine is further operable for not designating the network packet as malware if the at least one other network packet with an expired DNS request occurred before an intervening DNS request.
  - 7. The computing apparatus of claim 3, wherein the detection engine is further operable for taking remediative action on the parent process.
  - 8. The computing apparatus of claim 3, wherein the detection engine is further operable for:
    - determining that the parent process is designated on a whitelist; and
      
      taking no remediative action on the parent process.
  - 9. The computing apparatus of claim 1, wherein the detection engine is further operable for notifying a security server of the network packet.
  - 10. The computing apparatus of claim 7, wherein the detection engine is further operable for receiving threat intelligence from the security server.
  - 11. The computing apparatus of claim 1, wherein the detection engine is further operable for classifying incoming traffic as one of DNS, hypertext transfer protocol (HTTP), and other traffic.
  - 12. The computing apparatus of claim 11, wherein the detection engine is further operable for ignoring traffic classified as other traffic.
  - 13. The computing apparatus of claim 1, wherein the detection engine is further operable for:
    - detecting a DNS request; and
      
      storing response parameters for the DNS request.

14. One or more computer-readable mediums having stored thereon executable instructions for providing a detection engine operable for:
- inspecting a network packet;
  
  identifying a domain name server (DNS) request associated with the network packet, the DNS request having a time-to-live;
  
  determining that the time-to-live of the DNS request is expired; and
  
  designating the network packet as suspicious.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The one or more computer-readable mediums of claim 14, wherein the detection engine is further operable for designating a parent process of the network packet as suspicious.
  - 16. The one or more computer-readable mediums of claim 14, wherein the detection engine is further operable for:
    - determining that the network packet belongs to a parent process that has previously provided at least one other network packet with an expired DNS request; and
      
      designating the network packet as malware.
  - 17. The one or more computer-readable mediums of claim 16, wherein the detection engine is further operable for designating the parent process as malware.
  - 18. The one or more computer-readable mediums of claim 16, wherein determining that the packet belongs to a parent process that has previously provided at least one other network packet with an expired DNS request comprises determining that the number of network packets with an expired DNS request is greater than a threshold greater than one.
  - 19. The one or more computer-readable mediums of claim 16, wherein the detection engine is further operable for not designating the network packet as malware if the at least one other network packet with an expired DNS request occurred before an intervening DNS request.
  - 20. The one or more computer-readable mediums of claim 16, wherein the detection engine is further operable for taking remediative action on the parent process.
  - 21. The one or more computer-readable mediums of claim 16, wherein the detection engine is further operable for:
    - determining that the parent process is designated on a whitelist; and
      
      taking no remediative action on the parent process.
  - 22. The one or more computer-readable mediums of claim 14-21, wherein the detection engine is further operable for notifying a security server of the network packet.
  - 23. The one or more computer-readable mediums of claim 22, wherein the detection engine is further operable for receiving threat intelligence from the security server.

24. A method of detecting a malware agent, comprising:
- inspecting a network packet provided on the network interface;
  
  identifying a domain name server (DNS) request associated with the network packet, the DNS request having a time-to-live;
  
  determining that the time-to-live of the DNS request is expired; and
  
  designating the network packet and a parent process of the network packet as suspicious.
- View Dependent Claims (25)
- - 25. The method of claim 24, further comprising:
    - determining that the parent process has previously provided at least one other network packet with an expired DNS request; and
      
      designating the network packet and the parent process as malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Mondiguing, Stephen, Cruz, Benjamin

Granted Patent

US 9,876,806 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2463/142   Denial of service attacks a...

H04L 2463/144   Detection or countermeasure...

H04L 61/4511   using domain name system [DNS]

H04L 63/1416   Event detection, e.g. attac...

BEHAVIORAL DETECTION OF MALWARE AGENTS

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

BEHAVIORAL DETECTION OF MALWARE AGENTS

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links