Method and system for network-based detecting of malware from behavioral clustering

US 8,826,438 B2
Filed: 01/18/2011
Issued: 09/02/2014
Est. Priority Date: 01/19/2010
Status: Active Grant

First Claim

Patent Images

1. A computerized method for performing behavioral clustering of malware samples, comprising:

executing malware samples in a controlled computer environment for a predetermined time to obtain HTTP traffic;

clustering, using at least one processing device, the malware samples into at least one coarse-grain cluster based on network behavioral information measured from content of the HTTP traffic;

splitting, using the at least one processing device, the at least one coarse-grain cluster into at least two fine-grain cluster;

clustering, using the at least one processing device, the at least two fine-grain cluster into merged clusters; and

extracting, using the at least one processing device, network signatures from the HTTP traffic information for each merged cluster, the network signatures being indicative of malware infection.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized system and method for performing behavioral clustering of malware samples, comprising: executing malware samples in a controlled computer environment for a predetermined time to obtain HTTP traffic; clustering the malware samples into at least one cluster based on network behavioral information from the HTTP traffic; and extracting, using the at least one processor, network signatures from the HTTP traffic information for each cluster, the network signatures being indicative of malware infection.

201 Citations

16 Claims

1. A computerized method for performing behavioral clustering of malware samples, comprising:
- executing malware samples in a controlled computer environment for a predetermined time to obtain HTTP traffic;
  
  clustering, using at least one processing device, the malware samples into at least one coarse-grain cluster based on network behavioral information measured from content of the HTTP traffic;
  
  splitting, using the at least one processing device, the at least one coarse-grain cluster into at least two fine-grain cluster;
  
  clustering, using the at least one processing device, the at least two fine-grain cluster into merged clusters; and
  
  extracting, using the at least one processing device, network signatures from the HTTP traffic information for each merged cluster, the network signatures being indicative of malware infection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - pruning the network signatures that generate false positives.
  - 3. The method of claim 1, further comprising:
    - deploying the network signatures for each merged cluster in order to detect malicious outbound HTTP requests.
  - 4. The method of claim 1, wherein statistical features extracted from the HTTP traffic and structural features extracted from the HTTP traffic are utilized.
  - 5. The method of claim 1, wherein single-linkage hierarchical clustering and/or at least one DB index are utilized.
  - 6. The method of claim 1, further comprising utilizing at least one AV label graph to measure how well clustering was done.
  - 7. The method of claim 6, wherein the at least one AV label graph utilizes at least one cohesion index and/or at least one separation index.
  - 8. The method of claim 1, wherein network signatures that may generate false alarms are filtered out.

9. A computerized system for performing behavioral clustering of malware samples, comprising:
- at least one application executed by at least one processing device, the at least one application configured for;
  
  executing malware samples in a controlled computer environment for a predetermined time to obtain HTTP traffic;
  
  clustering, using the at least one processing device, the malware samples into at least one coarse-grain cluster based on network behavioral information measured from content of the HTTP traffic;
  
  splitting, using the at least one processing device, the at least one coarse-grain cluster into at least two fine-grain clusters;
  
  clustering, using the at least one processing device, the at least two fine-grain clusters into merged clusters; and
  
  extracting, using the at least one processing device, network signatures from the HTTP traffic information for each merged cluster, the network signatures being indicative of malware infection.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the at least one application is further configured for:
    - pruning the network signatures that generate false positives.
  - 11. The system of claim 9, wherein the at least one application is further configured for:
    - deploying the network signatures for each cluster in order to detect malicious outbound HTTP requests.
  - 12. The system of claim 9, wherein statistical features extracted from the HTTP traffic and structural features extracted from the HTTP traffic are utilized.
  - 13. The system of claim 9, wherein single-linkage hierarchical clustering and/or at least one DB index are utilized.
  - 14. The system of claim 9, wherein the at least one application is further configured for:
    - utilizing at least one AV label graph to measure how well clustering was done.
  - 15. The system of claim 14, wherein the system is further configured such that the at least one AV label graph utilizes at least one cohesion index and/or at least one separation index.
  - 16. The system of claim 9, wherein network signatures that may generate false alarms are filtered out.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc.
Original Assignee
Damballa Incorporated
Inventors
Perdisci, Roberto, Lee, Wenke, Ollmann, Gunter
Primary Examiner(s)
Gee, Jason K.
Assistant Examiner(s)
LWIN, MAUNG T

Application Number

US13/008,257
Publication Number

US 20110283361A1
Time in Patent Office

1,323 Days
Field of Search

726/24
US Class Current

726/24
CPC Class Codes

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Method and system for network-based detecting of malware from behavioral clustering

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

201 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Method and system for network-based detecting of malware from behavioral clustering

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

201 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others