Method and apparatus for detecting malware infection

US 8,955,122 B2
Filed: 04/04/2008
Issued: 02/10/2015
Est. Priority Date: 04/04/2007
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a malware infection at a local host, the method comprising:

monitoring network communications between the local host and one or more entities external to the local host;

generating at least one dialog warning if the network communications include a transaction indicative of a malware infection at the local host;

declaring a malware infection at the local host when, within a limited period of time, the at least one dialog warning includes at least;

an outbound dialog warning indicating an outbound transaction indicative of the malware infection at the local host, where the outbound transaction is initiated at the local host, wherein the outbound dialog warning is generated by;

calculating a rate of outbound connections from the local host; and

generating the outbound dialog warning based at least partly on the rate of outbound connections from the local host exceeding a predefined threshold;

and an inbound dialog warning, separate from the outbound dialog warning, indicating an inbound transaction indicative of the malware infection at the local host, where the inbound transaction is initiated external to the local host and occurs prior to the outbound transaction, and wherein a combination of events comprising the outbound dialog warning and the inbound dialog warning is mapped to a defined infection sequence that specifies a series of events evidencing the malware infection; and

outputting an infection profile for the local host,wherein at least one of;

the monitoring, the generating the at least one dialog warning, the declaring, the calculating, the generating the outbound dialog warning or the outputting is performed by a processor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, the present invention is a method and apparatus for detecting malware infection. One embodiment of a method for detecting a malware infection at a local host in a network, includes monitoring communications between the local host and one or more entities external to the network, generating a dialog warning if the communications include a transaction indicative of a malware infection, declaring a malware infection if, within a predefined period of time, the dialog warnings includes at least one dialog warning indicating a transaction initiated at the local host and at least one dialog warning indicating an additional transaction indicative of a malware infection, and outputting an infection profile for the local host.

60 Citations

View as Search Results

16 Claims

1. A method for detecting a malware infection at a local host, the method comprising:
- monitoring network communications between the local host and one or more entities external to the local host;
  
  generating at least one dialog warning if the network communications include a transaction indicative of a malware infection at the local host;
  
  declaring a malware infection at the local host when, within a limited period of time, the at least one dialog warning includes at least;
  
  an outbound dialog warning indicating an outbound transaction indicative of the malware infection at the local host, where the outbound transaction is initiated at the local host, wherein the outbound dialog warning is generated by;
  
  calculating a rate of outbound connections from the local host; and
  
  generating the outbound dialog warning based at least partly on the rate of outbound connections from the local host exceeding a predefined threshold;
  
  and an inbound dialog warning, separate from the outbound dialog warning, indicating an inbound transaction indicative of the malware infection at the local host, where the inbound transaction is initiated external to the local host and occurs prior to the outbound transaction, and wherein a combination of events comprising the outbound dialog warning and the inbound dialog warning is mapped to a defined infection sequence that specifies a series of events evidencing the malware infection; and
  
  outputting an infection profile for the local host,wherein at least one of;
  
  the monitoring, the generating the at least one dialog warning, the declaring, the calculating, the generating the outbound dialog warning or the outputting is performed by a processor.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the generating comprises:
    - applying at least one rule file to the network communications; and
      
      outputting a dialog warning if one or more of the network communications satisfy the at least one rule file.
  - 3. The method of claim 1, wherein each of the outbound dialog warning and the inbound dialog warning indicates at least one of:
    - a scan attempt involving the local host, an exploit at the local host, a binary download at the local host, or a command and control communication involving the local host.
  - 4. The method of claim 1, wherein the infection profile includes at least one of:
    - a confidence score indicative of a likelihood that the local host is infected with malware, an Internet Protocol address of the local host, at least one Internet Protocol address associated with a source of the malware infection, at least one Internet Protocol address associated with a command and control server, at least one transaction indicative of the malware infection, and a time range of the malware infection.

5. A computer readable storage device containing an executable program for detecting a malware infection at a local host, where the program performs the steps of:
- monitoring network communications between the local host and one or more entities external to the local host;
  
  generating at least one dialog warning if the network communications include a transaction indicative of a malware infection at the local host;
  
  declaring a malware infection at the local host when, within a limited period of time, the at least one dialog warning includes at least;
  
  an outbound dialog warning indicating an outbound transaction indicative of the malware infection at the local host, where the outbound transaction is initiated at the local host, wherein the outbound dialog warning is generated by;
  
  calculating a failure rate of outbound connections from the local host;
  
  andgenerating the outbound dialog warning based at least partly on the failure rate of outbound connections from the local host exceeding a predefined threshold;
  
  and an inbound dialog warning, separate from the outbound dialog warning, indicating an inbound transaction indicative of the malware infection at the local host, where the inbound transaction is initiated external to the local host and occurs prior to the outbound transaction, and wherein a combination of events comprising the outbound dialog warning and the inbound dialog warning is mapped to a defined infection sequence that specifies a series of events evidencing the malware infection; and
  
  outputting an infection profile for the local host.
- View Dependent Claims (6, 7, 8)
- - 6. The computer readable storage device of claim 5, wherein the generating comprises:
    - applying at least one rule file to the network communications; and
      
      outputting a dialog warning if one or more of the network communications satisfy the at least one rule file.
  - 7. The computer readable storage device of claim 5, wherein each of the outbound dialog warning and the inbound dialog warning indicates at least one of:
    - a scan attempt involving the local host, an exploit at the local host, a binary download at the local host, or a command and control communication involving the local host.
  - 8. The computer readable storage device of claim 5, wherein the infection profile includes at least one of:
    - a confidence score indicative of a likelihood that the local host is infected with malware, an Internet Protocol address of the local host, at least one Internet Protocol address associated with a source of the malware infection, at least one Internet Protocol address associated with a command and control server, at least one transaction indicative of the malware infection, and a time range of the malware infection.

9. A system for detecting a malware infection at a local host, the system comprising:
- one or more processors for monitoring network communications between the local host and one or more entities external to the local host and for generating at least one dialog warning if the network communications include a transaction indicative of a malware infection at the local host;
  
  a correlator for declaring a malware infection at the local host when, within a limited period of time, the at least one dialog warning includes at least;
  
  an outbound dialog warning indicating an outbound transaction indicative of the malware infection at the local host, where the outbound transaction is initiated at the local host, wherein the outbound dialog warning is generated by;
  
  calculating a rate of outbound connections from the local host;
  
  andgenerating the outbound dialog warning based at least partly on the rate of outbound connections from the local host exceeding a predefined threshold;
  
  and an inbound dialog warning, separate from the outbound dialog warning, indicating an inbound transaction indicative of the malware infection at the local host, where the inbound transaction is initiated external to the local host and occurs prior to the outbound transaction, and wherein a combination of events comprising the outbound dialog warning and the inbound dialog warning is mapped to a defined infection sequence that specifies a series of events evidencing the malware infection; and
  
  an output device for outputting an infection profile for the local host.
- View Dependent Claims (10, 11, 12)
- - 10. The system of claim 9, wherein the one or more processors includes a rule-based intrusion detection/prevention system that monitors the network communications by:
    - applying at least one rule file to the network communications; and
      
      outputting a dialog warning if one or more of the network communications satisfy the at least one rule file.
  - 11. The system of claim 9, wherein each of the outbound dialog warning and the inbound dialog warning indicates at least one of:
    - a scan attempt involving the local host, an exploit at the local host, a binary download at the local host, or a command and control communication involving the local host.
  - 12. The system of claim 9, wherein the infection profile includes at least one of:
    - a confidence score indicative of a likelihood that the local host is infected with malware, an Internet Protocol address of the local host, at least one Internet Protocol address associated with a source of the malware infection, at least one Internet Protocol address associated with a command and control server, at least one transaction indicative of the malware infection, and a time range of the malware infection.

13. A method for detecting a malware infection at a local host, the method comprising:
- monitoring network communications between the local host and one or more entities external to the local host;
  
  generating at least one dialog warning if the network communications include a transaction indicative of a malware infection at the local host;
  
  declaring a malware infection at the local host when, within a limited period of time, the at least one dialog warning includes at least;
  
  an outbound dialog warning indicating an outbound transaction indicative of the malware infection at the local host, where the outbound transaction is initiated at the local host, wherein the outbound dialog warning is generated by;
  
  calculating a failure rate of outbound connections from the local host;
  
  andgenerating the outbound dialog warning based at least partly on the failure rate of outbound connections from the local host exceeding a predefined threshold;
  
  and an inbound dialog warning, separate from the outbound dialog warning, indicating an inbound transaction indicative of the malware infection at the local host, where the inbound transaction is initiated external to the local host and occurs prior to the outbound transaction, and wherein a combination of events comprising the outbound dialog warning and the inbound dialog warning is mapped to a defined infection sequence that specifies a series of events evidencing the malware infection; and
  
  outputting an infection profile for the local host, wherein at least one of;
  
  the monitoring, the generating the at least one dialog warning, the declaring, the calculating, the generating the outbound dialog warning, or the outputting is performed by a processor.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, wherein the generating comprises:
    - applying at least one rule file to the network communications; and
      
      outputting a dialog warning if one or more of the network communications satisfy the at least one rule file.
  - 15. The method of claim 13, wherein each of the outbound dialog warning and the inbound dialog warning indicates at least one of:
    - a scan attempt involving the local host, an exploit at the local host, a binary download at the local host, or a command and control communication involving the local host.
  - 16. The method of claim 13, wherein the infection profile includes at least one of:
    - a confidence score indicative of a likelihood that the local host is infected with malware, an Internet Protocol address of the local host, at least one Internet Protocol address associated with a source of the malware infection, at least one Internet Protocol address associated with a command and control server, at least one transaction indicative of the malware infection, and a time range of the malware infection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Gu, Guofei, Porras, Phillip Andrew, Fong, Martin
Primary Examiner(s)
Eskandarnia, Arvin
Assistant Examiner(s)
DESAI, MARGISHI V

Application Number

US12/098,334
Publication Number

US 20090172815A1
Time in Patent Office

2,503 Days
Field of Search

713/188, 713/201, 713/200, 714/57, 726/24, 726/23
US Class Current

726/23
CPC Class Codes

G06F 11/3495   for systems

G06F 21/552   involving long-term monitor...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

H04L 2463/144   Detection or countermeasure...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

Method and apparatus for detecting malware infection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

60 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting malware infection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links