Detection of malware beaconing activities

US 9,369,479 B2
Filed: 04/20/2015
Issued: 06/14/2016
Est. Priority Date: 06/25/2012
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

identify a plurality of communication events between a dynamically assigned address and an external destination;

determine that the dynamically assigned address maps to a statically assigned address associated with an internal device;

generate a conversation between the internal device and the external destination based at least in part on the plurality of communication events;

extract feature sets based at least in part on the conversation between the internal device and the external destination; and

determine whether the conversation between the internal device and the external destination is anomalous based at least in part on the extracted feature sets; and

a memory coupled to the processor and configured to store the extracted feature sets.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Malware beaconing activity detection is disclosed, including: monitoring a plurality of conversations between an internal device and one or more external destinations; extracting feature sets based at least in part on the plurality of conversations; and determining that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets.

90 Citations

View as Search Results

19 Claims

1. A system, comprising:
- a processor configured to;
  
  identify a plurality of communication events between a dynamically assigned address and an external destination;
  
  determine that the dynamically assigned address maps to a statically assigned address associated with an internal device;
  
  generate a conversation between the internal device and the external destination based at least in part on the plurality of communication events;
  
  extract feature sets based at least in part on the conversation between the internal device and the external destination; and
  
  determine whether the conversation between the internal device and the external destination is anomalous based at least in part on the extracted feature sets; and
  
  a memory coupled to the processor and configured to store the extracted feature sets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the external destination comprises an external IP address outside of an enterprise network.
  - 3. The system of claim 1, wherein the plurality of communication events is identified based at least in part on one or more of the following:
    - firewall logs, proxy logs, and dynamic host configuration protocol (DHCP) logs.
  - 4. The system of claim 1, wherein in the event that the conversation between the internal device and the external destination is determined to be anomalous, the processor is further configured to determine that the conversation is potentially indicative of malware being present at the internal device.
  - 5. The system of claim 1, wherein to determine whether the conversation between the internal device and the external destination is anomalous includes to build a model based at least in part on at least some of the feature sets and a plurality of historical conversations.
  - 6. The system of claim 5, wherein at least some of the extracted feature sets are input into the model and the model is configured to determine whether the conversation is anomalous based on the inputted feature sets.
  - 7. The system of claim 1, wherein one of the feature sets includes a feature associated with an age of the internal device.
  - 8. The system of claim 1, wherein one of the feature sets includes a feature associated with a service of the external destination.
  - 9. The system of claim 1, wherein one of the feature sets includes a feature associated with an age of the external destination.
  - 10. The system of claim 1, wherein one of the feature sets includes a feature associated with a geolocation of the external destination.
  - 11. The system of claim 1, wherein in the event that the conversation between the internal device and the external destination is determined to be anomalous, the processor is further configured to present information associated with the conversation.

12. A method, comprising:
- identifying a plurality of communication events between a dynamically assigned address and an external destination;
  
  determining, using a processor, that the dynamically assigned address maps to a statically assigned address associated with an internal device;
  
  generating a conversation between the internal device and the external destination based at least in part on the plurality of communication events;
  
  extracting feature sets based at least in part on the conversation between the internal device and the external destination; and
  
  determining whether the conversation between the internal device and the external destination is anomalous based at least in part on the extracted feature sets.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12, wherein the external destination comprises an external IP address outside of an enterprise network.
  - 14. The method of claim 12, wherein the plurality of communication events is identified based at least in part on one or more of the following:
    - firewall logs, proxy logs, and dynamic host configuration protocol (DHCP) logs.
  - 15. The method of claim 12, wherein in the event that the conversation between the internal device and the external destination is determined to be anomalous, determining that the conversation is potentially indicative of malware being present at the internal device.
  - 16. The method of claim 12, wherein determining whether the conversation between the internal device and the external destination is anomalous includes building a model based at least in part on at least some of the feature sets and a plurality of historical conversations.
  - 17. The method of claim 16, wherein at least some of the extracted feature sets are input into the model and the model is configured to determine whether the conversation is anomalous based on the inputted feature sets.
  - 18. The method of claim 12, wherein one of the feature sets includes a feature associated with an age of the internal device.
  - 19. The method of claim 12, wherein one of the feature sets includes a feature associated with an age of the external destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Lin, Derek
Primary Examiner(s)
MOORTHY, ARAVIND K

Application Number

US14/690,771
Publication Number

US 20150304350A1
Time in Patent Office

421 Days
Field of Search

726/23, 726/11, 726/13, 713/153, 713/154, 713/168, 713/170, 709/224, 709/225
US Class Current

1/1
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Detection of malware beaconing activities

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Detection of malware beaconing activities

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others