Distributed traffic pattern analysis and entropy prediction for detecting malware in a network environment

US 9,380,066 B2
Filed: 03/29/2013
Issued: 06/28/2016
Est. Priority Date: 03/29/2013
Status: Expired due to Fees

First Claim

Patent Images

1. At least one non-transitory machine readable storage medium having instructions stored thereon to detect malware, the instructions when executed by at least one processor cause the processor to:

select a genetic program based, at least in part, on a type of manipulation to be performed by the genetic program on one or more streams of context information of a potentially affected system;

receive an entropy rate associated with the potentially affected system, wherein the received entropy rate was generated, at least in part, from an output stream of manipulated context information produced by the genetic program manipulating one or more streams of context information related to, respectively, one or more events detected on the potentially affected system, wherein a first stream of the one or more streams of context information includes one or more context elements observed in response to a first event being detected on the potentially affected system;

compare the received entropy rate to an average entropy rate; and

determine a probability that the potentially affected system is infected with malware, the probability based, at least in part, on a result of the comparison.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies are provided in embodiments to detect malware. The embodiments are configured to receive an entropy rate of a potentially affected system. The embodiments are further configured to compare the entropy rate to an average entropy rate, and to determine a probability that the potentially affected system is infected with malware. The probability is based, at least in part, on a result of the comparison. More specific embodiments can include the received entropy rate being generated, at a least in part, by a genetic program. Additional embodiments can include a configuration to provide the potentially affected system with a specified time-span associated with the genetic program. The specified time-span indicates an amount of time to observe context information on the potentially affected system. In at least some embodiments, the result of the comparison includes an indicator of whether the entropy rate correlates to an infected system or a healthy system.

15 Citations

View as Search Results

25 Claims

1. At least one non-transitory machine readable storage medium having instructions stored thereon to detect malware, the instructions when executed by at least one processor cause the processor to:
- select a genetic program based, at least in part, on a type of manipulation to be performed by the genetic program on one or more streams of context information of a potentially affected system;
  
  receive an entropy rate associated with the potentially affected system, wherein the received entropy rate was generated, at least in part, from an output stream of manipulated context information produced by the genetic program manipulating one or more streams of context information related to, respectively, one or more events detected on the potentially affected system, wherein a first stream of the one or more streams of context information includes one or more context elements observed in response to a first event being detected on the potentially affected system;
  
  compare the received entropy rate to an average entropy rate; and
  
  determine a probability that the potentially affected system is infected with malware, the probability based, at least in part, on a result of the comparison.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 24, 25)
- - 2. The medium of claim 1, wherein the average entropy rate is an average of one or more entropy rates of one or more respective computing devices, wherein the one or more entropy rates are generated, at least in part, by the genetic program.
  - 3. The medium of claim 1, wherein the instructions when executed by the processor further cause the processor to:
    - provide the genetic program to the potentially affected system for execution on the potentially affected system.
  - 4. The medium of claim 1, wherein the instructions when executed by the processor further cause the processor to:
    - provide a specified time-span associated with the genetic program, wherein the specified time-span indicates an amount of time to observe context information on the potentially affected system.
  - 5. The medium of claim 1, wherein the result of the comparison includes an indicator of whether the received entropy rate correlates to an infected system or a healthy system.
  - 6. The medium of claim 5, wherein the instructions when executed by the processor further cause the processor to:
    - evaluate the indicator together with one or more other indicators, the one or more other indicators being previously determined.
  - 7. The medium of claim 6, wherein the one or more other indicators were determined based, at least in part, on one or more other respective entropy rates of the potentially affected system, wherein the one or more other entropy rates were generated, at least in part, by one or more other respective genetic programs.
  - 8. The medium of claim 1, wherein the instructions when executed by the processor further cause the processor to:
    - take an action based, at least in part, on the probability of infection.
  - 9. The medium of claim 8, wherein the action is taken based on the probability of infection relative to a predetermined threshold.
  - 10. The medium of claim 8, wherein the action is taken if the probability of infection increases relative to a previous probability of infection or an expected probability of infection.
  - 11. The medium of claim 10, wherein the action is one of a set of predefined actions that are taken as the probability of infection increases.
  - 12. The medium of claim 1, wherein the instructions when executed by the processor further cause the processor to:
    - select one or more genetic programs from a repository of genetic programs, wherein the selection of the one or more genetic programs is based, at least in part, on the probability of infection; and
      
      provide the selected one or more genetic programs to the potentially affected system.
  - 13. The medium of claim 12, wherein at least one of the genetic programs is configured to detect a specific type of malware.
  - 24. The medium of claim 1, wherein a second stream of the one or more streams of context information includes one or more other context elements observed in response to a second event being detected on the potentially affected system.
  - 25. The medium of claim 1, wherein the one or more context elements are related to the functioning of the potentially affected system when the first event is detected.

14. A system to detect malware, the apparatus comprising:
- at least one processor;
  
  at least one memory element; and
  
  an entropy rate comparison module configured to;
  
  select a genetic program based, at least in part, on a type of manipulation to be performed by the genetic program on one or more streams of context information of a potentially affected system;
  
  receive an entropy rate associated with the potentially affected system in a network environment, wherein the received entropy rate was generated, at least in part, from an output stream of manipulated context information produced by the genetic program manipulating one or more streams of context information related to, respectively, one or more events detected on the potentially affected system, wherein a first stream of the one or more streams of context information includes one or more context elements observed in response to a first event being detected on the potentially affected system;
  
  compare the received entropy rate to an average entropy rate; and
  
  determine a probability that the potentially affected system is infected with malware, the probability based, at least in part, on a result of the comparison.
- View Dependent Claims (15, 23)
- - 15. The system of claim 14, further comprising a genetic program selection module configured to:
    - provide the genetic program to the potentially affected system for execution on the potentially affected system.
  - 23. The system of claim 14, wherein the genetic program selection module is further configured to:
    - provide a specified time-span associated with the genetic program, wherein the specified time-span indicates an amount of time to observe context information on the potentially affected system.

16. A method for detecting malware, the method comprising:
- selecting a genetic program based, at least in part, on a type of manipulation to be performed by the genetic program on one or more streams of context information of a potentially affected system;
  
  receiving an entropy rate associated with the potentially affected system, wherein the received entropy rate was generated, at least in part, from an output stream of manipulated context information produced by the genetic program manipulating one or more streams of context information related to, respectively, one or more events detected on the potentially affected system, wherein a first stream of the one or more streams of context information includes one or more context elements observed in response to a first event being detected on the potentially affected system;
  
  comparing the received entropy rate to an average entropy rate; and
  
  determining a probability that the potentially affected system is infected with malware, the probability based, at least in part, on a result of the comparison.
- View Dependent Claims (17)
- - 17. The method of claim 16, further comprising:
    - taking an action based, at least in part, on the probability of infection.

18. A system comprising:
- at least one processor;
  
  at least one memory element; and
  
  an agent, when executed by the at least one processor,detect one or more events on a potentially affected system in real-time;
  
  generate one or more streams of context information corresponding to, respectively, the one or more events, wherein each stream of context information includes one or more context elements observed on the potentially affected system in response to one of the one or more events being detected;
  
  execute a genetic program to manipulate the one or more streams to produce an output stream of manipulated context information based, at least in part, on the manipulation of the one or more streams;
  
  generate an entropy rate by applying entropy encoding to the output stream of manipulated context information produced by the genetic program; and
  
  communicate the entropy rate to a backend system to determine whether the system is an infected system.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the manipulation includes performing at least one of deleting, sorting, adding, combining, and encrypting at least one context element of at least one of the streams.
  - 20. The system of claim 18, wherein the agent is further configured to:
    - receive a second genetic program to execute, wherein the second genetic program is configured to produce a new output stream by manipulating one or more new streams, wherein the manipulation of the one or more new streams is different than the manipulation of the other one or more streams.

21. At least one non-transitory machine readable storage medium having instructions stored thereon to detect malware, the instructions when executed by at least one processor cause the processor to:
- detect one or more events on a potentially affected system in real-time;
  
  generate one or more streams of context information corresponding to, respectively, the one or more events, wherein each stream of context information includes one or more context elements observed on the potentially affected system in response to one of the one or more events being detected;
  
  execute a genetic program to manipulate the one or more streams to produce an output stream of manipulated context information based, at least in part, on the manipulation of the one or more streams;
  
  generate an entropy rate by applying entropy encoding to the output stream of manipulated context information produced by the genetic program; and
  
  communicate the entropy rate to a backend system to determine whether the system is an infected system.
- View Dependent Claims (22)
- - 22. The medium of claim 21, wherein the instructions when executed by the processor further cause the processor to:
    - receive a second genetic program to execute, wherein the second genetic program is configured to produce a new output stream by manipulating one or more new streams, wherein the manipulation of the one or more new streams is different than the manipulation of the other one or more streams.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Hohndel, Dirk, van de Ven, Adriaan
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
Li, Mary

Application Number

US13/853,601
Publication Number

US 20140298461A1
Time in Patent Office

1,187 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06N 3/126   Evolutionary algorithms, e....

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

Distributed traffic pattern analysis and entropy prediction for detecting malware in a network environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed traffic pattern analysis and entropy prediction for detecting malware in a network environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links