Historical analysis to identify malicious activity

US 9,680,861 B2
Filed: 08/30/2013
Issued: 06/13/2017
Est. Priority Date: 08/31/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

gathering and storing, using at least one processor in communication with a network, historical network data associated with a plurality of hardware assets associated with the network;

detecting a malware infection of at least one asset within the plurality of hardware assets associated with the network, wherein the detecting is not based on the historical network data;

responsive to the detecting the malware infection, identifying, with the at least one processor in communication with the network, historical network data associated with the at least one infected asset associated with the network, the historical network data having been gathered prior to the detection of the malware infection;

responsive to the detecting the malware infection, analyzing, with the at least one processor, the identified historical network data to determine whether a subset of the identified historical network data is associated with the malware infection of the at least one infected asset; and

present, using the at least one processor, a notification that the at least one asset is infected with malware and the analyzed identified historical network data to a user.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods may use historical analysis to identify malicious activity. A discovery/recovery system may comprise a processor in communication with a network and in communication with a database. The discovery/recovery system may gather filtered historical network data associated with an asset associated with the network. The discovery/recovery system may analyze the filtered historical network data to determine whether a subset of the filtered historical network data is associated with a malware infection of the asset.

263 Citations

30 Claims

1. A method comprising:
- gathering and storing, using at least one processor in communication with a network, historical network data associated with a plurality of hardware assets associated with the network;
  
  detecting a malware infection of at least one asset within the plurality of hardware assets associated with the network, wherein the detecting is not based on the historical network data;
  
  responsive to the detecting the malware infection, identifying, with the at least one processor in communication with the network, historical network data associated with the at least one infected asset associated with the network, the historical network data having been gathered prior to the detection of the malware infection;
  
  responsive to the detecting the malware infection, analyzing, with the at least one processor, the identified historical network data to determine whether a subset of the identified historical network data is associated with the malware infection of the at least one infected asset; and
  
  present, using the at least one processor, a notification that the at least one asset is infected with malware and the analyzed identified historical network data to a user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the identified historical network data comprises historical network communication data.
  - 3. The method of claim 2, wherein the analyzing comprises identifying a destination and/or source associated with the historical network communication data and identifying a reputation associated with the destination and/or source, measuring a statistical feature of a new destination and/or source associated with the historical network communication data and determining a likely reputation of the new destination and/or source, analyzing a header associated with the historical network communication data, and/or analyzing a referrer associated with the historical network communication data.
  - 4. The method of claim 3, wherein:
    - the destination and/or source comprises a domain, an IP address, a URL path, and/or a resource; and
      
      the new destination and/or source comprises a domain, an IP address, a URL path, and/or a resource.
  - 5. The method of claim 1, wherein the identified historical network data comprises an historical network file download.
  - 6. The method of claim 5, wherein the analyzing comprises identifying a source associated with the historical network file download and identifying a reputation associated with the source, measuring a statistical feature of a new source associated with the historical network file download and determining a likely reputation of the new source, analyzing the historical network file download using a third party commodity, identifying a static structure of the historical network file download, identifying a behavioral trait of the historical network file download, and/or allowing a file associated with the historical network file download to execute and examining a result of the executing.
  - 7. The method of claim 6, wherein:
    - the source comprises a domain, an IP address, a URL path, and/or a resource; and
      
      the new source comprises a domain, an IP address, a URL path, and/or a resource.
  - 8. The method of claim 1, wherein the identified historical network communication data comprises suspicious network traffic.
  - 9. The method of claim 8, further comprising:
    - monitoring, with the at least one processor, network traffic to and/or from the at least one asset associated with the network;
      
      assessing, with the at least one processor, the network traffic to determine a destination and/or source for the network traffic and/or content of the network traffic;
      
      determining, with the at least one processor, whether the network traffic is suspicious network traffic based on the assessed destination and/or source and/or content; and
      
      capturing, with the at least one processor, metadata associated with the suspicious network traffic and storing the metadata in a database in communication with the at least one processor.
  - 10. The method of claim 9, wherein the monitoring comprises monitoring a transport protocol of the network traffic, monitoring an application protocol of the network traffic, monitoring a destination and/or source of the network traffic, and/or monitoring content of the network traffic.
  - 11. The method of claim 9, wherein the determining whether the network traffic is suspicious network traffic is based on a low reputation score associated with the destination and/or source for the network traffic, a suspicious DGA cluster associated with the destination and/or source for the network traffic, a suspicious DGA cluster associated with the content of the network traffic, and/or a suspicious content element within the content of the network traffic.
  - 12. The method of claim 9, further comprising:
    - when the network traffic is determined to be suspicious network traffic, indexing, with the at least one processor, the metadata.
  - 13. The method of claim 9, wherein the metadata comprises a source port, a destination port, a transport protocol, an application protocol, a time stamp, a duration, a source identifier, a destination identifier, a bytes in count, a bytes out count, a connection success indicator, a connection status, a DNS RR set, HTTP data, a file within the content of the network traffic, the content of the network traffic, and/or a subsequent communication.
  - 14. The method of claim 9, further comprising:
    - when the network traffic is determined to be suspicious network traffic, sending, with the at least one processor, a report indicating that the network traffic is determined to be suspicious network traffic to a display in communication with the at least one processor.
  - 15. The method of claim 9, wherein determining whether the network traffic is suspicious network traffic comprises determining that all traffic to and/or from the at least one asset is suspicious network traffic when the at least one asset is an asset with a potential malware infection.

16. A system comprising:
- a non-transitory device comprising at least one processor in communication with a network and in communication with a database, the at least one processor being constructed and arranged to;
  
  gather and store, using the at least one processor, historical network data associated with a plurality of hardware assets associated with the network;
  
  detect a malware infection of at least one asset within the plurality of hardware assets associated with the network, wherein the detecting is not based on the historical network data;
  
  responsive to the detection of the malware infection of the at least one asset associated with the network, identify, with the at least one processor in communication with the network, historical network data associated with the at least one infected asset associated with the network, the historical network data having been gathered prior to the detection of the malware infection;
  
  responsive to the detection of the malware infection, analyze, with the at least one processor, the identified historical network data to determine whether a subset of the identified historical network data is associated with the malware infection of the at least one infected asset; and
  
  present, using the at least one processor, a notification that the at least one asset is infected with malware and the analyzed identified historical network data to a user.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The system of claim 16, wherein the identified historical network data comprises historical network communication data.
  - 18. The system of claim 17, wherein the at least one processor is constructed and arranged to analyze the identified historical network data by identifying a destination and/or source associated with the historical network communication data and identifying a reputation associated with the destination and/or source, measuring a statistical feature of a new destination and/or source associated with the historical network communication data and determining a likely reputation of the new destination and/or source, analyzing a header associated with the historical network communication data, and/or analyzing a referrer associated with the historical network communication data.
  - 19. The system of claim 18, wherein:
    - the destination and/or source comprises a domain, an IP address, a URL path, and/or a resource; and
      
      the new destination and/or source comprises a domain, an IP address, a URL path, and/or a resource.
  - 20. The system of claim 16, wherein the identified historical network data comprises an historical network file download.
  - 21. The system of claim 20, wherein the at least one processor is constructed and arranged to analyze the identified historical network data by identifying a source associated with the historical network file download and identifying a reputation associated with the source, measuring a statistical feature of a new source associated with the historical network file download and determining a likely reputation of the new source, analyzing the historical network file download using a third party commodity, identifying a static structure of the historical network file download, identifying a behavioral trait of the historical network file download, and/or allowing a file associated with the historical network file download to execute and examining a result of the executing.
  - 22. The system of claim 21, wherein:
    - the destination comprises a domain, an IP address, a URL path, and/or a resource; and
      
      the new destination comprises a domain, an IP address, a URL path, and/or a resource.
  - 23. The system of claim 16, wherein the identified historical network communication data comprises suspicious network traffic.
  - 24. The system of claim 23, wherein the at least one processor is constructed and arranged to:
    - monitor network traffic to and/or from the at least one asset associated with the network;
      
      assess the network traffic to determine a destination and/or source for the network traffic and/or content of the network traffic;
      
      determine whether the network traffic is suspicious network traffic based on the assessed destination and/or source and/or content; and
      
      capture metadata associated with the suspicious network traffic and store the metadata in the database.
  - 25. The system of claim 24, wherein the monitoring comprises monitoring a transport protocol of the network traffic, monitoring an application protocol of the network traffic, monitoring a destination of the network traffic, and/or monitoring content of the network traffic.
  - 26. The system of claim 24, wherein the determining whether the network traffic is suspicious network traffic is based on a low reputation score associated with the destination and/or source for the network traffic, a suspicious DGA cluster associated with the destination and/or source for the network traffic, a suspicious DGA cluster associated with the content of the network traffic, and/or a suspicious content element within the content of the network traffic.
  - 27. The system of claim 24, wherein the at least one processor is further constructed and arranged to:
    - when the network traffic is determined to be suspicious network traffic, index the metadata.
  - 28. The system of claim 24, wherein the metadata comprises a source port, a destination port, a transport protocol, an application protocol, a time stamp, a duration, a source identifier, a destination identifier, a bytes in count, a bytes out count, a connection success indicator, a connection status, a DNS RR set, HTTP data, a file within the content of the network traffic, the content of the network traffic, and/or a subsequent communication.
  - 29. The system of claim 24, wherein the at least one processor is further constructed and arranged to:
    - when the network traffic is determined to be suspicious network traffic, send a report indicating that the network traffic is determined to be suspicious network traffic to a display in communication with the at least one processor.
  - 30. The system of claim 24, wherein the at least one processor is constructed and arranged to determine whether the network traffic is suspicious network traffic with a method comprising determining that all traffic to and/or from the asset is suspicious network traffic when the asset is an asset with a potential malware infection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc.
Original Assignee
Damballa Incorporated
Inventors
Ward, Joseph, Hobson, Andrew
Primary Examiner(s)
King, John B

Application Number

US14/015,704
Publication Number

US 20140068775A1
Time in Patent Office

1,383 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1441 Countermeasures against mal...

Historical analysis to identify malicious activity

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

263 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Historical analysis to identify malicious activity

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

263 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links