Detection of malware beaconing activities
US-9038178-B1 · May 19, 2015 · US
Detection of malware beaconing activities
US9369479B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9369479-B2 |
| Application number | US-201514690771-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 20, 2015 |
| Priority date | Jun 25, 2012 |
| Publication date | Jun 14, 2016 |
| Grant date | Jun 14, 2016 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Malware beaconing activity detection is disclosed, including: monitoring a plurality of conversations between an internal device and one or more external destinations; extracting feature sets based at least in part on the plurality of conversations; and determining that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets.
First claim
Opening claim text (preview).
What is claimed is: 1. A system, comprising: a processor configured to: identify a plurality of communication events between a dynamically assigned address and an external destination; determine that the dynamically assigned address maps to a statically assigned address associated with an internal device; generate a conversation between the internal device and the external destination based at least in part on the plurality of communication events; extract feature sets based at least in part on the conversation between the internal device and the external destination; and determine whether the conversation between the internal device and the external destination is anomalous based at least in part on the extracted feature sets; and a memory coupled to the processor and configured to store the extracted feature sets. 2. The system of claim 1 , wherein the external destination comprises an external IP address outside of an enterprise network. 3. The system of claim 1 , wherein the plurality of communication events is identified based at least in part on one or more of the following: firewall logs, proxy logs, and dynamic host configuration protocol (DHCP) logs. 4. The system of claim 1 , wherein in the event that the conversation between the internal device and the external destination is determined to be anomalous, the processor is further configured to determine that the conversation is potentially indicative of malware being present at the internal device. 5. The system of claim 1 , wherein to determine whether the conversation between the internal device and the external destination is anomalous includes to build a model based at least in part on at least some of the feature sets and a plurality of historical conversations. 6. The system of claim 5 , wherein at least some of the extracted feature sets are input into the model and the model is configured to determine whether the conversation is anomalous based on the inputted feature sets. 7. The system of claim 1 , wherein one of the feature sets includes a feature associated with an age of the internal device. 8. The system of claim 1 , wherein one of the feature sets includes a feature associated with a service of the external destination. 9. The system of claim 1 , wherein one of the feature sets includes a feature associated with an age of the external destination. 10. The system of claim 1 , wherein one of the feature sets includes a feature associated with a geolocation of the external destination. 11. The system of claim 1 , wherein in the event that the conversation between the internal device and the external destination is determined to be anomalous, the processor is further configured to present information associated with the conversation. 12. A method, comprising: identifying a plurality of communication events between a dynamically assigned address and an external destination; determining, using a processor, that the dynamically assigned address maps to a statically assigned address associated with an internal device; generating a conversation between the internal device and the external destination based at least in part on the plurality of communication events; extracting feature sets based at least in part on the conversation between the internal device and the external destination; and determining whether the conversation between the internal device and the external destination is anomalous based at least in part on the extracted feature sets. 13. The method of claim 12 , wherein the external destination comprises an external IP address outside of an enterprise network. 14. The method of claim 12 , wherein the plurality of communication events is identified based at least in part on one or more of the following: firewall logs, proxy logs, and dynamic host configuration protocol (DHCP) logs. 15. The method of claim 12 , wherein in the event that the conversation between the internal device and the external destination is determined to be anomalous, determining that the conversation is potentially indicative of malware being present at the internal device. 16. The method of claim 12 , wherein determining whether the conversation between the internal device and the external destination is anomalous includes building a model based at least in part on at least some of the feature sets and a plurality of historical conversations. 17. The method of claim 16 , wherein at least some of the extracted feature sets are input into the model and the model is configured to determine whether the conversation is anomalous based on the inputted feature sets. 18. The method of claim 12 , wherein one of the feature sets includes a feature associated with an age of the internal device. 19. The method of claim 12 , wherein one of the feature sets includes a feature associated with an age of the external destination.
Assignees
Inventors
Classifications
for separating internal from external traffic, e.g. firewalls · CPC title
- H04L63/1425Primary
Traffic logging, e.g. anomaly detection · CPC title
- H04L63/1416Primary
Event detection, e.g. attack signature detection · CPC title
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US9369479B2 cover?
- Malware beaconing activity detection is disclosed, including: monitoring a plurality of conversations between an internal device and one or more external destinations; extracting feature sets based at least in part on the plurality of conversations; and determining that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets.
- Who is the assignee on this patent?
- Emc Corp
- What technology area does this patent fall under?
- Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Jun 14 2016 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).