Endpoint traffic profiling for early detection of malware spread
US-2016142426-A1 · May 19, 2016 · US
US9473531B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9473531-B2 |
| Application number | US-201414542693-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 17, 2014 |
| Priority date | Nov 17, 2014 |
| Publication date | Oct 18, 2016 |
| Grant date | Oct 18, 2016 |
Official abstract text for this publication.
According to one exemplary embodiment, a method for detecting malware in a network stream to at least one host computer is provided. The method may include initializing a browser profile corresponding with a first website having a first website source and a first plurality of content features. The method may include recording the first plurality of content features and a trusted source based on the first website source. The method may include scanning the network stream for a second content feature within a second plurality of content features associated with a second website. The method may include determining if the second content feature matches a first content feature. The method may include determining if the second plurality of content features is consistent with the first plurality of content features. The method may include determining if a second website source matches the trusted source. The method may include generating an alert.
Opening claim text (preview).
What is claimed is:

1. A computer system for detecting malware in a network stream to at least one host computer, comprising: one or more processors, one or more computer-readable memories, one or more computer-readable tangible storage medium, and program instructions stored on at least one of the one or more tangible storage medium for execution by at least one of the one or more processors via at least one of the one or more memories, wherein the computer system executes the program instructions to perform the steps comprising: initializing a browser profile corresponding with a first website having a first website source and a first plurality of content features; determining the first plurality of content features based on the first website, wherein a first content feature within the first plurality of content features has a first content feature internet protocol (IP) address indicating a first content feature source; recording in the browser profile the first plurality of content features, the first content feature IP address, and a trusted source based on the first website source; scanning the network stream to the at least one host computer for a second content feature within a second plurality of content features associated with a second website; determining if the second content feature matches the first content feature within the first plurality of content features recorded in the browser profile based on finding the second content feature while scanning the network stream, wherein the second content feature has a second content feature IP address indicating a second content feature source; determining if the second plurality of content features is consistent with the first plurality of content features based on determining the second content feature matches the first content feature, wherein determining if the second plurality of content features is consistent with the first plurality of content features comprises comparing the first content feature IP address recorded in the browser profile to the second content feature IP address; determining if a second website source associated with the second website matches the trusted source based on determining that the second plurality of content features is consistent with the first plurality of content features; generating an alert based on determining that the second plurality of features is inconsistent with the first plurality of content features or the second website source does not match the trusted source; generating, by the at least one host computer, a content signature based on the second plurality of features; sending the generated content signature to a proxy, wherein the proxy is connected to a plurality of enterprise hosts and the at least one host computer by a network within an enterprise; and forwarding the stored content signature from the proxy to the plurality of enterprise hosts within the enterprise, wherein the plurality of enterprise hosts individually store the sent content signature.

2. The computer system of claim 1, wherein the first plurality of content features and the second plurality of content features comprises at least one of a plurality of website metadata, a plurality of website image sources, a plurality of website links, or a website structure.

3. The computer system of claim 1, wherein the first website source comprises a trusted domain, the second website source comprises a domain, and the trusted source comprises a list of trusted internet protocol (IP) addresses.

4. The computer system of claim 1, wherein the generated alert may comprise at least one of outputting the generated alert as a warning message to the host computer, sending the generated alert as an email to a preconfigured email address, or sending the generated alert over a network link to a security information and event manager (SIEM).

5. The computer system of claim 1, wherein the browser profile is stored as a data structure in a data storage device accessible by the at least one host computer.

6. The computer system of claim 4, wherein the at least one host computer comprises the at least one host computer within a plurality of host computers linked together in a network with the SIEM.

7. The computer system of claim 6, wherein the browser profile is stored in a proxy linked to the plurality of host computers and to the SIEM.

8. The computer system of claim 7, wherein the generated alert may comprise sending the generated alert from the proxy to each host computer within the plurality of host computers.

9. A computer program product for detecting malware in a network stream to at least one host computer, comprising: one or more computer-readable storage devices and program instructions stored on at least one of the one or more tangible storage devices, the program instructions executable by a processor, the program instructions comprising: program instructions to initialize a browser profile corresponding with a first website having a first website source and a first plurality of content features; program instructions to determine the first plurality of content features based on the first website, wherein a first content feature within the first plurality of content features has a first content feature internet protocol (IP) address indicating a first content feature source; program instructions to record in the browser profile the first plurality of content features, the first content feature IP address, and a trusted source based on the first website source; program instructions to scan the network stream to the at least one host computer for a second content feature within a second plurality of content features associated with a second website; program instructions to determine if the second content feature matches the first content feature within the first plurality of content features recorded in the browser profile based on finding the second content feature while scanning the network stream, wherein the second content feature has a second content feature IP address indicating a second content feature source; program instructions to determine if the second plurality of content features is consistent with the first plurality of content features based on determining the second content feature matches the first content feature, wherein determining if the second plurality of content features is consistent with the first plurality of content features comprises comparing the first content feature IP address recorded in the browser profile to the second content feature IP address; program instructions to determine if a second website source associated with the second website matches the trusted source based on determining that the second plurality of content features is consistent with the first plurality of content features; program instructions to generate an alert based on determining that the second plurality of features is inconsistent with the first plurality of content features or the second website source does not match the trusted source; program instructions to generate, by the at least one host computer, a content signature based on the second plurality of features; program instructions to send the generated content signature to a proxy, wherein the proxy is connected to a plurality of enterprise hosts and the at least one host computer by a network within an enterprise; and program instructions to forward the stored content signature from the proxy to the plurality of enterprise hosts within the enterprise, wherein the plurality of enterprise hosts individually store the sent content signature.

10. The computer program product of claim 9, wherein the first plurality of content features and the second plurality of conten
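Added example (not the patent's or any assignee's code): a minimal Python model of the profile-record, consistency-check, trusted-source-check and signature-forwarding steps that the abstract and claim 1 describe. Representing each content feature as a key such as `img:/logo.png` mapped to its source IP, and the trusted source as a set of IPs (claim 3), are assumptions; the domains, IPs and host names are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class BrowserProfile:
    """Profile of the first (legitimate) website: trusted source plus feature -> source IP."""
    trusted_ips: set                               # trusted source is a list of IPs (claim 3)
    features: dict = field(default_factory=dict)   # content feature -> source IP (assumed shape)

def init_profile(site_ip, features):
    """Record the first website's content features, their source IPs and the trusted source."""
    return BrowserProfile({site_ip}, dict(features))

def content_signature(features):
    """Signature of a suspicious page's feature set, to be shared via the proxy."""
    blob = "\n".join(f"{k}={v}" for k, v in sorted(features.items()))
    return hashlib.sha256(blob.encode()).hexdigest()

def scan_stream(profile, site_ip, features):
    """Check a second website seen in the stream; returns (alert_reason, signature)."""
    shared = [f for f in features if f in profile.features]
    if not shared:                      # no matching content feature: nothing to compare
        return None, None
    # Consistency: a matching feature must be served from the recorded source IP.
    for f in shared:
        if features[f] != profile.features[f]:
            return (f"{f!r} served from {features[f]}, expected {profile.features[f]}",
                    content_signature(features))
    # Consistent content, so the second website's source must match the trusted source.
    if site_ip not in profile.trusted_ips:
        return f"website source {site_ip} is not a trusted source", content_signature(features)
    return None, None

class Proxy:
    """Enterprise proxy that forwards a received signature to every host it serves."""
    def __init__(self, hosts):
        self.stored = {h: set() for h in hosts}   # each host keeps its own copy

    def forward(self, signature):
        for host_store in self.stored.values():
            host_store.add(signature)
        return len(self.stored)

# Constructed sample: the legitimate site's features, all served from its own IP.
BANK_FEATURES = {"img:/logo.png": "203.0.113.10", "link:/login": "203.0.113.10",
                 "title:Example Bank": "203.0.113.10"}
PROFILE = init_profile("203.0.113.10", BANK_FEATURES)
```

A look-alike page that reuses the recorded features but is served from a different IP trips the trusted-source check, while a page that serves a recorded feature from a different address trips the consistency check; either way the resulting signature is what the proxy distributes.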
CPC titles:
Authenticating web pages, e.g. with suspicious links
The attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
Proxies
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002)
Event detection, e.g. attack signature detection