Detection of malware using time spans and periods of activity for network requests

US9692772B2 · US · B2

Patent metadata

Field               Value
Publication number  US-9692772-B2
Application number  US-201615018758-A
Country             US
Kind code           B2
Filing date         Feb 8, 2016
Priority date       Mar 26, 2014
Publication date    Jun 27, 2017
Grant date          Jun 27, 2017

Abstract

Official abstract text for this publication.

A method to identify machines infected by malware is provided. The method includes determining whether a universal resource locator in a network request is present in a first cache and determining whether a fully qualified domain name from the uniform resource locator is present in a second cache. The method includes evaluating a parent hostname as to suspiciousness. The method includes indicating the computing device has a likelihood of infection, responsive to one of: the universal resource locator being present in the first cache with a first indication of suspiciousness, the fully qualified domain name being present in the second cache with a second indication of suspiciousness, or the evaluating the parent hostname having a third indication of suspiciousness, wherein at least one method operation is performed by the processor. A system and computer readable media are provided.

First claim

Opening claim text (preview).

What is claimed is:

1. A method of identifying machines infected by malware, performed by a security monitoring computing device, the method comprising: tracking domain names in network requests from a computing device, the tracking occurring over a first time span; receiving a fully qualified domain name relating to a network request from the computing device; determining whether the fully qualified domain name is among the tracked domain names and whether the fully qualified domain name was visited during a more recent second time span; indicating the computing device has a likelihood of infection, responsive to a result of the determining; determining whether the fully qualified domain name exceeds a predetermined length; and elevating a level of suspicion of the computing device responsive to the result of the determining whether the fully qualified domain name exceeds a predetermined length.

2. The method of claim 1, wherein tracking the domain names includes adding the fully qualified domain name, along with a timestamp, to a list of tracked domain names.

3. The method of claim 1, further comprising: adding the computing device to a list of computing devices suspected of infection by malware, responsive to the result of the determining.

4. The method of claim 1, further comprising: further determining whether the computing device has issued a plurality of network requests greater in number than a specified value, each of the plurality of network requests including the fully qualified domain name, during the second time span; and elevating a level of suspicion of the computing device responsive to the result of the further determining.

5. The method of claim 1, further comprising: determining whether the fully qualified domain name includes a reference to a country that is anomalous to the computing device per the tracking; and elevating a level of suspicion of the computing device responsive to the result of the determining whether the fully qualified domain name includes a reference to a country that is anomalous to the computing device per the tracking.
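The procedure of claims 1 to 5 as an added Python sketch; this is illustrative code written for this page, not the patent's or Symantec's implementation. The window lengths, thresholds, the ccTLD-based country check and the reading that a name the device never contacted during the baseline span is the result indicating a likelihood of infection are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FIRST_SPAN = timedelta(days=30)   # claim 1 "first time span": baseline window (assumed value)
SECOND_SPAN = timedelta(days=1)   # claim 1 "second time span": recent window (assumed value)
MAX_FQDN_LEN = 40                 # claim 1 "predetermined length" (assumed value)
MAX_REQUESTS = 5                  # claim 4 "specified value" (assumed value)
HOME_CC = "us"                    # country the device normally relates to (claim 5, assumed)

class DomainTracker:
    """Per-device FQDN history with timestamps (claim 2) plus the claim 1 assessment."""

    def __init__(self):
        self.history = defaultdict(list)   # (device, fqdn) -> request timestamps
        self.suspects = set()              # claim 3: devices suspected of infection

    def assess(self, device, fqdn, now):
        """Assess one request against prior history, then record it; return findings."""
        prior = [t for t in self.history[(device, fqdn)] if t < now and now - t <= FIRST_SPAN]
        tracked = bool(prior)                                  # among the tracked names?
        recent = [t for t in prior if now - t <= SECOND_SPAN]  # visits in the second span
        # Assumed reading of claim 1: a name the device never contacted during the
        # baseline span is the result that indicates a likelihood of infection.
        new_domain = not tracked
        suspicion = 0
        if len(fqdn) > MAX_FQDN_LEN:                # claim 1: over-long FQDN
            suspicion += 1
        if len(recent) + 1 > MAX_REQUESTS:          # claim 4: repeated requests in second span
            suspicion += 1
        cc = fqdn.rsplit(".", 1)[-1].lower()
        if len(cc) == 2 and cc != HOME_CC:          # claim 5, simplified to the ccTLD label
            suspicion += 1
        self.history[(device, fqdn)].append(now)    # claim 2: track with a timestamp
        if new_domain or suspicion:
            self.suspects.add(device)
        return {"new_domain": new_domain, "recent_requests": len(recent), "suspicion": suspicion}

def run_sample():
    """Constructed request log (not from the patent): ten days of routine requests,
    then a burst of requests to a new, over-long name under a placeholder ccTLD."""
    t0 = datetime(2017, 6, 1, 9, 0)
    log = [("host-a", "mail.example.com", t0 + timedelta(days=d)) for d in range(10)]
    beacon = "u" * 45 + ".example.xx"   # ".xx" is a constructed placeholder ccTLD
    log += [("host-a", beacon, t0 + timedelta(days=10, minutes=m)) for m in range(0, 60, 10)]
    tracker = DomainTracker()
    return [tracker.assess(dev, fqdn, ts) for dev, fqdn, ts in log], sorted(tracker.suspects)
```

The routine name is flagged only on its first sighting, while the burst to the new name accumulates the length, repetition and country factors as the recent-window request count passes the threshold.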

Assignees

Symantec Corp

Inventors

Classifications

  • the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title

  • Computer malware detection or handling, e.g. anti-virus arrangements · CPC title

  • Test or assess a computer or a system · CPC title

  • H04L63/14 (primary): for detecting or protecting against malicious traffic · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9692772B2 cover?
A method to identify machines infected by malware is provided. The method includes determining whether a universal resource locator in a network request is present in a first cache and determining whether a fully qualified domain name from the uniform resource locator is present in a second cache. The method includes evaluating a parent hostname as to suspiciousness. The method includes indicat…
Who is the assignee on this patent?
Symantec Corp
What technology area does this patent fall under?
Primary CPC classification H04L63/14. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jun 27, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).