Title of invention: Cyber security adaptive analytics threat monitoring system and method
Abstract: A system and method of detecting command and control behavior of malware on a client computer is disclosed. DNS messages from one or more client computers to a DNS server are monitored to determine the risk that any of the client computers is communicating with a botnet. Real-time entity profiles are generated, based on each of the DNS messages, for at least one of: each client computer, each DNS query domain name, each resolved IP address of a queried domain name, each client computer/query domain name pair, each pair of query domain name and corresponding resolved IP address, or each query domain name/IP address clique. Using the real-time entity profiles, the risk that any of the client computers is infected by malware that uses DNS messages for command and control or for illegitimate data transmission is determined. One or more scores are generated representing the probabilities that the client computers are infected by malware.
Publication number: US9531738(B2) Publication date: 2016.12.27
Application number: US201514860454 Filing date: 2015.09.21
Applicant: FAIR ISAAC CORPORATION Inventors: Zoldi Scott Michael; Athwal Jehangir; Li Hua; Kennel Matthew Bochner; Xue Xinwai
Classification (IPC): G06F11/00; H04L29/06; H04L29/08; H04L29/12 Main classification: G06F11/00
Agency: Mintz Levin Cohn Ferris Glovsky and Popeo, P.C. Agent: Mintz Levin Cohn Ferris Glovsky and Popeo, P.C.
Independent claim: 1. A method of detecting a cyber security threat risk in a computer network, the method comprising: monitoring one or more network messages or events associated with one or more client computers that electronically communicate with at least one server, each of the one or more client computers and the at least one server having an IP address; generating a real-time entity profile for at least one of the one or more client computers, the real-time entity profile comprising one or more variables associated with electronic communication between the one or more client computers and the at least one server, the one or more variables including at least IP addresses associated with the monitored one or more network messages or events; determining a variance from the real-time entity profile containing one or more cyber threat features for each of the at least one or more client computers, the variance representing cyber security threat risk that the security of any of the one or more client computers is compromised and the client computer network message or event traffic represents illegitimate data transmission; generating a real-time calibration profile for the at least one of the one or more client computers based on the real-time entity profile variable values and the determined variance; and generating, using the real-time calibration profiles and the real-time entity profile and associated one or more variables, one or more scores, each of the one or more scores representing a probability of the cyber security threat risk.
Address: San Jose, CA, US