Title Systems And Methods For Detecting Domain Generation Algorithm (DGA) Malware
Abstract Domain generation algorithm (DGA) malware is detected by intercepting an external time request sent by a potential DGA malware host, and replacing the received real time with an accelerated (future) real time designed to trigger time-dependent DGA activity. The interception and replacement are performed outside the physical or virtual DGA host, on a different physical or virtual system such as a distinct external physical server or router, or distinct hypervisor or virtual machine running on the same physical system, in order to reduce the risk that the DGA malware identifies the time substitution. Failed DGA malware external access requests triggered only at future times are then used to identify domain names generated by the DGA malware, allowing proactive countermeasures.
Publication number US2017126706(A1) Publication date 2017.05.04
Application number US201514932765 Filing date 2015.11.04
Applicant Bitdefender IPR Management Ltd. Inventors MINEA Octavian M.;VATAMANU Cristina;BENCHEA Mihai R.;GAVRILUT Dragos T.
Classification H04L29/06;G06F9/455 Main classification H04L29/06
Agency Agent
Main claim 1. A first computer system comprising at least one memory and at least one associated microprocessor configured to perform, externally from a potential domain generation algorithm (DGA) malware host, the following steps: intercept an original answer to a first external access request, wherein the first external access request is sent by the potential DGA malware host to an external site; parse at least one of the first external access request and the original answer to the first external access request to determine whether the original answer to the first external access request comprises a real time; send a modified answer to the potential DGA malware host, the modified answer being generated from the original answer by replacing an original real time included in the original answer with an accelerated real time subsequent to the original real time; intercept, in response to a second external access request sent by the potential DGA malware host, an answer indicating that the second access request was not successful, wherein the second external access request is sent after the first external access request is sent; and in response to intercepting the answer indicating that the second access request was not successful, determine that the potential DGA malware host includes malware executing a domain generation algorithm.
Address Nicosia CY
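The following is an added simulation of the scheme described in the abstract and in claim 1; it is not code from the patent or from Bitdefender. It models the two stages of the claim: an interceptor placed outside the monitored host that parses answers to outbound requests for a real time (here an HTTP Date header) and substitutes an accelerated one, and a detector that flags a host whose later external accesses fail after it received the substituted time, collecting the failed names for blocking ahead of their real day. The date-seeded name generator, the set of "registered" names, the two host addresses, the HTTP-style answers and the seven-day acceleration are all constructed assumptions for the demonstration.

```python
"""Added example (not the patent's code): a simulation of the time-substitution
DGA detection scheme in the abstract and claim 1. Everything here is
constructed: the toy date-seeded name generator, the 'registered' name set, the
two sample hosts and their HTTP-style answers."""
import hashlib
from datetime import date, datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Optional

# Assumptions: the 'real' current time of the scenario and how far into the
# future the substituted time is pushed.
REAL_NOW = datetime(2015, 11, 4, 10, 0, tzinfo=timezone.utc)
ACCELERATION = timedelta(days=7)


def toy_date_seeded_domains(day: date, count: int = 3) -> list:
    """Constructed stand-in for time-dependent name generation: derives `count`
    names from the calendar date alone (not any real family's algorithm)."""
    return [hashlib.sha256(f"{day.isoformat()}#{i}".encode()).hexdigest()[:12]
            + ".example" for i in range(count)]


def extract_real_time(answer: str) -> Optional[datetime]:
    """Return the Date header of an HTTP-style answer as an aware datetime, or
    None when the answer carries no real time (the claim's parse step)."""
    for line in answer.split("\r\n"):
        if line.lower().startswith("date:"):
            try:
                parsed = parsedate_to_datetime(line.split(":", 1)[1].strip())
            except (TypeError, ValueError):
                return None
            return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)
    return None


class TimeSubstitutingProxy:
    """Interceptor placed outside the monitored host (the claim's separate
    server, router or hypervisor). Answers carrying a real time are rewritten
    to an accelerated one; hosts that received a substitute are remembered."""

    def __init__(self, acceleration: timedelta = ACCELERATION):
        self.acceleration = acceleration
        self.substituted_hosts = set()

    def rewrite_answer(self, host: str, answer: str) -> str:
        original = extract_real_time(answer)
        if original is None:
            return answer  # no real time inside: forward unchanged
        accelerated = (original + self.acceleration).astimezone(timezone.utc)
        self.substituted_hosts.add(host)
        out = []
        for line in answer.split("\r\n"):
            if line.lower().startswith("date:"):
                line = "Date: " + format_datetime(accelerated, usegmt=True)
            out.append(line)
        return "\r\n".join(out)


class FailedAccessDetector:
    """Second stage of the claim: an external access that fails after the host
    was fed an accelerated time marks the host as running a DGA, and the failed
    names are collected for blocking or sinkholing ahead of their 'real' day."""

    def __init__(self, proxy: TimeSubstitutingProxy):
        self.proxy = proxy
        self.flagged = {}  # host -> failed names observed after substitution

    def observe_access(self, host: str, name: str, succeeded: bool) -> bool:
        if succeeded or host not in self.proxy.substituted_hosts:
            return False
        self.flagged.setdefault(host, []).append(name)
        return True


def run_simulation() -> dict:
    """Constructed scenario: an infected host and a benign host both fetch the
    time over HTTP; only the infected host's outbound names depend on the date."""
    registered = set(toy_date_seeded_domains(REAL_NOW.date()))  # live today
    answer = ("HTTP/1.1 200 OK\r\nDate: " + format_datetime(REAL_NOW, usegmt=True)
              + "\r\nContent-Length: 0\r\n\r\n")
    proxy = TimeSubstitutingProxy()
    detector = FailedAccessDetector(proxy)

    # Infected host derives its contact names from the (substituted) Date it saw;
    # names for a future day are not registered yet, so every access fails.
    seen = extract_real_time(proxy.rewrite_answer("10.0.0.5", answer))
    for name in toy_date_seeded_domains(seen.date()):
        detector.observe_access("10.0.0.5", name, succeeded=name in registered)

    # Benign host also asks the time, then contacts a fixed, live name.
    proxy.rewrite_answer("10.0.0.9", answer)
    detector.observe_access("10.0.0.9", "updates.example", succeeded=True)
    return detector.flagged


if __name__ == "__main__":
    for host, names in run_simulation().items():
        print(host, "flagged; names generated for the future day:", names)
```

The detector's rule is deliberately the bare one from the claim (any failed access after a substituted time), so a benign host with a transient failure in that window would also trip it; a deployment would want to compare the failing names against the host's baseline traffic before the substitution, and the whole arrangement only holds if the monitored host has no other clock source it trusts more than the intercepted answer.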