| 发明名称 |
BEHAVIORAL DETECTION OF MALWARE AGENTS |
| 摘要 |
In an example, a detection engine identifies potential malware objects according to behavior. In order to circumvent blacklists and fingerprint-based detection, a malware server may frequently change domain names, and change the fingerprints of distributed malware agents. A malware agent may perform only an initial DNS lookup, and thereafter communicate with the malware command-and-control server via “naked” HTTP packets using the raw IP address of the server. The detection engine identifies malware agents by this behavior. In one example, if an executable object makes repeated HTTP requests to an address after the DNS lookup “time to live” has expired, the object may be flagged as potential malware. |
| 申请公布号 |
US2016094569(A1) |
申请公布日期 |
2016.03.31 |
| 申请号 |
US201414496158 |
申请日期 |
2014.09.25 |
| 申请人 |
Mondiguing Stephen;Cruz Benjamin |
发明人 |
Mondiguing Stephen;Cruz Benjamin |
| 分类号 |
H04L29/06 |
主分类号 |
H04L29/06 |
| 代理机构 |
|
代理人 |
|
| 主权项 |
1. A computing apparatus, comprising:
a network interface operable for connecting to a data network; and one or more hardware and/or software logic elements comprising a detection engine operable for:
inspecting a network packet provided on the network interface;identifying a domain name server (DNS) request associated with the network packet, the DNS request having a time-to-live;determining that the time-to-live of the DNS request is expired; anddesignating the network packet as suspicious. |
| 地址 |
Sunnyvale CA US |
