Title: Heuristic botnet detection
Abstract: In some embodiments, heuristic botnet detection is provided. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master. In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score.
Publication number: US9143522(B2) Publication date: 2015.09.22
Application number: US201314018323 Filing date: 2013.09.04
Applicant: Palo Alto Networks, Inc. Inventors: Wang Xinran; Xie Huagang
Classification: G06F11/00; H04L29/06; G06F21/55; H04L29/08 Main classification: G06F11/00
Agency: Van Pelt, Yi & James LLP Agent: Van Pelt, Yi & James LLP
Main claim: 1. A system, comprising:
  a processor configured to:
    monitor network traffic to identify suspicious network traffic, wherein the monitoring of the network traffic includes:
      identify a uniform resource locator (URL) in the network traffic;
      determine whether the network traffic includes a malware URL, an unclassified URL, or a combination thereof; and
      in the event that the network traffic includes the malware URL, the unclassified URL, or a combination thereof, assign the network traffic as the suspicious network traffic;
    detect a bot based on a heuristic analysis of the suspicious network traffic behavior, wherein the suspicious network traffic behavior includes command and control traffic associated with a bot master;
    monitor behavior indicated in the network traffic to identify malware, wherein the monitored behaviors that indicate potential malware include connecting to a non-standard HTTP port for HTTP traffic, visiting a non-existent domain, downloading executable files with non-standard executable file extensions, performing a DNS query for an email server, communicating using a post method in HTTP traffic, connecting to a non-standard IRC port for IRC traffic, communicating using an intrusion prevention system evasion technique, communicating unclassified traffic over an HTTP port, visiting a dynamic DNS domain, or any combination thereof; and
    monitor visited domain related behavior to identify a malicious domain based on whether a visited domain is a dynamic DNS domain; and
  a memory coupled to the processor and configured to provide the processor with instructions.
Address: Santa Clara CA US
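The abstract and claim 1 describe a scoring scheme: traffic carrying a malware or unclassified URL is tagged suspicious, the behaviors enumerated in the claim are checked, and a per-host score grows as additional behaviors correlate, with a threshold deciding whether the host is treated as part of a botnet. The following is an added illustration of that scheme in Python; it is not code from the patent or from Palo Alto Networks. The Flow field names, the port and extension baselines, the per-heuristic weights, the threshold and the sample flows are all assumptions constructed for the example. The IPS-evasion and executable-content flags are taken as signals from an assumed upstream inspection stage rather than computed here.

```python
"""Heuristic botnet risk scoring over constructed flow records (added example)."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed baselines (assumptions, not values from the patent).
STANDARD_HTTP_PORTS = {80, 443, 8080}
STANDARD_IRC_PORTS = {6667, 6697}
EXECUTABLE_EXTENSIONS = {"exe", "dll", "msi", "scr"}
BOTNET_THRESHOLD = 5

# Constructed weights for the URL check and for each behavior listed in claim 1.
WEIGHTS = {
    "malware_url": 3,
    "unclassified_url": 1,
    "nonstandard_http_port": 1,
    "nonexistent_domain": 1,
    "nonstandard_exe_extension": 2,
    "mx_dns_query": 1,
    "http_post": 1,
    "nonstandard_irc_port": 2,
    "ips_evasion": 2,
    "unclassified_over_http_port": 1,
    "dynamic_dns_domain": 2,
}


@dataclass
class Flow:
    """One observed flow; field names are assumptions for this example."""
    src_host: str
    proto: str                    # "http", "irc", "dns" or "unknown" (unclassified application)
    dst_port: int
    domain: str = ""
    url_category: str = "benign"  # "malware", "unclassified" or "benign" (from an assumed URL classifier)
    http_method: str = ""
    domain_exists: bool = True    # False when the lookup returned NXDOMAIN
    dynamic_dns: bool = False     # domain belongs to a dynamic DNS provider
    dns_qtype: str = ""           # "MX" = query for an email server
    download_executable: bool = False  # payload identified as executable by an assumed upstream stage
    download_extension: str = ""
    ips_evasion: bool = False     # flagged by an assumed upstream evasion detector


def suspicious_url(flow: Flow) -> list[str]:
    """Claim 1: traffic with a malware or unclassified URL is tagged suspicious."""
    if flow.url_category == "malware":
        return ["malware_url"]
    if flow.url_category == "unclassified":
        return ["unclassified_url"]
    return []


def behaviors(flow: Flow) -> list[str]:
    """Check one flow against the behavior list enumerated in claim 1."""
    found = []
    if flow.proto == "http" and flow.dst_port not in STANDARD_HTTP_PORTS:
        found.append("nonstandard_http_port")
    if flow.domain and not flow.domain_exists:
        found.append("nonexistent_domain")
    if flow.download_executable and flow.download_extension.lower() not in EXECUTABLE_EXTENSIONS:
        found.append("nonstandard_exe_extension")
    if flow.proto == "dns" and flow.dns_qtype == "MX":
        found.append("mx_dns_query")
    if flow.proto == "http" and flow.http_method.upper() == "POST":
        found.append("http_post")
    if flow.proto == "irc" and flow.dst_port not in STANDARD_IRC_PORTS:
        found.append("nonstandard_irc_port")
    if flow.ips_evasion:
        found.append("ips_evasion")
    if flow.proto == "unknown" and flow.dst_port in STANDARD_HTTP_PORTS:
        found.append("unclassified_over_http_port")
    if flow.dynamic_dns:
        found.append("dynamic_dns_domain")
    return found


def score_hosts(flows: list[Flow]) -> dict[str, tuple[int, list[str]]]:
    """Correlate tags per source host; the score rises with each distinct behavior seen."""
    tags_by_host: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        tags_by_host[f.src_host].update(suspicious_url(f) + behaviors(f))
    return {h: (sum(WEIGHTS[t] for t in tags), sorted(tags)) for h, tags in tags_by_host.items()}


def likely_bots(flows: list[Flow], threshold: int = BOTNET_THRESHOLD) -> list[str]:
    """Hosts whose correlated score reaches the threshold (the abstract's final step)."""
    return sorted(h for h, (s, _) in score_hosts(flows).items() if s >= threshold)


# Constructed sample flows: host .5 shows several correlated behaviors, the others one or none.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "http", 8081, domain="upd-node.dyn.example", url_category="unclassified",
         http_method="POST", dynamic_dns=True),
    Flow("10.0.0.5", "dns", 53, domain="mail.example", dns_qtype="MX"),
    Flow("10.0.0.9", "http", 443, domain="www.example", http_method="GET"),
    Flow("10.0.0.12", "dns", 53, domain="missing.example", domain_exists=False),
]

if __name__ == "__main__":
    for host, (score, tags) in score_hosts(SAMPLE_FLOWS).items():
        print(host, score, tags)
    print("likely bots:", likely_bots(SAMPLE_FLOWS))
```

Run as-is, the host with an unclassified URL on a non-standard port, a POST, a dynamic DNS domain and an MX lookup accumulates a score of 6 and crosses the threshold, while the host with a single NXDOMAIN lookup scores 1 and is not reported. The point of correlating per host rather than per flow is that each behavior alone is common in benign traffic; it is their combination that carries the risk signal, and the weights and threshold are the tuning knobs a deployment would calibrate against its own baseline.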