Title CYBER SECURITY ADAPTIVE ANALYTICS THREAT MONITORING SYSTEM AND METHOD
Abstract A system and method of detecting command and control behavior of malware on a client computer is disclosed. One or more DNS messages from one or more client computers to a DNS server are monitored to determine a risk that any of the client computers is communicating with a botnet. Real-time entity profiles are generated for at least one of: each client computer, each DNS query domain name, each resolved IP address of a query domain name, each client computer-query domain name pair, each pair of query domain name and corresponding resolved IP address, or each query domain name-IP address clique, based on each of the DNS messages. Using the real-time entity profiles, a risk that any of the client computers is infected by malware that uses DNS messages for command and control or for illegitimate data transmission is determined. One or more scores are generated representing the probability that each of the client computers is infected by such malware.
Publication number US2015195299(A1) Publication date 2015.07.09
Application number US201414149598 Filing date 2014.01.07
Applicant FAIR ISAAC CORPORATION Inventors Zoldi Scott;Athwal Jehangir;Li Hua;Kennel Matthew;Xue Xinwei
IPC classes H04L29/06;H04L29/08 Main class H04L29/06
Agency (none listed) Agent (none listed)
Main claim 1. A method of detecting command and control behavior of malware on a client computer, the method comprising: monitoring one or more domain name system (DNS) messages from one or more client computers to a DNS server to determine a risk that one or more client computers is communicating with a botnet, each of the one or more client computers having an IP address; generating real-time entity profiles for at least one of each of the one or more client computers, DNS domain query names, resolved IP addresses of query domain names, client computer-query domain name pairs, pairs of query domain name and corresponding resolved IP address, or query domain name-IP address cliques based on each of the one or more DNS messages; determining, using the real-time entity profiles, a risk that any of the one or more client computers is infected by malware that utilizes DNS messages for command and control or illegitimate data transmission purposes; and generating, using real-time calibration profiles to determine the risk, one or more scores representing probabilities that one or more client computers is infected by malware associated with the botnet.
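The abstract and the main claim both describe the same pipeline: keep a running profile per entity (client, query name, resolved IP, client-qname pair, qname-IP clique) as each DNS message arrives, then turn the profiles into a per-client infection score. The following is an added illustration written for this page; it is not Fair Isaac's implementation and does not reproduce the patent's calibration profiles. The log line format, the three features (NXDOMAIN rate, label entropy, clique size) and the score weights are all assumptions chosen for the example, and the sample log is constructed, not captured traffic.

```python
"""Added example for this page: per-entity DNS profiling and a toy risk score.

Illustrative code written for this page, not Fair Isaac's implementation.
The log format, the features and the score weights are assumptions; the
patent's "real-time calibration profiles" are not reproduced.
"""
import math
from collections import defaultdict

# Constructed sample DNS log, one "client qname rcode answer" record per
# line ("-" = no answer). Not real traffic: 10.0.0.9 imitates a DGA client
# cycling random labels onto two C2 addresses (TEST-NET ranges throughout).
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR 93.184.216.34
10.0.0.5 mail.example.com NOERROR 93.184.216.35
10.0.0.7 www.example.com NOERROR 93.184.216.34
10.0.0.9 qzxk4v1r9p2m.info NOERROR 198.51.100.7
10.0.0.9 lk3j9f0sdqw1.info NXDOMAIN -
10.0.0.9 p0o9i8u7y6t5.info NXDOMAIN -
10.0.0.9 m4n5b6v7c8x9.info NOERROR 198.51.100.7
10.0.0.9 z1x2c3v4b5n6.biz NOERROR 198.51.100.8
10.0.0.9 a9s8d7f6g5h4.biz NXDOMAIN -
10.0.0.9 q1w2e3r4t5y6.biz NOERROR 198.51.100.7
10.0.0.9 qzxk4v1r9p2m.info NOERROR 198.51.100.8
10.0.0.7 cdn.example.net NOERROR 203.0.113.20
"""


def label_entropy(qname):
    """Shannon entropy (bits/char) of the leftmost label; high values are a
    cheap signal for algorithmically generated names."""
    label = qname.split(".")[0]
    if not label:
        return 0.0
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class DnsProfiler:
    """Running profiles for clients, query names, resolved IPs, client-qname
    pairs and qname-IP cliques, updated one DNS message at a time."""

    def __init__(self):
        self.clients = defaultdict(lambda: {"total": 0, "nxdomain": 0, "qnames": set(),
                                            "ips": set(), "entropy_sum": 0.0})
        self.qnames = defaultdict(lambda: {"clients": set(), "ips": set()})
        self.ips = defaultdict(lambda: {"qnames": set(), "clients": set()})
        self.pairs = defaultdict(int)   # (client, qname) -> query count (beaconing signal)
        self._parent = {}               # union-find over "q:<name>" / "ip:<addr>" nodes

    def _find(self, x):
        self._parent.setdefault(x, x)
        while self._parent[x] != x:
            self._parent[x] = self._parent[self._parent[x]]  # path compression
            x = self._parent[x]
        return x

    def observe(self, client, qname, rcode, answer):
        """Update every profile touched by one DNS message."""
        qname = qname.lower().rstrip(".")
        c = self.clients[client]
        c["total"] += 1
        c["qnames"].add(qname)
        c["entropy_sum"] += label_entropy(qname)
        if rcode == "NXDOMAIN":
            c["nxdomain"] += 1
        self.qnames[qname]["clients"].add(client)
        self.pairs[(client, qname)] += 1
        if answer != "-":
            c["ips"].add(answer)
            self.qnames[qname]["ips"].add(answer)
            self.ips[answer]["qnames"].add(qname)
            self.ips[answer]["clients"].add(client)
            # A qname resolving to several IPs merges their cliques (fast-flux style).
            ra, rb = self._find("q:" + qname), self._find("ip:" + answer)
            if ra != rb:
                self._parent[rb] = ra

    def clique_of_ip(self, ip):
        """All qnames and IPs connected to `ip` through shared resolutions."""
        root = self._find("ip:" + ip)
        members = [n for n in self._parent if self._find(n) == root]
        return {"qnames": {m[2:] for m in members if m.startswith("q:")},
                "ips": {m[3:] for m in members if m.startswith("ip:")}}

    def score_client(self, client):
        """Toy probability that `client` is botnet-infected. Weights are
        assumed for this example, not calibrated from labelled data."""
        c = self.clients[client]
        nx_rate = c["nxdomain"] / c["total"]
        entropy_excess = max(0.0, c["entropy_sum"] / c["total"] - 2.5)
        clique_size = max((len(self.clique_of_ip(ip)["qnames"]) for ip in c["ips"]), default=0)
        z = -4.0 + 4.0 * nx_rate + 2.0 * entropy_excess + 0.8 * math.log1p(clique_size)
        return 1.0 / (1.0 + math.exp(-z))

    def rank_clients(self):
        """Clients ordered from most to least suspicious."""
        return sorted(((cl, self.score_client(cl)) for cl in self.clients), key=lambda t: -t[1])


def profile_log(text):
    """Feed each log line through the profiler in arrival order."""
    p = DnsProfiler()
    for line in text.splitlines():
        if line.strip():
            p.observe(*line.split())
    return p


if __name__ == "__main__":
    for client, score in profile_log(SAMPLE_LOG).rank_clients():
        print(f"{client:10s} infected-probability={score:.3f}")
```

The clique profile is what separates this from a per-query blocklist: the DGA client's random labels would each look like a one-off, but because they share two resolved addresses (and one name resolves to both), union-find collapses them into a single four-name clique that every member query inherits. The logistic score is only a placeholder for the patent's calibrated scoring; in practice the weights would be fit on labelled traffic and the NXDOMAIN and entropy baselines made per-client rather than fixed.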
Address San Jose CA US