CN104067280B - System and method for detecting a malicious command and control channel - Google Patents
System and method for detecting a malicious command and control channel
- Publication number
- CN104067280B (application CN201280053582.9A)
- Authority
- CN
- China
- Prior art keywords
- fraction
- connection
- calculating
- repetition
- detection
- Prior art date
- Legal status
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/144—Detection or countermeasures against botnets
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
A method is provided in one example embodiment that includes detecting repeated connections from a source node to a destination node, calculating a score for the source node based on the connections, and taking a policy action if the score exceeds a threshold score. In more particular embodiments, the repeated connections use the hypertext transfer protocol and may include connections to a small number of unique domains, connections to a small number of unique resources associated with the destination node, and/or a large number of connections to resources in a domain. Moreover, heuristics may be used to score the source node and to identify behavior indicative of a threat, such as a bot or other malware.
Description
Technical Field
This specification relates generally to network security and, more particularly, to a system and method for detecting a malicious command and control channel.
Background
The field of network security has become increasingly important in today's society. The Internet enables the interconnection of different computer networks all over the world. However, the ability to effectively protect and maintain stable computers and systems presents a significant obstacle for component manufacturers, system designers, and network operators. This obstacle is made even more complicated by the continually evolving array of tactics employed by malicious operators. Once certain types of malicious software have infected a host computer, they may also be able to perform any number of hostile, intrusive, or annoying actions, such as sending out spam or malicious email from the host computer, stealing sensitive information from a business or individual associated with the host computer, propagating to other host computers, and/or assisting with distributed denial of service attacks. In addition, a malicious operator can sell or otherwise grant access to other malicious operators, thereby escalating the exploitation of the host computers. Thus, significant challenges remain for developing innovative tools to combat tactics that allow malicious operators to exploit computers.
Brief Description of the Drawings
To provide a more complete understanding of the present disclosure and its features and advantages, reference is made to the following description, taken in conjunction with the accompanying figures, in which like reference numerals represent like parts, and in which:
FIG. 1 is a simplified block diagram illustrating an example embodiment of a network environment in which malicious command and control channels may be detected according to this specification;
FIG. 2 is a simplified block diagram illustrating additional details that may be associated with the network environment;
FIG. 3 is a simplified flowchart illustrating potential operations that may be associated with the network environment;
FIG. 4 is a simplified flowchart illustrating additional operations that may be associated with the network environment; and
FIG. 5 is a simplified flowchart illustrating yet other operations that may be associated with the network environment.
Detailed Description
Overview
A method is provided in one example embodiment that includes detecting repeated connections from a source node to a destination node, calculating a score for the source node based on the connections, and taking a policy action if the score exceeds a threshold score.
In more particular embodiments, the repeated connections use the hypertext transfer protocol and may include connections to a small number of unique domains, connections to a small number of unique resources associated with the destination node, and/or a large number of connections to resources in a domain. Moreover, heuristics may be used to score the source node and to identify behavior indicative of a threat, such as a bot or other malware.
Example Embodiments
Turning to FIG. 1, FIG. 1 is a simplified block diagram of an example embodiment of a network environment 100 in which malicious command and control channels may be detected. Network environment 100 may include a local area network 105 with nodes such as hosts 110a-110d, which may be connected to the Internet 115 through a sensor 120 having a botnet detection module 122. A node is generally any system, machine, device, network element, client, server, peer, service, application, or other object capable of sending and receiving data over a network. Links between nodes in network environment 100 represent any medium through which two nodes may communicate. The medium may be a tangible medium, such as a wire or fiber-optic cable, or an intangible medium, such as radio waves for wireless communication.
Thus, each of hosts 110a-110d may communicate with one another and with remote nodes connected to Internet 115, such as a web server 125 or a mail server 130. Hosts 110a-110d may also exchange email messages with a remote host 135, for example through mail server 130. In general, hosts 110a-110d may be any type of node capable of running programs and interacting with an operator. In its most common sense, a host generally includes an attached input device and an attached output device, but may additionally or alternatively include an interface for interacting remotely with an operator. For example, a host may be a desktop computer, a workstation computer, a server, a laptop, a tablet computer (e.g., an iPad), or a mobile phone (e.g., an iPhone). In this example network environment 100, a host such as host 110b may be compromised by a bot 140, which generally represents any malicious software ("malware") that may be under the control of remote software, a device, a machine, or a system, such as a command and control (C&C) server 145.
Each of the elements of FIG. 1 may couple to one another through simple network interfaces or through any other suitable connection (wired or wireless), which provides a viable pathway for network communications. Additionally, any one or more of these elements may be combined with or removed from the architecture based on particular configuration needs. Network environment 100 may include a configuration capable of transmission control protocol/Internet protocol (TCP/IP) communications for the transmission or reception of packets in a network. Network environment 100 may also operate in conjunction with a user datagram protocol/IP (UDP/IP) or any other suitable protocol where appropriate and based on particular needs.
For purposes of illustrating the techniques of a system and method for detecting malicious command and control channels (such as may be used by web-based botnets), it is important to understand certain activities occurring within a given network. The following foundational information may be viewed as a basis from which the present disclosure may be properly explained. Such information is offered for purposes of explanation only and, accordingly, should not be construed in any way to limit the broad scope of the present disclosure and its potential applications.
Typical network environments used in organizations and by individuals include the ability to communicate electronically with other networks. For example, the Internet may be used to access web pages hosted on remote servers, to send or receive electronic mail (i.e., email) messages, or to exchange files. However, new tactics for interfering with normal operations and gaining access to confidential information continue to emerge. Threats include any activity capable of interfering with the normal operation of a computer or network through unauthorized access to computers, networks, and/or data; unauthorized destruction, disclosure, and/or modification of data; and/or denial of service.
Botnets in particular represent an increasing threat to computer security. In many cases, they employ sophisticated attack schemes that include a combination of well-known and new vulnerabilities. Botnets generally use a client-server architecture, in which a type of malicious software (i.e., a bot) is placed on a host computer and communicates with a command and control server, which may be controlled by a botnet operator. Usually, a botnet is composed of a large number of bots that are controlled by the operator using a command and control protocol through various channels, including Internet Relay Chat (IRC) and peer-to-peer (P2P) communication. A bot may receive commands from the command and control server to perform particular malicious activities and, accordingly, may execute such commands. A bot may also send any results or stolen information back to the command and control server.
A botnet attack generally follows the same lifecycle. First, a host (e.g., a desktop computer) may be compromised by malware. "Malware" is commonly used as a label for any hostile, intrusive, or annoying software, such as a computer virus, Trojan, worm, bot, spyware, adware, etc., but may also include other malicious software. The malware may subvert the compromised host, giving the bot operator control over it. The bot operator may then use such computers for malicious activity, such as a denial of service attack. In addition to receiving commands to perform malicious activities, a bot also typically includes one or more propagation vectors that enable it to spread within an organization's network or across other networks to other organizations or individuals. Common propagation vectors include exploiting known vulnerabilities on hosts within the local network and sending malicious emails having a malicious program attached or providing malicious links within those emails.
Existing firewall and network intrusion prevention technologies are generally insufficient to recognize and contain many botnets. Bots are often designed to initiate communication with the command and control server and to masquerade as normal web browser traffic. Modern botnets, including advanced persistent threats (APTs), may use steganographic techniques to hide in plain sight, such as a command and control protocol that makes the bot appear to be making normal network connections to a web server. For example, a bot may use a port that is typically used for communicating with a web server. Such communications can be very difficult for an administrator to distinguish from legitimate network traffic. Consequently, such bots may go undetected by existing technologies unless more detailed packet inspection of the web traffic is performed. Moreover, once a bot is discovered, the botnet operator may simply find another way for the bot to disguise its network traffic so that it continues to appear as normal web traffic. More recently, botnet operators have also crafted bots to use encryption protocols such as secure sockets layer (SSL), thereby encrypting the malicious network traffic. Such encrypted traffic may use the hypertext transfer protocol secure (HTTPS) port so that only the endpoints involved in the encrypted session can decrypt the data. Thus, existing firewalls and other network intrusion prevention technologies are unable to perform any meaningful inspection of the web traffic. Consequently, bots continue to infect host computers within networks.
Some reputation systems may also offer a viable defense against particular botnets. In general, a reputation system monitors activity and assigns a reputation value or score based on past behavior. The reputation value may indicate different levels of trustworthiness on a spectrum from benign to malicious. For example, a connection reputation value (e.g., minimal risk, unverified, high risk, etc.) may be computed for a network address based on network connections made with the address or email originating from the address, where "network address" is used in a broad sense to include any form of addressing a node or resource, including, for example, a media access control (MAC) address, an IP address, or a domain name. A connection reputation system may be used to reject email or network connections with network addresses having an unacceptable connection reputation, such as one indicating that an IP address is known to be, or is likely to be, associated with malicious activity. Other reputation systems may block the activity of applications having hashes known to be, or likely to be, associated with malicious activity.
However, a connection reputation lookup is generally only effective for providing protection against malware or botnets that have some history, and may not provide an effective defense against zero-day threats. For example, a domain name with little or no history may be created by registering the domain name with a registrar accredited by the Internet Corporation for Assigned Names and Numbers (ICANN). Thus, a bot operator may register a new, seemingly harmless domain name (e.g., "futbol.com") and use plain hypertext transfer protocol (HTTP) connections to exchange information between the bot and a web-based command and control server using the new domain name. Because the domain name is new and may have no reputation, a reputation system may be unable to distinguish such traffic from legitimate traffic.
Other security techniques that focus on preventing unauthorized program files from executing on a host computer may have undesirable side effects for end users or for employees of enterprises or other organizational entities. Network or information technology (IT) administrators may be tasked with crafting extensive policies relevant to all aspects of the enterprise entity to enable employees to obtain software and other electronic data from desirable and trusted network resources. Without extensive policies in place, employees may be prevented from downloading software and other electronic data from network resources that are not specifically authorized, even if such software and other data facilitate legitimate and necessary business activities. In addition, such systems may be so restrictive that, if unauthorized software is found on a host computer, any host computer activity may be suspended pending network administrator intervention. For an enterprise, this type of system can interfere with legitimate and necessary business activities, resulting in worker downtime, lost revenue, significant information technology overhead, and the like.
In accordance with embodiments disclosed herein, network environment 100 can overcome these shortcomings (and others) by detecting malicious command and control channels. In particular, network environment 100 may provide behavioral analysis, logic, and heuristics to detect botnets (including APTs) and other threats at day zero. Moreover, network environment 100 can detect botnets that attempt to hide in plain sight, without any need for signature updates.
In certain embodiments, for example, a sensor (e.g., in an intrusion prevention system, firewall, gateway, etc.) may look for repeated HTTP connections from a host while that host is idle (even at a low/stealthy rate). A host is presumed idle in this context if no operator is actively using it during a given period of time, such as a one- to two-hour window at night or over a weekend. Once such repeated HTTP connections are identified, they may be scored heuristically, and appropriate action may be taken based on policy and on the confidence level associated with the score. For example, the host may be quarantined, or an alert carrying the associated confidence level may be sent to an administrator. Embodiments disclosed and described herein can provide a high rate of bot detection for behavior that is difficult for malware developers to evade, together with a high confidence level for that detection.
Hosts generating repeated HTTP connections may be detected while ensuring that the hosts are otherwise idle or sleeping, to exclude connections created by user activity. A legitimate user (i.e., a person) typically does not open a browser and repeatedly generate traffic only to a particular file without also connecting to other domains and/or other files on the same domain. For example, even when visiting a relatively simple web page (e.g., google.com), a browser usually connects to a large number of files in that domain. Web sites rarely have only a single page without embedded scripts or images that a user would refresh/reload repeatedly. Thus, in one embodiment of network environment 100, a host may be identified as having suspicious repeated connections when the host has connected to a large number of resources X (e.g., X ≥ 10) but the total number of unique domains Y is a small number (e.g., Y ≤ 5) and the total number of unique file paths Z for at least one of those domains is a small number (e.g., Z ≤ 5). An eight-hour window during which the host is idle may be used to detect even stealthy bots, but shorter or longer time windows may be appropriate for some environments.
Additional heuristics may be applied to traffic from such hosts having suspicious, repeated HTTP connections (which are otherwise idle or sleeping) to reduce false positives and to increase the confidence of positive detections. For example, a scoring system may be used to indicate a low, medium, or high confidence level.
Turning to FIG. 2, FIG. 2 is a simplified block diagram illustrating additional details that may be associated with an example environment of sensor 120. Sensor 120 may include a processor 205, a memory element 210, and various hardware and/or software elements. More particularly, sensor 120 may include botnet detection module 122, which may provide a connection monitor 215, a behavioral analysis module 220, and a scoring engine 225. Botnet detection module 122 may further include various data elements, including a whitelist 230, a blacklist 235, an ignore list 240, a tracking list 245, and a graylist 250.
Where appropriate and based on particular needs, sensor 120 may keep information in any suitable memory element (e.g., random access memory (RAM), read-only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), application-specific integrated circuit (ASIC), etc.), software, hardware, or in any other suitable component, device, element, or object. Any of the memory items discussed herein (e.g., memory 210) should be construed as being encompassed within the broad term "memory element." Information being tracked or sent by sensor 120 (e.g., whitelist 230, blacklist 235, etc.) may be provided in any database, register, queue, table, control list, or storage structure, all of which can be referenced at any suitable timeframe. Any such storage options may be included within the broad term "memory element" as used herein.
In certain example implementations, the functions outlined herein may be implemented by logic encoded in one or more tangible media (which may include non-transitory media), such as embedded logic provided in an ASIC, digital signal processor (DSP) instructions, software (potentially including object code and source code) to be executed by a processor or other similar machine, etc. In some of these instances, a memory element (as shown in FIG. 2) can store data used for the operations described herein. This includes the memory element being able to store software, logic, code, or processor instructions that are executed to carry out the activities described herein.
A processor can execute any type of instructions associated with the data to achieve the operations detailed herein. In one example, a processor (as shown in FIG. 2) could transform an element or an article (e.g., data) from one state or thing to another state or thing. In another example, the activities outlined herein may be implemented with fixed logic or programmable logic (e.g., software/computer instructions executed by a processor), and the elements identified herein could be some type of programmable processor, programmable digital logic (e.g., a field programmable gate array (FPGA), an EPROM, an EEPROM), or an ASIC that includes digital logic, software, code, electronic instructions, or any suitable combination thereof. Any of the potential processing elements, modules, and machines described herein should be construed as being encompassed within the broad term "processor." Each of the network elements can also include suitable interfaces for receiving, transmitting, and/or otherwise communicating data or information in a network environment.
In one example implementation, sensor 120 is a network element, which is meant to encompass any network appliance, server, router, switch, gateway, bridge, load balancer, firewall, intrusion prevention system, processor, module, or any other suitable device, component, element, or object operable to exchange information in a network environment. Network elements may include any suitable hardware, software, components, modules, interfaces, or objects that facilitate their operations. This may include appropriate algorithms and communication protocols that allow for the effective exchange of data or information.
In one example implementation, sensor 120 may include software (e.g., botnet detection module 122) to achieve, or to facilitate, the operations outlined herein. In other embodiments, such operations may be carried out by hardware, implemented externally to these elements, or included in some other network device to achieve the intended functionality. Alternatively, these elements may include software (or reciprocating software) that can coordinate in order to achieve the operations, as outlined herein. In still other embodiments, one or all of these devices may include any suitable algorithms, hardware, software, components, modules, interfaces, or objects that facilitate their operations.
FIG. 3 is a simplified flowchart 300 illustrating potential operations for identifying network connections that use a given protocol, which may be associated with an example environment of network environment 100. In some embodiments, such operations may be implemented by sensor 120 (e.g., a botnet detection module including connection monitor 215, behavioral analysis module 220, scoring engine 225, etc.) to identify connections using HTTP.
In general, HTTP facilitates the exchange of data between a client and a server attached to a network. As commonly implemented, HTTP is a request/response application-level protocol that may use a transport-layer protocol such as TCP to create a connection and transfer data between two network nodes, such as a client and a server, each having a unique network address. In this context, a "server" may be any node (or software component of a node) in a network that provides resources to other nodes. A "client" may be any node (or software component of a node) in a network that requests resources. Thus, a client (also known as a "user agent") may establish a connection to a server (typically on a well-known port) and use the connection to request a resource from the server. The server may monitor the connection and send a response after receiving the request. The response may include the requested resource, an error message, or other information.
Many types of resources, including documents, images, programs, and services, are generally available via HTTP. In general, a resource is any object, data, information, service, or other abstraction that can be identified and accessed over a network connection. A resource may be identified by any string of characters and/or numbers, such as a uniform resource identifier (URI) scheme. URIs may be classified as locators, names, or both. A uniform resource name (URN) is one example of a resource identifier that can identify a resource by a unique name within a given namespace, while a uniform resource locator (URL) is an example of a resource identifier that can specify the location of a resource. A URI may also specify a mechanism (e.g., a protocol) for retrieving the resource. URI schemes are usually designed to work with a particular protocol. A common URL scheme for unambiguously identifying a network resource consists, for example, of a service identifier (e.g., "HTTP") followed by a service resource, which may be a host name (or IP address), combined with a path to the resource (e.g., a file or program). The top of the path is generally referred to as the "root," and a resource at the root is referred to herein as a "root resource." Parameters may also be included in some identifiers, such as an HTTP URL for a program.
As used herein, a "source" includes any client, host, or other node that may initiate a connection with another node through sensor 120. Connections or other activity of a source may be tracked in various types of lists, tables, or similar structures to facilitate the additional operations described herein. For example, a whitelist (e.g., whitelist 230) may identify sources that have been determined to be legitimate and safe, while a blacklist (e.g., blacklist 235) may identify sources previously determined to be malicious. An ignore list (e.g., ignore list 240) may identify sources that exhibit some suspicious connection patterns but also exhibit some activity indicative of legitimate activity. A graylist (e.g., graylist 250) may identify sources exhibiting suspicious connection patterns or other activity that warrants further behavioral analysis. A tracking list (e.g., tracking list 245) may identify sources exhibiting suspicious connection patterns or other activity that are not identified in another list (e.g., not previously identified).
Referring again to FIG. 3, in one example embodiment, connection monitor 215 may monitor and inspect packets at 305. If a packet indicates a connection using the hypertext transfer protocol (HTTP) at 310, the source of the connection may be identified at 315. The source may be compared with the ignore list at 320, the blacklist at 325, the whitelist at 330, and the tracking list at 335. If the source is not identified in any of these lists, the source may be added to the tracking list at 340, such as by adding the network address of the source. Other information associated with the connection may also be added, such as the URI, URL, URN, network address, host name, or other identifier associated with the destination.
FIG. 4 is a simplified flowchart 400 illustrating potential operations for identifying idle sources that generate repeated connections using the hypertext transfer protocol without an active user, which may be associated with an example embodiment of network environment 100. In some embodiments, such operations may be implemented by sensor 120 (e.g., a botnet detection module including connection monitor 215, behavioral analysis module 220, scoring engine 225, etc.).
At 405, for each source in a tracking list (e.g., tracking list 245), a number of metrics may be examined to identify HTTP connections that are not generated by a human user. As a threshold matter, the number of connections made by the source may be examined to ensure that the source has generated a sufficient amount of traffic. In certain embodiments, the number of connections may be measured by counting the number of resource identifiers (e.g., URIs) requested by the source. If the number of resource identifiers (e.g., the "URI count") does not exceed a threshold X at 410, the activity may be insufficient to determine with the desired confidence level whether the source is idle. If, however, the number of resource identifiers does exceed threshold X at 410, additional metrics may be measured to determine whether the source is idle and whether the traffic is generated by a non-human user.
For example, bots typically connect to only a small number of domains. Thus, if the number of connections made to unique domains (i.e., the "unique domain count") exceeds a configurable threshold Y at 415, the activity may be indicative of legitimate user (i.e., human) activity. The source may be removed from the tracking list at 420 and added to an ignore list (e.g., ignore list 240) with a time-to-live (TTL) of T1. If the unique domain count does not exceed Y at 415, the activity may be indicative of malware or system-generated activity.
Because bots typically connect to only a small number of resources in the domain of the command and control server, an additional metric may include the total number of unique resource identifiers requested in a given domain. However, some bots may attempt to conceal this behavior by varying parameters in the identifier (e.g., in a URI or URL). In certain embodiments, such tactics may be countered by computing a hash value (e.g., a "URI hash") for each resource identifier after removing the parameter values. Thus, at 425, for each unique domain to which the source connected, a URI hash may be computed at 430. If the number of unique URI hashes is below a threshold Z at 435, the source may be added to a graylist (e.g., graylist 250) at 440 for further examination. If the number of unique URI hashes is not less than threshold Z, the activity may be indicative of a legitimate process (e.g., a script), and the source may be removed from the tracking list at 420 and added to the ignore list (e.g., ignore list 240) with a TTL of T2.
Thresholds X, Y, and Z are generally configurable, but may be selected to adjust sensitivity. For example, increasing the value of X should reduce false alarms, but also decreases sensitivity. Thresholds of X ≥ 10, 1 ≤ Y ≤ 5, and 1 ≤ Z ≤ 5, respectively, may be appropriate in many embodiments. TTL values T1 and T2 may also be configurable, but values of one hour and four hours, respectively, may be appropriate in many embodiments.
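The list handling of FIG. 3 and the X/Y/Z tests of FIG. 4, written out as an added Python example; this is not code from the patent or from any product implementing it. It assumes connection observations arrive as (source address, requested URL) pairs already restricted to the idle window described earlier, and that deciding whether a source is idle happens outside this code. The class, function and constant names, the choice of SHA-256 for the URI hash, the `.invalid` domains and the sample traffic are all constructed for illustration.

```python
import hashlib
import time
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Thresholds and TTLs from the description: X >= 10, 1 <= Y <= 5, 1 <= Z <= 5,
# T1 = one hour, T2 = four hours. The constant names are mine.
X_URI_COUNT = 10
Y_UNIQUE_DOMAINS = 5
Z_UNIQUE_URI_HASHES = 5
T1_SECONDS = 3600
T2_SECONDS = 4 * 3600


def uri_hash(url):
    """Hash a URL with its query parameter *values* stripped (names and path kept),
    so a bot that only rotates ?id=1, ?id=2, ... collapses to a single hash.
    SHA-256 is an assumption; the page does not name a hash function."""
    parts = urlsplit(url)
    names = sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    canonical = f"{parts.netloc.lower()}{parts.path}?{'&'.join(names)}"
    return hashlib.sha256(canonical.encode()).hexdigest()


class ConnectionTracker:
    """Sensor-side state from FIG. 2: whitelist, blacklist, ignore list (with
    expiry), tracking list and graylist."""

    def __init__(self, whitelist=(), blacklist=(), now=time.time):
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self.ignore = {}                    # source -> expiry timestamp
        self.tracking = defaultdict(list)   # source -> requested URLs
        self.graylist = set()
        self.now = now                      # injectable clock for testing

    def observe(self, source, url):
        """FIG. 3: on an HTTP connection, identify the source and record it on the
        tracking list unless the ignore, black or white list already covers it."""
        if source in self.ignore:
            if self.ignore[source] > self.now():
                return "ignored"
            del self.ignore[source]         # TTL expired: track this source again
        if source in self.blacklist:
            return "blacklisted"
        if source in self.whitelist:
            return "whitelisted"
        self.tracking[source].append(url)
        return "tracked"

    def _ignore(self, source, ttl):
        self.ignore[source] = self.now() + ttl
        self.tracking.pop(source, None)

    def evaluate(self):
        """FIG. 4: apply the URI-count, unique-domain and URI-hash tests to every
        tracked source. Run only over traffic captured while the source was idle."""
        verdicts = {}
        for source, urls in list(self.tracking.items()):
            if len(urls) <= X_URI_COUNT:                # 410: too little traffic
                verdicts[source] = "insufficient"
                continue
            hashes_by_domain = defaultdict(set)
            for u in urls:
                hashes_by_domain[urlsplit(u).netloc.lower()].add(uri_hash(u))
            if len(hashes_by_domain) > Y_UNIQUE_DOMAINS:   # 415: a person browsing
                self._ignore(source, T1_SECONDS)
                verdicts[source] = "legitimate-user"
            elif any(len(h) < Z_UNIQUE_URI_HASHES
                     for h in hashes_by_domain.values()):   # 435: very few resources
                self.graylist.add(source)
                verdicts[source] = "graylisted"
            else:                                       # many distinct paths: a script
                self._ignore(source, T2_SECONDS)
                verdicts[source] = "legitimate-process"
        return verdicts


def run_sample():
    """Constructed traffic from four LAN hosts during an assumed idle window."""
    t = ConnectionTracker(whitelist={"10.0.0.2"}, now=lambda: 1_000_000.0)
    for i in range(12):   # beacon: one page, only the parameter value changes
        t.observe("10.0.0.7", f"http://c2-example.invalid/gate.php?id={i}")
    for i in range(12):   # person: twelve requests spread over seven domains
        t.observe("10.0.0.8", f"http://site{i % 7}.invalid/index.html")
    for i in range(12):   # updater script: eight distinct paths on one domain
        t.observe("10.0.0.9", f"http://updates.invalid/pkg/{i % 8}/manifest")
    for i in range(3):    # too little traffic to judge
        t.observe("10.0.0.10", f"http://quiet.invalid/{i}")
    t.observe("10.0.0.2", "http://c2-example.invalid/gate.php?id=0")  # whitelisted
    return t.evaluate(), t


if __name__ == "__main__":
    verdicts, _ = run_sample()
    for src, verdict in sorted(verdicts.items()):
        print(f"{src:10} {verdict}")
```

The URI hash keeps parameter names but drops their values, which is exactly what defeats a beacon that only rotates an `id=` counter; a bot that rotates the path itself would instead produce many hashes and land on the ignore list as a "legitimate process", which is why the description chains the FIG. 5 scoring behind this stage rather than acting on it alone.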
FIG. 5 is a simplified flowchart 500 illustrating potential operations that may be associated with certain embodiments of network environment 100. In some embodiments, such operations may be implemented by sensor 120 (e.g., a botnet detection module including connection monitor 215, behavioral analysis module 220, scoring engine 225, etc.). The operations may include heuristics for scoring the suspicious activity of a source (such as the activity of a source added to the graylist in flowchart 400), thereby further increasing the confidence level and reducing false positives.
In the example operations of FIG. 5, the scoring system may be based on a numeric scale such as 0-8, where scores of 2, 4, and 8 correspond to low, medium, and high confidence levels, respectively. Thus, a high score of 8 or above may indicate few or no false positives, a medium score of 4-7 may imply the possibility of some false positives with higher sensitivity, and a low score of 3 or below may imply audit-level sensitivity (i.e., highly sensitive and prone to false positives). An additive scheme (e.g., low + low = medium and medium + medium = high) may be used in such embodiments, so that three sensitivity/confidence levels are available (e.g., low < 4, medium = 4-7, and high ≥ 8).
Thus, in FIG. 5, each source in the graylist (e.g., graylist 250) may be identified at 505. The activity of each source in the graylist may be scored using certain heuristics. The score for each source may initially be set to 0 at 510. The heuristics are generally highly configurable and dynamic, but may include, for example, determining at 515a whether the source connected to a recently registered domain, since using recently registered domains (e.g., registered within a period of a few days to a year) is common practice for bot operators. Thus, using the 0-8 scoring system described above, if the registration time of the domain is less than a threshold X, the score may be increased by 4 points at 515b, where the registration time may be determined by querying a WHOIS database, for example, and threshold X may be configured to adjust the sensitivity of the heuristic. A value of six months for X may be appropriate in many embodiments.
The content of a packet (or packets) may also be indicative of bot behavior. For example, HTTP requests and responses generally include header fields, such as a referer field and a user-agent field. The referer field may indicate the address of the previous resource from which the request originated, such as a web page linking to another resource. It is unusual for a browser to go directly to a non-root resource unless it is hard-coded (e.g., in a script or a bot) or redirected from another resource. Consequently, the referer field is frequently missing or empty in packets from a bot to a non-root resource, and if the referer field in a packet is missing and the requested URI is not the root at 520a, the score may be increased by 1-2 points at 520b. The user-agent field is used by many legitimate clients to identify themselves. Conversely, the user-agent field is frequently missing or unknown in requests sent by bots, and if the user-agent field is missing or unknown at 525a, the score may be increased by another 1-2 points at 525b. The number of header fields may also distinguish some malicious traffic from legitimate traffic. In HTTP, for example, header fields are generally terminated by a carriage return/line feed, so the number of header fields may be counted by counting the number of header lines. Bots using HTTP typically do not include many header fields, usually significantly fewer than legitimate clients. If the average number of request header lines is less than or equal to a threshold Y (where Y is a configurable parameter) at 530a, the score may be increased by yet another 1-2 points at 530b. A value of 5 may be an appropriate value for Y in many embodiments. Bots frequently send keep-alive messages with nearly empty response pages, which are quite unlike the large web pages (typically larger than 1 kB) returned by normal web sites, so if the average body size of the responses is less than a configurable threshold Z (e.g., < 100 bytes), the score may also be increased by 1-2 points at 535b.
The reputation of the destination node may also significantly affect the score. Thus, a query may be sent to a reputation system, and the score may be adjusted accordingly based on the response from the reputation system. For example, if the destination is associated at 540a with a top-level domain in a zone having a poor reputation (e.g., .cn or .ru domains pointing to Chinese or Russian sites, which may be unusual in North America), the score may be increased by 4 points at 540b. If the address or domain of the destination is unverified at 545a, the score may be increased by 2 points at 545b. Similarly, if the address or domain of the destination is associated with a suspicious reputation at 555a, the score may be increased by 4 points at 555b. If the reputation of the address or domain is bad, repeated HTTP connections while the source is idle almost certainly indicate malicious bot activity, and the score may be increased by 8 points. If the host field is a public network address at 560a (i.e., it is numeric and not private (e.g., 172.16.x/192.16.x/10.x/127.x)), the score may be increased by a further 2-4 points at 560b.
If the score exceeds a configurable threshold at 565, such as 4 or 8 in the example embodiment of FIG. 5, appropriate policy-based action may be taken at 570. For example, appropriate actions may include blocking new connections from the source or to the destination, logging the activity for subsequent forensic analysis, or alerting an operator or administrator.
Because this is a scoring scale, the points and threshold levels for each heuristic are highly configurable. Some heuristics may be removed where appropriate, and others may be added, without departing from the scope of the teachings provided herein. The parameters used in such heuristics may also be modified for particular environments. For example, if numeric addresses are commonly used in the host field in a given environment, the points for the associated heuristic may be reduced to 0 (i.e., eliminating the heuristic). Moreover, although illustrated with reference to a particular protocol, the principles described herein may be readily adapted to detect command and control channels that use other protocols.
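The FIG. 5 scoring heuristics, with the per-heuristic weights and thresholds kept configurable as the preceding paragraph requires, as an added Python example; this is not code from the patent or from any product. It assumes the sensor has already collected the request headers and response sizes for one idle source talking to one destination, and that the WHOIS age and reputation verdict are supplied by lookups made elsewhere. The point weights are chosen inside the ranges the description gives, the parameter names replace the page's X, Y and Z, and the known user-agent prefixes, the risky-TLD set and the sample exchanges are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Parameters from the description (the page calls them X, Y and Z; names are mine):
# registration newer than six months, <= 5 request header lines, < 100-byte bodies.
REGISTRATION_DAYS = 180
MAX_HEADER_LINES = 5
MIN_BODY_BYTES = 100

# Point weights. Where the page gives a range (1-2 or 2-4 points) a value inside
# the range is chosen; every weight is meant to be tuned or zeroed per environment.
DEFAULT_WEIGHTS = {
    "recent_registration": 4, "missing_referer_nonroot": 2,
    "missing_or_unknown_user_agent": 2, "few_header_lines": 2,
    "small_responses": 2, "risky_tld": 4, "reputation_unverified": 2,
    "reputation_suspicious": 4, "reputation_bad": 8, "numeric_public_host": 3,
}
RISKY_TLDS = {"cn", "ru"}   # the page's North-American example; environment-specific
KNOWN_USER_AGENT_PREFIXES = ("Mozilla/", "Opera/")   # constructed "known" list
PRIVATE_NETS = [ipaddress.ip_network(n) for n in   # RFC 1918 ranges plus loopback
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Exchange:
    """One request/response pair from the idle source to the destination."""
    host: str              # Host header value
    path: str              # request target path
    headers: dict          # request header fields, lower-case names
    response_body_bytes: int


@dataclass
class DestinationIntel:
    """What the WHOIS and reputation lookups returned for the destination."""
    registration_age_days: Optional[int]   # None when unknown or no domain
    reputation: str                        # "good", "unverified", "suspicious" or "bad"


def numeric_public_host(host):
    """560a: True when the Host field is a literal IP outside the private ranges."""
    candidate = host.rsplit(":", 1)[0] if host.count(":") == 1 else host  # drop :port
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return False   # a host name, not a numeric address
    return not any(ip in net for net in PRIVATE_NETS)


def score_destination(exchanges, intel, weights=DEFAULT_WEIGHTS):
    """Apply the FIG. 5 heuristics to one (idle source, destination) pair; return
    the total score and the names of the heuristics that fired."""
    n = len(exchanges)
    hits = []
    age = intel.registration_age_days
    if age is not None and age < REGISTRATION_DAYS:                            # 515a
        hits.append("recent_registration")
    if any("referer" not in e.headers and e.path != "/" for e in exchanges):  # 520a
        hits.append("missing_referer_nonroot")
    if any(not e.headers.get("user-agent", "").startswith(KNOWN_USER_AGENT_PREFIXES)
           for e in exchanges):                                                 # 525a
        hits.append("missing_or_unknown_user_agent")
    if sum(len(e.headers) for e in exchanges) / n <= MAX_HEADER_LINES:         # 530a
        hits.append("few_header_lines")
    if sum(e.response_body_bytes for e in exchanges) / n < MIN_BODY_BYTES:     # 535b
        hits.append("small_responses")
    host = exchanges[0].host.lower()
    if host.rsplit(".", 1)[-1] in RISKY_TLDS:                                   # 540a
        hits.append("risky_tld")
    if intel.reputation in ("unverified", "suspicious", "bad"):                 # 545a/555a
        hits.append("reputation_" + intel.reputation)
    if numeric_public_host(host):                                               # 560a
        hits.append("numeric_public_host")
    return sum(weights[h] for h in hits), hits


def confidence(score):
    """The page's bands: low < 4, medium 4-7, high >= 8."""
    return "high" if score >= 8 else "medium" if score >= 4 else "low"


def sample_beacon_score():
    """Constructed beaconing: three bare requests to a literal documentation-range
    address, one header line each, 12-byte replies, destination unverified."""
    beacons = [Exchange("203.0.113.45", "/gate.php", {"host": "203.0.113.45"}, 12)
               for _ in range(3)]
    return score_destination(beacons, DestinationIntel(None, "unverified"))


def sample_browser_score():
    """Constructed browsing: referer and user-agent present, eight header fields,
    45 kB pages, a long-registered domain with good reputation."""
    hdrs = {"host": "news.example", "user-agent": "Mozilla/5.0 (constructed)",
            "referer": "http://news.example/", "accept": "text/html", "accept-language": "en",
            "accept-encoding": "gzip", "connection": "keep-alive", "cookie": "s=constructed"}
    loads = [Exchange("news.example", p, hdrs, 45000) for p in ("/", "/world", "/tech")]
    return score_destination(loads, DestinationIntel(3000, "good"))
```

`score_destination` returns the list of heuristics that fired alongside the total, so that an alert at the 4 or 8 threshold can state why it fired; an environment where literal addresses in the Host field are normal would set `numeric_public_host` to 0 in the weights dictionary, as the paragraph above describes, rather than edit the logic.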
Network environment 100 may provide significant advantages, some of which have already been discussed. For example, network environment 100 can provide near real-time detection of zero-day bots (i.e., bots not previously deployed) and APTs at a high detection rate (including detection of stealthy bots with low activity), while greatly reducing or eliminating false positives. Moreover, network environment 100 is proactive and requires no signatures, having a behavioral approach that does not need frequent updates or maintenance. Network environment 100 is also highly configurable, yet provides strong default parameters that do not require complex configuration.
In the examples provided above, as well as in numerous other potential examples, interaction may be described in terms of two, three, or four network elements. However, this has been done for purposes of clarity and example only. In certain cases, it may be easier to describe one or more of the functionalities of a given set of operations by referencing only a limited number of network elements. It should be appreciated that network environment 100 is readily scalable and can accommodate a large number of components, as well as more complicated/sophisticated arrangements and configurations. Accordingly, the examples provided should not limit the scope or inhibit the broad teachings of network environment 100 as potentially applied to a myriad of other architectures. Additionally, although described with reference to particular scenarios, where a particular module is provided within a network element, these modules can be provided externally, or consolidated and/or combined in any suitable fashion. In certain instances, such modules may be provided in a single proprietary unit.
It is also important to note that the steps in the appended diagrams illustrate only some of the possible scenarios and patterns that may be executed by, or within, network environment 100. Some of these steps may be deleted or removed where appropriate, or these steps may be modified or changed considerably without departing from the scope of the teachings provided herein. In addition, a number of these operations have been described as being executed concurrently with, or in parallel to, one or more additional operations. However, the timing of these operations may be altered considerably. The preceding operational flows have been offered for purposes of example and discussion. Substantial flexibility is provided in that any suitable arrangements, chronologies, configurations, and timing mechanisms may be provided without departing from the teachings provided herein.
Numerous other changes, substitutions, variations, alterations, and modifications may be ascertained by one skilled in the art, and it is intended that the present disclosure encompass all such changes, substitutions, variations, alterations, and modifications as falling within the scope of the appended claims. In order to assist the United States Patent and Trademark Office (USPTO) and, additionally, any readers of any patent issued on this application in interpreting the claims appended hereto, Applicant wishes to note that the Applicant: (a) does not intend any of the appended claims to invoke paragraph six (6) of 35 U.S.C. section 112 as it exists on the date of the filing hereof unless the words "means for" or "step for" are specifically used in the particular claims; and (b) does not intend, by any statement in the specification, to limit this disclosure in any way that is not otherwise reflected in the appended claims.
Claims (23)
1. A method for network security, comprising:
detecting repeated connections from an idle source node to a destination node;
calculating a score for the idle source node based on the behavior of the repeated connections;
taking a policy action if the score exceeds a threshold,
wherein detecting the repeated connections comprises:
detecting connections to more than X addresses;
detecting connections to fewer than Y unique addresses within a predetermined period of time; and
detecting connections to fewer than Z unique resource identifiers associated with at least one of the unique addresses;
wherein X, Y and Z are parameters indicative of a pattern consistent with repeated connections not generated by a human user.
2. The method of claim 1, wherein the repeated connections use the hypertext transfer protocol.
3. The method of claim 1, wherein X is greater than or equal to 10, Y is less than or equal to 5, and Z is less than or equal to 5.
4. The method of claim 1, wherein the period of time is at least eight hours.
5. The method of claim 1, wherein calculating the score comprises using heuristics to identify behavior indicative of a threat.
6. The method of claim 1, wherein calculating the score comprises using heuristics to identify behavior indicative of a bot command and control channel.
7. The method of any one of claims 1-6, wherein calculating the score comprises increasing the score if the destination node is associated with a domain registered within one year.
8. The method of any one of claims 1-6, wherein calculating the score comprises increasing the score if at least one of the repeated connections has no referer field and no root resource identifier.
9. The method of any one of claims 1-6, wherein calculating the score comprises increasing the score if at least one of the repeated connections does not identify a known user agent.
10. The method of any one of claims 1-6, wherein calculating the score comprises increasing the score if at least one of the repeated connections identifies the destination node by a public network address.
11. The method of any one of claims 1-6, wherein calculating the score comprises increasing the score if the repeated connections have fewer than V average request header lines, wherein V is a parameter indicative of malware connections to the destination node.
12. The method of any one of claims 1-6, wherein calculating the score comprises increasing the score if the repeated connections have an average response size less than W, wherein W is a parameter indicative of responses from a command and control server.
13. The method of any one of claims 1-6, wherein calculating the score comprises requesting a reputation value associated with the destination node and increasing the score if the reputation value indicates that the destination node is associated with a threat.
14. The method of any one of claims 1-6, wherein calculating the score comprises increasing the score if the destination node has a network address in a zone associated with a threat.
15. An apparatus for detecting a malicious command and control channel, comprising:
a botnet detection module; and
one or more processors operable to execute instructions associated with the botnet detection module, wherein the botnet detection module is configured to:
detect repeated connections from an idle source node to a destination node;
calculate a score for the idle source node based on the behavior of the repeated connections;
take a policy action if the score exceeds a threshold,
wherein detecting the repeated connections comprises:
detecting connections to more than X addresses;
detecting connections to fewer than Y unique addresses within a predetermined period of time; and
detecting connections to fewer than Z unique resource identifiers associated with at least one of the unique addresses;
wherein X, Y and Z are parameters indicative of a pattern consistent with repeated connections not generated by a human user.
16. The apparatus of claim 15, wherein the repeated connections use the hypertext transfer protocol.
17. The apparatus of claim 15, wherein calculating the score comprises using heuristics to identify behavior indicative of a threat.
18. The apparatus of claim 15, wherein calculating the score comprises using heuristics to identify behavior indicative of a bot command and control channel.
19. The apparatus of any one of claims 15-18, wherein calculating the score comprises increasing the score if the destination node is associated with a domain registered within one year.
20. The apparatus of any one of claims 15-18, wherein calculating the score comprises increasing the score if at least one of the repeated connections has no referer field and no root resource identifier.
21. The apparatus of any one of claims 15-18, wherein calculating the score comprises increasing the score if at least one of the repeated connections does not identify a known user agent.
22. The apparatus of any one of claims 15-18, wherein calculating the score comprises increasing the score if at least one of the repeated connections identifies the destination node by a public network address.
23. A device for network security, configured to perform the method of any one of claims 1-6.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/276,244 US8677487B2 (en) | 2011-10-18 | 2011-10-18 | System and method for detecting a malicious command and control channel |
PCT/US2012/058045 WO2013058964A1 (en) | 2011-10-18 | 2012-09-28 | System and method for detecting a malicious command and control channel |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104067280A (zh) | 2014-09-24 |
CN104067280B (zh) | 2017-06-20 |
Family
ID=48086920
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201280053582.9A Active CN104067280B (zh) | 2011-10-18 | 2012-09-28 | System and method for detecting a malicious command and control channel |
Country Status (4)
Country | Link |
---|---|
US (1) | US8677487B2 (zh) |
EP (1) | EP2774070B1 (zh) |
CN (1) | CN104067280B (zh) |
WO (1) | WO2013058964A1 (zh) |
Families Citing this family (280)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8793787B2 (en) | 2004-04-01 | 2014-07-29 | Fireeye, Inc. | Detecting malicious network content using virtual environment components |
US8898788B1 (en) | 2004-04-01 | 2014-11-25 | Fireeye, Inc. | Systems and methods for malware attack prevention |
US8881282B1 (en) | 2004-04-01 | 2014-11-04 | Fireeye, Inc. | Systems and methods for malware attack detection and identification |
US7587537B1 (en) | 2007-11-30 | 2009-09-08 | Altera Corporation | Serializer-deserializer circuits formed from input-output circuit registers |
US9106694B2 (en) | 2004-04-01 | 2015-08-11 | Fireeye, Inc. | Electronic message analysis for malware detection |
US8528086B1 (en) | 2004-04-01 | 2013-09-03 | Fireeye, Inc. | System and method of detecting computer worms |
US8566946B1 (en) | 2006-04-20 | 2013-10-22 | Fireeye, Inc. | Malware containment on connection |
US8171553B2 (en) | 2004-04-01 | 2012-05-01 | Fireeye, Inc. | Heuristic based capture with replay to virtual machine |
US8549638B2 (en) | 2004-06-14 | 2013-10-01 | Fireeye, Inc. | System and method of containing computer worms |
US8584239B2 (en) | 2004-04-01 | 2013-11-12 | Fireeye, Inc. | Virtual machine with dynamic data flow analysis |
US8650648B2 (en) | 2008-03-26 | 2014-02-11 | Sophos Limited | Method and system for detecting restricted content associated with retrieved content |
US8997219B2 (en) | 2008-11-03 | 2015-03-31 | Fireeye, Inc. | Systems and methods for detecting malicious PDF network content |
US8832829B2 (en) | 2009-09-30 | 2014-09-09 | Fireeye, Inc. | Network-based binary file extraction and analysis for malware detection |
US8966625B1 (en) | 2011-05-24 | 2015-02-24 | Palo Alto Networks, Inc. | Identification of malware sites using unknown URL sites and newly registered DNS addresses |
US8555388B1 (en) * | 2011-05-24 | 2013-10-08 | Palo Alto Networks, Inc. | Heuristic botnet detection |
WO2012167066A2 (en) * | 2011-06-01 | 2012-12-06 | Wilmington Savings Fund Society, Fsb | Method and system for providing information from third party applications to devices |
US10356106B2 (en) | 2011-07-26 | 2019-07-16 | Palo Alto Networks (Israel Analytics) Ltd. | Detecting anomaly action within a computer network |
US8799482B1 (en) | 2012-04-11 | 2014-08-05 | Artemis Internet Inc. | Domain policy specification and enforcement |
US9264395B1 (en) | 2012-04-11 | 2016-02-16 | Artemis Internet Inc. | Discovery engine |
US9083727B1 (en) * | 2012-04-11 | 2015-07-14 | Artemis Internet Inc. | Securing client connections |
US9106661B1 (en) | 2012-04-11 | 2015-08-11 | Artemis Internet Inc. | Computing resource policy regime specification and verification |
US8990392B1 (en) | 2012-04-11 | 2015-03-24 | NCC Group Inc. | Assessing a computing resource for compliance with a computing resource policy regime specification |
GB2502254B (en) * | 2012-04-20 | 2014-06-04 | F Secure Corp | Discovery of suspect IP addresses |
IL219499B (en) * | 2012-04-30 | 2019-02-28 | Verint Systems Ltd | A system and method for detecting malicious software |
US9497212B2 (en) | 2012-05-21 | 2016-11-15 | Fortinet, Inc. | Detecting malicious resources in a network based upon active client reputation monitoring |
US9241009B1 (en) | 2012-06-07 | 2016-01-19 | Proofpoint, Inc. | Malicious message detection and processing |
US9055420B2 (en) * | 2012-06-25 | 2015-06-09 | International Business Machines Corporation | Mediation and presentation of communications |
US9088606B2 (en) * | 2012-07-05 | 2015-07-21 | Tenable Network Security, Inc. | System and method for strategic anti-malware monitoring |
US20150180878A1 (en) * | 2012-07-31 | 2015-06-25 | Alen Puzic | Unauthorized user classification |
KR101391781B1 (ko) * | 2012-08-07 | 2014-05-07 | 한국전자통신연구원 | Apparatus and method for detecting HTTP botnets based on web transaction density |
US9191399B2 (en) * | 2012-09-11 | 2015-11-17 | The Boeing Company | Detection of infected network devices via analysis of responseless outgoing network traffic |
US9215239B1 (en) | 2012-09-28 | 2015-12-15 | Palo Alto Networks, Inc. | Malware detection based on traffic analysis |
US9104870B1 (en) | 2012-09-28 | 2015-08-11 | Palo Alto Networks, Inc. | Detecting malware |
US9171151B2 (en) * | 2012-11-16 | 2015-10-27 | Microsoft Technology Licensing, Llc | Reputation-based in-network filtering of client event information |
US10572665B2 (en) | 2012-12-28 | 2020-02-25 | Fireeye, Inc. | System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events |
US9979739B2 (en) | 2013-01-16 | 2018-05-22 | Palo Alto Networks (Israel Analytics) Ltd. | Automated forensics of computer systems using behavioral intelligence |
US9286047B1 (en) | 2013-02-13 | 2016-03-15 | Cisco Technology, Inc. | Deployment and upgrade of network devices in a network environment |
US8990944B1 (en) | 2013-02-23 | 2015-03-24 | Fireeye, Inc. | Systems and methods for automatically detecting backdoors |
US9367681B1 (en) | 2013-02-23 | 2016-06-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application |
US9009823B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications installed on mobile devices |
US9195829B1 (en) | 2013-02-23 | 2015-11-24 | Fireeye, Inc. | User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications |
US9176843B1 (en) | 2013-02-23 | 2015-11-03 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US9626509B1 (en) | 2013-03-13 | 2017-04-18 | Fireeye, Inc. | Malicious content analysis with multi-version application support within single operating environment |
US9355247B1 (en) | 2013-03-13 | 2016-05-31 | Fireeye, Inc. | File extraction from memory dump for malicious content analysis |
US9104867B1 (en) | 2013-03-13 | 2015-08-11 | Fireeye, Inc. | Malicious content analysis using simulated user interaction without user involvement |
US9430646B1 (en) * | 2013-03-14 | 2016-08-30 | Fireeye, Inc. | Distributed systems and methods for automatically detecting unknown bots and botnets |
US9311479B1 (en) | 2013-03-14 | 2016-04-12 | Fireeye, Inc. | Correlation and consolidation of analytic data for holistic view of a malware attack |
US9971888B2 (en) * | 2013-03-15 | 2018-05-15 | Id Integration, Inc. | OS security filter |
US9413781B2 (en) | 2013-03-15 | 2016-08-09 | Fireeye, Inc. | System and method employing structured intelligence to verify and contain threats at endpoints |
US10713358B2 (en) | 2013-03-15 | 2020-07-14 | Fireeye, Inc. | System and method to extract and utilize disassembly features to classify software intent |
US9495180B2 (en) | 2013-05-10 | 2016-11-15 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US9635039B1 (en) | 2013-05-13 | 2017-04-25 | Fireeye, Inc. | Classifying sets of malicious indicators for detecting command and control communications associated with malware |
IL226747B (en) | 2013-06-04 | 2019-01-31 | Verint Systems Ltd | A system and method for studying malware detection |
CN103259805B (zh) * | 2013-06-09 | 2016-09-28 | 中国科学院计算技术研究所 | Domain name access control method and system based on user evaluation |
US9536091B2 (en) | 2013-06-24 | 2017-01-03 | Fireeye, Inc. | System and method for detecting time-bomb malware |
US10133863B2 (en) | 2013-06-24 | 2018-11-20 | Fireeye, Inc. | Zero-day discovery system |
US9443075B2 (en) * | 2013-06-27 | 2016-09-13 | The Mitre Corporation | Interception and policy application for malicious communications |
US9300686B2 (en) | 2013-06-28 | 2016-03-29 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
US9075989B2 (en) * | 2013-07-11 | 2015-07-07 | Symantec Corporation | Identifying misuse of legitimate objects |
US8826434B2 (en) * | 2013-07-25 | 2014-09-02 | Splunk Inc. | Security threat detection based on indications in big data of access to newly registered domains |
US10019575B1 (en) | 2013-07-30 | 2018-07-10 | Palo Alto Networks, Inc. | Evaluating malware in a virtual machine using copy-on-write |
US9613210B1 (en) | 2013-07-30 | 2017-04-04 | Palo Alto Networks, Inc. | Evaluating malware in a virtual machine using dynamic patching |
US9811665B1 (en) | 2013-07-30 | 2017-11-07 | Palo Alto Networks, Inc. | Static and dynamic security analysis of apps for mobile devices |
US9690936B1 (en) | 2013-09-30 | 2017-06-27 | Fireeye, Inc. | Multistage system and method for analyzing obfuscated content for malware |
US10515214B1 (en) | 2013-09-30 | 2019-12-24 | Fireeye, Inc. | System and method for classifying malware within content created during analysis of a specimen |
US9171160B2 (en) | 2013-09-30 | 2015-10-27 | Fireeye, Inc. | Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses |
US9628507B2 (en) | 2013-09-30 | 2017-04-18 | Fireeye, Inc. | Advanced persistent threat (APT) detection center |
US9294501B2 (en) | 2013-09-30 | 2016-03-22 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US9736179B2 (en) | 2013-09-30 | 2017-08-15 | Fireeye, Inc. | System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection |
WO2015051181A1 (en) | 2013-10-03 | 2015-04-09 | Csg Cyber Solutions, Inc. | Dynamic adaptive defense for cyber-security threats |
US9921978B1 (en) | 2013-11-08 | 2018-03-20 | Fireeye, Inc. | System and method for enhanced security of storage devices |
US9756074B2 (en) | 2013-12-26 | 2017-09-05 | Fireeye, Inc. | System and method for IPS and VM-based detection of suspicious objects |
US9747446B1 (en) | 2013-12-26 | 2017-08-29 | Fireeye, Inc. | System and method for run-time object classification |
US9191403B2 (en) | 2014-01-07 | 2015-11-17 | Fair Isaac Corporation | Cyber security adaptive analytics threat monitoring system and method |
US9507935B2 (en) | 2014-01-16 | 2016-11-29 | Fireeye, Inc. | Exploit detection system with threat-aware microvisor |
US9262635B2 (en) | 2014-02-05 | 2016-02-16 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US9203850B1 (en) * | 2014-02-12 | 2015-12-01 | Symantec Corporation | Systems and methods for detecting private browsing mode |
WO2015126924A1 (en) | 2014-02-18 | 2015-08-27 | Proofpoint, Inc. | Targeted attack protection using predictive sandboxing |
US9953163B2 (en) | 2014-02-23 | 2018-04-24 | Cyphort Inc. | System and method for detection of malicious hypertext transfer protocol chains |
WO2015128609A1 (en) * | 2014-02-28 | 2015-09-03 | British Telecommunications Public Limited Company | Profiling for malicious encrypted network traffic identification |
EP3111614B1 (en) | 2014-02-28 | 2018-04-18 | British Telecommunications public limited company | Malicious encrypted network traffic identification |
WO2015128612A1 (en) | 2014-02-28 | 2015-09-03 | British Telecommunications Public Limited Company | Malicious encrypted traffic inhibitor |
US9241010B1 (en) | 2014-03-20 | 2016-01-19 | Fireeye, Inc. | System and method for network behavior detection |
US10242185B1 (en) | 2014-03-21 | 2019-03-26 | Fireeye, Inc. | Dynamic guest image creation and rollback |
US9591015B1 (en) | 2014-03-28 | 2017-03-07 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US9432389B1 (en) | 2014-03-31 | 2016-08-30 | Fireeye, Inc. | System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object |
US9223972B1 (en) | 2014-03-31 | 2015-12-29 | Fireeye, Inc. | Dynamically remote tuning of a malware content detection system |
CN104980309B (zh) * | 2014-04-11 | 2018-04-20 | 北京奇安信科技有限公司 | Website security detection method and device |
JP6421436B2 (ja) * | 2014-04-11 | 2018-11-14 | 富士ゼロックス株式会社 | Unauthorized communication detection device and program |
WO2015163499A1 (ko) * | 2014-04-24 | 2015-10-29 | (주)지란지교시큐리티 | Method for preventing file leakage and apparatus therefor |
WO2015178933A1 (en) * | 2014-05-23 | 2015-11-26 | Hewlett-Packard Development Company, L.P. | Advanced persistent threat identification |
US9973531B1 (en) | 2014-06-06 | 2018-05-15 | Fireeye, Inc. | Shellcode detection |
US9438623B1 (en) | 2014-06-06 | 2016-09-06 | Fireeye, Inc. | Computer exploit detection using heap spray pattern matching |
US9594912B1 (en) | 2014-06-06 | 2017-03-14 | Fireeye, Inc. | Return-oriented programming detection |
US10084813B2 (en) | 2014-06-24 | 2018-09-25 | Fireeye, Inc. | Intrusion prevention and remedy system |
US20150379266A1 (en) * | 2014-06-26 | 2015-12-31 | DoubleVerify, Inc. | System And Method For Identification Of Non-Human Users Accessing Content |
US10805340B1 (en) | 2014-06-26 | 2020-10-13 | Fireeye, Inc. | Infection vector and malware tracking with an interactive user display |
US9398028B1 (en) | 2014-06-26 | 2016-07-19 | Fireeye, Inc. | System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers |
US10002252B2 (en) | 2014-07-01 | 2018-06-19 | Fireeye, Inc. | Verification of trusted threat-aware microvisor |
US9489516B1 (en) | 2014-07-14 | 2016-11-08 | Palo Alto Networks, Inc. | Detection of malware using an instrumented virtual machine environment |
US9363280B1 (en) | 2014-08-22 | 2016-06-07 | Fireeye, Inc. | System and method of detecting delivery of malware using cross-customer data |
US10671726B1 (en) | 2014-09-22 | 2020-06-02 | Fireeye Inc. | System and method for malware analysis using thread-level event monitoring |
US9773112B1 (en) | 2014-09-29 | 2017-09-26 | Fireeye, Inc. | Exploit detection of malware and malware families |
US10027689B1 (en) | 2014-09-29 | 2018-07-17 | Fireeye, Inc. | Interactive infection visualization for improved exploit detection and signature generation for malware and malware families |
US20160127412A1 (en) * | 2014-11-05 | 2016-05-05 | Samsung Electronics Co., Ltd. | Method and system for detecting execution of a malicious code in a web based operating system |
CN104320412B (zh) * | 2014-11-11 | 2018-04-17 | Fujian Landi Commercial Equipment Co., Ltd. | Bluetooth POS and method and device for secure connection of a Bluetooth POS |
WO2016093182A1 (ja) * | 2014-12-09 | 2016-06-16 | Nippon Telegraph and Telephone Corporation | Identification device, identification method, and identification program |
US9805193B1 (en) | 2014-12-18 | 2017-10-31 | Palo Alto Networks, Inc. | Collecting algorithmically generated domains |
US9542554B1 (en) | 2014-12-18 | 2017-01-10 | Palo Alto Networks, Inc. | Deduplicating malware |
US9690933B1 (en) | 2014-12-22 | 2017-06-27 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
US10075455B2 (en) | 2014-12-26 | 2018-09-11 | Fireeye, Inc. | Zero-day rotating guest image profile |
US9934376B1 (en) | 2014-12-29 | 2018-04-03 | Fireeye, Inc. | Malware detection appliance architecture |
US9838417B1 (en) | 2014-12-30 | 2017-12-05 | Fireeye, Inc. | Intelligent context aware user interaction for malware detection |
EP3272096B1 (en) | 2015-03-17 | 2020-09-30 | British Telecommunications public limited company | Learned profiles for malicious encrypted network traffic identification |
US10778700B2 (en) | 2015-03-17 | 2020-09-15 | British Telecommunications Public Limited Company | Malicious encrypted network traffic identification using fourier transform |
US10165004B1 (en) * | 2015-03-18 | 2018-12-25 | Cequence Security, Inc. | Passive detection of forged web browsers |
US9690606B1 (en) | 2015-03-25 | 2017-06-27 | Fireeye, Inc. | Selective system call monitoring |
US10148693B2 (en) | 2015-03-25 | 2018-12-04 | Fireeye, Inc. | Exploit detection system |
US9438613B1 (en) | 2015-03-30 | 2016-09-06 | Fireeye, Inc. | Dynamic content activation for automated analysis of embedded objects |
US10417031B2 (en) | 2015-03-31 | 2019-09-17 | Fireeye, Inc. | Selective virtualization for security threat detection |
US9483644B1 (en) | 2015-03-31 | 2016-11-01 | Fireeye, Inc. | Methods for detecting file altering malware in VM based analysis |
US10474813B1 (en) | 2015-03-31 | 2019-11-12 | Fireeye, Inc. | Code injection technique for remediation at an endpoint of a network |
US9654485B1 (en) | 2015-04-13 | 2017-05-16 | Fireeye, Inc. | Analytics-based security monitoring system and method |
US9594904B1 (en) | 2015-04-23 | 2017-03-14 | Fireeye, Inc. | Detecting malware based on reflection |
CN107787574A (zh) * | 2015-04-24 | 2018-03-09 | Nokia Solutions and Networks | Mitigation of malware in mobile communication networks |
US10374904B2 (en) | 2015-05-15 | 2019-08-06 | Cisco Technology, Inc. | Diagnostic network visualization |
US9800497B2 (en) | 2015-05-27 | 2017-10-24 | Cisco Technology, Inc. | Operations, administration and management (OAM) in overlay data center environments |
US10075461B2 (en) | 2015-05-31 | 2018-09-11 | Palo Alto Networks (Israel Analytics) Ltd. | Detection of anomalous administrative actions |
US10142353B2 (en) | 2015-06-05 | 2018-11-27 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
US10033766B2 (en) | 2015-06-05 | 2018-07-24 | Cisco Technology, Inc. | Policy-driven compliance |
US9967158B2 (en) | 2015-06-05 | 2018-05-08 | Cisco Technology, Inc. | Interactive hierarchical network chord diagram for application dependency mapping |
US10089099B2 (en) | 2015-06-05 | 2018-10-02 | Cisco Technology, Inc. | Automatic software upgrade |
US10536357B2 (en) | 2015-06-05 | 2020-01-14 | Cisco Technology, Inc. | Late data detection in data center |
US11418520B2 (en) | 2015-06-15 | 2022-08-16 | Cequence Security, Inc. | Passive security analysis with inline active security device |
WO2016209993A1 (en) | 2015-06-22 | 2016-12-29 | Invotas Cyber Solutions, Inc. | Graphical user interface environment for creating threat response courses of action for computer networks |
US10050980B2 (en) * | 2015-06-27 | 2018-08-14 | Mcafee, Llc | Enterprise reputations for uniform resource locators |
US10454950B1 (en) | 2015-06-30 | 2019-10-22 | Fireeye, Inc. | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks |
US11113086B1 (en) | 2015-06-30 | 2021-09-07 | Fireeye, Inc. | Virtual system and method for securing external network connectivity |
US10726127B1 (en) | 2015-06-30 | 2020-07-28 | Fireeye, Inc. | System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer |
US10642753B1 (en) | 2015-06-30 | 2020-05-05 | Fireeye, Inc. | System and method for protecting a software component running in virtual machine using a virtualization layer |
US10382469B2 (en) * | 2015-07-22 | 2019-08-13 | Rapid7, Inc. | Domain age registration alert |
CN105072120A (zh) * | 2015-08-14 | 2015-11-18 | Communication University of China | Malicious domain name detection method and device based on domain name service status analysis |
US10715542B1 (en) | 2015-08-14 | 2020-07-14 | Fireeye, Inc. | Mobile application risk analysis |
CN105072119A (zh) * | 2015-08-14 | 2015-11-18 | Communication University of China | Malicious domain name detection method and device based on domain name resolution session pattern analysis |
CN105119915A (zh) * | 2015-08-14 | 2015-12-02 | Communication University of China | Malicious domain name detection method and device based on intelligence analysis |
CN105141598B (zh) * | 2015-08-14 | 2018-11-20 | Communication University of China | APT attack detection method and device based on malicious domain name detection |
US10176321B2 (en) | 2015-09-22 | 2019-01-08 | Fireeye, Inc. | Leveraging behavior-based rules for malware family classification |
US10033747B1 (en) | 2015-09-29 | 2018-07-24 | Fireeye, Inc. | System and method for detecting interpreter-based exploit attacks |
US10706149B1 (en) | 2015-09-30 | 2020-07-07 | Fireeye, Inc. | Detecting delayed activation malware using a primary controller and plural time controllers |
US9825976B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Detection and classification of exploit kits |
US10817606B1 (en) | 2015-09-30 | 2020-10-27 | Fireeye, Inc. | Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic |
US10210329B1 (en) | 2015-09-30 | 2019-02-19 | Fireeye, Inc. | Method to detect application execution hijacking using memory protection |
US10601865B1 (en) | 2015-09-30 | 2020-03-24 | Fireeye, Inc. | Detection of credential spearphishing attacks using email analysis |
US9825989B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Cyber attack early warning system |
US10284575B2 (en) | 2015-11-10 | 2019-05-07 | Fireeye, Inc. | Launcher for setting analysis environment variations for malware detection |
US10846117B1 (en) | 2015-12-10 | 2020-11-24 | Fireeye, Inc. | Technique for establishing secure communication between host and guest processes of a virtualization architecture |
US10447728B1 (en) | 2015-12-10 | 2019-10-15 | Fireeye, Inc. | Technique for protecting guest processes using a layered virtualization architecture |
US10108446B1 (en) | 2015-12-11 | 2018-10-23 | Fireeye, Inc. | Late load technique for deploying a virtualization layer underneath a running operating system |
US10097511B2 (en) * | 2015-12-22 | 2018-10-09 | Cloudflare, Inc. | Methods and systems for identification of a domain of a command and control server of a botnet |
WO2017108576A1 (en) | 2015-12-24 | 2017-06-29 | British Telecommunications Public Limited Company | Malicious software identification |
US10931689B2 (en) | 2015-12-24 | 2021-02-23 | British Telecommunications Public Limited Company | Malicious network traffic identification |
WO2017108575A1 (en) | 2015-12-24 | 2017-06-29 | British Telecommunications Public Limited Company | Malicious software identification |
CN106561024B (zh) * | 2015-12-28 | 2020-05-19 | Harbin Antiy Technology Group Co., Ltd. | Enterprise-level remote APT detection method and high-performance server |
US10133866B1 (en) | 2015-12-30 | 2018-11-20 | Fireeye, Inc. | System and method for triggering analysis of an object for malware in response to modification of that object |
US10621338B1 (en) | 2015-12-30 | 2020-04-14 | Fireeye, Inc. | Method to detect forgery and exploits using last branch recording registers |
US10050998B1 (en) | 2015-12-30 | 2018-08-14 | Fireeye, Inc. | Malicious message analysis system |
US10565378B1 (en) | 2015-12-30 | 2020-02-18 | Fireeye, Inc. | Exploit of privilege detection framework |
US11552986B1 (en) | 2015-12-31 | 2023-01-10 | Fireeye Security Holdings Us Llc | Cyber-security framework for application of virtual features |
US9824216B1 (en) | 2015-12-31 | 2017-11-21 | Fireeye, Inc. | Susceptible environment detection system |
US10581874B1 (en) | 2015-12-31 | 2020-03-03 | Fireeye, Inc. | Malware detection system with contextual analysis |
IL243825B (en) * | 2016-01-28 | 2021-05-31 | Verint Systems Ltd | A system and method for automated forensic investigation |
US10931713B1 (en) | 2016-02-17 | 2021-02-23 | Cequence Security, Inc. | Passive detection of genuine web browsers based on security parameters |
US10673719B2 (en) | 2016-02-25 | 2020-06-02 | Imperva, Inc. | Techniques for botnet detection and member identification |
US10601863B1 (en) | 2016-03-25 | 2020-03-24 | Fireeye, Inc. | System and method for managing sensor enrollment |
US10476906B1 (en) | 2016-03-25 | 2019-11-12 | Fireeye, Inc. | System and method for managing formation and modification of a cluster within a malware detection system |
US10785255B1 (en) | 2016-03-25 | 2020-09-22 | Fireeye, Inc. | Cluster configuration within a scalable malware detection system |
US10671721B1 (en) | 2016-03-25 | 2020-06-02 | Fireeye, Inc. | Timeout management services |
US10826933B1 (en) | 2016-03-31 | 2020-11-03 | Fireeye, Inc. | Technique for verifying exploit/malware at malware detection appliance through correlation with endpoints |
US10893059B1 (en) | 2016-03-31 | 2021-01-12 | Fireeye, Inc. | Verification and enhancement using detection systems located at the network periphery and endpoint devices |
US10171357B2 (en) | 2016-05-27 | 2019-01-01 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10931629B2 (en) | 2016-05-27 | 2021-02-23 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10289438B2 (en) | 2016-06-16 | 2019-05-14 | Cisco Technology, Inc. | Techniques for coordination of application components deployed on distributed virtual machines |
US10169585B1 (en) | 2016-06-22 | 2019-01-01 | Fireeye, Inc. | System and methods for advanced malware detection through placement of transition events |
US10462173B1 (en) | 2016-06-30 | 2019-10-29 | Fireeye, Inc. | Malware detection verification and enhancement by coordinating endpoint and malware detection systems |
US10708183B2 (en) | 2016-07-21 | 2020-07-07 | Cisco Technology, Inc. | System and method of providing segment routing as a service |
US10425436B2 (en) | 2016-09-04 | 2019-09-24 | Palo Alto Networks (Israel Analytics) Ltd. | Identifying bulletproof autonomous systems |
US10574681B2 (en) * | 2016-09-04 | 2020-02-25 | Palo Alto Networks (Israel Analytics) Ltd. | Detection of known and unknown malicious domains |
US10686829B2 (en) | 2016-09-05 | 2020-06-16 | Palo Alto Networks (Israel Analytics) Ltd. | Identifying changes in use of user credentials |
US10592678B1 (en) | 2016-09-09 | 2020-03-17 | Fireeye, Inc. | Secure communications between peers using a verified virtual trusted platform module |
US10764311B2 (en) | 2016-09-21 | 2020-09-01 | Cequence Security, Inc. | Unsupervised classification of web traffic users |
US10491627B1 (en) | 2016-09-29 | 2019-11-26 | Fireeye, Inc. | Advanced malware detection using similarity analysis |
US11824880B2 (en) * | 2016-10-31 | 2023-11-21 | Armis Security Ltd. | Detection of vulnerable wireless networks |
US10795991B1 (en) | 2016-11-08 | 2020-10-06 | Fireeye, Inc. | Enterprise search |
US10587647B1 (en) | 2016-11-22 | 2020-03-10 | Fireeye, Inc. | Technique for malware detection capability comparison of network security devices |
US10972388B2 (en) | 2016-11-22 | 2021-04-06 | Cisco Technology, Inc. | Federated microburst detection |
US10581879B1 (en) | 2016-12-22 | 2020-03-03 | Fireeye, Inc. | Enhanced malware detection for generated objects |
US10552610B1 (en) | 2016-12-22 | 2020-02-04 | Fireeye, Inc. | Adaptive virtual machine snapshot update framework for malware behavioral analysis |
CN108243142A (zh) * | 2016-12-23 | 2018-07-03 | Alibaba Group Holding Ltd. | Identification method and device, and anti-spam content system |
US10523609B1 (en) | 2016-12-27 | 2019-12-31 | Fireeye, Inc. | Multi-vector malware detection and analysis |
US10931686B1 (en) | 2017-02-01 | 2021-02-23 | Cequence Security, Inc. | Detection of automated requests using session identifiers |
US10614222B2 (en) * | 2017-02-21 | 2020-04-07 | Microsoft Technology Licensing, Llc | Validation of security monitoring through automated attack testing |
US20180270248A1 (en) | 2017-03-14 | 2018-09-20 | International Business Machines Corporation | Secure resource access based on psychometrics |
US10708152B2 (en) | 2017-03-23 | 2020-07-07 | Cisco Technology, Inc. | Predicting application and network performance |
US10523512B2 (en) | 2017-03-24 | 2019-12-31 | Cisco Technology, Inc. | Network agent for generating platform specific network policies |
US10904286B1 (en) | 2017-03-24 | 2021-01-26 | Fireeye, Inc. | Detection of phishing attacks using similarity analysis |
US10594560B2 (en) | 2017-03-27 | 2020-03-17 | Cisco Technology, Inc. | Intent driven network policy platform |
US10764141B2 (en) | 2017-03-27 | 2020-09-01 | Cisco Technology, Inc. | Network agent for reporting to a network policy system |
US10250446B2 (en) | 2017-03-27 | 2019-04-02 | Cisco Technology, Inc. | Distributed policy store |
US10873794B2 (en) | 2017-03-28 | 2020-12-22 | Cisco Technology, Inc. | Flowlet resolution for application performance monitoring and management |
US11677757B2 (en) | 2017-03-28 | 2023-06-13 | British Telecommunications Public Limited Company | Initialization vector identification for encrypted malware traffic detection |
US10902119B1 (en) | 2017-03-30 | 2021-01-26 | Fireeye, Inc. | Data extraction system for malware analysis |
US10554507B1 (en) | 2017-03-30 | 2020-02-04 | Fireeye, Inc. | Multi-level control for enhanced resource and object evaluation management of malware detection system |
US10791138B1 (en) | 2017-03-30 | 2020-09-29 | Fireeye, Inc. | Subscription-based malware detection |
US10798112B2 (en) | 2017-03-30 | 2020-10-06 | Fireeye, Inc. | Attribute-controlled malware detection |
US10601848B1 (en) | 2017-06-29 | 2020-03-24 | Fireeye, Inc. | Cyber-security system and method for weak indicator detection and correlation to generate strong indicators |
US10503904B1 (en) | 2017-06-29 | 2019-12-10 | Fireeye, Inc. | Ransomware detection and mitigation |
US10855700B1 (en) | 2017-06-29 | 2020-12-01 | Fireeye, Inc. | Post-intrusion detection of cyber-attacks during lateral movement within networks |
US10893068B1 (en) | 2017-06-30 | 2021-01-12 | Fireeye, Inc. | Ransomware file modification prevention technique |
US10616267B2 (en) | 2017-07-13 | 2020-04-07 | Cisco Technology, Inc. | Using repetitive behavioral patterns to detect malware |
US10680887B2 (en) | 2017-07-21 | 2020-06-09 | Cisco Technology, Inc. | Remote device status audit and recovery |
US10747872B1 (en) | 2017-09-27 | 2020-08-18 | Fireeye, Inc. | System and method for preventing malware evasion |
US10805346B2 (en) | 2017-10-01 | 2020-10-13 | Fireeye, Inc. | Phishing attack detection |
US10554501B2 (en) | 2017-10-23 | 2020-02-04 | Cisco Technology, Inc. | Network migration assistant |
US10523541B2 (en) | 2017-10-25 | 2019-12-31 | Cisco Technology, Inc. | Federated network and application data analytics platform |
US11108809B2 (en) | 2017-10-27 | 2021-08-31 | Fireeye, Inc. | System and method for analyzing binary code for malware classification using artificial neural network techniques |
US10594542B2 (en) | 2017-10-27 | 2020-03-17 | Cisco Technology, Inc. | System and method for network root cause analysis |
CN107733925A (zh) * | 2017-11-27 | 2018-02-23 | Guangxi Taxi Technology Co., Ltd. | Malicious link detection method and system |
US11271955B2 (en) | 2017-12-28 | 2022-03-08 | Fireeye Security Holdings Us Llc | Platform and method for retroactive reclassification employing a cybersecurity-based global data store |
US11240275B1 (en) | 2017-12-28 | 2022-02-01 | Fireeye Security Holdings Us Llc | Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture |
US11005860B1 (en) | 2017-12-28 | 2021-05-11 | Fireeye, Inc. | Method and system for efficient cybersecurity analysis of endpoint events |
US11233821B2 (en) | 2018-01-04 | 2022-01-25 | Cisco Technology, Inc. | Network intrusion counter-intelligence |
US11765046B1 (en) | 2018-01-11 | 2023-09-19 | Cisco Technology, Inc. | Endpoint cluster assignment and query generation |
US10574575B2 (en) | 2018-01-25 | 2020-02-25 | Cisco Technology, Inc. | Network flow stitching using middle box flow stitching |
US10917438B2 (en) | 2018-01-25 | 2021-02-09 | Cisco Technology, Inc. | Secure publishing for policy updates |
US10826803B2 (en) | 2018-01-25 | 2020-11-03 | Cisco Technology, Inc. | Mechanism for facilitating efficient policy updates |
US10999149B2 (en) | 2018-01-25 | 2021-05-04 | Cisco Technology, Inc. | Automatic configuration discovery based on traffic flow data |
US10798015B2 (en) | 2018-01-25 | 2020-10-06 | Cisco Technology, Inc. | Discovery of middleboxes using traffic flow stitching |
US10873593B2 (en) | 2018-01-25 | 2020-12-22 | Cisco Technology, Inc. | Mechanism for identifying differences between network snapshots |
US11128700B2 (en) | 2018-01-26 | 2021-09-21 | Cisco Technology, Inc. | Load balancing configuration based on traffic flow telemetry |
US10826931B1 (en) | 2018-03-29 | 2020-11-03 | Fireeye, Inc. | System and method for predicting and mitigating cybersecurity system misconfigurations |
US11003773B1 (en) | 2018-03-30 | 2021-05-11 | Fireeye, Inc. | System and method for automatically generating malware detection rule recommendations |
US11558401B1 (en) | 2018-03-30 | 2023-01-17 | Fireeye Security Holdings Us Llc | Multi-vector malware detection data sharing system for improved detection |
US10956477B1 (en) | 2018-03-30 | 2021-03-23 | Fireeye, Inc. | System and method for detecting malicious scripts through natural language processing modeling |
US10999304B2 (en) | 2018-04-11 | 2021-05-04 | Palo Alto Networks (Israel Analytics) Ltd. | Bind shell attack detection |
CN108768934B (zh) * | 2018-04-11 | 2021-09-07 | Beijing Lanxum New Technology Co., Ltd. | Malicious program release detection method, device and medium |
US11075930B1 (en) | 2018-06-27 | 2021-07-27 | Fireeye, Inc. | System and method for detecting repetitive cybersecurity attacks constituting an email campaign |
US11314859B1 (en) | 2018-06-27 | 2022-04-26 | FireEye Security Holdings, Inc. | Cyber-security system and method for detecting escalation of privileges within an access token |
US11228491B1 (en) | 2018-06-28 | 2022-01-18 | Fireeye Security Holdings Us Llc | System and method for distributed cluster configuration monitoring and management |
US11010474B2 (en) | 2018-06-29 | 2021-05-18 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
US10956573B2 (en) | 2018-06-29 | 2021-03-23 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
US11316900B1 (en) | 2018-06-29 | 2022-04-26 | FireEye Security Holdings Inc. | System and method for automatically prioritizing rules for cyber-threat detection and mitigation |
EP3623980B1 (en) | 2018-09-12 | 2021-04-28 | British Telecommunications public limited company | Ransomware encryption algorithm determination |
EP3623982B1 (en) | 2018-09-12 | 2021-05-19 | British Telecommunications public limited company | Ransomware remediation |
WO2020053292A1 (en) | 2018-09-12 | 2020-03-19 | British Telecommunications Public Limited Company | Encryption key seed determination |
US11182473B1 (en) | 2018-09-13 | 2021-11-23 | Fireeye Security Holdings Us Llc | System and method for mitigating cyberattacks against processor operability by a guest process |
US10972477B1 (en) * | 2018-09-26 | 2021-04-06 | NortonLifeLock, Inc. | Systems and methods for performing micro-segmenting |
US11763004B1 (en) | 2018-09-27 | 2023-09-19 | Fireeye Security Holdings Us Llc | System and method for bootkit detection |
US11368475B1 (en) | 2018-12-21 | 2022-06-21 | Fireeye Security Holdings Us Llc | System and method for scanning remote services to locate stored objects with malware |
US11316872B2 (en) | 2019-01-30 | 2022-04-26 | Palo Alto Networks (Israel Analytics) Ltd. | Malicious port scan detection using port profiles |
US11184376B2 (en) | 2019-01-30 | 2021-11-23 | Palo Alto Networks (Israel Analytics) Ltd. | Port scan detection using destination profiles |
US11070569B2 (en) | 2019-01-30 | 2021-07-20 | Palo Alto Networks (Israel Analytics) Ltd. | Detecting outlier pairs of scanned ports |
US11184377B2 (en) | 2019-01-30 | 2021-11-23 | Palo Alto Networks (Israel Analytics) Ltd. | Malicious port scan detection using source profiles |
US11184378B2 (en) | 2019-01-30 | 2021-11-23 | Palo Alto Networks (Israel Analytics) Ltd. | Scanner probe detection |
US11418539B2 (en) * | 2019-02-07 | 2022-08-16 | International Business Machines Corporation | Denial of service attack mitigation through direct address connection |
US11258806B1 (en) | 2019-06-24 | 2022-02-22 | Mandiant, Inc. | System and method for automatically associating cybersecurity intelligence to cyberthreat actors |
US11556640B1 (en) | 2019-06-27 | 2023-01-17 | Mandiant, Inc. | Systems and methods for automated cybersecurity analysis of extracted binary string sets |
US11392700B1 (en) | 2019-06-28 | 2022-07-19 | Fireeye Security Holdings Us Llc | System and method for supporting cross-platform data verification |
US11196765B2 (en) | 2019-09-13 | 2021-12-07 | Palo Alto Networks, Inc. | Simulating user interactions for malware analysis |
US11886585B1 (en) | 2019-09-27 | 2024-01-30 | Musarubra Us Llc | System and method for identifying and mitigating cyberattacks through malicious position-independent code execution |
US11637862B1 (en) | 2019-09-30 | 2023-04-25 | Mandiant, Inc. | System and method for surfacing cyber-security threats with a self-learning recommendation engine |
US11012492B1 (en) | 2019-12-26 | 2021-05-18 | Palo Alto Networks (Israel Analytics) Ltd. | Human activity detection in computing device transmissions |
US11606385B2 (en) | 2020-02-13 | 2023-03-14 | Palo Alto Networks (Israel Analytics) Ltd. | Behavioral DNS tunneling identification |
US11811820B2 (en) | 2020-02-24 | 2023-11-07 | Palo Alto Networks (Israel Analytics) Ltd. | Malicious C and C channel to fixed IP detection |
US11425162B2 (en) | 2020-07-01 | 2022-08-23 | Palo Alto Networks (Israel Analytics) Ltd. | Detection of malicious C2 channels abusing social media sites |
US11509680B2 (en) | 2020-09-30 | 2022-11-22 | Palo Alto Networks (Israel Analytics) Ltd. | Classification of cyber-alerts into security incidents |
US11575694B2 (en) * | 2021-01-20 | 2023-02-07 | Bank Of America Corporation | Command and control steganographic communications detection engine |
CN113794692B (zh) * | 2021-08-24 | 2023-06-27 | Hangzhou DPtech Technologies Co., Ltd. | Attack tracing device, method and system, and proxy link table learning device and method |
US11799880B2 (en) | 2022-01-10 | 2023-10-24 | Palo Alto Networks (Israel Analytics) Ltd. | Network adaptive alert prioritization system |
US11968222B2 (en) | 2022-07-05 | 2024-04-23 | Palo Alto Networks (Israel Analytics) Ltd. | Supply chain attack detection |
CN116456340B (zh) * | 2023-06-12 | 2023-08-15 | Beijing Zhongding Haoshuo Technology Co., Ltd. | Access security supervision method for 5G encrypted terminal communication |
Family Cites Families (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6073142A (en) | 1997-06-23 | 2000-06-06 | Park City Group | Automated post office based rule analysis of e-mail messages and other data objects for controlled distribution in network environments |
US5987610A (en) | 1998-02-12 | 1999-11-16 | Ameritech Corporation | Computer virus screening methods and systems |
US6460050B1 (en) | 1999-12-22 | 2002-10-01 | Mark Raymond Pace | Distributed content identification system |
US6901519B1 (en) | 2000-06-22 | 2005-05-31 | Infobahn, Inc. | E-mail virus protection system and method |
EP1490768B1 (en) | 2002-03-29 | 2007-09-26 | Global Dataguard, Inc. | Adaptive behavioural intrusion detection |
US9160755B2 (en) * | 2004-12-21 | 2015-10-13 | Mcafee, Inc. | Trusted communication network |
US8566928B2 (en) * | 2005-10-27 | 2013-10-22 | Georgia Tech Research Corporation | Method and system for detecting and responding to attacking networks |
JP2009515426A (ja) | 2005-11-07 | 2009-04-09 | GDX Network, Inc. | Trusted communication network |
WO2008005526A2 (en) * | 2006-07-06 | 2008-01-10 | Fair Isaac Corporation | Auto adaptive anomaly detection system for streams |
US8280993B2 (en) | 2007-10-04 | 2012-10-02 | Yahoo! Inc. | System and method for detecting Internet bots |
KR101080293B1 (ko) | 2009-01-13 | 2011-11-09 | Changshin Information & Communication Co., Ltd. | Apparatus and method for detecting malicious nodes in a wireless sensor network |
US20100251370A1 (en) * | 2009-03-26 | 2010-09-30 | Inventec Corporation | Network intrusion detection system |
US8914878B2 (en) | 2009-04-29 | 2014-12-16 | Juniper Networks, Inc. | Detecting malicious network software agents |
US8789173B2 (en) * | 2009-09-03 | 2014-07-22 | Juniper Networks, Inc. | Protecting against distributed network flood attacks |
US20110153811A1 (en) * | 2009-12-18 | 2011-06-23 | Hyun Cheol Jeong | System and method for modeling activity patterns of network traffic to detect botnets |
- 2011
  - 2011-10-18 US US13/276,244 patent/US8677487B2/en active Active
- 2012
  - 2012-09-28 CN CN201280053582.9A patent/CN104067280B/zh active Active
  - 2012-09-28 EP EP12842148.4A patent/EP2774070B1/en active Active
  - 2012-09-28 WO PCT/US2012/058045 patent/WO2013058964A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
EP2774070B1 (en) | 2018-08-22 |
CN104067280A (zh) | 2014-09-24 |
EP2774070A4 (en) | 2015-03-11 |
WO2013058964A1 (en) | 2013-04-25 |
EP2774070A1 (en) | 2014-09-10 |
US20130097699A1 (en) | 2013-04-18 |
US8677487B2 (en) | 2014-03-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104067280B (zh) | System and method for detecting malicious command and control channels | |
Razzaq et al. | Security issues in the Internet of Things (IoT): A comprehensive study | |
KR101689299B1 (ko) | Method and apparatus for automatic verification of security events | |
CN103229185B (zh) | System and method for local protection against malware | |
Giura et al. | A context-based detection framework for advanced persistent threats | |
US8079080B2 (en) | Method, system and computer program product for detecting security threats in a computer network | |
WO2020210538A1 (en) | Systems and methods for detecting injection exploits | |
US20190182286A1 (en) | Identifying communicating network nodes in the presence of Network Address Translation | |
US20100262688A1 (en) | Systems, methods, and devices for detecting security vulnerabilities in ip networks | |
WO2010056379A1 (en) | Systems, methods, and devices for detecting security vulnerabilities in ip networks | |
KR101991737B1 (ko) | Attacker visualization method and apparatus | |
Shin et al. | Unsupervised multi-stage attack detection framework without details on single-stage attacks | |
Beigh et al. | Intrusion detection and prevention system: issues and challenges | |
Arul et al. | Supervised deep learning vector quantization to detect MemCached DDOS malware attack on cloud | |
KR101991736B1 (ko) | Attacker correlation information visualization method and apparatus | |
Meng et al. | Towards effective and robust list-based packet filter for signature-based network intrusion detection: an engineering approach | |
Repp | Theoretical Aspects of Cyber-Attack Modeling | |
Hsiao et al. | Detecting stepping‐stone intrusion using association rule mining | |
Gregorio-de Souza et al. | Detection of complex cyber attacks | |
Aakash et al. | Security Issues in IoT, Cloud and their Convergence | |
Lakshmi Narayanan et al. | Design and Implementation of Cyber Threat Intelligence Data Mining Model | |
Sousa | Cyber Threats to Healthcare Technology Services: A Case Study | |
Parameswaran et al. | Incentive mechanisms for internet security | |
Kumbhar et al. | Challenges and Opportunities of Bigdata with Enhancing Cyber Security | |
Narita et al. | A distributed detecting method for SYN Flood attacks and its implementation using mobile agents |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
CP01 | Change in the name or title of a patent holder |
Address after: California, USA; Patentee after: McAfee LLC. Address before: California, USA; Patentee before: McAfee, Inc. |
CP01 | Change in the name or title of a patent holder |