System and method for detecting a malicious command and control channel
A method is provided in one example embodiment that includes detecting repetitive connections from a source node to a destination node, calculating a score for the source node based on the connections, and taking a policy action if the score exceeds a threshold score. In more particular embodiments,...
Saved in:
Main Authors | , , , |
---|---|
Format | Patent |
Language | Chinese English |
Published |
24.09.2014
|
Subjects | |
Online Access | Get full text |
Cover
Loading…
Summary: | A method is provided in one example embodiment that includes detecting repetitive connections from a source node to a destination node, calculating a score for the source node based on the connections, and taking a policy action if the score exceeds a threshold score. In more particular embodiments, the repetitive connections use a hypertext transfer protocol and may include connections to a small number of unique domains, connections to small number of unique resources associated with the destination node, and/or a large number of connections to a resource in a domain. Moreover, heuristics may be used to score the source node and identify behavior indicative of a threat, such as a bot or other malware. |
---|---|
Bibliography: | Application Number: CN201280053582 |