System and method for detecting a malicious command and control channel

Bibliographic Details
Main Authors: SHAH CHINTAN H, MAHADIK VINAY, BALUPARI RAVINDRA, MADHUSUDAN BHARATH
Format: Patent
Language: Chinese, English
Published: 24.09.2014

Summary: A method is provided in one example embodiment that includes detecting repetitive connections from a source node to a destination node, calculating a score for the source node based on those connections, and taking a policy action if the score exceeds a threshold score. In more particular embodiments, the repetitive connections use the hypertext transfer protocol and may include connections to a small number of unique domains, connections to a small number of unique resources associated with the destination node, and/or a large number of connections to a single resource in a domain. Moreover, heuristics may be used to score the source node and identify behavior indicative of a threat, such as a bot or other malware.

Application Number: CN201280053582