USRE50199EActiveUtility

System and method for detecting a malicious activity in a computing environment

58
Assignee: AWAKE SECURITY LLCPriority: Feb 11, 2016Filed: Feb 22, 2022Granted: Nov 5, 2024
Est. expiryFeb 11, 2036(~9.6 yrs left)· nominal 20-yr term from priority
H04L 63/1433H04L 63/1416
58
PatentIndex Score
0
Cited by
22
References
20
Claims

Abstract

System and method for detecting a likely threat from a malicious attack is disclosed. Communication between a user computer and a destination computer is monitored by a security appliance. Selective information from the communication is extracted. One or more weak signals of a threat is detected based on the selective information. One or more weak signals are evaluated for a likely threat based on a threshold value. A corrective action is initiated for the likely threat, based on the evaluation.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method for detecting a likely malware threat from a malicious attack by malware, comprising:
 monitoring a communication between a user computer and at least one destination computer by a security appliance; 
 extracting selective information from the communication by the security appliance; 
 detecting one or more weak signals indicative of a likely malware threat based on the extracted selective information from the communication, by the security appliance, wherein each of the one or more weak signals is associated with one of a plurality of attack phases; 
 evaluating one or more weak signals for the likely malware threat based on a threshold value by the security appliance; and, including:
 determining a first plurality of threat levels based at least on the one or more weak signals and their associated attack phases; 
 selecting a highest threat level among the first plurality of threat levels; and 
 increasing a value of the selected threat level based on interactions of the user computer with at least one destination computer; and  
 
 initiating a corrective action for the likely malware threat based at least on the evaluation of the one or more weak signals for the likely malware threat by the security appliance increased value of the selected threat level. 
 
     
     
       2. The method of  claim 1 , wherein, the malicious attack by the malware has a plurality of phases. 
     
     
       3. The method of claim  2   1 , wherein, at least more than one weak signal for the likely malware threat is detected in at least one of the plurality of phases of the malicious attack by the malware. 
     
     
       4. The method of claim  2   1 , wherein, communication during a single session between the user computer and the at least one destination computer is in a single session and, one or more weak signals for the likely malware threat are detected in the single session. 
     
     
       5. The method of  claim 4 , wherein one or more weak signals for the likely malware threat are detected in at least two of the phases of the malicious attack by the malware in during the single session. 
     
     
       6. The method of  claim 1 , wherein one of the at least one destination computer is a compromised server and another one of the at least one destination computer is a command and control server for the malware. 
     
     
       7. The method of  claim 6 , wherein determining one or more weak signals comprises increasing a priority of a the likely malware threat is increased if in response to the command and control server domain registration based on a having an indicator of a bad domain reputation. 
     
     
       8. The method of  claim 4 , wherein determining one or more weak signals comprises evaluating communication between the user computer and the at least one destination computer in prior one or more sessions is evaluated for indication of weak signals for the likely malware threat, and if in response to an indication of weak signals for the likely malware threat are indicated, increasing a priority of a the likely malware threat is increased. 
     
     
       9. The method of  claim 8 , wherein one of the at least one destination computer is a command and control server for the malware, wherein determining one or more weak signals comprises comparing a number of communications between the user computer and a the command and control server for the malware is compared to a threshold value, and if in response to the number of communications is being below a the threshold value, a increasing the priority of a the likely malware threat is increased. 
     
     
       10. A system to detect a likely malware threat of a malware attack, by malware comprising:
 a security appliance comprising a hardware computing device configured to: 
 monitor a communication between a user computer and a destination computer; 
 extract selective information from the communication; 
 detect one or more weak signals indicative of a likely malware threat based on the extracted selective information from the communication, wherein each of the one or more weak signals is associated with one of a plurality of attack phases; 
 evaluate one or more weak signals for the likely malware threat based on a threshold value; and, including:
 determine a first plurality of threat levels based at least on the one or more weak signals and their associated attack phases; 
 select a highest threat level among the first plurality of threat levels; and 
 increase a value of the selected threat level based on interactions of the user computer with at least one destination computer; and  
 
 initiate a corrective action for the likely malware threat based at least on the evaluation of the one or more weak signals for the likely malware threat increased value of the selected threat level. 
 
 
     
     
       11. The system of  claim 10 , wherein, the malicious attack by the malware has a plurality of phases. 
     
     
       12. The method of claim  11   10 , wherein, at least more than one weak signal of the likely malware threat is detected in at least one of the plurality of phases of the malicious malware attack by the malware. 
     
     
       13. The system of claim  11   10 , wherein, communication during a single session between the user computer and the at least one destination computer is in a single session and, one or more weak signals of the likely malware threat are detected in the single session. 
     
     
       14. The system of  claim 13 , wherein one or more weak signals of the likely malware threat are detected in at least two of the phases in during the single session. 
     
     
       15. The system of  claim 10 , wherein one of the at least one destination computer is a compromised server and another one of the at least one destination computer is a command and control server of the malware. 
     
     
       16. The system of  claim 15 , wherein to determine one or more weak signals comprises increasing a priority of a the likely malware threat is increased if the command and control server domain registration is based on a has an indicator of a bad domain reputation. 
     
     
       17. The system of  claim 13 , wherein to determine one or more weak signals comprises evaluating communication between the user computer and the at least one destination computer in a prior one or more sessions is evaluated for indication of weak signals of the likely malware threat, and if weak signals of the likely malware threat are indicated, increasing a priority of the likely malware threat is increased. 
     
     
       18. The system of  claim 17 , wherein one of the at least one destination computer is a command and control server of the malware, wherein to determine one or more weak signals comprises comparing a number of communications between the user computer and a the command and control server of the malware is compared to a threshold value, and if the number of communications is below a the threshold value, increasing the priority of a the likely malware threat is increased. 
     
     
       19. The method of  claim 1 , wherein one of the weak signals of the likely malware threat is based on the selective information of the communication indicative of a file size. 
     
     
       20. The system of claim  1   10 , wherein one of the weak signals of the likely malware threat is based on the selective information of the communication indicative of a file size.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.