Patent · US Active

Malicious C and C channel to fixed IP detection

US11811820B2 · kind B2 · utility

Cited by: 0
References: 20
Claims: 31
Family size: 0

Assignee

Inventors

Key dates

Filing date: Feb 24, 2020
Grant date: Nov 7, 2023
Priority date:
Expiry date: Aug 21, 2040

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L2463/144
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

Methods, apparatus and computer software products implement embodiments of the present invention that include protecting a computer system by collecting information from data traffic transmitted between multiple local nodes on a private data network and public IP addresses corresponding to multiple remote nodes on a public data network. DNS resolutions are detected in the collected information, each DNS resolution identifying a local node requesting the resolution with respect to a URI and a public IP address corresponding to the URI. Transmissions from the local nodes to the public IP addresses are detected in the collected information at respective times, and the detected DNS resolutions are compared to the detected transmissions so as to identify the transmissions from the local nodes to the public IP addresses that were not resolved by the DNS resolutions. Finally, a protective action is initiated with respect to at least some of the identified transmissions.
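The abstract describes a comparison of observed DNS resolutions against observed outbound connections so that connections to public IPs that no prior DNS answer explains can be flagged. The following is an added illustration of that comparison written for this page; it is not the patent's claimed implementation and not code from the assignee. It assumes a per-node match (a resolution counts only for the local node that requested it), a 24-hour lookback window for a resolution to "explain" a later connection, and an explicit list of non-public ranges rather than `ipaddress.is_global`, because Python treats the RFC 5737 documentation addresses used in the constructed sample as non-global. All log records below are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass(frozen=True)
class DnsResolution:
    """One observed DNS answer: which local node asked, for which name, and the IP returned."""
    ts: datetime
    local_node: str
    uri: str
    resolved_ip: str


@dataclass(frozen=True)
class Transmission:
    """One observed outbound flow from a local node to a remote IP."""
    ts: datetime
    local_node: str
    remote_ip: str


# Ranges that are never "public" for the purpose of this check (assumed list, not from the patent).
NON_PUBLIC_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "169.254.0.0/16", "100.64.0.0/10", "224.0.0.0/4")
]

# Assumed lookback: a DNS answer older than this no longer explains a connection.
LOOKBACK = timedelta(hours=24)


def is_public(ip: str) -> bool:
    """True unless the address falls inside one of the non-public ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC_RANGES)


def find_unresolved_transmissions(resolutions, transmissions, lookback=LOOKBACK):
    """Return transmissions to public IPs that no DNS resolution by the same node explains.

    A transmission is explained when the same local node received that IP in a DNS
    answer at or before the transmission time and within the lookback window.
    """
    # Index: (local_node, ip) -> list of resolution timestamps.
    index = {}
    for r in resolutions:
        index.setdefault((r.local_node, r.resolved_ip), []).append(r.ts)

    flagged = []
    for t in transmissions:
        if not is_public(t.remote_ip):
            continue  # only public destinations are in scope
        candidates = index.get((t.local_node, t.remote_ip), [])
        explained = any(t.ts - lookback <= ts <= t.ts for ts in candidates)
        if not explained:
            flagged.append(t)
    return flagged


def _at(day: int, hms: str) -> datetime:
    """Helper for the constructed sample: a timestamp on Feb <day>, 2020."""
    h, m, s = (int(x) for x in hms.split(":"))
    return datetime(2020, 2, day, h, m, s)


# Constructed sample data (not captured from any real network).
SAMPLE_RESOLUTIONS = [
    DnsResolution(_at(24, "09:00:00"), "10.0.0.5", "example.com", "198.51.100.10"),
    DnsResolution(_at(22, "09:00:00"), "10.0.0.9", "updates.example.net", "203.0.113.8"),
]
SAMPLE_TRANSMISSIONS = [
    Transmission(_at(24, "09:05:00"), "10.0.0.5", "198.51.100.10"),  # resolved 5 min earlier: explained
    Transmission(_at(24, "09:06:00"), "10.0.0.7", "203.0.113.45"),   # never resolved: flagged
    Transmission(_at(24, "09:07:00"), "10.0.0.5", "192.168.1.1"),    # private destination: out of scope
    Transmission(_at(24, "09:08:00"), "10.0.0.9", "203.0.113.8"),    # resolved 2 days ago, outside window: flagged
    Transmission(_at(24, "09:09:00"), "10.0.0.7", "198.51.100.10"),  # resolved only by another node: flagged
]


def sample_flags():
    """(local_node, remote_ip) pairs flagged on the constructed sample."""
    flagged = find_unresolved_transmissions(SAMPLE_RESOLUTIONS, SAMPLE_TRANSMISSIONS)
    return [(t.local_node, t.remote_ip) for t in flagged]


if __name__ == "__main__":
    for node, ip in sample_flags():
        print(f"unresolved public connection: {node} -> {ip}")
```

The two design choices worth noting for a real deployment are the window and the matching key. Too short a window produces false positives for long-lived connections and cached DNS answers; too long a window lets a stale resolution cover an unrelated connection. Matching per local node rather than per IP network-wide is stricter and is what the abstract's wording ("each DNS resolution identifying a local node") suggests, but a shared recursive resolver that answers on behalf of clients would need the resolver's queries attributed back to the requesting host.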

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.