Patent · US Active

Detecting malware infestations in large-scale networks

US8959643B1 · kind B1 · utility

Cited by: 54
References: 0
Claims: 9
Family size: 0

Assignee

Inventors

Key dates

Filing date: Aug 9, 2013
Grant date: Feb 17, 2015
Priority date
Expiry date: Aug 15, 2033

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L63/1408
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

A method for detecting a malicious activity in a network. The method includes obtaining file download flows from the network, analyzing the file download flows to generate malicious indications using a pre-determined malicious behavior detection algorithm, extracting a file download attribute from a suspicious file download flow of a malicious indication, wherein the file download attribute represents one or more of the URL, the FQDN, the top-level domain name, the URL path, the URL file name, and the payload of the suspicious file download flow, determining the file download attribute as being shared by at least two suspicious file download flows, identifying related suspicious file download flows and determining a level of association between them based at least on the file download attribute, computing a malicious score of the suspicious file download flow based on the level of association, and presenting the malicious score to an analyst user of the network.
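The pipeline the abstract describes (detector output, attribute extraction, shared-attribute matching, association level, malicious score) is easier to follow in code. What follows is an added illustration written for this page, not the patent's own implementation or claim language: the detector heuristic (`is_suspicious`), the attribute weights, the `MIN_ASSOCIATION` threshold, the scoring formula and the sample flows are all assumptions chosen to make the mechanics visible, and the six flows are constructed, not captured traffic.

```python
"""Flow-association scoring in the style of the US8959643B1 abstract.

Added example, not the patent's implementation. The detector heuristic,
the attribute weights, the scoring formula and the sample flows are
assumptions made for illustration.
"""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class DownloadFlow:
    flow_id: str
    client: str     # downloading host (constructed)
    url: str
    payload: bytes  # leading bytes of the downloaded file (constructed)


def is_suspicious(flow: DownloadFlow) -> bool:
    """Stand-in for the abstract's "pre-determined malicious behavior
    detection algorithm" (assumed heuristic): a PE image served under a
    non-executable file name, or any download from a bare-IP host, yields
    a malicious indication."""
    parts = urlsplit(flow.url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rpartition("/")[2].lower()
    looks_like_pe = flow.payload.startswith(b"MZ")
    disguised = looks_like_pe and not filename.endswith((".exe", ".dll", ".scr"))
    bare_ip = host != "" and host.replace(".", "").isdigit()
    return disguised or bare_ip


def extract_attributes(flow: DownloadFlow) -> dict:
    """The file download attributes named in the abstract: URL, FQDN,
    top-level domain, URL path, URL file name and (a hash of) the payload.
    Empty attributes (e.g. no TLD for a bare-IP host) are dropped."""
    parts = urlsplit(flow.url)
    host = (parts.hostname or "").lower()
    directory, _, filename = (parts.path or "/").rpartition("/")
    bare_ip = host.replace(".", "").isdigit()
    attrs = {
        "url": flow.url,
        "fqdn": host,
        "tld": None if bare_ip else host.rpartition(".")[2],
        "path": directory or "/",
        "filename": filename,
        "payload": hashlib.sha256(flow.payload).hexdigest(),
    }
    return {k: v for k, v in attrs.items() if v}


# Assumed evidence weights: a shared payload hash or exact URL is strong,
# a shared top-level domain on its own is nearly meaningless.
WEIGHTS = {"url": 3.0, "payload": 3.0, "fqdn": 2.0, "path": 2.0, "filename": 2.0, "tld": 0.5}
MAX_ASSOCIATION = sum(WEIGHTS.values())  # 12.5 when every attribute is shared
MIN_ASSOCIATION = 1.0                     # below this two flows are not "related"


def association(a: dict, b: dict) -> tuple[float, set]:
    """Level of association between two flows: weighted count of the
    attributes whose values are identical."""
    shared = {k for k in a if k in b and a[k] == b[k]}
    return sum(WEIGHTS[k] for k in shared), shared


def score_flows(flows: list[DownloadFlow]) -> dict:
    """Return {flow_id: {"score": float, "related": {other_id: [attrs]}}}
    for every flow that carries a malicious indication."""
    suspicious = [f for f in flows if is_suspicious(f)]
    attrs = {f.flow_id: extract_attributes(f) for f in suspicious}
    # Index attribute values so only flows that actually share one are
    # compared (the abstract's "attribute shared by at least two flows").
    index: dict[tuple, set] = {}
    for fid, a in attrs.items():
        for k, v in a.items():
            index.setdefault((k, v), set()).add(fid)
    report = {}
    for fid, a in attrs.items():
        candidates = set().union(*(index[(k, v)] for k, v in a.items())) - {fid}
        total, related = 0.0, {}
        for other in candidates:
            level, shared = association(a, attrs[other])
            if level >= MIN_ASSOCIATION:
                total += level
                related[other] = sorted(shared)
        # Assumed scoring: accumulated association, capped at 1.0.
        report[fid] = {"score": round(min(1.0, total / MAX_ASSOCIATION), 3),
                       "related": related}
    return report


FLOWS = [  # constructed traffic, not from any real network
    DownloadFlow("f1", "10.0.0.5", "http://cdn-updates.example.net/static/update.jpg", b"MZ\x90\x00\x03\x00"),
    DownloadFlow("f2", "10.0.0.9", "http://cdn-updates.example.net/static/update.jpg", b"MZ\x90\x00\x03\x00"),
    DownloadFlow("f3", "10.0.0.12", "http://198.51.100.23/static/update.jpg", b"MZ\x90\x00\x03\x00\x04"),
    DownloadFlow("f4", "10.0.0.7", "https://www.example.org/docs/report.pdf", b"%PDF-1.7"),
    DownloadFlow("f5", "10.0.0.5", "https://mirror.example.com/tools/putty.exe", b"MZ\x90\x00\x03\x00\x00"),
    DownloadFlow("f6", "10.0.0.31", "http://203.0.113.8/dl/setup.png", b"MZ\x00\x00"),
]

if __name__ == "__main__":
    # The "presenting to an analyst" step: highest score first.
    for fid, r in sorted(score_flows(FLOWS).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{fid} score={r['score']:.2f} related={sorted(r['related'])}")
```

Running it shows the point of the association step: f1 and f2 (same URL and payload) and f3 (same path and file name on a bare-IP host) reinforce each other and score highest, while f6, which also trips the detector but shares nothing with any other suspicious flow, stays at 0.0 and would sit at the bottom of the analyst's queue. Benign downloads (f4, f5) never reach the scoring stage because they produced no malicious indication.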

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.