U.S. Patent Attorneys in New Jersey & New York
New York City: 212-316-0381 New Jersey: 973-685-5280 What's App: Click Here to Call E-Mail: firm@patentlawny.com

Methods and devices for identifying the presence of malware in a network (Tech Patents and Software Patents)

Patent no: 10,015,193
Issued: July 03, 2018
Inventor: Kolton , et al.
Attorney: Michael Feigin

Abstract

A device and a method for identifying whether a network node is infected by malware, including identifying indicator events for each of a plurality of anomaly indicators, by counting the number of occurrences of an anomaly indicator in at least one of a network node and an entire network during a predetermined time duration and if the number of occurrences of the anomaly indicator during the predetermined time duration is greater than a predetermined event threshold, identifying an indicator event associated with the anomaly indicator during the predetermined time duration and assigning an expiration duration for the indicator event, determining whether the identified indicator events fulfill at least one predetermined infection rule, and if the indicator events fulfill the at least one predetermined infection rule, identifying the network node as infected by malware.

 

Claims

The invention claimed is:

1. A method for identifying whether a network node is infected by malware, the method comprising: identifying indicator events for each of a plurality of anomaly indicators, by: counting a number of occurrences of an anomaly indicator in at least one of a network node and a network during a predetermined time duration; and if said number of occurrences of said anomaly indicator during said predetermined time duration is greater than a predetermined event threshold, identifying an indicator event associated with said anomaly indicator during said predetermined time duration and assigning an expiration duration to said indicator event; determining whether non-expired identified indicator events fulfill at least one predetermined infection rule; and if said identified indicator events fulfill at least one said predetermined infection rule, identifying said network node as infected by malware, wherein at least one said predetermined infection rule comprises a rule relating to a set of indicator events seen during a predetermined rule duration.

2. The method of claim 1, wherein at least one of said plurality of anomaly indicators comprise a global anomaly indicator.

3. The method of claim 1, wherein at least one of said plurality of anomaly indicators comprises a local anomaly indicator.

4. The method of claim 1, wherein at least one of said plurality of anomaly indicators is identified in a browsing session and comprises at least one of: an anomaly indicator relating to URI access out of context of said browsing session; an anomaly indicator relating to said browsing session requesting access to a resource that does not meet a pre-determined configuration profile; an anomaly indicator relating to correspondence between DNS queries and IP address accesses; an anomaly indicator relating to a number of TCP connections opened during said browsing session; an anomaly indicator relating to a value of a User Agent header of an HTTP request in said browsing session; an anomaly indicator relating to types of traffic passing through a single TCP connection; an anomaly indicator relating to longevity of domains accessed during said browsing session; an anomaly indicator relating to the HTML content of an HTTP response in said browsing session; an anomaly indicator relating to the HTML tags of an HTTP response in said browsing session; an anomaly indicator relating to the HTML content of all HTTP responses in said browsing session; an anomaly indicator relating to the HTML tags of all HTTP responses in said browsing session; and an anomaly indicator relating to the length of the said browsing session.

5. The method of claim 1, wherein at least one said predetermined infection rule comprises a rule relating to a sequence of indicator events seen during a predetermined rule duration.

6. The method of claim 1, also comprising assigning a score to each said identified indicator event, wherein at least one said predetermined infection rule comprises a rule relating to an arithmetic operation carried out on said scores of indicator events identified in said network node during a predetermined rule duration.

7. The method of claim 1, also comprising creating a browsing session by: creating an empty browsing session; upon identifying directly access to a specific URL adding said specific URI to said browsing session; and adding to said browsing session each URI accessed through a URI already in said browsing session, wherein said identifying indicator events comprises identifying at least one said indicator event in said browsing session.

8. The method of claim 1, wherein said identifying indicator events comprises identifying at least one indicator event in traffic within said network.

9. The method of claim 1, wherein said identifying indicator events comprises identifying at least one indicator event in traffic between said network and at least one IP address outside said network.

10. The method of claim 1, wherein said method is carried out inline, and wherein said method also comprises directing all traffic in said network through a proxy, such that said identifying indicator events and said identifying said network node as infected by malware are carried out by said proxy.

11. The method of claim 10, also comprising using at least one tool to identify whether a human user is conducting a browsing session used for said identifying indicator events.

12. The method of claim 1, wherein said method is carried out out-of-line, and wherein said identifying indicator events is carried out using at least one mirror port, without disrupting traffic flow in said network.

13. A device for identifying whether a network node is infected by malware, the device comprising: an indicator event identifier, configured to identify indicator events for each of a plurality of anomaly indicators, by: counting a number of occurrences of an anomaly indicator in at least one of a network node and a network during a predetermined time duration; and if said number of occurrences of said anomaly indicator during said predetermined time duration is greater than a predetermined event threshold, identifying an indicator event associated with said anomaly indicator during said predetermined time duration and assigning an expiration duration to said identified indicator event; a rule evaluator functionally associated with said indicator event identifier and configured to determine whether non-expired indicator events identified by said indicator event identifier fulfill at least one predetermined infection rule relating to a set of indicator events seen during a predetermined rule duration; and an infection identifier functionally associated with said rule evaluator and configured to identify said network node as infected by malware if said rule evaluator determined that said identified indicator events fulfill said at least one predetermined infection rule.

14. The device of claim 13, wherein said indicator event identifier is configured to identify indicator events for at least one global anomaly indicator.

15. The device of claim 13, wherein said indicator event identifier is configured to identify indicator events for at least one local anomaly indicator.

16. The device of claim 13, wherein said indicator event identifier is configured to identify indicator events for at least one of said plurality of anomaly indicators in a browsing session of said network node, said plurality of anomaly indicators comprising at least one of: an anomaly indicator relating to URI access out of context of said browsing session; an anomaly indicator relating to said browsing session requesting access to a resource that does not meet a pre-determined configuration profile; an anomaly indicator relating to correspondence between DNS queries and IP address accesses; an anomaly indicator relating to a number of TCP connections opened during said browsing session; an anomaly indicator relating to a value of a User Agent header of an HTTP request in said browsing session; an anomaly indicator relating to types of traffic passing through a single TCP connection; and an anomaly indicator relating to longevity of domains accessed during said browsing session; an anomaly indicator relating to the HTML content of an HTTP response in said browsing session; an anomaly indicator relating to the HTML tags of an HTTP response in said browsing session; an anomaly indicator relating to the HTML content of all HTTP responses in said browsing session; an anomaly indicator relating to the HTML tags of all HTTP responses in said browsing session; and an anomaly indicator relating to the length of the said browsing session.

17. The device of claim 13, wherein said rule evaluator is further configured to determine whether said identified indicator events fulfill at least one infection rule relating to a sequence of indicator events seen during a predetermined rule duration.

18. The device of claim 13, wherein: said indicator event identifier is configured to assign a score to each said identified indicator event; and said rule evaluator is further configured to determine whether said identified indicator events fulfill at least one infection rule relating to an arithmetic operation carried out on said scores of said indicator events identified in said network node during a predetermined rule duration.

19. The device of claim 13, wherein said indicator event identifier comprises an internal indicator event identifier configured to identify indicator events in traffic within a Local Area Network (LAN) of which said network node forms part.

20. The device of claim 13, wherein said indicator event identifier comprises an external indicator event identifier configured to identify indicator events in traffic between said network and at least one IP address outside said network.

21. The device of claim 13, the device comprising a proxy configured to have all network traffic directed therethrough, wherein said indicator event identifier is configured to use inline traffic for identifying said indicator events.

22. The device of claim 21, also comprising a human user browsing identifier configured to use at least one tool to identify whether a human user is conducting a browsing session on said network node.

23. The device of claim 13, said device configured to identify an infected network node using out-of-line network traffic.

24. A method for identifying whether a network node is infected by malware, the method comprising: identifying indicator events for each of a plurality of anomaly indicators, by: counting a number of occurrences of an anomaly indicator in at least one of a network node and a network during a predetermined time duration; and if said number of occurrences of said anomaly indicator during said predetermined time duration is greater than a predetermined event threshold; identifying an indicator event associated with said anomaly indicator during said predetermined time duration; and assigning an expiration duration to said indicator event, the expiration duration being dependent on a type of said indicator event; determining whether identified indicator events, whose expiration duration has not passed, fulfill at least one predetermined infection rule; and if said identified indicator events fulfill at least one said redetermined infection rule, identifying said network node as infected by malware.

Description

The invention claimed is:

1. A method for identifying whether a network node is infected by malware, the method comprising: identifying indicator events for each of a plurality of anomaly indicators, by: counting a number of occurrences of an anomaly indicator in at least one of a network node and a network during a predetermined time duration; and if said number of occurrences of said anomaly indicator during said predetermined time duration is greater than a predetermined event threshold, identifying an indicator event associated with said anomaly indicator during said predetermined time duration and assigning an expiration duration to said indicator event; determining whether non-expired identified indicator events fulfill at least one predetermined infection rule; and if said identified indicator events fulfill at least one said predetermined infection rule, identifying said network node as infected by malware, wherein at least one said predetermined infection rule comprises a rule relating to a set of indicator events seen during a predetermined rule duration.

2. The method of claim 1, wherein at least one of said plurality of anomaly indicators comprise a global anomaly indicator.

3. The method of claim 1, wherein at least one of said plurality of anomaly indicators comprises a local anomaly indicator.

4. The method of claim 1, wherein at least one of said plurality of anomaly indicators is identified in a browsing session and comprises at least one of: an anomaly indicator relating to URI access out of context of said browsing session; an anomaly indicator relating to said browsing session requesting access to a resource that does not meet a pre-determined configuration profile; an anomaly indicator relating to correspondence between DNS queries and IP address accesses; an anomaly indicator relating to a number of TCP connections opened during said browsing session; an anomaly indicator relating to a value of a User Agent header of an HTTP request in said browsing session; an anomaly indicator relating to types of traffic passing through a single TCP connection; an anomaly indicator relating to longevity of domains accessed during said browsing session; an anomaly indicator relating to the HTML content of an HTTP response in said browsing session; an anomaly indicator relating to the HTML tags of an HTTP response in said browsing session; an anomaly indicator relating to the HTML content of all HTTP responses in said browsing session; an anomaly indicator relating to the HTML tags of all HTTP responses in said browsing session; and an anomaly indicator relating to the length of the said browsing session.

5. The method of claim 1, wherein at least one said predetermined infection rule comprises a rule relating to a sequence of indicator events seen during a predetermined rule duration.

6. The method of claim 1, also comprising assigning a score to each said identified indicator event, wherein at least one said predetermined infection rule comprises a rule relating to an arithmetic operation carried out on said scores of indicator events identified in said network node during a predetermined rule duration.

7. The method of claim 1, also comprising creating a browsing session by: creating an empty browsing session; upon identifying directly access to a specific URL adding said specific URI to said browsing session; and adding to said browsing session each URI accessed through a URI already in said browsing session, wherein said identifying indicator events comprises identifying at least one said indicator event in said browsing session.

8. The method of claim 1, wherein said identifying indicator events comprises identifying at least one indicator event in traffic within said network.

9. The method of claim 1, wherein said identifying indicator events comprises identifying at least one indicator event in traffic between said network and at least one IP address outside said network.

10. The method of claim 1, wherein said method is carried out inline, and wherein said method also comprises directing all traffic in said network through a proxy, such that said identifying indicator events and said identifying said network node as infected by malware are carried out by said proxy.

11. The method of claim 10, also comprising using at least one tool to identify whether a human user is conducting a browsing session used for said identifying indicator events.

12. The method of claim 1, wherein said method is carried out out-of-line, and wherein said identifying indicator events is carried out using at least one mirror port, without disrupting traffic flow in said network.

13. A device for identifying whether a network node is infected by malware, the device comprising: an indicator event identifier, configured to identify indicator events for each of a plurality of anomaly indicators, by: counting a number of occurrences of an anomaly indicator in at least one of a network node and a network during a predetermined time duration; and if said number of occurrences of said anomaly indicator during said predetermined time duration is greater than a predetermined event threshold, identifying an indicator event associated with said anomaly indicator during said predetermined time duration and assigning an expiration duration to said identified indicator event; a rule evaluator functionally associated with said indicator event identifier and configured to determine whether non-expired indicator events identified by said indicator event identifier fulfill at least one predetermined infection rule relating to a set of indicator events seen during a predetermined rule duration; and an infection identifier functionally associated with said rule evaluator and configured to identify said network node as infected by malware if said rule evaluator determined that said identified indicator events fulfill said at least one predetermined infection rule.

14. The device of claim 13, wherein said indicator event identifier is configured to identify indicator events for at least one global anomaly indicator.

15. The device of claim 13, wherein said indicator event identifier is configured to identify indicator events for at least one local anomaly indicator.

16. The device of claim 13, wherein said indicator event identifier is configured to identify indicator events for at least one of said plurality of anomaly indicators in a browsing session of said network node, said plurality of anomaly indicators comprising at least one of: an anomaly indicator relating to URI access out of context of said browsing session; an anomaly indicator relating to said browsing session requesting access to a resource that does not meet a pre-determined configuration profile; an anomaly indicator relating to correspondence between DNS queries and IP address accesses; an anomaly indicator relating to a number of TCP connections opened during said browsing session; an anomaly indicator relating to a value of a User Agent header of an HTTP request in said browsing session; an anomaly indicator relating to types of traffic passing through a single TCP connection; and an anomaly indicator relating to longevity of domains accessed during said browsing session; an anomaly indicator relating to the HTML content of an HTTP response in said browsing session; an anomaly indicator relating to the HTML tags of an HTTP response in said browsing session; an anomaly indicator relating to the HTML content of all HTTP responses in said browsing session; an anomaly indicator relating to the HTML tags of all HTTP responses in said browsing session; and an anomaly indicator relating to the length of the said browsing session.

17. The device of claim 13, wherein said rule evaluator is further configured to determine whether said identified indicator events fulfill at least one infection rule relating to a sequence of indicator events seen during a predetermined rule duration.

18. The device of claim 13, wherein: said indicator event identifier is configured to assign a score to each said identified indicator event; and said rule evaluator is further configured to determine whether said identified indicator events fulfill at least one infection rule relating to an arithmetic operation carried out on said scores of said indicator events identified in said network node during a predetermined rule duration.

19. The device of claim 13, wherein said indicator event identifier comprises an internal indicator event identifier configured to identify indicator events in traffic within a Local Area Network (LAN) of which said network node forms part.

20. The device of claim 13, wherein said indicator event identifier comprises an external indicator event identifier configured to identify indicator events in traffic between said network and at least one IP address outside said network.

21. The device of claim 13, the device comprising a proxy configured to have all network traffic directed therethrough, wherein said indicator event identifier is configured to use inline traffic for identifying said indicator events.

22. The device of claim 21, also comprising a human user browsing identifier configured to use at least one tool to identify whether a human user is conducting a browsing session on said network node.

23. The device of claim 13, said device configured to identify an infected network node using out-of-line network traffic.

24. A method for identifying whether a network node is infected by malware, the method comprising: identifying indicator events for each of a plurality of anomaly indicators, by: counting a number of occurrences of an anomaly indicator in at least one of a network node and a network during a predetermined time duration; and if said number of occurrences of said anomaly indicator during said predetermined time duration is greater than a predetermined event threshold; identifying an indicator event associated with said anomaly indicator during said predetermined time duration; and assigning an expiration duration to said indicator event, the expiration duration being dependent on a type of said indicator event; determining whether identified indicator events, whose expiration duration has not passed, fulfill at least one predetermined infection rule; and if said identified indicator events fulfill at least one said redetermined infection rule, identifying said network node as infected by malware.
Description


FIELD AND BACKGROUND OF THE INVENTION

The invention, in some embodiments, relates to the field of computer threats, and more specifically to identifying the presence of advanced persistent threats, or malware, on a computer network node.

Advanced persistent threats, such as computer viruses, computer worms, Trojan horses, and other malware, are some of the problematic issues that organization Chief Security Officers (CSO) need to handle. Current security mechanisms are generally unable to cope with, and to prevent, targeted attacks on organizations, and as a result third parties, such as crackers and cyber-terrorists, are able to insert malware into the networks of such organizations. Once malware is present on an organization's network, the malware communicates with command and control mechanisms, which direct the malware as to what data to obtain, where to find such data, and where to send the data once it is obtained. Typically, communication between malware and its command and control uses common protocols, such as HTTP and IRC.

One method currently used for identifying the presence of malware on a network involves signature matching or pattern matching of malware families. For this method to properly identify the presence of malware, the malware must first be caught and analyzed to derive one or more relevant signatures, which signatures are then used to prevent an malware infection by such malware in other computers in the network or in other networks.

Another method, known as "sandboxing", involves running suspicious code in a secluded emulation environment, also called a sandbox, in order to identify the purpose of the code without the code being able to access network data. For example, a sandbox may be implemented by installing a proxy at the entrance to a network, and executing all HTTP pages prior to forwarding them to the requesting computer within the network. However, some malware programmers have developed methods for circumventing emulation environments, thus reducing the effectiveness of sandboxing. Additionally, even if the malware does not circumvent the emulation environment, execution of all HTTP requests in the sandbox prior to transmission thereof to the requesting node in the network greatly reduces the rate at which data is provided to the network nodes.

In yet other methods, machine learning, behavioral analysis, and classification algorithms are used to find packets within the network traffic which include communication between malware within the network and the control and command mechanism controlling the malware, or other suspicious activities in the network.

Recent reports show that on average, Advanced Persistent Threat attacks remain unidentified within an organization's network for longer than six months, and that more than 66% of organizations are unaware that their network is under attack.

There is thus a need for a system and method for effectively identifying the presence of malware in a computer network, and for identifying a command and control entity with which the malware communicates from within the network.

SUMMARY OF THE INVENTION

The invention, in some embodiments, relates to the field of computer threats, and more specifically to identifying the presence of advanced persistent threats, or malware, on a computer network node.

Some embodiments of the invention relate to methods and devices for identifying safe URIs, resources or pages accessed by nodes in a network, also known as white-listing resources or pages.

According to an aspect of some embodiments of the invention there is provided a method for identifying safe URIs (whitelisting), the method comprising:

each time a browser directly accesses a specific Uniform Resource Identifier (URI), building a browsing session based on the specific URI by: adding the specific URI to the browsing session; and adding to the browsing session each URI accessed through a URI already in the browsing session;

if the browsing session is valid, increasing a reputation score of the specific URI and all other URIs in the browsing session; and

if the reputation score of the specific URI is above a threshold or if the specific URI has previously been identified as a safe URI, identifying the specific URI and all other URIs included in the browsing session as safe URIs.

In some embodiments, directly accessing a specific URI comprises sending an HTTP request for the URI including a blank value in the request referrer field.

The specific URI may be a URI for any suitable resource, including web pages, text documents, images, sound files, multimedia files, executable files, and anything that can be accessed through a web site or through any web interface technology.

In some embodiments, the browsing session is valid if no anomaly was identified during addition of URIs to the browsing session, or following addition of URIs to the browsing session and prior to validation thereof. Devices and methods for detecting anomalies are described in further detail hereinbelow.

In some embodiment, the reputation score of a URI is aggregated for all users of the network. In some embodiments, the reputation score of a URI is aggregated for all users using the method herein to build a browsing session, which users may be using devices located in different networks.

In some embodiments, a safe resource is a resource which does not contain, generate, or infect the network node with malware.

The method for identifying safe resources described herein may be carried out using any suitable device. That being said, according to an aspect of some embodiments of the invention there is provided a device for identifying safe URIs (whitelisting), the device comprising:

a direct access identifier configured to identify when a browser of a node in a network directly accesses a specific Uniform Resource Identifier (URI);

a browsing session builder functionally associated with the direct access identifier and configured, following identification of direct access to the specific URI, to build a browsing session based on the specific URI by: adding the specific URI to the browsing session; and adding to the browsing session each URI accessed through a URI already in the browsing session;

a browsing session validator configured to identify whether or not the browsing session is valid, and if the browsing session is valid to increase a reputation score of the specific URI and of all other URIs in the browsing session; and

a safe resource identifier functionally associated with the browsing session validator and configured to identify the specific URI and all other URIs included in the browsing session as safe URIs if the reputation score of the specific URI is above a threshold or if the specific URI has previously been identified as a safe URI.

In some embodiments, the direct access identifier is configured to identify sending a request for the URI including a blank value in the request referrer field.

The specific URI may be a URI for any suitable resource, including web pages, text documents, images, sound files, multimedia files, executable files, and anything that can be accessed through a web site or through any web interface technology.

In some embodiments, the browsing session validator is configured to identify the browsing session as valid if no anomaly was identified during addition of URIs to the browsing session by the browsing session builder or following addition of URIs to the browsing session but prior to validation thereof by the browsing session validator. Devices and methods of detecting anomalies are described in further detail hereinbelow.

In some embodiment, the browsing session validator is configured to update the reputation scores of the URIs in the browsing session in a reputation aggregator functionally associated therewith. In some embodiments, the reputation aggregator is configured to aggregate the reputation score of a URI for all users of the network. In some embodiments, the reputation aggregator is configured to aggregate the reputation score of a URI for users of the network and of other networks using devices as described herein.

In some embodiments, the safe resource identifier is configured to identify as a safe resource a resource which does not contain, generate, or infect the network node with malware.

Some embodiments of the invention relate to methods and devices for identifying whether a network node is infected by malware.

According to an aspect of some embodiments of the invention there is provided a method for identifying whether a network node is infected by malware, the method comprising:

identifying indicator events for each of a plurality of anomaly indicators, by: counting the number of occurrences of an anomaly indicator in at least one of a network node and a network during a predetermined time duration; and if the number of occurrences of the anomaly indicator during the predetermined time duration is greater than a predetermined event threshold, identifying an indicator event associated with the anomaly indicator during the predetermined time duration and assigning an expiration duration to the indicator event;

determining whether non-expired identified indicator events fulfill at least one predetermined infection rule; and

if the indicator events fulfill the at least one predetermined infection rule, identifying the network node as infected by malware.

The anomaly indicators may be any suitable anomaly indicators. That said, in some embodiments, some of the plurality of anomaly indicators comprise indicators of global anomalies, which, when found, are relevant to all nodes of the network or even to other networks. For example, if a specific web page is identified as malware or as a malware control and command element, all guards in the network are notified of the nature of the web page, and any access to the specific web page, from any the node in the network, is considered an anomaly indicator. In some embodiments, some of the plurality of anomaly indicators comprise indicators of local anomalies, which are specific to the network node in which they were identified and/or to the browsing session in which they were identified.

Anomaly indicators may be based on any suitable network traffic protocol. That said, in some embodiments, anomaly indicators are based on HTTP traffic in the network. In some embodiments, anomaly indicators are based on DNS traffic in the network. In some embodiments, anomaly indicators are based on IRC traffic in the network. In some embodiments, anomaly indicators are based on FTP traffic in the network.

In some embodiments, the plurality of anomaly indicators includes anomaly indicators relating to URI access out of context of a browsing session of the network node, for example access to a URI in which the referrer field does not include any URI or includes a URI not previously included in the browsing session, other than at the beginning of a browsing session.

In some embodiments, the plurality of anomaly indicators includes anomaly indicators relating to access to a resource, such as a web page, which does not meet a pre-determined configuration profile. For example, a common web page is expected to have a title, a few images, and a few scripts. Absence of some or all of these elements in a page being accessed is abnormal and, in some embodiments, may be considered an anomaly indicator.

In some embodiments, the plurality of anomaly indicators includes anomaly indicators relating to DNS correspondence with IP addresses. For example, each access to a URI located at a specific IP address should trigger a corresponding DNS query. The absence of such a DNS query may be considered an anomaly indicator.

In some embodiments, the plurality of anomaly indicators includes anomaly indicators relating to a number of TCP connections opened during a browsing session. For example, a specific number of TCP connections is expected for each browsing session. Opening of a smaller or greater number of TCP connections during the browsing session may be considered an anomaly indicator.

In some embodiments, the plurality of anomaly indicators includes anomaly indicators relating to the user agent attribute of an HTTP request in a browsing session. For example, all HTTP requests in a given browsing session are expected to have the same value in the "User Agent" header of the request. An HTTP request having a different value in the "User Agent" header is often a request which did not originate from the browser but from another tool or source, such as from malware. Therefore, identification of an HTTP request having a different "User Agent" value than all other requests in the browsing session may be considered an anomaly indicator.

In some embodiments, the plurality of anomaly indicators includes anomaly indicators relating to the type of traffic passing through a single TCP connection. For example, a TCP connection is expected to carry only HTTP traffic. Identification of non HTTP traffic, such as a stream of data, passing through a TCP connection, may be indicative of a TCP connection to a malware command and control web server which would know how to parse the stream of data, and thus may be considered an anomaly indicator.

In some embodiments, the plurality of anomaly indicators includes anomaly indicators relating to the longevity of domains accessed during the browsing session. For example, an anomaly indicator may be identified when the browsing session of a network node accesses a domain having a short lifespan.

In some embodiments, the plurality of anomaly indicators includes anomaly indicators relating to the HTML content of an HTTP response in the browsing session. In some embodiments, the plurality of anomaly indicators includes anomaly indicators relating to the HTML tags of an HTTP response in the browsing session. In some embodiments, the plurality of anomaly indicators includes anomaly indicators relating to the HTML content of all HTTP responses in the browsing session. In some embodiments, the plurality of anomaly indicators includes anomaly indicators relating to the HTML tags of all HTTP responses in the browsing session. In some embodiments, the plurality of anomaly indicators includes anomaly indicators relating to the length of the browsing session.

In some embodiments, the predetermined time duration is the same for all types of anomaly indicators. In some embodiments, the predetermined time duration is specific to each type of anomaly indicator in the plurality of anomaly indicators. In some embodiments, the predetermined time duration is specific to the network node.

In some embodiments, the predetermined event threshold is the same for all types of anomaly indicators. In some embodiments, the predetermined event threshold is specific to each type of anomaly indicator in the plurality of anomaly indicators. In some embodiments, the predetermined event threshold is specific to the network node.

In some embodiments, the expiration duration is the same for indicator events of all types of anomaly indicators. In some embodiments, the expiration duration is specific to indicator events of each type of anomaly indicator in the plurality of anomaly indicators.

The predetermined infection rule may be any suitable rule relating to the indicator events which, when fulfilled, indicates infection of a node by malware.

In some embodiments, the predetermined infection rule comprises a rule relating to a set of indicator events seen during a rule time duration. For example, the rule may state that seeing at least one indicator event of each of three different types of anomaly indicators is indicative of an infected network node. As another example, the rule may state that seeing at least two local, or browsing session specific, indicator events of two different types of anomaly indicators, as well as at least two global, or network general, indicator events, is indicative of an infected network node.

In some embodiments, the predetermined rule comprises a rule relating to a sequence of indicator events seen during a rule time duration. For example, the rule may specify a specific order of indicator events of different types of anomaly indicators, which is indicative of an infected node.

In some embodiments, the method also comprises assigning a score to each indicator event and the predetermined rule comprises a rule relating to an arithmetic operation of the scores of indicator events identified in the network node during a predetermined rule duration. In some such embodiments, the rule comprises identifying the network node as being infected if a sum, average, or weighted average of the scores of indicator events is above a predetermined infection threshold. In some such embodiments, the rule comprises identifying the network node as being infected if the result of subtraction of the scores of indicator events from an initial value is below a predetermined infection threshold.

The browsing session used to determine whether or not a network node is infected with malware may be created in any suitable way. That being said, in some embodiments the browsing session is created by creating an empty browsing session, when the user directly accesses a specific URI, adding the specific URI to the browsing session, and adding to the browsing session each URI accessed through a URI already in the browsing session.

In some embodiments, identifying indicator events comprises identifying indicator events in traffic within a Local Area Network (LAN) of which the network node forms part. In some embodiments, identifying indicator events comprises identifying indicator events in traffic between the network and IP addresses outside the network, such as, for example, within a Wide Area Network (WAN) including the network of which the network node forms part.

In some embodiments, the method for identifying an infected network node is carried out inline. In some such embodiments, the method also includes directing all traffic in the network through a proxy, and the identifying indicator events and identifying the network node are carried out by the proxy. In some such embodiments, the method also includes using at least one tool to identify whether a human user is conducting the browsing session. The tool may be any suitable tool, and may include one or more of identifying mouse movements, identifying suitable CPU usage patterns, or requesting that the user respond to a Captcha challenge.

In some embodiments, the method for identifying an infected network node is carried out out-of-line. In some such embodiments, copies of the traffic in the network or in part of the network are used for identifying indicator events without disrupting traffic flow in the network.

The method for identifying whether a network node is infected by malware can be carried out using any suitable device. That being said, according to an aspect of some embodiments of the invention there is also provided a device for identifying whether a network node is infected by malware, the device comprising:

an indicator event identifier, configured to identify indicator events for each of a plurality of anomaly indicators, by: counting the number of occurrences of an anomaly indicator in at least one of a network node and a network during a predetermined time duration; and if the number of occurrences of the anomaly indicator during the predetermined time duration is greater than a predetermined event threshold, identifying an indicator event associated with the anomaly indicator during the predetermined time duration and assigning an expiration duration to the identified indicator event;

a rule evaluator functionally associated with the indicator event identifier and configured to determine whether non-expired identified indicator events fulfill at least one predetermined infection rule; and

an infection identifier functionally associated with the rule evaluator and configured to identifying the network node as infected by malware if the rule evaluator determined that the indicator events fulfill the at least one predetermined infection rule.

In some embodiments, the indicator event identifier is configured to identify indicator events for global anomaly indicators, which, when found, are relevant to all nodes of the network or even to other networks. For example, if a specific web page is identified as malware or as a malware control and command element, all guards are notified of the nature of the web page, and any access to the specific web page, from any the node in the network, is considered an anomaly indicator. In some embodiments, the indicator event identifier is configured to identify indicator events for local anomaly indicators, which are specific to the network node in which they were identified and/or to the browsing session in which they were identified.

The anomaly event indicator may identify indicator events for anomaly indicators based on any suitable network traffic protocol. That said, in some embodiments, the indicator event identifier is configured to identify indicator events for anomaly indicators based on HTTP traffic in the network. In some embodiments, the indicator event identifier is configured to identify indicator events for anomaly indicators based on DNS traffic in the network. In some embodiments, the indicator event identifier is configured to identify indicator events for anomaly indicators based on IRC traffic in the network. In some embodiments, the indicator event identifier is configured to identify indicator events for anomaly indicators based on FTP traffic in the network.

In some embodiments, the indicator event identifier is configured to identify indicator events for anomaly indicators relating to URI access out of context of a browsing session of the network node, for example access to a URI in which the referrer field does not include any URI or includes a URI not included in the browsing session, other than at the beginning of a browsing session.

In some embodiments, the indicator event identifier is configured to identify indicator events for anomaly indicators relating to access to a resource, such as a web page, which does not meet a pre-determined configuration profile. For example, a common web page is expected to have a title, a few images, and a few scripts. Absence of some or all of these elements in a page being accessed is abnormal and, in some embodiments, may be considered an anomaly indicator.

In some embodiments, the indicator event identifier is configured to identify indicator events for anomaly indicators relating to DNS correspondence with IP addresses. For example, each access to a URI located at a specific IP address should trigger a corresponding DNS query. The absence of such a DNS query may be considered an anomaly indicator.

In some embodiments, the indicator event identifier is configured to identify indicator events for anomaly indicators relating to a number of TCP connections opened during a browsing session. For example, a specific number of TCP connections is expected for each browsing session. Opening of a smaller or greater number of TCP connections during the browsing session may be considered an anomaly indicator.

In some embodiments, the indicator event identifier is configured to identify indicator events for anomaly indicators relating to the user agent attribute of an HTTP request in a browsing session. For example, all HTTP requests in a given browsing session are expected to have the same value in the "User Agent" header of the request. An HTTP request having a different value in the "User Agent" header is often a request which did not originate from the browser but from another tool or source, such as from malware. Therefore, identification of an HTTP request having a different "User Agent" value than all other requests in the browsing session may be considered an anomaly indicator.

In some embodiments, the indicator event identifier is configured to identify indicator events for anomaly indicators relating to the type of traffic passing through a single TCP connection. For example, a TCP connection is expected to carry only HTTP traffic. Identification of non HTTP traffic, such as a stream of data, passing through a TCP connection, may be indicative of a TCP connection to a malware command and control web server which would know how to parse the stream of data, and thus may be considered an anomaly indicator.

In some embodiments, the indicator event identifier is configured to identify indicator events for anomaly indicators relating to the longevity of domains accessed during the browsing session. For example, an anomaly indicator may be identified when the browsing session of a network node accesses a domain having a short lifespan.

In some embodiments, the indicator event identifier is configured to identify indicator events for anomaly indicators relating to the HTML content of an HTTP response in the browsing session. In some embodiments, the indicator event identifier is configured to identify indicator events for anomaly indicators relating to the HTML tags of an HTTP response in the browsing session. In some embodiments, the indicator event identifier is configured to identify indicator events for anomaly indicators relating to the HTML content of all HTTP responses in the browsing session. In some embodiments, the indicator event identifier is configured to identify indicator events for anomaly indicators relating to the HTML tags of all HTTP responses in the browsing session. In some embodiments, the indicator event identifier is configured to identify indicator events for anomaly indicators relating to the length of the browsing session.

In some embodiments, the predetermined time duration is the same for all types of anomaly indicators. In some embodiments, the predetermined time duration is specific to each type of anomaly indicator in the plurality of anomaly indicators. In some embodiments, the predetermined time duration is specific to the network node.

In some embodiments, the predetermined event threshold is the same for all types of anomaly indicators. In some embodiments, the predetermined event threshold is specific to each type of anomaly indicator in the plurality of anomaly indicators. In some embodiments, the predetermined event threshold is specific to the network node.

In some embodiments, the expiration duration is the same for indicator events of all types of anomaly indicators. In some embodiments, the expiration duration is specific to indicator events of each type of anomaly indicator in the plurality of anomaly indicators.

The rule evaluator is configured to evaluate whether or not the identified indicator events fulfill any suitable rule relating to the indicator events, which rule, when fulfilled, indicates infection of a node by malware.

In some embodiments, the rule evaluator is configured to determine whether the identified indicator events fulfill an infection rule relating to a set of indicator events seen during a rule time duration. For example, the rule evaluator may determine whether or not the identified indicator events fulfill a rule requiring identification of at least one indicator event of each of three different types of anomaly indicators within a rule time duration. As another example, the rule evaluator may determine whether or not the identified indicator events fulfill a rule requiring identification of at least two local, or browsing session specific, indicator events of two different types of anomaly indicators, as well as at least two global, or network general, indicator events, within a rule time duration.

In some embodiments, the rule evaluator is configured to determine whether the identified indicator events fulfill an infection rule relating to a sequence of indicator events seen during a rule time duration. For example, the rule evaluator may determine whether or not the identified indicator events fulfill a rule requiring identification of indicator events of different types of anomaly indicators in a specific order.

In some embodiments, the rule evaluator is configured to determine whether the identified indicator events fulfill an infection rule relating to an arithmetic operation of the scores of indicator events identified in the network node during a predetermined rule duration. In some such embodiments, the rule evaluator is configured to identify whether a sum or average of scores of indicator events identified in the network node during a predetermined rule duration is above a predetermined infection threshold. In some embodiments the rule evaluator is configured to determine whether or not the result of subtraction of the scores of indicator events identified during a predetermined rule duration from an initial value is below a predetermined infection threshold.

The browsing session used to determine whether or not the network node is infected with malware may be created in any suitable way. That being said, in some embodiments the device also includes a browsing session creator configured to:

create an empty browsing session;

when the user directly accesses a specific URI, add the specific URI to the browsing session; and

add to the browsing session each URI accessed through a URI already in the browsing session.

In some embodiments, the indicator event identifier comprises an internal indicator event identifier configured to identify indicator events in traffic within a Local Area Network (LAN) of which the network node forms part. In some embodiments, the indicator event identifier comprises an external indicator event identifier configured to identify indicator events in traffic between the network and IP addresses outside the network, such as, for example, within a Wide Area Network (WAN) including the network of which the network node forms part.

In some embodiments, the device is configured to identify an infected network node using inline network traffic. In some such embodiments, the device comprises a proxy through which all network traffic is directed for identification of indicator events and thereby for identification of infected network nodes. In some such embodiments, the device also includes a human user identifier configured to use at least one tool to identify whether a human user is conducting the browsing session. The at least one tool may be any suitable tool, and may be configured for one or more of identifying mouse movements, identifying suitable CPU usage patterns, or requesting that the user fulfill a Captcha challenge.

In some embodiments, the device is configured to identify an infected network node using out-of-line network traffic. In some such embodiments, the device includes a receiver configured to receive copies of the traffic sent from and received by the node, and the indicator event identifier operates on the received copies without disrupting traffic flow in the network.

Some embodiments of the invention relate to methods and devices for identifying and stopping communication traffic between a network node infected by malware and the command and control of the infecting malware, in order to prevent further infection on the network and to prevent the malware from obtaining data from the network.

According to an aspect of some embodiments of the invention there is provided a method for identifying and stopping communication traffic between a malicious URI and an infected network node, the method comprising:

obtaining a list of safe Universal Resource Identifiers (URIs) identifying safe resources;

for each communication of an infected network node with a specific URI not included in the list, sending to the infected network node a challenge requiring a specific response;

if, in response to the challenge, the infected network node provides the required specific response, allowing communication between the specific URI and the infected network node; and

if the infected network node does not provide a suitable response to the challenge, identifying the specific URI as malicious and blocking all communication between the infected network node and the specific URI.

In some embodiments, blocking also comprises blocking all communication between the infected network node and any URI within a domain or website including the specific URI.

In some embodiments, the method also includes notifying other guards in the network and/or other networks of the identification of the specific resource and the specific URI as malicious.

In some embodiments, the method also includes blocking all communication of all nodes in the network with the specific URI identified as malicious and/or with any URI within a domain or website including the specific URI.

Any method of obtaining a list of safe URIs may be used for implementing the teachings herein.

In some embodiments, obtaining the list comprises generating at least part of the list of safe URIs, as described hereinabove, by:

building a browsing session based on an initial URI directly accessed by a user by: adding the initial URI to the browsing session, and adding to the browsing session each URI accessed through a URI already in the browsing session,

if the browsing session is valid, increasing a reputation score of the initial URI and all other URIs in the browsing session, and

if the reputation score of the initial URI is above a threshold or if the initial URI has previously been identified as a safe URI, identifying the initial URI and all other URIs included in the browsing session as safe URIs.

In some embodiments, obtaining the list comprises generating at least part of the list of safe URIs by identifying automatically generated communications with resources that are known to be safe.

In some embodiments, the resources known to be safe are identical for multiple networks. For example, though downloading of software updates such as Microsoft.RTM. updates and the like comprises automatic browsing and not human browsing, because the origin of the software updates is known to be safe, a URI associated with this origin is included in the list of safe URIs.

In some embodiments, the resources known to be safe are specific to the network, the network node, or an organization to which the network belongs. For example, network nodes in a hospital may automatically access updates from the Center for Disease Control, which may be considered safe communication because the origin--the Center for Disease Control, is a known origin for the hospital network.

In some embodiments, obtaining the list comprises generating at least part of the list of safe URIs by including in the list URIs identified as safe URIs in other nodes in the network and/or in other networks. In some embodiments obtaining the list comprises generating at least part of the list of safe URIs by excluding from the list URIs that were identified as malicious or unsafe by another node in the network and/or by another network.

As mentioned above, a challenge requiring a specific response is sent to the infected network node prior to communicating with a URI for the first time in a new connection, if the URI is not included in the safe list at the time of first communication therewith. The challenge may require any suitable response, and typically requires a response which is indicative a human browsing at the infected network node. In some embodiments, the challenge may include an HTTP status code 302 redirecting to the specific URI and requires specific browser operations as a response. In some embodiments, the challenge requires adding one or more cookies as the response. In some embodiments, the challenge comprises a Captcha challenge. In some embodiments the challenge requires running of a program or script, such as a javascript code segment, on the node to calculate a value, and providing the calculated value as the response.

In some embodiments, the method for identifying and stopping communication traffic between a malicious URI or resource and an infected network node is carried out inline. In some such embodiments, the method includes directing all communication traffic through a proxy, such that sending the challenge, receiving the response to the challenge, and blocking communication with the specific URI is carried out by the proxy.

In some embodiments, the method for identifying and stopping communication traffic between a malicious URI or resource and an infected network node is carried out out-of-line. In some such embodiments, the method comprises a controlling node in the network spoofing a reply from a web server associated with the specific URI to the infected network node thereby to send the challenge to the infected network node.

In such embodiments, the response from the infected node is received by the controlling node. If the response does not correspond to the required response, this is indicative of the browsing being carried out by the malware trying to communicate with its command and control, and thus the specific URI and resource are identified as malicious. In such embodiments, blocking is carried out in any suitable way such as by using a firewall to block communication with the malicious URI, using the firewall to block all communication exiting from the infected network node, or by sending TCP resets to the infected network node.

The method for identifying and stopping communication traffic between a malicious URI or resource and an infected network node can be carried out using any suitable device. That being said, according to an aspect of some embodiments of the invention there is also provided a device for identifying and stopping communication traffic between a malicious URI and an infected network node, the device comprising:

a safe list obtainer configured to obtain a list of safe Universal Resource Identifiers (URIs) identifying safe resources;

a requestor configured, for each communication of an infected network node with a specific URI not included in the list, to send to the infected network node a challenge requiring a specific response;

a response evaluator, configured: if, in response to the challenge, the infected network node provides the required specific response, to allow communication between the specific URI and the infected network node; and if the infected network node does not provide a suitable response to the challenge, to identify the specific URI as malicious and to block all communication between the infected network node and the specific URI.

In some embodiments, the response evaluator is configured to block all communication between the infected network node and any URI within a domain or website including the specific URI.

In some embodiments, the response evaluator is configured to block only communication between the infected network node and the specific malicious URI.

In some embodiments, the response evaluator is also configured to notify other guards in the network and/or other networks of the identification of the specific URI as malicious.

In some embodiments, the device is also configured to block all communication of all nodes in the network with the specific URI identified as malicious and/or with any URI within a domain or website including the specific URI.

The safe list obtainer may obtain the list of safe URIs using any suitable method.

In some embodiments, the safe list obtainer is configured to obtain at least part of the list of safe URIs, as described hereinabove, by:

building a browsing session based on an initial URI directly accessed by a user by: adding the initial URI to the browsing session, and adding to the browsing session each URI accessed through a URI already in the browsing session,

if the browsing session is valid, increasing a reputation score of the initial URI and all other URIs in the browsing session, and

if the reputation score of the initial URI is above a threshold or if the initial URI has previously been identified as a safe URI, identifying the initial URI and all other URIs included in the browsing session as safe URIs.

In some embodiments, the safe list obtainer is configured to obtain at least part of the list of safe URIs by identifying automatically generated communications with resources that are known to be safe.

In some embodiments, the resources known to be safe are identical for multiple networks. For example, though downloading of software updates such as Microsoft.RTM. updates and the like comprises automatic browsing and not human browsing, because the origin of the software updates is known to be safe, a URI associated with this origin is included in the list of safe URIs.

In some embodiments, the resources known to be safe are specific to the network, the network node, or an organization to which the network belongs. For example, network nodes in a hospital may automatically access updates from the Center for Disease Control, which may be considered safe communication because the origin--the Center for Disease Control, is a known origin for the hospital network.

In some embodiments, the safe list obtainer is configured to obtain at least part of the list of safe URIs by including in the list URIs identified as safe URIs in other nodes in the network and/or in other networks. In some embodiments the safe list obtainer is configured to obtain at least part of the list of safe URIs by excluding from the list URIs that were identified as malicious or unsafe by another node in the network and/or by another network.

As mentioned above, the requestor is configured to send to the infected network node a challenge requiring a specific response prior to communication of the infected network node with a specific URI for the first time in a new connection, if the specific URI is not included in the safe list at the time of first communication therewith. The challenge may require any suitable response, and typically requires a response which is indicative a human browsing at the infected network node. In some embodiments, the requestor is configured to send a challenge including an HTTP status code 302 redirecting to the specific URI and requiring as a response specific browser operations. In some embodiments, the requestor is configured to send a challenge requiring adding one or more cookies as the response. In some embodiments, the requestor is configured to send a Captcha challenge. In some embodiments the requestor is configured to send a challenge requiring running of a program or script, such as a javascript code segment, on the node to calculate a value, and providing the calculated value as the response.

In some embodiments, at least two of the safe list obtainer, the requestor and the response evaluator may comprise a single component. In some embodiments, all of the safe list obtainer, the requestor and the response evaluator comprise a single component.

In some embodiments, the device comprises a proxy configured to identify and to stop communication traffic between the infected network node and the malicious URI inline.

In some embodiments, the device comprises a controlling node configured to identify and stop communication traffic between the infected network node and the malicious URI out-of-line. In some such embodiments, the requestor is configured to spoof a reply from a web server associated with the specific URI to the infected network node, thereby to send the challenge to the infected network node. The controlling node is configured to sniff the response to the challenge. If the response does not correspond to the required response, this is indicative of the browsing being carried out by the malware trying to communicate with its command and control, and thus the specific URI and resource are identified as malicious.

Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which the invention pertains. In case of conflict, the specification, including definitions, will take precedence.

As used herein, the terms "comprising", "including", "having" and grammatical variants thereof are to be taken as specifying the stated features, integers, steps or components but do not preclude the addition of one or more additional features, integers, steps, components or groups thereof. These terms encompass the terms "consisting of" and "consisting essentially of".

As used herein, the indefinite articles "a" and "an" mean "at least one" or "one or more" unless the context clearly dictates otherwise.

Embodiments of methods and/or devices of the invention may involve performing or completing selected tasks manually, automatically, or a combination thereof. Some embodiments of the invention are implemented with the use of components that comprise hardware, software, firmware or combinations thereof. In some embodiments, some components are general-purpose components such as general purpose computers or monitors.

In some embodiments, some components are dedicated or custom components such as circuits, integrated circuits or software.

For example, in some embodiments, some of an embodiment is implemented as a plurality of software instructions executed by a data processor, for example which is part of a general-purpose or custom computer. In some embodiments, the data processor or computer comprises volatile memory for storing instructions and/or data and/or a non-volatile storage, for example, a magnetic hard-disk and/or removable media, for storing instructions and/or data. In some embodiments, implementation includes a network connection. In some embodiments, implementation includes a user interface, generally comprising one or more of input devices (e.g., allowing input of commands and/or parameters) and output devices (e.g., allowing reporting parameters of operation and results.

BRIEF DESCRIPTION OF THE FIGURES

Some embodiments of the invention are described herein with reference to the accompanying figures. The description, together with the figures, makes apparent to a person having ordinary skill in the art how some embodiments of the invention may be practiced. The figures are for the purpose of illustrative discussion and no attempt is made to show structural details of an embodiment in more detail than is necessary for a fundamental understanding of the invention. For the sake of clarity, some objects depicted in the figures are not to scale.

In the Figures:

FIG. 1 is a simplified graphic representation of an embodiment of a network for use with methods and devices in accordance with the teachings herein;

FIG. 2 is a block diagram of an embodiment of a device for identifying safe URIs in accordance with an embodiment of the teachings herein;

FIG. 3 is a flow chart of an embodiment of a method for identifying safe URIs in accordance with an embodiment of the teachings herein;

FIG. 4 is a block diagram of an embodiment of a device for identifying whether a network node is infected by malware in accordance with an embodiment of the teachings herein;

FIG. 5 is a flow chart of an embodiment of a method for identifying whether a network node is infected by malware in accordance with an embodiment of the teachings herein;

FIG. 6 is a block diagram of an embodiment of a device for identifying and stopping communication traffic between an infected network node and a malicious URI in accordance with an embodiment of the teachings herein; and

FIG. 7 is a flow chart of an embodiment of a method for identifying and stopping communication traffic between an infected network node and a malicious URI in accordance with an embodiment of the teachings herein.

DESCRIPTION OF SOME EMBODIMENTS OF THE INVENTION

The invention, in some embodiments, relates to the field of computer threats, and more specifically to identifying the presence of advanced persistent threats, or malware, on a computer network node.

The principles, uses and implementations of the teachings herein may be better understood with reference to the accompanying description and figures. Upon perusal of the description and figures present herein, one skilled in the art is able to implement the invention without undue effort or experimentation.

Before explaining at least one embodiment of the invention in detail, it is to be understood that the invention is not limited in its applications to the details of construction and the arrangement of the components and/or methods set forth in the following description and/or illustrated in the drawings and/or the Examples. The invention can be implemented with other embodiments and can be practiced or carried out in various ways. It is also understood that the phraseology and terminology employed herein is for descriptive purpose and should not be regarded as limiting.

Some aspects of the invention herein relate to methods and devices for identifying safe URIs and resources in a network (whitelisting resources).

Thus, according to an aspect of some embodiments of the invention there is provided a method for identifying safe URIs, the method comprising:

each time a browser of a node in a network directly accesses a specific Uniform Resource Identifier (URI), building a browsing session based on the specific URI by: adding the specific URI to the browsing session; and adding to the browsing session each URI accessed through a URI already in the browsing session;

if the browsing session is valid, increasing a reputation score of the specific URI and of all other URIs in the browsing session; and

if the reputation score of the specific URI is above a threshold or if the specific URI has previously been identified as a safe URI, identifying the specific URI and all other URIs included in the browsing session as safe URIs.

According to an aspect of some embodiments of the invention there is also provided a device for identifying safe URIs, the device comprising:

a direct access identifier configured to identify when a browser of a node in a network directly accesses a specific Uniform Resource Identifier (URI);

a browsing session builder functionally associated with the direct access identifier and configured, following identification of direct access to the specific URI, to build a browsing session based on the specific URI by: adding the specific URI to the browsing session; and adding to the browsing session each URI accessed through a URI already in the browsing session;

a browsing session validator configured to identify whether or not the browsing session is valid, and if the browsing session is valid to increase a reputation score of the specific URI and of all other URIs in the browsing session; and

a safe resource identifier functionally associated with the browsing session validator and configured to identify the specific URI and all other URIs included in the browsing session as safe URIs if the reputation score of the specific URI is above a threshold or if the specific URI has previously been identified as a safe URI.

Some aspects of the invention herein relate to methods and devices for identifying whether or not a network node is infected by malware.

Thus, according to an aspect of some embodiments of the invention there is provided a method for identifying whether a network node is infected by malware, the method comprising:

identifying indicator events for each of a plurality of anomaly indicators, by: counting a number of occurrences of an anomaly indicator in at least one of a network node and a network during a predetermined time duration; and if the number of occurrences of the anomaly indicator during the predetermined time duration is greater than a predetermined event threshold, identifying an indicator event associated with the anomaly indicator during the predetermined time duration and assigning an expiration duration to the indicator event;

determining whether non-expired identified indicator events fulfill at least one predetermined infection rule; and

if the identified indicator events fulfill at least one the predetermined infection rule, identifying the network node as infected by malware.

According to an aspect of some embodiments of the invention there is also provided a device for identifying whether a network node is infected by malware, the device comprising:

an indicator event identifier, configured to identify indicator events for each of a plurality of anomaly indicators, by: counting a number of occurrences of an anomaly indicator in at least one of a network node and a network during a predetermined time duration; and if the number of occurrences of the anomaly indicator during the predetermined time duration is greater than a predetermined event threshold, identifying an indicator event associated with the anomaly indicator during the predetermined time duration and assigning an expiration duration to the identified indicator event;

a rule evaluator functionally associated with the indicator event identifier and configured to determine whether non-expired indicator events identified by the indicator event identifier fulfill at least one predetermined infection rule; and

an infection identifier functionally associated with the rule evaluator and configured to identify the network node as infected by malware if the rule evaluator determined that the identified indicator events fulfill the at least one predetermined infection rule.

Some embodiments of the invention herein relate to methods and devices for ide Back to patents

transparent gif
transparent gif