Malware detector
Inventors
Stavrou, Angelos • Jajodia, Sushil • Ghosh, Anup K. • Martin, Rhandi • Andrianakis, Charalampos
Assignees
George Mason University • George Mason Research Foundation Inc
Publication Number
US-11916933-B2
Publication Date
2024-02-27
Expiration Date
2030-04-09
Interested in licensing this patent?
MTEC can help explore whether this patent might be available for licensing for your application.
Abstract
A transparent proxy for malware detection includes a monitor module, a protocol determination module, a challenge generation module, a response determination module, and a data control module. The monitor module examines data originating from an application towards a remote server. The protocol determination module identifies the protocol type used for the data. The challenge generation module produces a challenge for the application based upon the protocol type, sends the challenge to the application, and maintains a state related to the data and the challenge. The response determination module determines whether an automatic, non-interactive application response to the challenge is received from the application. The data control module allows the data to continue to the remote server when the determination is valid. The data control module reports malware detection and blocks the data from continuing to the remote server when the determination is invalid.
Core Innovation
The invention provides a transparent proxy for malware detection that includes a monitor module, protocol determination module, challenge generation module, response determination module, and data control module. The system intercepts data originating from applications toward remote servers, identifies the network protocol in use, and generates a protocol-specific active content challenge sent to the application. The proxy maintains state information for the data and challenge, and then analyzes the application's automatic, non-user-interactive responses to these challenges.
If a valid response is received within a predefined timeframe, the proxy allows the network communication to continue to the remote server; otherwise, it identifies the communication as likely originating from malware, blocks further transmission, and reports the detection. The approach applies both passive fingerprinting and active challenges, adapting the challenge type to the specific application and protocol (such as HTTP, HTTPS, and VoIP protocols).
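The following is an added toy model of the challenge/response state machine described above; it is not code from the patent or its inventors. It assumes one hypothetical challenge type for HTTP (a redirect plus cookie that a real HTTP client follows without user involvement), a hypothetical challenge path, a 2-second deadline, and a caller-supplied client identity (for example the source endpoint), all of which are illustration choices rather than anything the patent specifies. The proxy holds the intercepted request, issues the challenge, and releases the request only if the automatic answer arrives in time; a wrong answer, a late answer, or no answer at all classifies the client as malware and blocks it.

```python
# Toy model of the transparent proxy's challenge/response logic (hypothetical, not the patent's code).
import re
import secrets
from dataclasses import dataclass

CHALLENGE_TIMEOUT = 2.0     # seconds a legitimate client gets to answer (assumed value)
CHALLENGE_PATH = "/__chk/"  # hypothetical challenge URL prefix


@dataclass
class Pending:
    protocol: str
    nonce: str
    original: bytes   # the intercepted request, held until the challenge is answered
    issued_at: float


def identify_protocol(data: bytes) -> str:
    """Protocol determination: classify by the request line alone."""
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return "http"
    if len(parts) == 3 and parts[2].startswith(b"SIP/"):
        return "sip"
    return "unknown"


def http_challenge(nonce: str) -> bytes:
    """Challenge: a redirect plus cookie that a real HTTP client follows on its own."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {CHALLENGE_PATH}{nonce}\r\n"
            f"Set-Cookie: chk={nonce}; Path=/\r\nContent-Length: 0\r\n\r\n").encode()


def http_response_valid(nonce: str, data: bytes) -> bool:
    """Valid answer: a GET of the challenge URL that carries the cookie we set."""
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *headers = head.split("\r\n")
    m = re.fullmatch(r"GET (\S+) HTTP/1\.[01]", request_line)
    cookies = [h for h in headers if h.lower().startswith("cookie:")]
    return (m is not None and m.group(1) == CHALLENGE_PATH + nonce
            and any(f"chk={nonce}" in c for c in cookies))


# Per-protocol (challenge builder, response validator) pairs; add entries for new protocols.
CHALLENGES = {"http": (http_challenge, http_response_valid)}


class ChallengeProxy:
    def __init__(self, timeout: float = CHALLENGE_TIMEOUT):
        self.timeout = timeout
        self.pending: dict[str, Pending] = {}
        self.verdicts: dict[str, str] = {}   # client -> "legit" | "malware"

    def handle(self, client: str, data: bytes, now: float):
        """Returns (action, payload); action is 'challenge', 'forward' or 'block'."""
        if self.verdicts.get(client) == "malware":
            return "block", b""                          # already classified, stays blocked
        pending = self.pending.get(client)
        if pending is None:
            proto = identify_protocol(data)
            if proto not in CHALLENGES or self.verdicts.get(client) == "legit":
                return "forward", data                   # no challenge defined (passive only), or already passed
            nonce = secrets.token_hex(8)
            self.pending[client] = Pending(proto, nonce, data, now)
            return "challenge", CHALLENGES[proto][0](nonce)
        # A challenge is outstanding: this message must be the automatic answer to it.
        del self.pending[client]
        in_time = now - pending.issued_at <= self.timeout
        if in_time and CHALLENGES[pending.protocol][1](pending.nonce, data):
            self.verdicts[client] = "legit"
            return "forward", pending.original           # release the held request
        self.verdicts[client] = "malware"
        return "block", b""

    def expire(self, now: float) -> list[str]:
        """Clients that never answered within the timeout are classified as malware."""
        late = [c for c, p in self.pending.items() if now - p.issued_at > self.timeout]
        for c in late:
            del self.pending[c]
            self.verdicts[c] = "malware"
        return late
```

Two policy points worth noticing in the model: a protocol with no challenge defined passes through untouched, which is a fail-open choice a deployment might invert, and the verdict is keyed on whatever identity the caller supplies, so a real proxy has to bind that key to the application (not just an address) or a classified host can reappear under a new source port.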
The problem addressed is the inadequacy of traditional on-host and passive network methods in identifying all known and unknown malware, especially sophisticated malware that mimics legitimate application network behaviors. The invention aims to prevent malware from exfiltrating data or establishing command and control channels without requiring on-host software installation or frequent signature updates.
Claims Coverage
There are three main independent inventive features claimed in this patent, covering an apparatus, a method, and a non-transitory processor-readable medium implementing the malware detection functions.
Transparent proxy apparatus with application-specific active challenge and malicious application identification
An apparatus comprising a memory and a hardware processor configured to:
- intercept communications from multiple different applications on different compute devices addressed to different servers;
- generate and send distinct active content challenges for each application based on their communications;
- identify whether each application is malicious based on receiving, within predefined time periods, respective automatic non-user-interactive application responses to the challenges.
Method intercepting communications and classifying applications as malware via protocol-specific active challenges
A method that includes:
- intercepting communications from multiple applications on different devices destined for different servers;
- generating different active content challenges for each application based on application type (and optionally protocol or state), sending the challenges, and awaiting responses;
- classifying an application as malware if a valid automatic, non-user-interactive response is not received in time, and then preventing further communication from that application to its server.
Processor-readable medium storing instructions for application-type-based active challenge and malware classification
A non-transitory processor-readable medium storing code to:
- receive communications from applications on respective devices and identify their application types;
- generate and send active content challenges based on application types;
- determine whether each application is malicious based on whether the corresponding automatic non-user-interactive response is received within a predetermined time period after challenge delivery.
These inventive features emphasize the use of application- and protocol-aware active content challenges to distinguish legitimate from malicious applications, integrating detection and response blocking into a transparent proxy system for malware prevention.
Stated Advantages
Provides an agentless or clientless network-based solution, eliminating the need for enterprise-wide on-host software deployment and reducing management overhead.
Reduces or eliminates the need for frequent signature updates on all machines, centralizing any required updates to the proxy itself.
Detects both known and unknown malware, including sophisticated malware that mimics legitimate application traffic, by using both passive fingerprinting and active content challenges.
Prevents malware from exfiltrating data or establishing command and control connections by blocking malicious communications at the network edge or workstation level.
Remains resilient to rootkits and on-host evasion tactics since detection occurs at the network proxy rather than on individual machines.
Offers non-disruptive operation to legitimate applications, maintaining a seamless user experience with virtually no delays and without requiring user involvement.
Supports extensibility for new protocols and behavioral rules, allowing adaptation to evolving networked environments and threat vectors.
Documented Applications
Enterprise networks for the detection and blocking of malware attempting to communicate with external servers via various protocols.
Deployment on workstations or laptops to examine and control all outgoing network traffic for malware detection.
Applicable in military, government agency, commercial, and academic network environments to monitor, identify, and prevent malware-driven communications.
Detection and classification of malware using both HTTP/HTTPS protocols and Voice Over IP (VOIP) protocols, including SIP, SDP, RTP, and RTCP.
Integration with network appliances or standalone hardware modules, such as rack-mounted servers, to function as a transparent proxy in diverse operational settings.