Patents by Inventor Roberto PERDISCI

Roberto PERDISCI has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10057279
    Abstract: A system for protecting computers against remote malware downloads includes a malware download detection system and participating client computers that provide download event information to the malware download detection system. A download event information identifies a file, a network address (e.g., uniform resource locator) from which the file was downloaded, and an identifier of the client computer that downloaded the file. The malware download detection system uses the download event information to build and update a tripartite download graph, and uses the download graph to train one or more classifiers. The malware download detection system consults the one or more classifiers to classify a download event. The download event is classified as malicious if either the file or the network address is classified as malicious.
    Type: Grant
    Filed: January 5, 2016
    Date of Patent: August 21, 2018
    Assignee: Trend Micro Incorporated
    Inventors: Marco Balduzzi, Babak Rahbarinia, Roberto Perdisci
  • Patent number: 10027688
    Abstract: A method and system of detecting a malicious and/or botnet-related domain name, comprising: reviewing a domain name used in Domain Name System (DNS) traffic in a network; searching for information about the domain name, the information related to: information about the domain name in a domain name white list and/or a domain name suspicious list; and information about the domain name using an Internet search engine, wherein the Internet search engine determines if there are no search results or search results with a link to at least one malware analysis site; and designating the domain name as malicious and/or botnet-related based on the information.
    Type: Grant
    Filed: August 10, 2009
    Date of Patent: July 17, 2018
    Assignee: Damballa, Inc.
    Inventors: Roberto Perdisci, Wenke Lee
  • Patent number: 9948671
    Abstract: A computerized system and method for performing behavioral clustering of malware samples, comprising: executing malware samples in a controlled computer environment for a predetermined time to obtain Hypertext Transfer Protocol (HTTP) traffic; clustering the malware samples into at least one cluster based on network behavioral information from the HTTP traffic; and extracting, using the at least one processor, network signatures from the HTTP traffic information for each cluster, the network signatures being indicative of malware infection.
    Type: Grant
    Filed: June 27, 2014
    Date of Patent: April 17, 2018
    Assignee: Damballa, Inc.
    Inventors: Roberto Perdisci, Wenke Lee, Gunter Ollmann
  • Patent number: 9930065
    Abstract: Systems and methods for event path traceback may utilize a processor and a path traceback and categorization (ATC) module in communication with the processor. The processor may be configured to perform processing associated with receiving network traffic from a network. The ATC module may be configured to perform processing associated with identifying an event within the network traffic, tracing a sequence of network transactions related to the event, and outputting an annotated event path (AMP) including data about the event and the sequence of network transactions related to the event. Performing processing associated with tracing the sequence of network transactions may comprise reconstructing a sequence of transactions within the network traffic that led to the event while filtering out unrelated traffic within the network traffic.
    Type: Grant
    Filed: March 25, 2015
    Date of Patent: March 27, 2018
    Assignees: University of Georgia Research Foundation, Inc., Damballa, Inc.
    Inventors: Terry Lee Nelms, Roberto Perdisci
  • Patent number: 9922190
    Abstract: System and method for detecting a domain generation algorithm (DGA), comprising: performing processing associated with clustering, utilizing a name-based features clustering module accessing information from an electronic database of NX domain information, the randomly generated domain names based on the similarity in the make-up of the randomly generated domain names; performing processing associated with clustering, utilizing a graph clustering module, the randomly generated domain names based on the groups of assets that queried the randomly generated domain names; performing processing associated with determining, utilizing a daily clustering correlation module and a temporal clustering correlation module, which clustered randomly generated domain names are highly correlated in daily use and in time; and performing processing associated with determining the DGA that generated the clustered randomly generated domain names.
    Type: Grant
    Filed: January 24, 2013
    Date of Patent: March 20, 2018
    Assignee: Damballa, Inc.
    Inventors: Manos Antonakakis, Roberto Perdisci, Wenke Lee, Nikolaos Vasiloglou, II
  • Patent number: 9686291
    Abstract: A method and system for detecting a malicious domain name, comprising: collecting domain name statistical information from a non-recursive domain name system name server (RDNS NS); and utilizing the collected domain name statistical information to determine if a domain name is malicious or benign.
    Type: Grant
    Filed: December 4, 2013
    Date of Patent: June 20, 2017
    Assignee: Damballa, Inc.
    Inventors: Manos Antonakakis, Roberto Perdisci, Wenke Lee, Nikolaos Vasiloglou, II
  • Patent number: 9516058
    Abstract: A system and method for determining whether at least one domain is legitimate or malicious by obtaining passive DNS query information, using the passive DNS query information to measure statistical features of known malicious domain names and known legitimate domain names, and using the statistical features to determine at least one reputation for at least one new domain, where the reputation indicates whether the at least one new domain is likely to be for malicious or legitimate uses.
    Type: Grant
    Filed: August 9, 2011
    Date of Patent: December 6, 2016
    Assignee: Damballa, Inc.
    Inventors: Manos Antonakakis, Roberto Perdisci, David Dagon, Wenke Lee
  • Publication number: 20160285894
    Abstract: Systems and methods for event path traceback may utilize a processor and a path traceback and categorization (ATC) module in communication with the processor. The processor may be configured to perform processing associated with receiving network traffic from a network. The ATC module may be configured to perform processing associated with identifying an event within the network traffic, tracing a sequence of network transactions related to the event, and outputting an annotated event path (AMP) including data about the event and the sequence of network transactions related to the event. Performing processing associated with tracing the sequence of network transactions may comprise reconstructing a sequence of transactions within the network traffic that led to the event while filtering out unrelated traffic within the network traffic.
    Type: Application
    Filed: March 25, 2015
    Publication date: September 29, 2016
    Inventors: Terry Lee NELMS, Roberto PERDISCI
  • Publication number: 20150026808
    Abstract: A computerized system and method for performing behavioral clustering of malware samples, comprising: executing malware samples in a controlled computer environment for a predetermined time to obtain HTTP traffic; clustering the malware samples into at least one cluster based on network behavioral information from the HTTP traffic; and extracting, using the at least one processor, network signatures from the HTTP traffic information for each cluster, the network signatures being indicative of malware infection.
    Type: Application
    Filed: June 27, 2014
    Publication date: January 22, 2015
    Inventors: Roberto PERDISCI, Wenke LEE, Gunter OLLMANN
  • Patent number: 8826438
    Abstract: A computerized system and method for performing behavioral clustering of malware samples, comprising: executing malware samples in a controlled computer environment for a predetermined time to obtain HTTP traffic; clustering the malware samples into at least one cluster based on network behavioral information from the HTTP traffic; and extracting, using the at least one processor, network signatures from the HTTP traffic information for each cluster, the network signatures being indicative of malware infection.
    Type: Grant
    Filed: January 18, 2011
    Date of Patent: September 2, 2014
    Assignee: Damballa, Inc.
    Inventors: Roberto Perdisci, Wenke Lee, Gunter Ollmann
  • Publication number: 20140157414
    Abstract: A method and system for detecting a malicious domain name, comprising: collecting domain name statistical information from a non-recursive domain name system name server (RDNS NS); and utilizing the collected domain name statistical information to determine if a domain name is malicious or benign.
    Type: Application
    Filed: December 4, 2013
    Publication date: June 5, 2014
    Applicant: DAMBALLA, INC.
    Inventors: Manos ANTONAKAKIS, Roberto PERDISCI, Wenke LEE, Nikolaos VASILOGLOU, II
  • Patent number: 8631489
    Abstract: A method and system for detecting a malicious domain name, comprising: collecting domain name statistical information from a non-recursive domain name system name server (RDNS NS); and utilizing the collected domain name statistical information to determine if a domain name is malicious or benign.
    Type: Grant
    Filed: January 25, 2012
    Date of Patent: January 14, 2014
    Assignee: Damballa, Inc.
    Inventors: Manos Antonakakis, Roberto Perdisci, Wenke Lee, Nikolaos Vasiloglou
  • Patent number: 8578497
    Abstract: A system and method of analysis. NX domain names are collected from an asset in a real network. The NX domain names are domain names that are not registered. The real network NX domain names are utilized to create testing vectors. The testing vectors are classified as benign vectors or malicious vectors based on training vectors. The asset is then classified as infected if the NX testing vector created from the real network NX domain names is classified as a malicious vector.
    Type: Grant
    Filed: January 5, 2011
    Date of Patent: November 5, 2013
    Assignee: Damballa, Inc.
    Inventors: Emmanouil Antonakakis, Roberto Perdisci, Wenke Lee, Gunter Ollmann
  • Publication number: 20120198549
    Abstract: A method and system for detecting a malicious domain name, comprising: collecting domain name statistical information from a non-recursive domain name system name server (RDNS NS); and utilizing the collected domain name statistical information to determine if a domain name is malicious or benign.
    Type: Application
    Filed: January 25, 2012
    Publication date: August 2, 2012
    Inventors: Manos ANTONAKAKIS, Roberto Perdisci, Wenke Lee, Nikolaos Vasiloglou
  • Publication number: 20120042381
    Abstract: A system and method for determining whether at least one domain is legitimate or malicious by obtaining passive DNS query information, using the passive DNS query information to measure statistical features of known malicious domain names and known legitimate domain names, and using the statistical features to determine at least one reputation for at least one new domain, where the reputation indicates whether the at least one new domain is likely to be for malicious or legitimate uses.
    Type: Application
    Filed: August 9, 2011
    Publication date: February 16, 2012
    Inventors: Manos Antonakakis, Roberto Perdisci, David Dagon, Wenke Lee
  • Publication number: 20110283361
    Abstract: A computerized system and method for performing behavioral clustering of malware samples, comprising: executing malware samples in a controlled computer environment for a predetermined time to obtain HTTP traffic; clustering the malware samples into at least one cluster based on network behavioral information from the HTTP traffic; and extracting, using the at least one processor, network signatures from the HTTP traffic information for each cluster, the network signatures being indicative of malware infection.
    Type: Application
    Filed: January 18, 2011
    Publication date: November 17, 2011
    Applicant: DAMBALLA, INC.
    Inventors: Roberto Perdisci, Wenke Lee, Gunter Ollmann
  • Publication number: 20110167495
    Abstract: A system and method of analysis. NX domain names are collected from an asset in a real network. The NX domain names are domain names that are not registered. The real network NX domain names are utilized to create testing vectors. The testing vectors are classified as benign vectors or malicious vectors based on training vectors. The asset is then classified as infected if the NX testing vector created from the real network NX domain names is classified as a malicious vector.
    Type: Application
    Filed: January 5, 2011
    Publication date: July 7, 2011
    Inventors: Emmanouil ANTONAKAKIS, Roberto PERDISCI, Wenke LEE, Gunter OLLMANN
  • Publication number: 20100037314
    Abstract: A method and system of detecting a malicious and/or botnet-related domain name, comprising: reviewing a domain name used in Domain Name System (DNS) traffic in a network; searching for information about the domain name, the information related to: information about the domain name in a domain name white list and/or a domain name suspicious list; and information about the domain name using an Internet search engine, wherein the Internet search engine determines if there are no search results or search results with a link to at least one malware analysis site; and designating the domain name as malicious and/or botnet-related based on the information.
    Type: Application
    Filed: August 10, 2009
    Publication date: February 11, 2010
    Inventors: Roberto PERDISCI, Wenke LEE