Microsoft Corporation
DETECTING HACKER TOOLS BY LEARNING NETWORK SIGNATURES

Abstract:

Methods, systems and computer program products are provided for detection of hacker tools based on their network signatures. A suspicious process detector (SPD) may be implemented on local computing devices or on servers to identify suspicious (e.g., potentially malicious) or malicious executables. An SPD may detect suspicious and/or malicious executables based on the network signatures they generate when executed as processes. An SPD may include a model, which may be trained based on network signatures generated by multiple processes on multiple computing devices. Computing devices may log information about network events, including the process that generated each network event. Network activity logs may record the network signatures of one or more processes. Network signatures may be used to train a model for a local and/or server-based SPD. Network signatures may be provided to an SPD to detect suspicious or malicious executables using a trained model.
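The abstract describes a pipeline (log network events per process, collapse each process's events into a network signature, train a model on signatures from known-good processes, score new processes against it) without fixing any of the details. The following is an added example, not code from the patent or from Microsoft, showing one concrete instance of that pipeline. The comma-separated log format, the six-feature signature, the z-score baseline model, the 3.0 threshold and every process name and IP address in the sample log are assumptions made here for illustration; a real SPD would choose its own features and model and would pool training signatures from many devices rather than one log.

```python
"""Per-process network signatures for a suspicious process detector (SPD).

Added illustration only: not the patent's own code. The log format, feature
set, z-score model and all sample data below are assumptions for the example.
"""
import math
from collections import defaultdict

COMMON_PORTS = {53, 80, 443}

# Constructed sample log (made-up processes and addresses):
# ts_seconds,process,dst_ip,dst_port,proto,bytes_out
SAMPLE_LOG = """\
0,chrome.exe,93.184.216.34,443,tcp,1200
3,chrome.exe,151.101.1.69,443,tcp,900
11,chrome.exe,93.184.216.34,443,tcp,3000
12,chrome.exe,172.217.3.110,443,tcp,750
40,chrome.exe,104.16.85.20,443,tcp,2100
95,chrome.exe,172.217.3.110,443,tcp,1800
5,outlook.exe,52.96.0.1,443,tcp,4000
9,outlook.exe,52.96.0.1,443,tcp,2200
70,outlook.exe,40.97.1.1,443,tcp,3100
1,svchost.exe,192.168.1.1,53,udp,60
2,svchost.exe,192.168.1.1,53,udp,62
30,svchost.exe,192.168.1.1,53,udp,58
31,svchost.exe,192.168.1.1,53,udp,61
0,updater.exe,203.0.113.5,4444,tcp,64
30,updater.exe,203.0.113.5,4444,tcp,64
60,updater.exe,203.0.113.5,4444,tcp,64
90,updater.exe,203.0.113.5,4444,tcp,64
120,updater.exe,203.0.113.5,4444,tcp,64
"""

FEATURES = ["conn_rate", "distinct_hosts", "distinct_ports",
            "uncommon_port_frac", "mean_bytes_out", "periodicity"]


def parse_log(text):
    """Group raw event lines by the process that generated them."""
    by_proc = defaultdict(list)
    for line in text.strip().splitlines():
        ts, proc, ip, port, proto, nbytes = line.split(",")
        by_proc[proc].append((float(ts), ip, int(port), proto, int(nbytes)))
    return by_proc


def signature(events):
    """Collapse one process's events into a fixed-length network signature."""
    events = sorted(events)                      # by timestamp
    span = max(events[-1][0] - events[0][0], 1.0)
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    if len(gaps) >= 2:
        mean = sum(gaps) / len(gaps)
        std = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
        cv = std / mean if mean else 0.0         # spread of inter-connection gaps
    else:
        cv = 1.0                                 # too few events to call periodic
    return [
        len(events) / span,                                            # connections per second
        len({e[1] for e in events}),                                   # distinct destinations
        len({e[2] for e in events}),                                   # distinct ports
        sum(1 for e in events if e[2] not in COMMON_PORTS) / len(events),
        sum(e[4] for e in events) / len(events),                       # mean bytes out
        1.0 - min(cv, 1.0),                      # 1.0 = perfectly regular beaconing
    ]


def train_model(benign_sigs, std_floor=0.05):
    """Per-feature mean/std baseline from signatures of known-good processes."""
    n = len(benign_sigs)
    means, stds = [], []
    for i in range(len(FEATURES)):
        col = [s[i] for s in benign_sigs]
        m = sum(col) / n
        sd = math.sqrt(sum((x - m) ** 2 for x in col) / n)
        means.append(m)
        stds.append(max(sd, std_floor))          # floor avoids dividing by ~0
    return means, stds


def score(model, sig):
    """Largest per-feature z-score and the feature that produced it."""
    means, stds = model
    zs = [abs(v - m) / sd for v, m, sd in zip(sig, means, stds)]
    i = max(range(len(zs)), key=zs.__getitem__)
    return zs[i], FEATURES[i]


def detect(log_text, benign_procs, threshold=3.0):
    """Train on the named benign processes, then score every process in the log."""
    sigs = {p: signature(ev) for p, ev in parse_log(log_text).items()}
    model = train_model([sigs[p] for p in benign_procs])
    results = {}
    for proc, sig in sigs.items():
        z, feat = score(model, sig)
        results[proc] = {"score": round(z, 2), "driver": feat, "suspicious": z > threshold}
    return results


if __name__ == "__main__":
    for proc, r in detect(SAMPLE_LOG, ["chrome.exe", "outlook.exe", "svchost.exe"]).items():
        print(f"{proc:12} z={r['score']:6.2f} via {r['driver']:18} suspicious={r['suspicious']}")
```

Two points worth noting from the output. The model flags `updater.exe` on `uncommon_port_frac` (every connection goes to a port no baseline process used), and its `periodicity` feature alone would also have done so, since the 30-second cadence gives a coefficient of variation of zero. Reporting the driving feature alongside the score is what lets an analyst triage the alert rather than just receive it. The baseline here is deliberately tiny, so any unseen benign process (say, an SSH client on port 22) would also score high; this is exactly why the abstract stresses training across many processes and many devices.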

Status:

Application

Type:

Utility

Filing date:

5 Oct 2020

Issue date:

10 Mar 2022