Detecting timing anomalies


Disclosed herein are system, method, and computer program product embodiments for adapting to malware activity on a compromised computer system. An embodiment operates by detecting an active adversary operating malware on a compromised system. A stream of data traffic associated with active adversary is intercepted. The stream of data traffic includes a command and control channel of the active adversary. The stream of data traffic is accessed. An emulation of the command and control channel is provided. An analysis of the accessed stream of traffic is executed. A plurality of response mechanisms is provided. The plurality of response mechanisms is based in part on the analysis of the stream of data traffic and a custom policy language tailored for the malware.

Note: There are two MITRE patents associated with this work:

1. View patent on

Patent Number: 11,143,764

Date Issued: October 12, 2021

2. View patent on

Patent Number: 9,541,649

Date Issued: January 10, 2017