Detecting timing anomalies

Disclosed herein are system, method, and computer program product embodiments for adapting to malware activity on a compromised computer system. An embodiment operates by detecting an active adversary operating malware on a compromised system. A stream of data traffic associated with active adversary is intercepted. The stream of data traffic includes a command and control channel of the active adversary. The stream of data traffic is accessed. An emulation of the command and control channel is provided. An analysis of the accessed stream of traffic is executed. A plurality of response mechanisms is provided. The plurality of response mechanisms is based in part on the analysis of the stream of data traffic and a custom policy language tailored for the malware.

View patent on

Patent #: 9,541,649 Issue Date: January 10, 2017