Methods and apparatus for identifying suspicious domains using common user clustering
First Claim
1. A method comprising:
obtaining network event data comprising a plurality of network connections;
identifying users and domain names associated with said network connections in said network event data;
creating a connection between each user/domain pair that communicate with one another in said identified users and said identified domain names to generate a graph;
connecting domain names in said graph using inter-domain edges that share common users to obtain a graph of interconnected domains;
identifying bi-connected components in said graph of interconnected domain names, wherein said bi-connected components comprise node pairs having at least two paths in said graph of interconnected domain names between them; and
processing said bi-connected components to identify a plurality of suspicious domain names that are likely to participate in a computer security attack.
Abstract
Methods and apparatus are provided for identifying suspicious domains using common user clustering. An exemplary method comprises obtaining network event data comprising a plurality of network connections; identifying users and domains associated with the network connections in the network event data; creating a connection between each user/domain pair that communicate with one another in the identified users and the identified domains to generate a graph; connecting domains in the graph using inter-domain edges that share common users to obtain a graph of interconnected domains; identifying bi-connected components in the graph of interconnected domains, wherein the bi-connected components comprise node pairs having at least two paths in the graph of interconnected domains between them; and processing the bi-connected components to identify a plurality of suspicious domains that are likely to participate in a computer security attack. The graph of interconnected domains is optionally pruned and/or filtered to remove one or more inter-domain edges.
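The pipeline the abstract describes, as an added Python example that is not part of the patent: constructed user/domain events are projected onto a domain graph, inter-domain edges are pruned by a shared-user threshold (the threshold and the sample data are this example's assumptions), and biconnected components are extracted with a Hopcroft-Tarjan edge-stack DFS.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: network events reduced to (user, domain) pairs. Three
# domains share one small user set; news/mail overlap them only weakly.
EVENTS = [("alice", "news.example"), ("alice", "bad-one.example"),
          ("alice", "bad-two.example"), ("bob", "bad-one.example"),
          ("bob", "bad-two.example"), ("bob", "bad-three.example"),
          ("carol", "bad-one.example"), ("carol", "bad-two.example"),
          ("carol", "bad-three.example"), ("dave", "news.example"),
          ("dave", "mail.example"), ("erin", "mail.example")]
def domain_graph(events, min_shared_users=1):
    """Inter-domain edge between domains sharing >= min_shared_users users
    (the threshold is this example's pruning rule, an assumption)."""
    users_of = defaultdict(set)
    for user, domain in events:
        users_of[domain].add(user)
    adj = {d: set() for d in users_of}
    for a, b in combinations(users_of, 2):
        if len(users_of[a] & users_of[b]) >= min_shared_users:
            adj[a].add(b); adj[b].add(a)
    return adj
def biconnected_components(adj):
    """Hopcroft-Tarjan edge-stack DFS; returns vertex sets of components with
    3+ nodes (every pair joined by >= 2 paths), so bridges are excluded."""
    disc, low, stack, comps = {}, {}, [], []
    def dfs(v, parent):
        disc[v] = low[v] = len(disc)
        for w in adj[v]:
            if w not in disc:                # tree edge
                stack.append((v, w))
                dfs(w, v)
                low[v] = min(low[v], low[w])
                if low[w] >= disc[v]:        # v cuts off w's subtree: emit it
                    comp = set()
                    while True:
                        edge = stack.pop(); comp.update(edge)
                        if edge == (v, w): break
                    comps.append(comp)
            elif w != parent and disc[w] < disc[v]:  # back edge to ancestor
                stack.append((v, w))
                low[v] = min(low[v], disc[w])
    for v in adj:
        if v not in disc: dfs(v, None)
    return [c for c in comps if len(c) >= 3]
def suspicious_domains(events, min_shared_users=2):
    """Domains inside any biconnected component of the pruned domain graph."""
    comps = biconnected_components(domain_graph(events, min_shared_users))
    return sorted(set().union(*comps))
```

With a threshold of 1 the benign news domain is pulled into the component through a single shared user, while a threshold of 2 leaves only the three co-visited domains, which is the effect the abstract's optional pruning step is there to achieve.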
20 Claims
1. A method comprising:
obtaining network event data comprising a plurality of network connections; identifying users and domain names associated with said network connections in said network event data; creating a connection between each user/domain pair that communicate with one another in said identified users and said identified domain names to generate a graph; connecting domain names in said graph using inter-domain edges that share common users to obtain a graph of interconnected domains; identifying bi-connected components in said graph of interconnected domain names, wherein said bi-connected components comprise node pairs having at least two paths in said graph of interconnected domain names between them; and processing said bi-connected components to identify a plurality of suspicious domain names that are likely to participate in a computer security attack.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A system, comprising:
a memory; and at least one processing device, coupled to the memory, operative to: obtain network event data comprising a plurality of network connections; identify users and domain names associated with said network connections in said network event data; create a connection between each user/domain pair that communicate with one another in said identified users and said identified domain names to generate a graph; connect domain names in said graph using inter-domain edges that share common users to obtain a graph of interconnected domains; identify bi-connected components in said graph of interconnected domain names, wherein said bi-connected components comprise node pairs having at least two paths in said graph of interconnected domain names between them; and process said bi-connected components to identify a plurality of suspicious domain names that are likely to participate in a computer security attack.
Dependent claims: 11, 12, 13, 14, 15.
16. An article of manufacture comprising a non-transitory machine readable recordable medium containing one or more programs which when executed by at least one processing device implement the steps of:
obtaining network event data comprising a plurality of network connections; identifying users and domain names associated with said network connections in said network event data; creating a connection between each user/domain pair that communicate with one another in said identified users and said identified domain names to generate a graph; connecting domain names in said graph using inter-domain edges that share common users to obtain a graph of interconnected domains; identifying bi-connected components in said graph of interconnected domain names, wherein said bi-connected components comprise node pairs having at least two paths in said graph of interconnected domain names between them; and processing said bi-connected components to identify a plurality of suspicious domain names that are likely to participate in a computer security attack.
Dependent claims: 17, 18, 19, 20.
Specification