Periodicity detection of network traffic

  • US 10,204,214 B2
  • Filed: 09/14/2016
  • Issued: 02/12/2019
  • Est. Priority Date: 09/14/2016
  • Status: Active Grant
First Claim

1. A method for identifying potential malware in a network environment, comprising:

  • detecting, on a server within the network environment, a communication from a process running on the server, wherein the communication is addressed to a remote device that is not part of the network environment;
  • determining a tuple comprising a process identifier for the process and an address for the remote device;
  • determining whether a periodicity object including the tuple currently exists;
  • in response to determining that the periodicity object currently exists, determining whether the communication is part of an ongoing message or is part of a new message;
  • in response to determining that the communication is part of the ongoing message, updating a last transmission time maintained by the periodicity object;
  • in response to determining that the communication is part of the new message:
      • calculating a time variance for the new message;
      • updating a message counter maintained by the periodicity object;
      • updating an average time variance maintained by the periodicity object based on the average time variance, the time variance, and the message counter;
      • updating a standard deviation maintained by the periodicity object based on the average time variance, the time variance, the standard deviation, and the message counter;
  • in response to updating the standard deviation, determining whether the standard deviation satisfies a suspicion condition; and
  • in response to determining that the standard deviation satisfies the suspicion condition, generating an alert.
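Read as an algorithm, the claim is a streaming estimator of the gaps between successive outbound messages from one (process, remote address) pair, kept as a running mean and standard deviation, with an alert when the gaps become too regular, which is the classic command-and-control beacon signature. The "update the average from the previous average, the new value and the counter" and "update the standard deviation from the previous average, the new value, the previous standard deviation and the counter" wording is exactly what an online (Welford-style) variance update does. The Python below is an added worked example written for this page, not the patentee's code. Everything the claim leaves open is an assumption made here: the gap that separates an "ongoing message" from a "new message" (ONGOING_GAP_SEC), the reading of "time variance" as the interval between the starts of consecutive messages, the suspicion condition (a minimum message count plus a standard deviation below MAX_STDDEV_SEC), the treatment of 10.0.0.0/8 as the internal network, and all of the event data, which is constructed.

```python
import math
from dataclasses import dataclass

# Hypothetical tuning knobs (not stated in the patent claim).
ONGOING_GAP_SEC = 2.0   # an event this close to the last one continues the same message
MIN_MESSAGES = 5        # messages needed before the stddev is judged at all
MAX_STDDEV_SEC = 1.0    # suspicion condition: intervals this regular trigger an alert


@dataclass
class PeriodicityObject:
    """State kept per (process id, remote address) tuple, as in the claim."""
    pid: int
    remote: str
    last_transmission: float    # time of the most recent event for this tuple
    message_start: float        # start time of the most recent message
    message_count: int = 1      # messages seen; the first one yields no interval
    mean_interval: float = 0.0  # running average of the assumed "time variance"
    m2: float = 0.0             # Welford running sum of squared deviations
    alerted: bool = False       # alert at most once per tuple

    @property
    def intervals(self) -> int:
        return self.message_count - 1

    @property
    def stddev(self) -> float:
        n = self.intervals
        return math.sqrt(self.m2 / n) if n > 0 else 0.0

    def update(self, ts: float) -> bool:
        """Feed one outbound event; return True if it started a new message."""
        if ts - self.last_transmission < ONGOING_GAP_SEC:
            self.last_transmission = ts         # ongoing message: only the last time moves
            return False
        interval = ts - self.message_start      # assumed "time variance" of the new message
        self.message_count += 1
        n = self.intervals
        delta = interval - self.mean_interval   # Welford update of mean and stddev
        self.mean_interval += delta / n
        self.m2 += delta * (interval - self.mean_interval)
        self.message_start = self.last_transmission = ts
        return True

    def suspicious(self) -> bool:
        return self.message_count >= MIN_MESSAGES and self.stddev <= MAX_STDDEV_SEC


class PeriodicityDetector:
    def __init__(self, internal_prefixes=("10.",)):
        self.objects = {}           # (pid, remote) -> PeriodicityObject
        self.internal_prefixes = internal_prefixes
        self.alerts = []            # (ts, pid, remote, mean_interval, stddev)

    def observe(self, ts: float, pid: int, remote: str) -> None:
        if remote.startswith(self.internal_prefixes):
            return                  # only traffic leaving the network environment counts
        key = (pid, remote)
        obj = self.objects.get(key)
        if obj is None:             # no periodicity object for this tuple yet: create it
            self.objects[key] = PeriodicityObject(pid, remote, ts, ts)
            return
        if obj.update(ts) and not obj.alerted and obj.suspicious():
            obj.alerted = True
            self.alerts.append((ts, pid, remote, obj.mean_interval, obj.stddev))


def run_demo() -> PeriodicityDetector:
    """Constructed events: a 60 s beacon with small jitter, a browser, and internal chatter."""
    events = []
    for start in (0.0, 60.2, 119.9, 180.1, 240.0, 300.3):   # beacon: two packets per message
        events += [(start, 4242, "203.0.113.7"), (start + 0.1, 4242, "203.0.113.7")]
    for start in (0.5, 5.5, 37.5, 41.5, 200.5, 206.5):      # browser: irregular gaps
        events.append((start, 1337, "198.51.100.9"))
    for start in (10.0, 70.0, 130.0, 190.0, 250.0):         # internal traffic, ignored
        events.append((start, 99, "10.0.0.5"))
    det = PeriodicityDetector()
    for ts, pid, remote in sorted(events):                  # events must arrive in time order
        det.observe(ts, pid, remote)
    return det


if __name__ == "__main__":
    for ts, pid, remote, mean, sd in run_demo().alerts:
        print(f"t={ts:.1f}s alert: pid {pid} -> {remote} every {mean:.1f}s (stddev {sd:.2f}s)")
```

On the constructed input the beacon (pid 4242) is flagged at its fifth message with a mean gap of 60.0 s and a standard deviation of about 0.21 s, while the browser's gaps of 5, 32, 4, 159 and 6 s give a standard deviation near 60 s and never alert. Two caveats a practitioner would add: an absolute threshold in seconds scales badly across beacon periods (a coefficient of variation, stddev divided by the mean, is the usual choice), and malware that randomizes its sleep by a large fraction of the period will keep its standard deviation above any such threshold, so this detector should be one signal among several rather than the only one.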

  • 1 Assignment