Techniques for botnet detection and member identification
Abstract
A botnet identification module identifies members of one or more botnets based upon network traffic destined to one or more servers over time, and provides sets of botnet sources to a traffic monitoring module. Each set of botnet sources includes a plurality of source identifiers of end stations acting as part of a corresponding botnet. A traffic monitoring module receives the sets of botnet sources from the botnet identification module, and upon a receipt of traffic identified as malicious that was sent by a source identified within one of the sets of botnet sources, activates a protection mechanism with regard to all traffic from all of the sources identified by the one of the sets of botnet sources for an amount of time.
17 Claims
- 1. A method in a botnet identification module (BIM) that is implemented by an electronic device and that is for identifying a subset of a plurality of end stations that collectively act as a suspected botnet, the method comprising:
  - obtaining, by the BIM, traffic data from one or more traffic monitoring modules (TMMs) implemented by one or more electronic devices, wherein the traffic data includes or is based upon a plurality of request messages that were originated by ones of the plurality of end stations and that were destined to one or more servers, wherein each of the one or more TMMs is deployed in front of at least one of the one or more servers in that the TMM receives all network traffic originated by the plurality of end stations that is destined for the at least one server;
  - generating, by the BIM based upon the obtained traffic data, a set of identifiers corresponding to the subset of the plurality of end stations that are determined by the BIM to be collectively acting as the suspected botnet in that they have transmitted request messages, destined for one or more of the one or more servers, that collectively or individually satisfy one or more security rules which, when satisfied, indicate a malicious attack, wherein the set of identifiers comprises a plurality of identifiers, wherein said generating the set of identifiers comprises:
    - identifying, from the traffic data, a subset of the plurality of request messages that are malicious,
    - generating an attacking-clusters graph based on the subset of request messages that is identified as being malicious, wherein the attacking-clusters graph includes vertices representing source clusters, wherein the attacking-clusters graph further includes edges between vertices in adjacent levels of the attacking-clusters graph, wherein an edge between vertices indicates that source clusters represented by those vertices share one or more common sources, wherein the vertices in the attacking-clusters graph are each assigned a weight representing a number of sources in a source cluster represented by that vertex, and wherein the edges in the attacking-clusters graph are each assigned a weight representing a number of common sources between source clusters represented by vertices connected by that edge, and
    - determining, based upon analyzing the attacking-clusters graph, that the subset of end stations have collectively performed the malicious attack for at least a threshold number of consecutive time periods and that at least a threshold number of the subset of end stations have been involved in the malicious attack for each of the threshold number of consecutive time periods, wherein the analyzing includes finding paths in the attacking-clusters graph that only contain edges with a threshold weight, that only pass through vertices with a threshold weight, and that have a length longer than a threshold length; and
  - transmitting, by the BIM, the set of identifiers to the one or more TMMs to cause the one or more TMMs to utilize the set of identifiers while analyzing subsequent request messages destined to the one or more servers to detect an attack from the suspected botnet and to protect the one or more servers from the attack.
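The attacking-clusters graph of claim 1 is an algorithm, so the following Python script, added here as an illustration and not taken from the patent or its owner, models it end to end: per time period (one graph level) the malicious requests are grouped into source clusters, vertices are weighted by cluster size, adjacent levels are joined by edges weighted by the number of shared sources, and the BIM reports the sources found on paths that clear the vertex, edge and length thresholds. Two things the claim leaves open are assumptions of this example: a source cluster is taken to be the set of sources that triggered the same security rule against the same server in one period, and the identifiers reported for a qualifying path are the union of the sources in its clusters. The input records, the server names, rule ids and source ids are constructed sample data.

```python
"""Attacking-clusters graph with thresholded path search (added example).

Assumptions not fixed by the claim text: a "source cluster" is the set of
sources whose malicious requests matched the same (server, rule) pair in one
time period, and a qualifying path contributes the union of its clusters'
sources to the reported identifier set.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

# One malicious request as a TMM might report it (constructed shape):
# (time_period, source_id, server, rule_id)
Record = Tuple[int, str, str, str]
# A vertex is (level, cluster key); the level is the time period.
Vertex = Tuple[int, Tuple[str, str]]


def build_clusters(records: List[Record]) -> Dict[Vertex, FrozenSet[str]]:
    """Group the sources of malicious requests into clusters per time period."""
    groups: Dict[Vertex, set] = defaultdict(set)
    for period, src, server, rule in records:
        groups[(period, (server, rule))].add(src)
    return {v: frozenset(s) for v, s in groups.items()}


def build_graph(clusters: Dict[Vertex, FrozenSet[str]]):
    """Vertex weight = number of sources in the cluster; edge weight = number
    of sources shared by two clusters in adjacent levels (no other edges)."""
    vweight = {v: len(s) for v, s in clusters.items()}
    by_level: Dict[int, List[Vertex]] = defaultdict(list)
    for v in clusters:
        by_level[v[0]].append(v)
    edges: Dict[Tuple[Vertex, Vertex], int] = {}
    for level in sorted(by_level):
        for u in by_level[level]:
            for v in by_level.get(level + 1, []):
                common = len(clusters[u] & clusters[v])
                if common:
                    edges[(u, v)] = common
    return vweight, edges


def find_botnet_paths(clusters, min_vertex: int, min_edge: int, min_len: int):
    """Maximal paths whose edges all weigh >= min_edge, whose vertices all
    weigh >= min_vertex, and whose length in edges is strictly > min_len."""
    vweight, edges = build_graph(clusters)
    succ: Dict[Vertex, List[Vertex]] = defaultdict(list)
    for (u, v), w in edges.items():
        if w >= min_edge and vweight[u] >= min_vertex and vweight[v] >= min_vertex:
            succ[u].append(v)
    has_pred = {v for vs in succ.values() for v in vs}
    results: List[List[Vertex]] = []

    def walk(path: List[Vertex]) -> None:
        nxt = succ.get(path[-1], [])
        for v in nxt:
            walk(path + [v])
        if not nxt and len(path) - 1 > min_len:   # leaf reached; length = edges
            results.append(path)

    for start in list(succ):
        if start not in has_pred:                  # only maximal paths
            walk([start])
    return results


def identify_botnet(records: List[Record], min_vertex=3, min_edge=2, min_len=2):
    """Identifiers the BIM would hand to the TMMs: sources on qualifying paths."""
    clusters = build_clusters(records)
    members = set()
    for path in find_botnet_paths(clusters, min_vertex, min_edge, min_len):
        for v in path:
            members |= clusters[v]                 # assumption: union over the path
    return sorted(members)


def _period(period: int, server: str, rule: str, sources: str) -> List[Record]:
    return [(period, s, server, rule) for s in sources]


# Constructed sample: one persistent group hitting web1/R1 over four periods
# (a-f, with some churn each period) and a small short-lived group on web2/R2.
SAMPLE_RECORDS: List[Record] = (
    _period(1, "web1", "R1", "abcd") + _period(2, "web1", "R1", "abce")
    + _period(3, "web1", "R1", "abde") + _period(4, "web1", "R1", "bcef")
    + _period(2, "web2", "R2", "xy") + _period(3, "web2", "R2", "xz")
)

if __name__ == "__main__":
    print(identify_botnet(SAMPLE_RECORDS))   # ['a', 'b', 'c', 'd', 'e', 'f']
```

With the default thresholds the web1/R1 clusters form a four-vertex path (edge weights 3, 3, 2), so all six of its sources are reported even though no single source is present in every period; the web2/R2 clusters never reach the vertex threshold and produce nothing. Raising `min_len` to 3 or `min_edge` to 3 drops the path, which is the knob a defender turns to trade detection latency against false positives from transient overlap.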
- 7. A non-transitory computer readable storage medium having instructions which, when executed by one or more processors of an electronic device, cause the electronic device to implement a botnet identification module (BIM) that performs operations for identifying a subset of a plurality of end stations that collectively act as a suspected botnet, the operations comprising:
  - obtaining traffic data from one or more traffic monitoring modules (TMMs) implemented by one or more electronic devices, wherein the traffic data includes or is based upon a plurality of request messages that were originated by ones of the plurality of end stations and that were destined to one or more servers, wherein each of the one or more TMMs is deployed in front of at least one of the one or more servers in that the TMM receives all network traffic originated by the plurality of end stations that is destined for the at least one server;
  - generating, based upon the obtained traffic data, a set of identifiers corresponding to the subset of the plurality of end stations that are determined by the BIM to be collectively acting as the suspected botnet in that they have transmitted request messages, destined for one or more of the one or more servers, that collectively or individually satisfy one or more security rules which, when satisfied, indicate a malicious attack, wherein the set of identifiers comprises a plurality of identifiers, wherein said generating the set of identifiers comprises:
    - identifying, from the traffic data, a subset of the plurality of request messages that are malicious,
    - generating an attacking-clusters graph based on the subset of request messages that is identified as being malicious, wherein the attacking-clusters graph includes vertices representing source clusters, wherein the attacking-clusters graph further includes edges between vertices in adjacent levels of the attacking-clusters graph, wherein an edge between vertices indicates that source clusters represented by those vertices share one or more common sources, wherein the vertices in the attacking-clusters graph are each assigned a weight representing a number of sources in a source cluster represented by that vertex, and wherein the edges in the attacking-clusters graph are each assigned a weight representing a number of common sources between source clusters represented by vertices connected by that edge, and
    - determining, based upon analyzing the attacking-clusters graph, that the subset of end stations have collectively performed the malicious attack for at least a threshold number of consecutive time periods and that at least a threshold number of the subset of end stations have been involved in the malicious attack for each of the threshold number of consecutive time periods; and
  - transmitting the set of identifiers to the one or more TMMs to cause the one or more TMMs to utilize the set of identifiers while analyzing subsequent request messages destined to the one or more servers to detect an attack from the suspected botnet and to protect the one or more servers from the attack.
- 13. An electronic device, comprising:
  - one or more processors; and
  - one or more non-transitory computer readable storage media having instructions which, when executed by the one or more processors, cause the electronic device to implement a botnet identification module (BIM) to identify a subset of a plurality of end stations that collectively act as a suspected botnet, the BIM to:
    - obtain traffic data from one or more traffic monitoring modules (TMMs) implemented by one or more electronic devices, wherein the traffic data includes or is based upon a plurality of request messages that were originated by ones of the plurality of end stations and that were destined to one or more servers, wherein each of the one or more TMMs is deployed in front of at least one of the one or more servers in that the TMM receives all network traffic originated by the plurality of end stations that is destined for the at least one server;
    - generate, based upon the obtained traffic data, a set of identifiers corresponding to the subset of the plurality of end stations that are determined by the BIM to be collectively acting as the suspected botnet in that they have transmitted request messages, destined for one or more of the one or more servers, that collectively or individually satisfy one or more security rules which, when satisfied, indicate a malicious attack, wherein the set of identifiers comprises a plurality of identifiers, wherein to generate the set of identifiers the BIM is to:
      - identify, from the traffic data, a subset of the plurality of request messages that are malicious,
      - generate an attacking-clusters graph based on the subset of request messages that is identified as being malicious, wherein the attacking-clusters graph includes vertices representing source clusters, wherein the attacking-clusters graph further includes edges between vertices in adjacent levels of the attacking-clusters graph, wherein an edge between vertices indicates that source clusters represented by those vertices share one or more common sources, wherein the vertices in the attacking-clusters graph are each assigned a weight representing a number of sources in a source cluster represented by that vertex, and wherein the edges in the attacking-clusters graph are each assigned a weight representing a number of common sources between source clusters represented by vertices connected by that edge, and
      - determine, based upon analyzing the attacking-clusters graph, that the subset of end stations have collectively performed the malicious attack for at least a threshold amount of time which includes a threshold number of consecutive time periods and that at least a threshold number of the subset of end stations have been involved in the malicious attack for each of the threshold number of time periods within the threshold amount of time, wherein the analyzing includes finding paths in the attacking-clusters graph that only contain edges with a threshold weight, that only pass through vertices with a threshold weight, and that have a length longer than a threshold length; and
    - transmit the set of identifiers to the one or more TMMs to cause the one or more TMMs to utilize the set of identifiers while analyzing subsequent request messages destined to the one or more servers to detect an attack from the suspected botnet and to protect the one or more servers from the attack.
Specification