Method and apparatus for detecting compromised host computers

US 20080080518A1
Filed: 09/29/2006
Published: 04/03/2008
Est. Priority Date: 09/29/2006
Status: Active Grant

First Claim

Patent Images

1. A method for detecting at least one Botnet, comprising:

identifying a plurality of candidate Bots;

analyzing network traffic of said plurality candidate Bots to identify a plurality suspect controllers;

classifying said plurality of candidate Bots into at least one group; and

identifying members of each of said at least one group that are connected to a same controller from said plurality suspect controllers, where said members are identified to be part of a Botnet.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for detecting compromised host computers (e.g., Bots) are disclosed. For example, the method identifies a plurality of suspicious hosts. Once identified, the method analyzes network traffic of the plurality suspicious hosts to identify a plurality suspicious hub-servers. The method then classifies the plurality of candidate Bots into at least one group. The method then identifies members of each of the at least one group that are connected to a same controller from the plurality suspicious controllers, where the members are identified to be part of a Botnet.

Citations

20 Claims

1. A method for detecting at least one Botnet, comprising:
- identifying a plurality of candidate Bots;
  
  analyzing network traffic of said plurality candidate Bots to identify a plurality suspect controllers;
  
  classifying said plurality of candidate Bots into at least one group; and
  
  identifying members of each of said at least one group that are connected to a same controller from said plurality suspect controllers, where said members are identified to be part of a Botnet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein said plurality of candidate Bots is selected from a plurality of suspicious hosts.
  - 3. The method of claim 2, wherein said plurality of suspicious hosts is identified from at least one monitoring system.
  - 4. The method of claim 3, wherein each of said plurality of suspicious hosts is identified in a worm alarm or as having performed a scanning activity.
  - 5. The method of claim 2, wherein said identifying said plurality of candidate Bots comprises identifying a set of hosts from said plurality of suspicious hosts that has established a connection to at least one hub-server.
  - 6. The method of claim 1, wherein said classifying said plurality of candidate Bots into at least one group in accordance with similarity of behavior.
  - 7. The method of claim 1, wherein said analyzing network traffic of said plurality suspicious hosts to identify a plurality suspicious hub-servers comprises analyzing network traffic of said plurality suspicious hosts in view of a local Internet Protocol (IP) address (lip), a local port (Iport), a remote IP address (rip), and a remote port (rport).
  - 8. The method of claim 7, wherein said analyzing network traffic of said plurality suspicious hosts to identify a plurality suspicious hub-servers comprises identifying pairs of (Iport, lip) that are associated with multiple rips or rports.
  - 9. The method of claim 7, further comprising:
    - providing a list of suspect controllers from said plurality suspicious hub-servers.
  - 10. The method of claim 1, further comprising:
    - performing packet tracing to confirm said Botnet.

11. A computer-readable medium having stored thereon a plurality of instructions, the plurality of instructions including instructions which, when executed by a processor, cause the processor to perform the steps of a method for detecting at least one Botnet, comprising:
- identifying a plurality of candidate Bots;
  
  analyzing network traffic of said plurality candidate Bots to identify a plurality suspect controllers;
  
  classifying said plurality of candidate Bots into at least one group; and
  
  identifying members of each of said at least one group that are connected to a same controller from said plurality suspect controllers, where said members are identified to be part of a Botnet.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The computer-readable medium of claim 11, wherein said plurality of candidate Bots is selected from a plurality of suspicious hosts.
  - 13. The computer-readable medium of claim 12, wherein said plurality of suspicious hosts is identified from at least one monitoring system.
  - 14. The computer-readable medium of claim 13, wherein each of said plurality of suspicious hosts is identified in a worm alarm or as having performed a scanning activity.
  - 15. The computer-readable medium of claim 12, wherein said identifying said plurality of candidate Bots comprises identifying a set of hosts from said plurality of suspicious hosts that has established a connection to at least one hub-server.
  - 16. The computer-readable medium of claim 11, wherein said classifying said plurality of candidate Bots into at least one group in accordance with similarity of behavior.
  - 17. The computer-readable medium of claim 11, wherein said analyzing network traffic of said plurality suspicious hosts to identify a plurality suspicious hub-servers comprises analyzing network traffic of said plurality suspicious hosts in view of a local Internet Protocol (IP) address (lip), a local port (Iport), a remote IP address (rip), and a remote port (rport).
  - 18. The computer-readable medium of claim 17, wherein said analyzing network traffic of said plurality suspicious hosts to identify a plurality suspicious hub-servers comprises identifying pairs of (Iport, lip) that are associated with multiple rips or rports.
  - 19. The computer-readable medium of claim 17, further comprising:
    - providing a list of suspect controllers from said plurality suspicious hub-servers.

20. An apparatus for detecting at least one Botnet, comprising:
- means for identifying a plurality of candidate Bots;
  
  means for analyzing network traffic of said plurality candidate Bots to identify a plurality suspect controllers;
  
  means for classifying said plurality of candidate Bots into at least one group; and
  
  means for identifying members of each of said at least one group that are connected to a same controller from said plurality suspect controllers, where said members are identified to be part of a Botnet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Corporation (AT&T, Inc.)
Inventors
Hoeflin, David A., Karasaridis, Anestis, Rexroad, Carl Brian

Granted Patent

US 8,533,819 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/395.42
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Method and apparatus for detecting compromised host computers

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting compromised host computers

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links