Method and apparatus for detecting compromised host computers
First Claim

1. A method for detecting at least one Botnet, comprising:
identifying a plurality of candidate Bots;
analyzing network traffic of said plurality of candidate Bots to identify a plurality of suspect controllers;
classifying said plurality of candidate Bots into at least one group; and
identifying members of each of said at least one group that are connected to a same controller from said plurality of suspect controllers, where said members are identified to be part of a Botnet.
Abstract
A method and apparatus for detecting compromised host computers (e.g., Bots) are disclosed. For example, the method identifies a plurality of suspicious hosts (candidate Bots). Once identified, the method analyzes the network traffic of the plurality of suspicious hosts to identify a plurality of suspicious hub-servers (suspect controllers). The method then classifies the plurality of candidate Bots into at least one group. The method then identifies the members of each of the at least one group that are connected to a same controller from the plurality of suspicious controllers; those members are identified as part of a Botnet.
20 Claims
1. A method for detecting at least one Botnet, comprising the steps reproduced above under First Claim. Dependent claims 2 through 10 depend from claim 1 and are not reproduced on this page.
11. A computer-readable medium having stored thereon a plurality of instructions, the plurality of instructions including instructions which, when executed by a processor, cause the processor to perform the steps of a method for detecting at least one Botnet, comprising:
identifying a plurality of candidate Bots;
analyzing network traffic of said plurality of candidate Bots to identify a plurality of suspect controllers;
classifying said plurality of candidate Bots into at least one group; and
identifying members of each of said at least one group that are connected to a same controller from said plurality of suspect controllers, where said members are identified to be part of a Botnet.
Dependent claims 12 through 19 depend from claim 11 and are not reproduced on this page.
20. An apparatus for detecting at least one Botnet, comprising:
means for identifying a plurality of candidate Bots;
means for analyzing network traffic of said plurality of candidate Bots to identify a plurality of suspect controllers;
means for classifying said plurality of candidate Bots into at least one group; and
means for identifying members of each of said at least one group that are connected to a same controller from said plurality of suspect controllers, where said members are identified to be part of a Botnet.
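The four steps recited in the abstract and in independent claims 1, 11 and 20 (candidate Bots, suspect controllers, grouping, shared-controller membership) can be run end to end over flow records. The following is an added example written for this page, not code from the patent or its assignee: every address is from the RFC 5737 documentation ranges, every flow record is constructed inline, and the concrete heuristics (a fan-out of 20 or more distinct hosts on port 445 or 25 marks a candidate; a hub is a suspect controller when at least two candidates reach it and candidates make up at least half of its clients, which keeps a shared service such as a CDN from being flagged; a behavioural profile is the set of fan-out signals a host exhibits) are assumptions chosen to illustrate the claim structure, not the patent's own thresholds.

```python
# Added example (not the patent's code): a toy implementation of the claimed
# four-step botnet-detection pipeline over constructed flow records.
from collections import defaultdict

# Flow record = (src_ip, dst_ip, dst_port). All addresses are RFC 5737 documentation
# ranges and every record below is constructed for this example.
CONTROLLER_1 = ("203.0.113.5", 6667)       # hypothetical IRC-style C2 server
CONTROLLER_2 = ("203.0.113.9", 6667)       # second hypothetical C2 server
POPULAR_SERVICE = ("198.51.100.200", 443)  # a shared service everyone uses (not C2)
SUSPICIOUS_PORTS = {445: "scan_445", 25: "spam_25"}  # assumed fan-out signals


def _fanout(src, port, n, net):
    """n connections from src to distinct hosts in net on one port (scan or spam)."""
    return [(src, f"{net}.{i}", port) for i in range(1, n + 1)]


def build_sample_flows():
    """Constructed capture: four SMB-scanning bots, two spam bots, ten clean hosts."""
    flows = []
    # Scanning bots, two per controller, that also use the popular service.
    for bot, ctl in [("10.0.0.1", CONTROLLER_1), ("10.0.0.2", CONTROLLER_1),
                     ("10.0.0.3", CONTROLLER_2), ("10.0.0.4", CONTROLLER_2)]:
        flows += _fanout(bot, 445, 30, "192.0.2")
        flows += [(bot,) + ctl, (bot,) + POPULAR_SERVICE]
    # Spam bots that report to CONTROLLER_1, like the first scanning pair.
    for bot in ("10.0.0.5", "10.0.0.6"):
        flows += _fanout(bot, 25, 30, "198.51.100")
        flows += [(bot,) + CONTROLLER_1, (bot,) + POPULAR_SERVICE]
    # Clean hosts; one of them sends a little legitimate mail.
    for i in range(10, 20):
        flows.append((f"10.0.0.{i}",) + POPULAR_SERVICE)
    flows += _fanout("10.0.0.10", 25, 3, "198.51.100")
    return flows


def fanout_pairs(flows, threshold=20):
    """(src, port) pairs where src reaches >= threshold distinct hosts on a suspicious port."""
    dests = defaultdict(set)
    for src, dst, port in flows:
        if port in SUSPICIOUS_PORTS:
            dests[(src, port)].add(dst)
    return {pair for pair, ds in dests.items() if len(ds) >= threshold}


def identify_candidate_bots(flows, threshold=20):
    """Step 1: candidate Bots, each keyed to the set of fan-out signals it exhibits."""
    signals = defaultdict(set)
    for src, port in fanout_pairs(flows, threshold):
        signals[src].add(SUSPICIOUS_PORTS[port])
    return {host: frozenset(s) for host, s in signals.items()}


def identify_suspect_controllers(flows, candidates, min_bots=2, min_bot_share=0.5):
    """Step 2: hub servers in the candidates' remaining (non-fan-out) traffic.
    Assumption: a hub is suspect when >= min_bots candidates reach it and candidates
    are at least min_bot_share of its clients, which excludes shared services."""
    noise = fanout_pairs(flows)
    clients = defaultdict(set)
    for src, dst, port in flows:
        if (src, port) not in noise:            # drop the scan/spam traffic itself
            clients[(dst, port)].add(src)
    suspects = set()
    for server, srcs in clients.items():
        bots = {s for s in srcs if s in candidates}
        if len(bots) >= min_bots and len(bots) / len(srcs) >= min_bot_share:
            suspects.add(server)
    return suspects


def classify_candidates(candidates):
    """Step 3: group candidate Bots by behavioural profile (their signal set)."""
    groups = defaultdict(set)
    for host, profile in candidates.items():
        groups[profile].add(host)
    return dict(groups)


def identify_botnets(flows, groups, controllers, min_members=2):
    """Step 4: within each group, members sharing one suspect controller form a Botnet."""
    connected = defaultdict(set)
    for src, dst, port in flows:
        if (dst, port) in controllers:
            connected[(dst, port)].add(src)
    botnets = []
    for profile, members in groups.items():
        for ctl in controllers:
            shared = members & connected[ctl]
            if len(shared) >= min_members:
                botnets.append((profile, ctl, frozenset(shared)))
    return sorted(botnets, key=lambda b: (sorted(b[0]), b[1], sorted(b[2])))


def detect_botnets(flows):
    """The full claimed pipeline: one (profile, controller, members) tuple per Botnet."""
    candidates = identify_candidate_bots(flows)
    controllers = identify_suspect_controllers(flows, candidates)
    groups = classify_candidates(candidates)
    return identify_botnets(flows, groups, controllers)


if __name__ == "__main__":
    for profile, ctl, members in detect_botnets(build_sample_flows()):
        print(sorted(profile), ctl, sorted(members))
```

On the constructed capture this yields three Botnets: the two SMB scanners on CONTROLLER_1, the two SMB scanners on CONTROLLER_2, and the two spam bots on CONTROLLER_1. The last case shows why the claim groups candidates before matching controllers: the spam bots share a controller with the first scanning pair but form a separate Botnet because their behaviour differs. Filtering out each candidate's own fan-out traffic before the hub analysis is what keeps the scan victims on 192.0.2.0/24 from being mistaken for controllers, and the client-share check keeps the shared 198.51.100.200 service out of the suspect set.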
Specification