METHOD TO PERFORM BOTNET DETECTION

US 20080307526A1
Filed: 06/07/2007
Published: 12/11/2008
Est. Priority Date: 06/07/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

monitoring network activities associated with a computer connected to a network;

detecting a bot activity associated with the computer;

attributing a bot status to the computer, based on a bot activity type associated with the bot activity, prior detections of bot activities, and considering time stamps; and

updating the bot status attributed to the computer, based on detection of subsequent bot activities associated with the computer, the bot activity types associated with the subsequent bot activities, and at least one other criterion.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a system for monitoring network activities associated with a computer connected to a network are provided. The method may include detecting a bot activity associated with the computer; attributing a bot status to the computer, based on a bot activity type associated with the bot activity, prior detections of bot activities, and considering time stamps. The method may also include updating the bot status attributed to the computer, based upon detection of subsequent bot activities associated with the computer, the bot activity types associated with the subsequent bot activities, and one or more other criteria. In one example embodiment, the network activities may include network transmissions and behavioral patterns. According to example embodiments, the system may include a network monitor, a bot activity detection module, a bot status module, and a bot status update module.

52 Citations

View as Search Results

20 Claims

1. A method comprising:
- monitoring network activities associated with a computer connected to a network;
  
  detecting a bot activity associated with the computer;
  
  attributing a bot status to the computer, based on a bot activity type associated with the bot activity, prior detections of bot activities, and considering time stamps; and
  
  updating the bot status attributed to the computer, based on detection of subsequent bot activities associated with the computer, the bot activity types associated with the subsequent bot activities, and at least one other criterion.
- View Dependent Claims (2, 3, 4, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the network activities include network transmissions and network behavioral patterns.
  - 3. The method of claim 1, wherein monitoring the network activities is performed from within the network.
  - 4. The method of claim 1, further comprising recording timestamps associated with the subsequent bot activities.
  - 6. The method of claim 1, wherein the bot status includes at least one of a suspect, an active, an inactive, or a clean.
  - 7. The method of claim 1, wherein the bot activity type includes at least one of:
    - a botnet control,an Internet Protocol (IP) scanning,a spamming, ora Distributed Denial of Service (DDoS) attack.
  - 8. The method of claim 1, wherein updating the bot status attributed to the computer is performed using a long-term memory algorithm.
  - 9. The method of claim 2, wherein the behavioral patterns include a behavioral pattern mixed with a signature.

5. The method of claim 5, wherein the at least one other criterion includes the timestamps associated with the subsequent bot activities.

10. A system comprising:
- a network monitor to monitor network activities associated with a computer connected to a network;
  
  a bot activity detection module to detect a bot activity associated with the computer;
  
  a bot status module to attribute a bot status to the computer, based on a bot activity type associated with the bot activity, prior detections of bot activities, and considering time stamps;
  
  the bot activity detection module to detect subsequent bot activities associated with the computer; and
  
  a bot status update module to update the bot status attributed to the computer, based on detection of the subsequent bot activities associated with the computer, the bot activity types associated with the subsequent bot activities, and at least one other criterion.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10, wherein the network monitor is to monitor network activities including network transmissions and network behavioral patterns.
  - 12. The system of claim 10, wherein the network monitor is to monitor the network activities from within the network.
  - 13. The system of claim 10, wherein the at least one other criterion used by the bot status module includes the timestamp associated with the subsequent bot activities.
  - 14. The system of claim 10, wherein the bot status module is to attribute the bot status, the bot status including at least one of a suspect, an active, an inactive, or a clean.
  - 15. The system of claim 10, wherein the bot activity detection module is to detect the bot activity type, the bot activity type including at least one of:
    - a botnet control,an Internet Protocol (IP) scanning,a spamming, ora Distributed Denial of Service (DDoS) attack.
  - 16. The system of claim 10, wherein the bot status update module is to update the bot status attributed to the computer using a long-term memory algorithm.
  - 17. The system of claim 10, wherein the bot status includes at least one of a suspect, an active, an inactive, or a clean.

18. A system comprising:
- means for monitoring network activities associated with a computer connected to a network;
  
  means for detecting a bot activity associated with the computer;
  
  means for attributing a bot status to the computer, based on a bot activity type associated with the bot activity, prior detections of bot activities, and considering time stamps;
  
  means for detecting subsequent bot activities associated with the computer; and
  
  means for updating the bot status attributed to the computer, based on detection of the subsequent bot activities associated with the computer, the bot activity types associated with the subsequent bot activities, and at least one other criterion.
- View Dependent Claims (19)
- - 19. The system of claim 18, further comprising means for recording timestamps associated with the subsequent bot activities.

20. A machine readable medium comprising instructions, which when implemented by one or more processors perform following operations:
- monitor network activities associated with a computer connected to a network;
  
  detect a bot activity associated with the computer;
  
  attribute a bot status to the computer, based on a bot activity type associated with the bot activity, prior detections of bot activities, and considering time stamps;
  
  detect subsequent bot activities associated with the computer; and
  
  update the bot status attributed to the computer, based on detection of the subsequent bot activities associated with the computer, the bot activity types associated with the subsequent bot activities, and at least one other criterion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Mi5 Networks
Inventors
Chung, Yishin, Doitel, Ofer, Davidson, Ron

Application Number

US11/759,807
Publication Number

US 20080307526A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

METHOD TO PERFORM BOTNET DETECTION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD TO PERFORM BOTNET DETECTION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links