Method and Apparatus for Botnet Analysis and Visualization

US 20110126136A1
Filed: 11/25/2009
Published: 05/26/2011
Est. Priority Date: 11/25/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for botnet message analysis and visualization comprising the steps of:

tokenizing each message in a list of messages;

aggregating the tokenized messages into groups;

identifying frequency changes in content and attributes of tokenized messages in the aggregated groups;

grouping the identified frequency changes in the aggregated groups of tokenized messages; and

generating a user display of the aggregated groups of tokenized messages and of the identified frequency changes in the aggregated groups of tokenized messages.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for botnet analysis and visualization. Network traffic is filtered to compile a list of messages. The identified messages are tokenized, classified, and aggregated and changes in the frequency of tokenized messages are identified. A display of the tokenized messages is generated and displayed via a user interface. The user interface is configured to a allow a user to review data generated based on the filtered network traffic in order to detect potential botnet activity. User input may be used to adjust filtering and tokenization of the messages.

120 Citations

20 Claims

1. A computer-implemented method for botnet message analysis and visualization comprising the steps of:
- tokenizing each message in a list of messages;
  
  aggregating the tokenized messages into groups;
  
  identifying frequency changes in content and attributes of tokenized messages in the aggregated groups;
  
  grouping the identified frequency changes in the aggregated groups of tokenized messages; and
  
  generating a user display of the aggregated groups of tokenized messages and of the identified frequency changes in the aggregated groups of tokenized messages.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 further comprising the steps of:
    - filtering network traffic comprised of messages;
      
      compiling the list of messages matching filter criteria; and
      
      classifying the tokenized messages.
  - 3. The method of claim 1 wherein the step of generating a user display further comprises:
    - displaying the aggregated groups of tokenized messages in a graph with columns representing timeslots based on the time the messages were originally sent.
  - 4. The method of claim 3 wherein each of the timeslots is comprised of messages sent within a specified time frame.
  - 5. The method of claim 3 further comprising:
    - receiving user input requesting additional detail for messages received in one or more timeslots, by indicating columns on the graph, where each column is associated with a timeslot.
  - 6. The method of claim 5 further comprising:
    - displaying additional detail for messages contained in columns indicated by user input.
  - 7. The method of claim 6 further comprising:
    - receiving user input requesting a display of classifications for a single segment of a column associated with a timeslot.
  - 8. The method of claim 7 further comprising:
    - displaying the classifications for a single segment of a column associated with a timeslot in response to receiving user input requesting a display of classification for a single segment.
  - 9. The method of claim 3 further comprising:
    - displaying an icon indicating the change in frequency of an aggregated group of tokenized messages in a particular timeslot compared to a frequency of an aggregated group of tokenized messages in a previous timeslot.
  - 10. The method of claim 3 further comprising:
    - receiving user input requesting modification of filtering criteria; and
      
      modifying the filtering criteria based on the received user input requesting modification of the filtering criteria.
  - 11. The method of claim 3 further comprising:
    - receiving user input requesting modification of tokenization criteria; and
      
      modifying the tokenization criteria based on the received user input requesting modification of the tokenization criteria.

12. A device for botnet message analysis and visualization comprising:
- means for tokenizing each message in a list of messages;
  
  means for aggregating the tokenized messages into groups;
  
  means for identifying frequency changes in content and attributes of tokenized messages in the aggregated groups;
  
  means for grouping the identified frequency changes in the aggregated groups of tokenized messages; and
  
  means for generating a user display of the aggregated groups of tokenized messages and of the identified frequency changes in the aggregated groups of tokenized messages.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The device of claim 12 further comprising:
    - means for filtering network traffic comprised of messages;
      
      means for compiling the list of messages matching the filter criteria; and
      
      means for classifying the tokenized messages.
  - 14. The device of claim 12 wherein the means for generating a user display further comprises:
    - means for displaying the aggregated groups of tokenized messages in a graph with columns representing timeslots based on the time the messages were originally sent.
  - 15. The device of claim 14 wherein each of the timeslots is comprised of messages sent within a specified time frame.
  - 16. The device of claim 14 further comprising:
    - means for receiving user input requesting additional detail for messages received in one or more timeslots, by indicating columns on the graph, where each column is associated with a timeslot.
  - 17. The device of claim 16 further comprising:
    - means for displaying additional detail for messages contained in columns indicated by user input.

18. A computer readable medium having stored thereon computer executable instructions for botnet message analysis and visualization, the computer executable instructions defining steps comprising:
- tokenizing each message in a list of messages;
  
  aggregating the tokenized messages into groups;
  
  identifying frequency changes in content and attributes of tokenized messages in the aggregated groups;
  
  grouping the identified frequency changes in the aggregated groups of tokenized messages; and
  
  generating a user display of the aggregated groups of tokenized messages and of the identified frequency changes in the aggregated groups of tokenized messages.
- View Dependent Claims (19, 20)
- - 19. The computer readable medium of claim 18, further comprising computer executable instructions defining the steps of:
    - filtering network traffic comprised of messages;
      
      compiling the list of messages matching the filter criteria;
      
      classifying the tokenized messages;
  - 20. The computer readable medium of claim 18 wherein computer executable instruction defining the step of generating a user display further comprises:
    - displaying the aggregated groups of tokenized messages in a graph with columns representing timeslots based on the time the messages were originally sent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Wright, Jeremy, Gross, David, Isenhour, Philip, Abella, Alicia

Granted Patent

US 8,965,981 B2
Time in Patent Office

Days
Field of Search
US Class Current

715/764
CPC Class Codes

H04L 43/028   by filtering

H04L 43/045   for graphical visualisation...

H04L 43/067   using time frame reporting

H04L 63/1408   by monitoring network traff...

Method and Apparatus for Botnet Analysis and Visualization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

120 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus for Botnet Analysis and Visualization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

120 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links