SYSTEM AND METHOD FOR MODELING ACTIVITY PATTERNS OF NETWORK TRAFFIC TO DETECT BOTNETS
Abstract
The invention relates to a system and method that detect botnets by classifying each client's communication activities according to destination, or based on the similarity between groups of collected traffic. According to certain aspects of the invention, the communication activities of each client can be classified to model network activity by differentiating the protocols of the collected network traffic based on destination and patterning the subgroups for the respective protocols. Within a botnet group detected by modeling network activity, i.e., by analyzing network-based activity patterns, the servers estimated to be C&C servers can be classified into download and upload servers, spam servers and command-and-control servers. Botnet groups can also be detected by way of a group information management function, which generates an activity pattern-based group matrix from group data, and a mutual similarity analysis performed on the groups suspected to be botnets based on that group information.
Claims (18)

1. A system for modeling activity patterns of network traffic to detect botnets, the system comprising:
   a botnet traffic collector sensor configured to collect traffic within a network and classify the traffic according to destination; and
   a botnet detector system configured to detect a botnet based on botnet traffic collected by the botnet traffic collector sensor.
   Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A method for modeling activity patterns of network traffic to detect botnets, the method comprising:
   collecting traffic;
   classifying protocols of the collected traffic; and
   modeling activities for the classified traffic.
   Dependent claims: 10, 11.

12. A method for modeling activity patterns of network traffic to detect botnets, the method comprising:
   collecting traffic;
   generating group information for the collected traffic; and
   determining a botnet group based on the group information,
   wherein the group information includes group data and a group matrix, the group data including information on a plurality of sources for a single destination, and the group matrix including stored data obtained after analyzing an IP count according to an access activity pattern occurring in the group data.
   Dependent claims: 13, 14, 15, 16, 17, 18.
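As an added illustration of claim 12 (example code written for this page, not the patent's own implementation), the following Python builds the group data (source IPs per destination) and the group matrix (distinct source IP count per access activity pattern) from constructed flow records, then runs a mutual similarity analysis between the groups. Treating the protocol as the access activity pattern and using Jaccard similarity on source IP sets are assumptions made here.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample flows (source IP, destination IP, protocol); not real traffic.
# 10.0.0.1-4 contact both a suspected C&C host and a spam relay; 10.0.1.x only browse.
FLOWS = [
    ("10.0.0.1", "203.0.113.5", "IRC"), ("10.0.0.2", "203.0.113.5", "IRC"),
    ("10.0.0.3", "203.0.113.5", "IRC"), ("10.0.0.4", "203.0.113.5", "IRC"),
    ("10.0.0.1", "203.0.113.5", "HTTP"), ("10.0.0.2", "203.0.113.5", "HTTP"),
    ("10.0.0.1", "198.51.100.7", "SMTP"), ("10.0.0.2", "198.51.100.7", "SMTP"),
    ("10.0.0.3", "198.51.100.7", "SMTP"), ("10.0.0.4", "198.51.100.7", "SMTP"),
    ("10.0.0.1", "93.184.216.34", "HTTP"), ("10.0.1.20", "93.184.216.34", "HTTP"),
    ("10.0.1.21", "93.184.216.34", "HTTP"), ("10.0.1.22", "93.184.216.34", "HTTP"),
]

def build_group_data(flows):
    """Group data: for each destination, the set of source IPs that contacted it."""
    groups = defaultdict(set)
    for src, dst, _proto in flows:
        groups[dst].add(src)
    return dict(groups)

def build_group_matrix(flows):
    """Group matrix: per destination, distinct source IP count per access pattern.
    The access activity pattern is approximated by the protocol (an assumption)."""
    cells = defaultdict(lambda: defaultdict(set))
    for src, dst, proto in flows:
        cells[dst][proto].add(src)
    return {dst: {p: len(ips) for p, ips in pats.items()} for dst, pats in cells.items()}

def jaccard(a, b):
    """Mutual similarity of two groups, measured on their source IP sets."""
    return len(a & b) / len(a | b) if a | b else 0.0

def suspected_botnet_groups(flows, min_sources=3, min_similarity=0.5):
    """Flag destination groups whose member sets largely coincide with another
    group's, e.g. many hosts sharing both a command server and a spam relay."""
    groups = build_group_data(flows)
    candidates = {d: s for d, s in groups.items() if len(s) >= min_sources}
    flagged = set()
    for d1, d2 in combinations(sorted(candidates), 2):
        if jaccard(candidates[d1], candidates[d2]) >= min_similarity:
            flagged.update((d1, d2))
    return sorted(flagged)

if __name__ == "__main__":
    print(build_group_matrix(FLOWS))
    print(suspected_botnet_groups(FLOWS))  # ['198.51.100.7', '203.0.113.5']
```

The benign web server shares only one source with the C&C group, so its similarity stays well below the threshold and it is not flagged.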