MOBILE BOTNET MITIGATION

US 20120151033A1
Filed: 12/08/2010
Published: 06/14/2012
Est. Priority Date: 12/08/2010
Status: Active Grant

First Claim

Patent Images

1. A method for botnet mitigation in a wireless network, comprising:

analyzing data traffic in the wireless network;

detecting at least one device, operable on the wireless network, that is engaging in bot behavior;

generating a profile for the bot behavior; and

communicating the profile to the at least one mobile device that is engaging in the bot behavior.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mitigation of bot networks in wireless networks and/or on mobile devices is provided. A botnet detection component is provided that inspects data traffic and data flows on the wireless network to identify mobile devices that are suspected of behaving as bots. A traffic profile of the suspected bot behavior can be generated and forwarded to the mobile devices that are suspected of behaving as bots. The mobile device can correlate data traffic on the device to the traffic profile in order to identify applications responsible for the suspected bot behavior, and remove the identified applications.

Citations

20 Claims

1. A method for botnet mitigation in a wireless network, comprising:
- analyzing data traffic in the wireless network;
  
  detecting at least one device, operable on the wireless network, that is engaging in bot behavior;
  
  generating a profile for the bot behavior; and
  
  communicating the profile to the at least one mobile device that is engaging in the bot behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the analyzing comprises analyzing the data traffic in at least one of:
    - a core network, or a edge of the network where the core network connects with a mobility network, wherein the core network and the edge have visibility into data traffic generated by mobile devices connected to the wireless network.
  - 3. The method of claim 1, further comprising identifying at least one mobile device via an Internet Protocol Address.
  - 4. The method of claim 1, wherein the detecting includes comparing the data traffic in the network to at least one of known bot behavior, or a set of traffic anomalies.
  - 5. The method of claim 4, wherein the comparing to the known bot behavior includes comparing to at least one of generating spam messages, scanning the wireless network, or a set of predetermined suspicious traffic patterns.
  - 6. The method of claim 1, wherein the detecting includes identifying the at least one device by communications with a set of known command and control servers.
  - 7. The method of claim 1, wherein the detecting includes determining the at least one device engaging in bot behavior based on cluster analysis.

8. A system for botnet mitigation, comprising:
- an analysis component configured to monitor data flows in a network, and identify at least one device exhibiting bot behavior;
  
  a profile generation component configured to produce a traffic profile of the bot behavior; and
  
  an alert component configured to send the traffic profile of the bot behavior to the at least one device exhibiting the bot behavior.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8, wherein the network is a wireless network, and at least one of the analysis component, the profile generation component, or alert component is configured to execute in at least one of a core network or at the edge of the network, where the core network and a mobility network connect.
  - 10. The system of claim 8, wherein the analysis component is configured to identify the at least one device via at least one of an Internet Protocol Address.
  - 11. The system of claim 8, wherein the analysis component is configured to correlate the data traffic in the network to predetermined bot actions in order to identify the at least one device exhibiting the bot behavior.
  - 12. The system of claim 8, wherein the predetermined bot actions include at least one of generation of spam messages, scanning of the network, or generation of a set of traffic anomalies.
  - 13. The system of claim 8, wherein the analysis component is configured to inspect data traffic to a set of predetermined command and control servers in order to identify the at least one mobile device exhibiting the bot behavior.
  - 14. The system of claim 8, further comprising a decision component configured to automate at least one of the analysis component or the profile generation component.
  - 15. The system of claim 8, wherein the analysis component is configured to identify the at least one device exhibiting bot behavior by at least one of:
    - comparing the data traffic in the wireless network to known bot behavior, observing communications with a known command and control server, cluster analysis, or peer-to-peer botnet detection.

16. A communications device, comprising:
- an information acquisition component configured to obtain at least one profile of bot behavior occurring on the communications device;
  
  a detection component configured to inspect data traffic on the communications device, and configured to compare the data traffic to the at least one profile of bot behavior; and
  
  a protection component configured to at least one of;
  
  erase at least one application from the communications device identified as generating the data traffic correlating to the at least one profile of bot behavior, or perform automatic mitigation including at least one of selectively dropping at least one data packet generated via the at least one application, quarantining the at least one application, or blocking user access to the at least one application.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The communications device of claim 16, wherein the detection component operates in the kernel space of the communications device.
  - 18. The communications device of claim 16, further comprising a user prompt component that provides at least one prompt to a user, instructing the user to determine whether to erase the at least one application identified as generating the data traffic correlating to the at least one profile of bot behavior.
  - 19. The communications device of claim 18, wherein the protection component performs automatic mitigation if the user determines not to erase the at least one application identified as generating the data traffic correlating to the at least one profile of bot behavior.
  - 20. The communications device of claim 16, wherein the at least one profile of bot behavior includes at least one of generating spam messages, scanning a network, or generating a set of traffic anomalies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Baliga, Arati, Coskun, Baris

Granted Patent

US 9,219,744 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

H04L 2463/144   Detection or countermeasure...

H04L 63/126   the source of the received ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/164   at the network layer

H04W 12/06   Authentication

H04W 12/122   Counter-measures against at...

H04W 12/128   Anti-malware arrangements, ...

MOBILE BOTNET MITIGATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MOBILE BOTNET MITIGATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links