DETECTING ALTERED APPLICATIONS USING NETWORK TRAFFIC DATA

US 20140150102A1
Filed: 11/29/2012
Published: 05/29/2014
Est. Priority Date: 11/29/2012
Status: Active Grant

First Claim

Patent Images

1. A method for detecting an altered application, comprising:

obtaining, by a processor, network traffic data for a plurality of endpoint devices to determine a network traffic signature for a first application, wherein the network traffic signature for the first application comprises a set of flows within a time window;

monitoring, by the processor, the network traffic data to determine a network traffic signature for a second application, wherein the network traffic signature for the second application comprises the network traffic signature of the first application plus a flow to an additional address that is not included in the set of flows of the network traffic signature of the first application;

determining, by the processor, a ratio of endpoint devices having network traffic data that matches the network traffic signature for the second application as compared to a percentage of endpoint devices having network traffic data that matches the network traffic signature for the first application; and

determining, by the processor, that the second application is the altered application comprising an altered version of the first application when the percentage satisfies a threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, computer readable medium and apparatus for detecting an altered application are disclosed. Network traffic data is obtained for a number of endpoint devices to determine a network traffic signature for a first application. The signature comprises a set of flows within a time window. Network traffic data is monitored to determine a network traffic signature for a second application. The signature for the second application comprises the network traffic signature of the first application plus a flow to an additional address. The method determines a ratio of endpoint devices having network traffic data that matches the signature for the second application as compared to a percentage of endpoint devices having network traffic data that matches the signature for the first application. When the percentage satisfies a threshold, the method determines that the second application is the altered application comprising an altered version of the first application.

31 Citations

View as Search Results

20 Claims

1. A method for detecting an altered application, comprising:
- obtaining, by a processor, network traffic data for a plurality of endpoint devices to determine a network traffic signature for a first application, wherein the network traffic signature for the first application comprises a set of flows within a time window;
  
  monitoring, by the processor, the network traffic data to determine a network traffic signature for a second application, wherein the network traffic signature for the second application comprises the network traffic signature of the first application plus a flow to an additional address that is not included in the set of flows of the network traffic signature of the first application;
  
  determining, by the processor, a ratio of endpoint devices having network traffic data that matches the network traffic signature for the second application as compared to a percentage of endpoint devices having network traffic data that matches the network traffic signature for the first application; and
  
  determining, by the processor, that the second application is the altered application comprising an altered version of the first application when the percentage satisfies a threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein each of the flows in the set of flows comprises a flow between one of the plurality of endpoint devices and an address.
  - 3. The method of claim 1, wherein the plurality of endpoint devices comprise mobile endpoint devices.
  - 4. The method of claim 1, further comprising:
    - performing a remedial action in response to determining that the second application is the altered application.
  - 5. The method of claim 4, wherein the remedial action comprises:
    - notifying an endpoint device that is determined to have network traffic data matching a network traffic signature of the second application that the endpoint device is infected with the altered application.
  - 6. The method of claim 4, wherein the remedial action comprises:
    - blocking new flows to the additional address.
  - 7. The method of claim 4, wherein the remedial action comprises:
    - determining that the second application comprises an updated version of the first application.
  - 8. The method of claim 7, wherein the determining that the second application comprises the updated version of the first application is based upon an observation of subsequent network traffic data.
  - 9. The method of claim 1, wherein the network traffic data comprises a plurality of network traffic data records.
  - 10. The method of claim 9, wherein each of the network traffic data records includes a source address and a destination address of a flow.
  - 11. The method of claim 10, wherein one of the source address and the destination address comprises a uniform resource locator of a domain.
  - 12. The method of claim 9, wherein the network traffic data records comprise call detail records.
  - 13. The method of claim 1, wherein the network traffic data for each flow is collected from a plurality of network elements processing the flow.
  - 14. The method of claim 1, wherein the additional address is associated with a server.
  - 15. The method of claim 14, wherein the server comprises an advertising server.
  - 16. The method of claim 14, wherein the server comprises a command and control server.

17. A tangible computer readable medium storing a plurality of instructions which, when executed by a processor, cause the processor to perform operations, the operations comprising:
- obtaining network traffic data for a plurality of endpoint devices to determine a network traffic signature for a first application, wherein the network traffic signature for the first application comprises a set of flows within a time window;
  
  monitoring the network traffic data to determine a network traffic signature for a second application, wherein the network traffic signature for the second application comprises the network traffic signature of the first application plus a flow to an additional address that is not included in the set of flows of the network traffic signature of the first application;
  
  determining a ratio of endpoint devices having network traffic data that matches the network traffic signature for the second application as compared to a percentage of endpoint devices having network traffic data that matches the network traffic signature for the first application; and
  
  determining that the second application is an altered application comprising an altered version of the first application when the percentage satisfies a threshold.
- View Dependent Claims (18, 19)
- - 18. The tangible computer readable medium of claim 17, further comprising:
    - performing a remedial action in response to determining that the second application is the altered application.
  - 19. The tangible computer readable medium of claim 17, wherein the remedial action comprises:
    - notifying an endpoint device that is determined to have network traffic data matching a network traffic signature of the second application that it is infected with the altered application.

20. An apparatus for detecting an altered application, the apparatus comprising:
- a processor; and
  
  a computer-readable medium in communication with the processor, storing a plurality of instructions which, when executed by the processor, cause the processor to perform operations, the operations comprising;
  
  obtaining network traffic data for a plurality of endpoint devices to determine a network traffic signature for a first application, wherein the network traffic signature for the first application comprises a set of flows within a time window;
  
  monitoring the network traffic data to determine a network traffic signature for a second application, wherein the network traffic signature for the second application comprises the network traffic signature of the first application plus a flow to an additional address that is not included in the set of flows of the network traffic signature of the first application;
  
  determining a ratio of endpoint devices having network traffic data that matches the network traffic signature for the second application as compared to a percentage of endpoint devices having network traffic data that matches the network traffic signature for the first application; and
  
  determining that the second application is the altered application comprising an altered version of the first application when the percentage satisfies a threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Wang, Wei, Bickford, Jeffrey E.

Granted Patent

US 8,973,139 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1441 Countermeasures against mal...

DETECTING ALTERED APPLICATIONS USING NETWORK TRAFFIC DATA

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTING ALTERED APPLICATIONS USING NETWORK TRAFFIC DATA

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links