FIREWALL BASED BOTNET DETECTION

US 20140344912A1
Filed: 05/20/2013
Published: 11/20/2014
Est. Priority Date: 05/20/2013
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious intrusions into a computer, the method comprising:

identifying, by one or more processors, a sequence of communications between a common source address and a common destination address through a firewall for the computer, and respective times of the communications; and

determining, by one or more processors, that the communications occur at substantially fixed intervals, and based at least in part on the determination, generating an alert indicating a suspected bot intrusion.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer detects malicious intrusions (or bots) into a computer. The computer receives firewall log data that includes communication records containing the source and destination of the communication, as well as, the time of the communication. The source or destination of the communication may be on a list of suspicious servers known to contain malicious software. The computer identifies a sequence of communications between a common source address and a common destination address. The computer further identifies substantially fixed intervals between the communications, and generates an alert indicating a suspected bot intrusion. The computer also identifies from the sequence of communication, patterns in the communication intervals, similarly generating an alert indicating a suspected bot intrusion.

Citations

20 Claims

1. A method for detecting malicious intrusions into a computer, the method comprising:
- identifying, by one or more processors, a sequence of communications between a common source address and a common destination address through a firewall for the computer, and respective times of the communications; and
  
  determining, by one or more processors, that the communications occur at substantially fixed intervals, and based at least in part on the determination, generating an alert indicating a suspected bot intrusion.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising comparing the source address to a list of suspect servers.
  - 3. The method of claim 1, further comprising comparing the destination address to a list of suspect servers.
  - 4. The method of claim 1, wherein the substantially fixed intervals exist between non-sequential communications.
  - 5. The method of claim 1, wherein the substantially fixed intervals exist between non-sequential intervals.
  - 6. The method of claim 1, further comprising storing the sequence of communications in a monitoring log.
  - 7. The method of claim 1, wherein the firewall is between the source address and the destination address.

8. A computer program product for detecting malicious intrusions into a computer, the computer program product comprising:
- one or more computer-readable tangible storage devices and program instructions stored on at least one of the one or more storage devices, the program instructions comprising;
  
  program instructions to identify a sequence of communications between a common source address and a common destination address through a firewall for the computer, and respective times of the communications; and
  
  program instructions to determine that the communications occur at substantially fixed intervals, and based at least in part on the determination, generating an alert indicating a suspected bot intrusion.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8, further comprising program instructions to compare the source address to a list of suspect servers.
  - 10. The computer program product of claim 8, further comprising program instructions to compare the destination address to a list of suspect servers.
  - 11. The computer program product of claim 8, wherein the substantially fixed intervals exist between non-sequential communications.
  - 12. The computer program product of claim 8, wherein the substantially fixed intervals exist between non-sequential intervals.
  - 13. The computer program product of claim 8, further comprising program instructions to store the sequence of communications in a monitoring log.
  - 14. The computer program product of claim 8, wherein the firewall is between the source address and the destination address.

15. A system for detecting malicious intrusions into a computer, the system comprising:
- one or more processors, one or more computer-readable memories, one or more computer-readable tangible storage devices, and program instructions stored on at least one of the one or more storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, the program instructions comprising;
  
  program instructions to identify a sequence of communications between a common source address and a common destination address through a firewall for the computer, and respective times of the communications; and
  
  program instructions to determine that the communications occur at substantially fixed intervals, and based at least in part on the determination, generating an alert indicating a suspected bot intrusion.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, further comprising program instructions to compare the source address to a list of suspect servers.
  - 17. The system of claim 15, further comprising program instructions to compare the destination address to a list of suspect servers.
  - 18. The system of claim 15, wherein the substantially fixed intervals exist between non-sequential communications.
  - 19. The system of claim 15, wherein the substantially fixed intervals exist between non-sequential intervals.
  - 20. The system of claim 15, further comprising program instructions to store the sequence of communications in a monitoring log.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Chapman, Daniel E. II, Givental, Gary I., Kuhn, John D., Suzio, Michael J.

Granted Patent

US 9,124,626 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

FIREWALL BASED BOTNET DETECTION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

FIREWALL BASED BOTNET DETECTION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links