FIREWALL BASED BOTNET DETECTION
2 Assignments
0 Petitions
Abstract
A computer detects malicious intrusions (or bots) into a computer. The computer receives firewall log data that includes communication records containing the source and destination of the communication, as well as the time of the communication. The source or destination of the communication may be on a list of suspicious servers known to contain malicious software. The computer identifies a sequence of communications between a common source address and a common destination address. The computer further identifies substantially fixed intervals between the communications and generates an alert indicating a suspected bot intrusion. The computer also identifies, from the sequence of communications, patterns in the communication intervals, and similarly generates an alert indicating a suspected bot intrusion.
20 Claims
1. A method for detecting malicious intrusions into a computer, the method comprising:
identifying, by one or more processors, a sequence of communications between a common source address and a common destination address through a firewall for the computer, and respective times of the communications; and
determining, by one or more processors, that the communications occur at substantially fixed intervals, and based at least in part on the determination, generating an alert indicating a suspected bot intrusion.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A computer program product for detecting malicious intrusions into a computer, the computer program product comprising:
one or more computer-readable tangible storage devices and program instructions stored on at least one of the one or more storage devices, the program instructions comprising:
program instructions to identify a sequence of communications between a common source address and a common destination address through a firewall for the computer, and respective times of the communications; and
program instructions to determine that the communications occur at substantially fixed intervals, and based at least in part on the determination, generating an alert indicating a suspected bot intrusion.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A system for detecting malicious intrusions into a computer, the system comprising:
one or more processors, one or more computer-readable memories, one or more computer-readable tangible storage devices, and program instructions stored on at least one of the one or more storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, the program instructions comprising:
program instructions to identify a sequence of communications between a common source address and a common destination address through a firewall for the computer, and respective times of the communications; and
program instructions to determine that the communications occur at substantially fixed intervals, and based at least in part on the determination, generating an alert indicating a suspected bot intrusion.
Dependent claims: 16, 17, 18, 19, 20
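The abstract and the independent claims above describe the same procedure: take firewall log records (source, destination, time), group them by source/destination pair, and alert when the gaps between successive communications are substantially fixed or follow a repeating pattern, with a list of suspicious servers as an additional signal. The following Python is an added example written for this page; it is not code from the patent or its assignee. The log line format, the interval tolerances (coefficient of variation of at most 5%, at least four events), the watchlist and all sample addresses are constructed assumptions for the example.

```python
"""Fixed-interval (beacon) detection over firewall log records.

Added example, not part of the patent. Implements the method the
abstract and claims describe: group firewall records by (source,
destination), compute the gaps between successive communications,
and alert when the gaps are substantially fixed or repeat in a cycle.
Log format, thresholds and the watchlist are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample firewall log (assumed format: timestamp action src dst).
# 10.0.0.5 talks to one host every ~5 minutes (a fixed-interval beacon).
# 10.0.0.7 talks irregularly to a host on the constructed watchlist.
# 10.0.0.9 alternates 60 s / 120 s gaps (a repeating interval pattern).
# 10.0.0.3 is ordinary irregular traffic and should not alert.
SAMPLE_LOG = """\
2024-03-01T10:00:00 ALLOW 10.0.0.5 198.51.100.20
2024-03-01T10:00:00 ALLOW 10.0.0.9 192.0.2.44
2024-03-01T10:00:03 ALLOW 10.0.0.7 203.0.113.9
2024-03-01T10:01:00 ALLOW 10.0.0.9 192.0.2.44
2024-03-01T10:02:17 ALLOW 10.0.0.3 192.0.2.10
2024-03-01T10:03:00 ALLOW 10.0.0.9 192.0.2.44
2024-03-01T10:04:00 ALLOW 10.0.0.9 192.0.2.44
2024-03-01T10:05:01 ALLOW 10.0.0.5 198.51.100.20
2024-03-01T10:06:00 ALLOW 10.0.0.9 192.0.2.44
2024-03-01T10:07:00 ALLOW 10.0.0.9 192.0.2.44
2024-03-01T10:09:00 ALLOW 10.0.0.9 192.0.2.44
2024-03-01T10:09:58 ALLOW 10.0.0.5 198.51.100.20
2024-03-01T10:11:40 ALLOW 10.0.0.7 203.0.113.9
2024-03-01T10:15:00 ALLOW 10.0.0.5 198.51.100.20
2024-03-01T10:20:02 ALLOW 10.0.0.5 198.51.100.20
2024-03-01T10:30:44 ALLOW 10.0.0.3 192.0.2.10
2024-03-01T10:33:05 ALLOW 10.0.0.3 192.0.2.10
2024-03-01T10:47:15 ALLOW 10.0.0.7 203.0.113.9
2024-03-01T10:52:00 ALLOW 10.0.0.7 203.0.113.9
"""

# Constructed watchlist of servers "known to contain malicious software".
SUSPICIOUS_SERVERS = {"203.0.113.9"}


def parse_log(text):
    """Turn log lines into (timestamp, src, dst) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, _action, src, dst = parts
        try:
            records.append((datetime.fromisoformat(ts), src, dst))
        except ValueError:
            continue
    return records


def group_flows(records):
    """Bucket communication times by (src, dst) pair, each list in time order."""
    flows = defaultdict(list)
    for ts, src, dst in records:
        flows[(src, dst)].append(ts)
    return {pair: sorted(times) for pair, times in flows.items()}


def intervals(times):
    """Seconds between successive communications of one flow."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def is_fixed_interval(gaps, min_events=4, max_cv=0.05):
    """'Substantially fixed': enough samples and a low relative spread of the gaps."""
    if len(gaps) < min_events - 1:
        return False
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_cv


def repeating_pattern(gaps, tol=0.05):
    """Shortest period p >= 2 at which the gap sequence repeats (two full cycles), else None."""
    for p in range(2, len(gaps) // 2 + 1):
        if all(abs(gaps[i] - gaps[i + p]) <= tol * max(gaps[i], gaps[i + p], 1)
               for i in range(len(gaps) - p)):
            return p
    return None


def detect_beacons(log_text, suspicious=SUSPICIOUS_SERVERS):
    """Return one alert dict per flow that shows beacon-like timing or a listed peer."""
    alerts = []
    for (src, dst), times in sorted(group_flows(parse_log(log_text)).items()):
        gaps = intervals(times)
        on_watchlist = src in suspicious or dst in suspicious
        if is_fixed_interval(gaps):
            reason = "fixed-interval beacon"
        elif (period := repeating_pattern(gaps)) is not None:
            reason = f"repeating interval pattern (period {period})"
        elif on_watchlist:
            reason = "contact with listed suspicious server"
        else:
            continue  # irregular traffic to an unlisted peer: no alert
        timing_signal = not reason.startswith("contact")
        alerts.append({
            "src": src, "dst": dst, "reason": reason, "events": len(times),
            "mean_gap_s": round(mean(gaps), 1) if gaps else None,
            "severity": "high" if timing_signal and on_watchlist
            else "medium" if timing_signal else "low",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_beacons(SAMPLE_LOG):
        print(alert)
```

The timing check deliberately tolerates small jitter (the 5 minute beacon in the sample drifts by a few seconds) because real implants rarely fire on an exact clock, while the minimum event count keeps a pair of coincidentally spaced requests from alerting on its own. The watchlist only raises severity or produces a low-priority alert by itself, mirroring the abstract's wording that a listed source or destination is a contributing factor rather than a conclusion.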