Method and system for statistical analysis of botnets
First Claim
1. A method for updating a botnet based on statistical data, the method comprising:
(a) acquiring, by a computer, botnet distribution of message size-based and timestamp-based statistics for all messages, including any non-spam messages, received from a known botnet over a time period, without acquiring contents of the messages from a remote server;
(b) analyzing the botnet distribution statistics based on messages and determining an activity pattern of the botnet based on the botnet distribution statistics of a number of messages, with timestamps of the messages from the botnet distributed into a set of time intervals;
(c) acquiring a continuous host distribution of message size-based statistics or timestamp-based statistics for all messages received from a single host over the time period, without acquiring contents of the messages from the remote server;
(d) analyzing the host distribution statistics and determining a distribution pattern of the single host, with timestamps of the messages from the single host distributed into a set of time intervals, based on the host distribution statistics;
(e) comparing the distribution statistics of the botnet with the distribution statistics of the single host; and
(f) determining if the single host belongs to the botnet based on a degree of similarity of the distribution statistics and a similarity of their approximating functions.
Abstract
A method and computer program product for updating botnets are described. A statistical method for analyzing the hosts that send out SPAM and for updating botnets is provided. The proposed method uses the fact that a computer in a botnet has to distribute content using activity patterns closely resembling the distribution patterns of other computers in the same botnet over the same time period. The distribution statistics obtained for different sources are compared using an approximation of the graphical data. Based on the comparison, it is determined whether the computer belongs to a botnet, and the botnet is updated accordingly.
16 Claims
1. A method for updating a botnet based on statistical data (recited in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 15, 16.
8. A system for updating a botnet based on statistical data, the system comprising:
a processor;
a memory coupled to the processor;
computer code loaded into the memory for implementing the following functionality:
(a) acquiring botnet distribution of message size-based and timestamp-based statistics for all messages, including any non-spam messages, received from a known botnet over a time period, without acquiring contents of the messages from a remote server;
(b) analyzing the botnet distribution statistics and determining a distribution pattern of the botnet, with timestamps of the messages from the botnet distributed into a set of time intervals, based on the botnet distribution statistics;
(c) acquiring a continuous host distribution of message size-based statistics or timestamp-based statistics for all messages received from a single host over the time period, without acquiring contents of the messages from the remote server, with timestamps of the messages from the single host distributed into the set of time intervals;
(d) analyzing the host distribution statistics and determining a distribution pattern of the single host based on the host distribution statistics;
(e) comparing the distribution statistics of the botnet with the distribution statistics of the single host; and
(f) determining if the single host belongs to the botnet based on a degree of similarity of the distribution statistics and a similarity of their approximating functions.
Dependent claims: 9, 10, 11, 12, 13, 14.
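Steps (a) to (f) of the method and system claims, worked through as an added Python example that is not part of the patent or of any product implementing it: timestamps are distributed into time intervals, per-interval message-count and mean-size vectors form the distribution pattern, and cosine similarity plus a least-squares line (assumed here as the "approximating function") decide membership. The sender data, interval width, window length and thresholds are constructed assumptions.

```python
"""Added example (not the patent's code): classify a host by comparing its
message-metadata distribution with that of a known botnet, steps (a)-(f)."""
import math

INTERVAL = 600      # assumed bucket width in seconds (10 minutes)
N_INTERVALS = 6     # assumed observation window: one hour

# Constructed sample data: (timestamp_seconds, size_bytes) per message.
# Only size and timestamp are used; message contents are never read.
BOTNET = [(10, 980), (50, 1020), (120, 1000), (400, 1000),
          (650, 990), (700, 1010), (900, 1000), (1100, 1000),
          (1300, 1000), (1500, 1000)]            # bursty, uniform-size mail
HOST_A = [(30, 1000), (200, 1000), (700, 1000), (1000, 1000), (1400, 1000)]
HOST_B = [(100, 200), (800, 5000), (1400, 300), (2000, 4000),
          (2600, 250), (3200, 3500)]             # steady, varied-size mail

def activity_pattern(messages, n=N_INTERVALS, width=INTERVAL):
    """Steps (b)/(d): distribute timestamps into n intervals and return the
    message-count fraction and the mean message size per interval."""
    counts, sizes = [0] * n, [0] * n
    for ts, size in messages:
        i = min(ts // width, n - 1)
        counts[i] += 1
        sizes[i] += size
    total = sum(counts) or 1
    return ([c / total for c in counts],
            [s / c if c else 0.0 for s, c in zip(sizes, counts)])

def cosine(a, b):
    """Degree of similarity of two distribution vectors (1.0 = same shape)."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0

def linear_fit(ys):
    """Least-squares line y = m*x + c over the interval index x, used as the
    assumed 'approximating function' of a pattern; returns (m, c)."""
    n = len(ys)
    mx, my = (n - 1) / 2, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in range(n))
    sxy = sum((x - mx) * (y - my) for x, y in enumerate(ys))
    m = sxy / sxx if sxx else 0.0
    return m, my - m * mx

def belongs_to_botnet(botnet_msgs, host_msgs, sim_threshold=0.9, slope_tol=0.05):
    """Steps (e)/(f): True when both count and size distributions are similar
    and the fitted slopes of the count patterns agree (thresholds assumed)."""
    b_cnt, b_size = activity_pattern(botnet_msgs)
    h_cnt, h_size = activity_pattern(host_msgs)
    sim = min(cosine(b_cnt, h_cnt), cosine(b_size, h_size))
    slope_gap = abs(linear_fit(b_cnt)[0] - linear_fit(h_cnt)[0])
    return sim >= sim_threshold and slope_gap <= slope_tol, sim
```

With the constructed data, HOST_A (bursty, uniform sizes) is classified as belonging to the botnet and HOST_B (steady, varied sizes) is not; a real deployment would also demand a minimum message count before comparing, since a handful of messages gives a noisy pattern.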