Method and system for statistical analysis of botnets

US 8,468,601 B1
Filed: 02/27/2009
Issued: 06/18/2013
Est. Priority Date: 10/22/2008
Status: Active Grant

First Claim

Patent Images

1. A method for updating a botnet based on statistical data, the method comprising:

(a) acquiring, by a computer, botnet distribution of message size-based and timestamp-based statistics for all messages, including any non-spare messages, received from a known botnet over a time period, without acquiring contents of the messages from a remote server;

(b) analyzing the botnet distribution statistics based on messages and determining an activity pattern of the botnet based on the botnet distribution statistics of a number of messages, with timestamps of the messages from the botnet distributed into a set of time intervals;

(c) acquiring a continuous host distribution of message size-based statistics or timestamp-based statistics for all messages received from a single host over the time period, without acquiring contents of the messages from the remote server;

(d) analyzing the host distribution statistics and determining a distribution pattern of the single host, with timestamps of the messages from the single host distributed into a set of time intervals, based on the host distribution statistics;

(e) comparing the distribution statistics of the botnet with the distribution statistics of the single host; and

(f) determining if the single host belongs to the botnet based on a degree of similarity of the distribution statistics and a similarity of their approximating functions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, and computer program product for updating botnets are described. A statistical method for analyzing the hosts that send out SPAM and updating botnets is provided. The proposed method uses the fact that a computer in a botnet has to distribute content using the activity patterns closely resembling the distribution patterns of other computers in the same botnet over the same time period. The distribution statistical data obtained for different sources are compared using approximation of graphical data. Based on comparison it is determined whether the computer belongs to a botnet and the botnet is updated accordingly.

Citations

16 Claims

1. A method for updating a botnet based on statistical data, the method comprising:
- (a) acquiring, by a computer, botnet distribution of message size-based and timestamp-based statistics for all messages, including any non-spare messages, received from a known botnet over a time period, without acquiring contents of the messages from a remote server;
  
  (b) analyzing the botnet distribution statistics based on messages and determining an activity pattern of the botnet based on the botnet distribution statistics of a number of messages, with timestamps of the messages from the botnet distributed into a set of time intervals;
  
  (c) acquiring a continuous host distribution of message size-based statistics or timestamp-based statistics for all messages received from a single host over the time period, without acquiring contents of the messages from the remote server;
  
  (d) analyzing the host distribution statistics and determining a distribution pattern of the single host, with timestamps of the messages from the single host distributed into a set of time intervals, based on the host distribution statistics;
  
  (e) comparing the distribution statistics of the botnet with the distribution statistics of the single host; and
  
  (f) determining if the single host belongs to the botnet based on a degree of similarity of the distribution statistics and a similarity of their approximating functions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 15, 16)
- - 2. The method of claim 1, further comprising generating a graph representing each distribution statistics.
  - 3. The method of claim 1, wherein the determining of the distribution pattern is also based on any of:
    - a distribution of messages by time of a day;
      
      a distribution of messages by word count; and
      
      a distribution of specific word occurrences.
  - 4. The method of claim 1, further comprising adding an IP address of the single host to a list of known botnet IP addresses, if it is determined in step (f) that the single host belongs to the botnet.
  - 5. The method of claim 1, further comprising determining peaks in the distribution patterns of the botnet and of the single host.
  - 6. The method of claim 1, further comprising deleting a particular host from the botnet if its distribution pattern over the time period does not match the distribution pattern of the botnet.
  - 7. The method of claim 5, wherein the comparing comprises comparing the peaks in the distribution patterns.
  - 15. The method of claim 1, wherein the distributions statistics are based on a message time stamp.
  - 16. The method of claim 1, wherein the distribution statistics are based on a message size and message time stamp pair.

8. A system for updating a botnet based on statistical data, the system comprising:
- a processor;
  
  a memory coupled to the processor;
  
  computer code loaded into the memory for implementing the following functionality;
  
  (a) acquiring botnet distribution of messages size-based and timestamp-based statistics for all messages, including any non-spam messages, received from a known botnet over a time period, without acquiring contents of the messages from a remote server;
  
  (b) analyzing the botnet distribution statistics and determining a distribution pattern of the botnet, with timestamps of the messages from the botnet distributed into a set of time intervals, based on the botnet distribution statistics;
  
  (c) acquiring a continuous host distribution of messages size-based statistics or timestamp-based statistics for all messages received from a single host over the time period, without acquiring contents of the messages from the remote server, with timestamps of the messages from the single host distributed into the set of time intervals;
  
  (d) analyzing the host distribution statistics and determining a distribution pattern of the single host based on the host distribution statistics;
  
  (e) comparing the distribution statistics of the botnet with the distribution statistics of the single host; and
  
  (f) determining if the single host belongs to the botnet based on a degree of similarity of the distribution statistics and a similarity of their approximating functions.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the system generates a graph representing each distribution statistics.
  - 10. The system of claim 8, wherein the determining of the distribution pattern is also based on any of:
    - a distribution of messages by time of a day;
      
      a distribution of messages by word count; and
      
      a distribution of specific word occurrences.
  - 11. The system of claim 8, wherein the system adds an IP address of the single host to a list of known botnet IP addresses, the system determines that the single host belongs to the botnet.
  - 12. The system of claim 8, wherein the system determines peaks in the distribution patterns of the botnet and of the single host.
  - 13. The system of claim 8, wherein the system deletes a particular host from the botnet if its distribution pattern over the time period does not match the distribution pattern of the botnet.
  - 14. The system of claim 13, wherein the system compares the peaks in the distribution patterns.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
Bakhmutov, Andrey V.
Primary Examiner(s)
SHAW, YIN CHEN

Application Number

US12/395,477
Time in Patent Office

1,572 Days
Field of Search

726 22- 24, 709/206
US Class Current

726/23
CPC Class Codes

H04L 2463/144 Detection or countermeasure...

H04L 63/1425 Traffic logging, e.g. anoma...

Method and system for statistical analysis of botnets

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for statistical analysis of botnets

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links