Method and apparatus for detecting zombie-generated spam
Abstract
Disclosed is a method and system for detecting a zombie attack in a network having a plurality of computers. The method and system include a network analysis module for determining, for each computer, a working set of email addresses associated with emails sent by each computer. A zombie attack is detected by determining at least one of: 1) at least one computer in the plurality is transmitting more than a threshold rate of emails, 2) that at least one of the computers is transmitting more than a first threshold number of emails to email addresses outside of its associated working set, 3) that a first threshold number of computers in the plurality are transmitting email messages to email addresses outside of their associated working set, and 4) that more than a second threshold number of computers are transmitting more than a second threshold number of emails to a recipient computer.
9 Claims
-
1. A method for detecting a zombie attack in a network comprising a plurality of computers, the method comprising:
determining, for each particular computer in the plurality of computers, a working set associated with the particular computer, the working set comprising:
a first list of email addresses including email addresses associated with emails sent by the particular computer and including email addresses associated with emails received by the particular computer;
determining whether at least a first threshold number of computers in the plurality of computers are transmitting email messages to email addresses not included in their working set;
determining whether at least a second threshold number of computers in the plurality of computers are transmitting at least a first threshold number of emails to a recipient computer;
determining, for each computer in the plurality of computers, whether at least a second threshold number of emails are being transmitted to email addresses not included in its working set;
storing, for each particular computer in the plurality of computers, data comprising:
a second list comprising an email address and a time associated with each sent email associated with the particular computer;
a third list comprising an email address and a time associated with each received email associated with the particular computer; and
a rate of emails sent by each particular computer in the plurality of computers;
determining a change in the rate of emails sent based on the rate and the data; and
detecting a zombie attack based on:
whether at least the first threshold number of computers in the plurality of computers are transmitting email messages to email addresses not included in their working set, and whether at least the second threshold number of computers in the plurality of computers are transmitting at least the first threshold number of emails to a recipient computer; and
whether the change in the rate of emails sent, associated with a particular computer, is greater than a first threshold rate; and
whether, for each computer in the plurality of computers, at least the second threshold number of emails are being transmitted to email addresses not included in its working set.
-
2. The method of claim 1 wherein the first threshold number of computers is equal to the second threshold number of computers.
-
3. The method of claim 1 wherein determining, for each particular computer in the plurality of computers, a working set of email addresses comprises:
performing network analysis on the particular computer to determine a list of email addresses associated with the particular computer.
-
4. The method of claim 3 wherein determining, for each particular computer in the plurality of computers, a working set of email addresses comprises:
determining a working set for the particular computer by determining to which email addresses in the list of email addresses the particular computer sends email messages.
-
5. The method of claim 4 wherein determining, for each particular computer in the plurality of computers, a working set of email addresses comprises:
updating the working set of email addresses.
-
6. A computer system for detecting a zombie attack in a network comprising a plurality of computers, the computer system comprising:
a network analysis module configured to:
determine, for each particular computer in the plurality of computers, a working set associated with the particular computer, the working set comprising:
a first list of email addresses including email addresses associated with emails sent by the particular computer and including email addresses associated with emails received by the particular computer;
determine whether at least a first threshold number of computers in the plurality of computers are transmitting email messages to email addresses not included in their working set;
determine whether at least a second threshold number of computers in the plurality of computers are transmitting at least a first threshold number of email messages to a recipient computer;
determine, for each computer in the plurality of computers, whether at least a second threshold number of emails are being transmitted to email addresses not included in its working set;
store, for each particular computer in the plurality of computers, data comprising:
a second list comprising an email address and a time associated with each sent email associated with the particular computer;
a third list comprising an email address and a time associated with each received email associated with the particular computer; and
a rate of emails sent by each particular computer in the plurality of computers;
determine a change in the rate of emails sent based on the rate and the data; and
detect a zombie attack based on:
whether at least the first threshold number of computers in the plurality of computers are transmitting email messages to email addresses not included in their working set, and whether at least the second threshold number of computers in the plurality of computers are transmitting at least the third threshold number of emails to a recipient computer; and
whether the rate associated with a particular computer in a second predetermined time period is greater than a predetermined threshold; and
whether, for each computer in the plurality of computers, at least the second threshold number of emails are being transmitted to email addresses not included in its working set.
-
7. The system of claim 6 wherein the first threshold number of computers is equal to the second threshold number of computers.
-
8. The system of claim 6 wherein the network analysis module is further configured to perform network analysis on each particular computer in the plurality of computers to determine a list of email addresses associated with each particular computer.
-
9. The system of claim 8 wherein the network analysis module is further configured to determine the working set associated with each particular computer by determining to which email addresses in the list of email addresses each particular computer sends email messages.
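As an added illustration of the detection logic described in the abstract and claim 1 (this is not the patentee's code and does not come from the specification), the following Python sketch builds a per-computer working set from a baseline window of sent and received mail, then evaluates the four tests over a watch window: how many computers send outside their working set, how many computers send several mails to the same recipient, each computer's change in send rate, and each computer's count of mail leaving its working set. The host names, addresses, the 10-minute windows, the `Thresholds` values and the constructed mail events are all assumptions chosen for the example; the "recipient computer" of the claim is approximated by the recipient address.

```python
"""Toy zombie-spam detector following the abstract and claim 1.

Added example, not the patentee's code. Log format, host names, addresses,
thresholds and window lengths are constructed assumptions for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Thresholds:
    # Names map to the claim language; the values are assumed, not from the patent.
    hosts_outside_ws: int = 2      # "first threshold number of computers"
    hosts_same_recipient: int = 2  # "second threshold number of computers"
    mails_to_recipient: int = 3    # "first threshold number of emails" to one recipient
    outside_ws_per_host: int = 10  # "second threshold number of emails" outside the working set
    rate_increase: float = 1.0     # "first threshold rate", in mails per minute


@dataclass
class Event:
    minute: float   # minutes since the start of observation (assumed log field)
    host: str       # internal computer that sent or received the mail
    direction: str  # "sent" or "recv"
    addr: str       # the remote email address


def build_working_sets(events, until):
    """Working set per host: every address it sent to or received from before `until`."""
    ws = defaultdict(set)
    for e in events:
        if e.minute < until:
            ws[e.host].add(e.addr)
    return ws


def detect(events, baseline_end, window_end, th):
    """Evaluate the four claim-1 conditions over the window [baseline_end, window_end)."""
    ws = build_working_sets(events, baseline_end)
    base_sent, obs_sent, outside = Counter(), Counter(), Counter()
    per_recipient = defaultdict(Counter)  # addr -> host -> mails sent in the window
    hosts = set()
    for e in events:
        hosts.add(e.host)
        if e.direction != "sent":
            continue
        if e.minute < baseline_end:
            base_sent[e.host] += 1
        elif e.minute < window_end:
            obs_sent[e.host] += 1
            per_recipient[e.addr][e.host] += 1
            if e.addr not in ws[e.host]:  # a host with no baseline has an empty set
                outside[e.host] += 1

    # Network-wide tests: many hosts leaving their working sets, or many hosts
    # hammering the same recipient.
    fleet_outside = sum(1 for h in hosts if outside[h] > 0) >= th.hosts_outside_ws
    targeted = {}
    for addr, senders in per_recipient.items():
        heavy = sorted(h for h, n in senders.items() if n >= th.mails_to_recipient)
        if len(heavy) >= th.hosts_same_recipient:
            targeted[addr] = heavy

    # Per-host tests: send-rate change against the host's own baseline, and the
    # volume of mail addressed outside its working set.
    flagged = {}
    obs_len = window_end - baseline_end
    for h in sorted(hosts):
        reasons = []
        rate_change = obs_sent[h] / obs_len - base_sent[h] / baseline_end
        if rate_change > th.rate_increase:
            reasons.append("rate_increase")
        if outside[h] >= th.outside_ws_per_host:
            reasons.append("outside_working_set")
        if reasons:
            flagged[h] = reasons

    return {
        "fleet_outside_ws": fleet_outside,
        "targeted_recipients": targeted,
        "hosts": flagged,
        # The abstract detects on "at least one of" the conditions.
        "attack": fleet_outside or bool(targeted) or bool(flagged),
    }


def sample_events():
    """Constructed traffic: minutes 0-10 are the baseline, 10-20 the watch window."""
    staff = {"ws1": "alice@corp.example", "ws2": "bob@corp.example",
             "ws3": "carol@corp.example", "ws4": "dave@corp.example"}
    ev, t = [], 0.0
    for h in staff:                       # baseline: everyone mails everyone once
        for other, addr in staff.items():
            if other != h:
                ev.append(Event(t, h, "sent", addr))
                ev.append(Event(t + 0.1, h, "recv", addr))
                t += 0.2
    ev.append(Event(11.0, "ws1", "sent", staff["ws2"]))  # normal hosts
    ev.append(Event(12.0, "ws4", "sent", staff["ws3"]))
    for zombie in ("ws2", "ws3"):         # zombies: spam run plus a shared target
        for i in range(12):
            ev.append(Event(10.5 + i * 0.5, zombie, "sent", f"u{i}@victim{i}.example"))
        for i in range(4):
            ev.append(Event(17.0 + i * 0.2, zombie, "sent", "target@bulk.example"))
    return ev


if __name__ == "__main__":
    print(detect(sample_events(), baseline_end=10.0, window_end=20.0, th=Thresholds()))
```

On the sample data the two zombies trip every test: both send more than ten mails outside their working sets, both raise their send rate by more than one mail per minute over their baseline, two hosts leave their working sets (meeting the first threshold number of computers), and two hosts each send at least three mails to target@bulk.example. One caveat a deployment would need to handle is that a computer with no baseline traffic has an empty working set, so all of its mail counts as "outside"; a warm-up period, or updating the working set as claim 5 describes, avoids flagging a freshly provisioned machine.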
Specification