Detecting altered applications using network traffic data
First Claim
1. A method for detecting an altered application, comprising:
obtaining, by a processor, network traffic data for a plurality of endpoint devices to determine a network traffic signature for a first application, wherein the network traffic signature for the first application comprises a set of flows within a time window;
monitoring, by the processor, the network traffic data to determine a network traffic signature for a second application, wherein the network traffic signature for the second application comprises the network traffic signature of the first application plus a flow to an additional address that is not included in the set of flows of the network traffic signature of the first application;
determining, by the processor, a ratio of endpoint devices having network traffic data that matches the network traffic signature for the second application as compared to a percentage of endpoint devices having network traffic data that matches the network traffic signature for the first application; and
determining, by the processor, that the second application is the altered application comprising an altered version of the first application when the percentage satisfies a threshold.
Abstract
A method, computer readable medium and apparatus for detecting an altered application are disclosed. Network traffic data is obtained for a number of endpoint devices to determine a network traffic signature for a first application. The signature comprises a set of flows within a time window. Network traffic data is monitored to determine a network traffic signature for a second application. The signature for the second application comprises the network traffic signature of the first application plus a flow to an additional address. The method determines a ratio of endpoint devices having network traffic data that matches the signature for the second application as compared to a percentage of endpoint devices having network traffic data that matches the signature for the first application. When the percentage satisfies a threshold, the method determines that the second application is the altered application comprising an altered version of the first application.
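The detection logic of the abstract and claim 1, as an added worked example (not code from the patent or its assignee): each endpoint's signature is the set of destinations it contacts within a time window of its first flow, endpoints whose signature is the baseline plus exactly one extra address are grouped by that address, and an address is reported when its share of baseline-matching endpoints meets the threshold. The flow records, the 30-second window and the threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (endpoint, timestamp in seconds, destination
# address); assumed format, not data from the patent. ep3 and ep4 reach an extra
# address inside the window; ep6 reaches it only after the window has closed.
FLOW_RECORDS = [
    ("ep1", 100, "api.example.test"), ("ep1", 101, "cdn.example.test"),
    ("ep2", 100, "api.example.test"), ("ep2", 102, "cdn.example.test"),
    ("ep3", 100, "api.example.test"), ("ep3", 101, "cdn.example.test"),
    ("ep3", 103, "198.51.100.7"),
    ("ep4", 200, "api.example.test"), ("ep4", 201, "cdn.example.test"),
    ("ep4", 202, "198.51.100.7"),
    ("ep5", 100, "api.example.test"), ("ep5", 150, "cdn.example.test"),
    ("ep6", 300, "api.example.test"), ("ep6", 320, "cdn.example.test"),
    ("ep6", 400, "198.51.100.7"),
]

# Known signature of the first (unaltered) application: its set of flows.
BASELINE = {"api.example.test", "cdn.example.test"}


def endpoint_signatures(records, window):
    """Per endpoint, the set of destinations reached within `window` seconds of
    that endpoint's first flow (the claim's 'set of flows within a time window')."""
    first_seen, dests = {}, defaultdict(set)
    for endpoint, ts, dst in sorted(records, key=lambda r: r[1]):
        start = first_seen.setdefault(endpoint, ts)
        if ts - start <= window:
            dests[endpoint].add(dst)
    return {ep: frozenset(d) for ep, d in dests.items()}


def find_altered_apps(signatures, baseline, threshold):
    """Return {extra_address: share} for every second-application signature
    (baseline plus one additional address) whose share of the endpoints matching
    the baseline signature is at least `threshold`."""
    baseline = frozenset(baseline)
    matches_first = [ep for ep, sig in signatures.items() if sig >= baseline]
    if not matches_first:
        return {}
    extra_by_addr = defaultdict(list)
    for ep in matches_first:
        extra = signatures[ep] - baseline
        if len(extra) == 1:  # exactly one flow beyond the baseline signature
            extra_by_addr[next(iter(extra))].append(ep)
    return {addr: len(eps) / len(matches_first)
            for addr, eps in extra_by_addr.items()
            if len(eps) / len(matches_first) >= threshold}


if __name__ == "__main__":
    sigs = endpoint_signatures(FLOW_RECORDS, window=30)
    print(find_altered_apps(sigs, BASELINE, threshold=0.25))
```

With the constructed records, five endpoints match the baseline and two of them carry the extra flow, so the share is 0.4; ep5 never matches the baseline because its second flow falls outside the window.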
20 Claims
1. A method for detecting an altered application, comprising:
obtaining, by a processor, network traffic data for a plurality of endpoint devices to determine a network traffic signature for a first application, wherein the network traffic signature for the first application comprises a set of flows within a time window;
monitoring, by the processor, the network traffic data to determine a network traffic signature for a second application, wherein the network traffic signature for the second application comprises the network traffic signature of the first application plus a flow to an additional address that is not included in the set of flows of the network traffic signature of the first application;
determining, by the processor, a ratio of endpoint devices having network traffic data that matches the network traffic signature for the second application as compared to a percentage of endpoint devices having network traffic data that matches the network traffic signature for the first application; and
determining, by the processor, that the second application is the altered application comprising an altered version of the first application when the percentage satisfies a threshold.
Dependent claims: 2 through 16.
17. A non-transitory computer readable medium storing a plurality of instructions which, when executed by a processor, cause the processor to perform operations, the operations comprising:
obtaining network traffic data for a plurality of endpoint devices to determine a network traffic signature for a first application, wherein the network traffic signature for the first application comprises a set of flows within a time window;
monitoring the network traffic data to determine a network traffic signature for a second application, wherein the network traffic signature for the second application comprises the network traffic signature of the first application plus a flow to an additional address that is not included in the set of flows of the network traffic signature of the first application;
determining a ratio of endpoint devices having network traffic data that matches the network traffic signature for the second application as compared to a percentage of endpoint devices having network traffic data that matches the network traffic signature for the first application; and
determining that the second application is an altered application comprising an altered version of the first application when the percentage satisfies a threshold.
Dependent claims: 18 and 19.
20. An apparatus for detecting an altered application, the apparatus comprising:
a processor; and
a non-transitory computer-readable medium in communication with the processor, storing a plurality of instructions which, when executed by the processor, cause the processor to perform operations, the operations comprising:
obtaining network traffic data for a plurality of endpoint devices to determine a network traffic signature for a first application, wherein the network traffic signature for the first application comprises a set of flows within a time window;
monitoring the network traffic data to determine a network traffic signature for a second application, wherein the network traffic signature for the second application comprises the network traffic signature of the first application plus a flow to an additional address that is not included in the set of flows of the network traffic signature of the first application;
determining a ratio of endpoint devices having network traffic data that matches the network traffic signature for the second application as compared to a percentage of endpoint devices having network traffic data that matches the network traffic signature for the first application; and
determining that the second application is the altered application comprising an altered version of the first application when the percentage satisfies a threshold.
Specification