Systematic mining of associated server herds for uncovering malware and attack campaigns

  • US 9,088,598 B1
  • Filed: 11/14/2013
  • Issued: 07/21/2015
  • Est. Priority Date: 11/14/2013
  • Status: Active Grant
First Claim
1. A method for detecting malicious servers, comprising:

  • analyzing, by a processor of a computer system, network traffic data to generate a main similarity measure for each server pair of a plurality of servers found in the network traffic data, wherein the main similarity measure represents first similarity between two servers of the server pair based on a plurality of clients found in the network traffic data that communicate to both of the two servers using at least a portion of the network traffic data;

  • extracting, by the processor and based on a first pre-determined algorithm, a main subset representing a portion of the plurality of servers based on the main similarity measure;

  • analyzing, by the processor, the network traffic data to generate a plurality of secondary similarity measures for each server pair of the plurality of servers, wherein a secondary similarity measure of the plurality of secondary similarity measures represents second similarity between the two servers of the server pair based on a pre-determined criterion;

  • extracting, by the processor and based on a second pre-determined algorithm, a secondary subset representing another portion of the plurality of servers based on the secondary similarity measure;

  • identifying a server of the plurality of servers that belongs to the main subset and the secondary subset; and

  • determining, by the processor, a suspicious score of the server based on at least a first similarity density measure of the main subset, a second similarity density measure of the secondary subset, and a commonality measure of the main subset and the secondary subset.
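
The claim above describes the pipeline abstractly; the following is an added worked example (not code from the patent or its assignee) that runs the whole method over a handful of constructed flow records. Every concrete choice is an assumption standing in for the claim's unspecified parts: the main similarity is the Jaccard overlap of the two servers' client populations, the secondary criterion is lexical similarity of the hostnames (Jaccard of their dot/hyphen-separated labels), both "pre-determined algorithms" extract connected components of servers whose pairwise similarity meets a threshold, density is the mean pairwise similarity inside a subset, commonality is the Jaccard overlap of a main subset with a secondary subset, and the suspicious score is the product of those three numbers. Servers `a1` and `a2` in the sample form a herd (same clients, similar names); `c.bad-cdn.example` looks similar by name but shares almost no clients, so it ends up in the secondary subset only and is not scored.

```python
"""Server-herd mining as in claim 1: main (shared-client) similarity, secondary
(lexical) similarity, subset extraction, and a combined suspicious score.
All parameter choices are assumptions, not the patent's own."""
from collections import defaultdict
from itertools import combinations

# Constructed (client, server) flow records; not taken from the patent.
FLOWS = [
    ("c1", "a1.bad-cdn.example"), ("c1", "a2.bad-cdn.example"),
    ("c2", "a1.bad-cdn.example"), ("c2", "a2.bad-cdn.example"),
    ("c3", "a1.bad-cdn.example"), ("c3", "a2.bad-cdn.example"),
    ("c3", "c.bad-cdn.example"),  ("c4", "c.bad-cdn.example"),
    ("c5", "mail.goodsite.example"),
]


def jaccard(a, b):
    """|a & b| / |a | b|, defined as 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def client_sets(flows):
    """Map each server to the set of clients that talked to it."""
    servers = defaultdict(set)
    for client, server in flows:
        servers[server].add(client)
    return servers


def main_similarity(flows):
    """Main measure (assumed): Jaccard overlap of the two servers' client sets."""
    sets = client_sets(flows)
    return {frozenset((a, b)): jaccard(sets[a], sets[b])
            for a, b in combinations(sorted(sets), 2)}


def secondary_similarity(servers):
    """Secondary measure under an assumed lexical criterion:
    Jaccard overlap of the hostname labels split on '.' and '-'."""
    labels = {s: set(s.replace("-", ".").split(".")) for s in servers}
    return {frozenset((a, b)): jaccard(labels[a], labels[b])
            for a, b in combinations(sorted(servers), 2)}


def extract_subsets(similarity, servers, threshold):
    """Assumed extraction algorithm: connected components of the graph whose
    edges are server pairs with similarity >= threshold. Singletons are dropped,
    since a 'herd' of one server carries no density information."""
    adj = defaultdict(set)
    for pair, sim in similarity.items():
        if sim >= threshold:
            a, b = tuple(pair)
            adj[a].add(b)
            adj[b].add(a)
    seen, subsets = set(), []
    for s in sorted(servers):
        if s in seen or s not in adj:
            continue
        comp, stack = set(), [s]
        while stack:                      # iterative DFS over the component
            cur = stack.pop()
            if cur in comp:
                continue
            comp.add(cur)
            stack.extend(adj[cur] - comp)
        seen |= comp
        subsets.append(frozenset(comp))
    return subsets


def density(subset, similarity):
    """Similarity density (assumed): mean pairwise similarity inside the subset."""
    pairs = [similarity[frozenset(p)] for p in combinations(sorted(subset), 2)]
    return sum(pairs) / len(pairs) if pairs else 0.0


def suspicious_scores(flows, threshold=0.5):
    """Score every server that sits in both a main and a secondary subset.
    Score (assumed) = main density * secondary density * commonality, where
    commonality is the Jaccard overlap of the two subsets."""
    servers = sorted(client_sets(flows))
    main_sim = main_similarity(flows)
    sec_sim = secondary_similarity(servers)
    main_subsets = extract_subsets(main_sim, servers, threshold)
    sec_subsets = extract_subsets(sec_sim, servers, threshold)
    scores = {}
    for m in main_subsets:
        for s in sec_subsets:
            common = m & s
            if not common:
                continue
            score = density(m, main_sim) * density(s, sec_sim) * jaccard(m, s)
            for server in common:             # keep the best score per server
                scores[server] = max(scores.get(server, 0.0), score)
    return scores


if __name__ == "__main__":
    for server, score in sorted(suspicious_scores(FLOWS).items()):
        print(f"{server:24s} suspicious score = {score:.3f}")
```

With the sample flows, `a1` and `a2` share all three clients (main similarity 1.0) and sit in a three-member lexical subset of density 0.6 whose overlap with the two-member main subset is 2/3, giving each a score of about 0.4; `c.bad-cdn.example` shares only one client with the herd (main similarity 0.25, below the threshold) and receives no score. In practice the threshold, the lexical criterion and the score formula are the knobs to tune against labelled traffic.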

  • 2 Assignments