Systematic mining of associated server herds for uncovering malware and attack campaigns
First Claim
1. A method for detecting malicious servers, comprising:
analyzing, by a processor of a computer system, network traffic data to generate a main similarity measure for each server pair of a plurality of servers found in the network traffic data, wherein the main similarity measure represents first similarity between two servers of the server pair based on a plurality of clients found in the network traffic data that communicate to both of the two servers using at least a portion of the network traffic data;
extracting, by the processor and based on a first pre-determined algorithm, a main subset representing a portion of the plurality of servers based on the main similarity measure;
analyzing, by the processor, the network traffic data to generate a plurality of secondary similarity measures for each server pair of the plurality of servers, wherein a secondary similarity measure of the plurality of secondary similarity measures represents second similarity between the two servers of the server pair based on a pre-determined criterion;
extracting, by the processor and based on a second pre-determined algorithm, a secondary subset representing another portion of the plurality of servers based on the secondary similarity measure;
identifying a server of the plurality of servers that belongs to the main subset and the secondary subset; and
determining, by the processor, a suspicious score of the server based on at least a first similarity density measure of the main subset, a second similarity density measure of the secondary subset, and a commonality measure of the main subset and the secondary subset.
Abstract
A method for detecting malicious servers. The method includes analyzing network traffic data to generate a main similarity measure and a secondary similarity measure for each server pair found in the network traffic data, extracting a main subset and a secondary subset of servers based on the main similarity measure and the secondary similarity measure, identifying a server that belongs to the main subset and the secondary subset, and determining a suspicious score of the server based on at least a first similarity density measure of the main subset, a second similarity density measure of the secondary subset, and a commonality measure of the main subset and the secondary subset.
20 Claims
1. A method for detecting malicious servers, comprising:
analyzing, by a processor of a computer system, network traffic data to generate a main similarity measure for each server pair of a plurality of servers found in the network traffic data, wherein the main similarity measure represents first similarity between two servers of the server pair based on a plurality of clients found in the network traffic data that communicate to both of the two servers using at least a portion of the network traffic data;
extracting, by the processor and based on a first pre-determined algorithm, a main subset representing a portion of the plurality of servers based on the main similarity measure;
analyzing, by the processor, the network traffic data to generate a plurality of secondary similarity measures for each server pair of the plurality of servers, wherein a secondary similarity measure of the plurality of secondary similarity measures represents second similarity between the two servers of the server pair based on a pre-determined criterion;
extracting, by the processor and based on a second pre-determined algorithm, a secondary subset representing another portion of the plurality of servers based on the secondary similarity measure;
identifying a server of the plurality of servers that belongs to the main subset and the secondary subset; and
determining, by the processor, a suspicious score of the server based on at least a first similarity density measure of the main subset, a second similarity density measure of the secondary subset, and a commonality measure of the main subset and the secondary subset.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system for detecting malicious servers, comprising:
a processor of a computer system;
memory comprising instructions executable by the processor, wherein the instructions comprise:
a main similarity analyzer configured to:
analyze network traffic data to generate a main similarity measure for each server pair of a plurality of servers found in the network traffic data, wherein the main similarity measure represents first similarity between two servers of the server pair based on a plurality of clients found in the network traffic data that communicate with both of the two servers using at least a portion of the network traffic data; and
extract, based on a first pre-determined algorithm, a main subset representing a portion of the plurality of servers based on the main similarity measure;
a secondary similarity analyzer configured to:
analyze the network traffic data to generate a plurality of secondary similarity measures for each server pair of the plurality of servers, wherein a secondary similarity measure of the plurality of secondary similarity measures represents second similarity between the two servers of the server pair based on a pre-determined criterion; and
extract, based on a second pre-determined algorithm, a secondary subset representing another portion of the plurality of servers based on the secondary similarity measure; and
a correlation analyzer configured to:
identify a server of the plurality of servers that belongs to the main subset and the secondary subset; and
determine a suspicious score of the server based on at least a first similarity density measure of the main subset, a second similarity density measure of the secondary subset, and a commonality measure of the main subset and the secondary subset; and
a repository configured to store the main subset, the secondary subset, the first similarity density measure of the main subset, the second similarity density measure of the secondary subset, and the commonality measure of the main subset and the secondary subset.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A non-transitory computer readable medium embodying instructions for detecting malicious servers, the instructions when executed by a processor comprising functionality for:
analyzing network traffic data to generate a main similarity measure for each server pair of a plurality of servers found in the network traffic data, wherein the main similarity measure represents first similarity between two servers of the server pair based on a plurality of clients found in the network traffic data that communicate to both of the two servers using at least a portion of the network traffic data;
extracting, based on a first pre-determined algorithm, a main subset representing a portion of the plurality of servers based on the main similarity measure;
analyzing the network traffic data to generate a plurality of secondary similarity measures for each server pair of the plurality of servers, wherein a secondary similarity measure of the plurality of secondary similarity measures represents second similarity between the two servers of the server pair based on a pre-determined criterion;
extracting, based on a second pre-determined algorithm, a secondary subset representing another portion of the plurality of servers based on the secondary similarity measure;
identifying a server of the plurality of servers that belongs to the main subset and the secondary subset; and
determining a suspicious score of the server based on at least a first similarity density measure of the main subset, a second similarity density measure of the secondary subset, and a commonality measure of the main subset and the secondary subset.
Dependent claims: 16, 17, 18, 19, 20.
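The abstract and independent claims 1, 8 and 15 all describe the same pipeline: a client-overlap similarity between every server pair, a cluster ("main subset") extracted from it, a second similarity under some other criterion with its own cluster ("secondary subset"), and a suspicious score for servers that fall in both, built from the two cluster densities and the overlap between the clusters. The following Python is an added worked example written for this page; it is not code from the patent or its assignee. Everything not stated in the claims is an assumption chosen here: the "pre-determined criterion" is modelled as shared URL paths, both "pre-determined algorithms" as thresholded similarity graphs cut into connected components, similarity density as mean pairwise Jaccard inside a subset, commonality as Jaccard of the two subsets, and the score as the product of the three. The traffic records are constructed placeholders, not real hosts.

```python
"""Added worked example of the claimed server-herd scoring (not the patent's code).
Host names, paths, thresholds and the score formula are constructed assumptions."""
from collections import defaultdict
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Record = Tuple[str, str, str]  # (client, server, url_path)

# Constructed traffic sample. srvA/srvB/srvC share most clients AND the same
# path, so they form one herd under both measures. cdn1 shares clients with
# cdn2 but paths with cdn3, so its two subsets disagree and its score is low.
TRAFFIC: List[Record] = [
    ("c1", "srvA", "/gate.php"), ("c1", "srvB", "/gate.php"), ("c1", "srvC", "/gate.php"),
    ("c2", "srvA", "/gate.php"), ("c2", "srvB", "/gate.php"), ("c2", "srvC", "/gate.php"),
    ("c3", "srvA", "/gate.php"), ("c3", "srvB", "/gate.php"),
    ("c4", "srvB", "/gate.php"), ("c4", "srvC", "/gate.php"),
    ("c1", "cdn1", "/index.html"), ("c5", "cdn1", "/index.html"), ("c6", "cdn1", "/style.css"),
    ("c5", "cdn2", "/app.js"), ("c6", "cdn2", "/fonts.woff"), ("c7", "cdn2", "/app.js"),
    ("c8", "cdn3", "/index.html"), ("c9", "cdn3", "/style.css"), ("c9", "cdn3", "/logo.png"),
]

Similarity = Dict[FrozenSet[str], float]


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Jaccard similarity of two sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def pairwise_similarity(features: Dict[str, Set[str]]) -> Similarity:
    """One similarity value for every server pair, from a per-server feature set."""
    return {frozenset((s, t)): jaccard(features[s], features[t])
            for s, t in combinations(sorted(features), 2)}


def extract_subsets(sim: Similarity, servers: Iterable[str],
                    threshold: float) -> List[FrozenSet[str]]:
    """Assumed 'pre-determined algorithm': keep pairs at or above the threshold
    and return the connected components that contain at least two servers."""
    adj: Dict[str, Set[str]] = defaultdict(set)
    for pair, value in sim.items():
        if value >= threshold:
            s, t = tuple(pair)
            adj[s].add(t)
            adj[t].add(s)
    seen: Set[str] = set()
    subsets: List[FrozenSet[str]] = []
    for start in sorted(servers):
        if start in seen or start not in adj:
            continue  # isolated server: not part of any herd
        comp: Set[str] = set()
        stack = [start]
        while stack:
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(adj[node] - comp)
        seen |= comp
        subsets.append(frozenset(comp))
    return subsets


def density(subset: FrozenSet[str], sim: Similarity) -> float:
    """Similarity density (assumed): mean pairwise similarity inside the subset."""
    pairs = [frozenset(p) for p in combinations(subset, 2)]
    return sum(sim[p] for p in pairs) / len(pairs)


def score_servers(traffic: List[Record], main_threshold: float = 0.4,
                  secondary_threshold: float = 0.4) -> Dict[str, float]:
    """Suspicious score for every server that sits in both a main and a
    secondary subset: density(main) * density(secondary) * commonality."""
    clients: Dict[str, Set[str]] = defaultdict(set)
    paths: Dict[str, Set[str]] = defaultdict(set)
    for client, server, path in traffic:
        clients[server].add(client)
        paths[server].add(path)
    servers = set(clients)
    main_sim = pairwise_similarity(clients)      # claimed: shared clients
    secondary_sim = pairwise_similarity(paths)   # assumed criterion: shared URL paths
    main_subsets = extract_subsets(main_sim, servers, main_threshold)
    secondary_subsets = extract_subsets(secondary_sim, servers, secondary_threshold)
    scores: Dict[str, float] = {}
    for m in main_subsets:
        for s in secondary_subsets:
            commonality = jaccard(set(m), set(s))
            for server in m & s:  # components are disjoint, so each server scores once
                scores[server] = density(m, main_sim) * density(s, secondary_sim) * commonality
    return scores


if __name__ == "__main__":
    for server, score in sorted(score_servers(TRAFFIC).items(), key=lambda kv: -kv[1]):
        print(f"{server:6s} suspicious score = {score:.3f}")
```

With the constructed sample the three `srv*` hosts each score 2/3 (main density 2/3, secondary density 1, commonality 1), `cdn1` scores 1/9 because its client-based herd and its path-based herd share only `cdn1` itself, and `cdn2`/`cdn3` get no score because each is isolated under one of the two measures. Tuning the thresholds and the combination formula is where a real deployment would spend its effort; the claims leave both open.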