Graph-based method to detect malware command-and-control infrastructure
First Claim
1. A method for identifying one or more potentially infected internal devices and one or more potential malware command and control devices, comprising:
generating a bipartite graph that includes one or more internal devices inside a protected network and one or more destinations outside the protected network which communicate over a period of time, including by receiving communication information that includes:
(1) one or more internal devices, (2) one or more destinations that those internal devices communicated with, and (3) one or more times at which those internal devices communicated with those destinations;
reducing the bipartite graph to obtain a reduced bipartite graph, including by:
eliminating any communication information associated with times outside of the period of time; and
eliminating those connections that include a whitelisted internal device inside the protected network and those connections that include a whitelisted destination outside the protected network;
determining a degree of isolation representative of a degree to which a cluster, within the reduced bipartite graph and which includes one or more internal devices and one or more destinations, is isolated from one or more other clusters based at least in part on a number of connections between the cluster and said other clusters; and
using a processor to identify the cluster as being a potentially infected cluster of one or more potentially infected internal devices inside the protected network and one or more potential malware command and control devices outside the protected network in the event the cluster's degree of isolation from other clusters exceeds an isolation threshold.
9 Assignments
0 Petitions
Abstract
Potentially infected internal device(s) and potential malware command and control device(s) are identified by generating a bipartite graph that includes internal device(s) inside a network and destination(s) outside the network which communicate over a period of time. The bipartite graph is reduced to obtain a reduced bipartite graph, including by eliminating those connections that include a whitelisted internal device and those connections that include a whitelisted destination. From the reduced graph, a cluster of potentially infected internal device(s) and potential malware command and control device(s) is identified based at least in part on (1) the cluster's degree of isolation from other clusters and (2) an isolation threshold.
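The claim and the abstract describe a pipeline (collect host/destination/time triples, drop records outside the window, drop whitelisted hosts and destinations, cluster the reduced bipartite graph, score each cluster by how few of its connections lead to other clusters, flag clusters above a threshold) without fixing how clusters are formed or how the score is normalised. The following is an added worked example, not code from the patent or its assignee. It assumes one reasonable reading: a cluster is seeded from each external destination together with every internal host that contacted it, and the degree of isolation is 1 minus the share of the cluster hosts' edges that leave the cluster (the "connections between the cluster and other clusters"). The flow-log format, the window, the whitelists, the threshold and the minimum cluster size are all constructed for the example.

```python
"""Bipartite-graph C2 cluster detection (worked example, not the patent's code).

Assumed interpretation (not from the page): cluster = destination + hosts that
contacted it; degree of isolation = 1 - cross_edges / edges_touching_cluster_hosts.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample flow log, one "timestamp src dst" record per line.
# 10.0.1.11-13 beacon to 203.0.113.7 and otherwise only touch a whitelisted
# updater; 10.0.1.20-22 browse a normal mix of sites.
SAMPLE_LOG = """\
2024-03-01T08:00:05Z 10.0.1.11 203.0.113.7
2024-03-01T08:05:07Z 10.0.1.11 203.0.113.7
2024-03-01T08:00:09Z 10.0.1.12 203.0.113.7
2024-03-01T08:10:11Z 10.0.1.13 203.0.113.7
2024-03-01T08:01:00Z 10.0.1.11 update.example.com
2024-03-01T08:02:00Z 10.0.1.12 update.example.com
2024-03-01T08:03:00Z 10.0.1.20 update.example.com
2024-03-01T08:04:00Z 10.0.1.20 cdn.example.net
2024-03-01T08:04:30Z 10.0.1.21 cdn.example.net
2024-03-01T08:04:40Z 10.0.1.21 news.example.org
2024-03-01T08:04:50Z 10.0.1.22 news.example.org
2024-03-01T08:04:55Z 10.0.1.22 cdn.example.net
2024-02-20T23:00:00Z 10.0.1.13 198.51.100.9
2024-03-01T09:00:00Z 10.0.1.50 198.51.100.9
"""

# Constructed analysis window and whitelists (the "period of time" and the
# whitelisted internal devices / destinations of the claim).
WINDOW_START = datetime(2024, 3, 1, 0, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 3, 1, 23, 59, 59, tzinfo=timezone.utc)
WHITELISTED_DEST = {"update.example.com"}
WHITELISTED_INTERNAL = {"10.0.1.50"}  # e.g. an authorised vulnerability scanner


def parse_log(text):
    """Parse the constructed log into (time, internal_host, destination) triples."""
    edges = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        edges.append((t, src, dst))
    return edges


def build_reduced_graph(edges, start, end, wl_internal, wl_dest):
    """Bipartite graph host -> {destinations}, after the two reduction steps:
    drop records outside [start, end] and drop any connection that touches a
    whitelisted host or a whitelisted destination."""
    host_to_dest = defaultdict(set)
    for t, src, dst in edges:
        if not (start <= t <= end):
            continue  # outside the period of time
        if src in wl_internal or dst in wl_dest:
            continue  # whitelisted endpoint: the connection is eliminated
        host_to_dest[src].add(dst)
    return dict(host_to_dest)


def seed_clusters(host_to_dest):
    """Assumed clustering: one candidate cluster per destination, consisting of
    that destination and every internal host that contacted it."""
    dest_to_hosts = defaultdict(set)
    for host, dests in host_to_dest.items():
        for d in dests:
            dest_to_hosts[d].add(host)
    return dict(dest_to_hosts)


def isolation_degree(hosts, host_to_dest):
    """1 - (edges from the cluster's hosts to destinations outside the cluster)
    / (all edges touching the cluster's hosts).  Each host has exactly one edge
    to the seed destination, so internal edges == len(hosts)."""
    total = sum(len(host_to_dest[h]) for h in hosts)
    cross = total - len(hosts)
    return 1.0 - cross / total


def find_suspect_clusters(host_to_dest, threshold=0.75, min_hosts=2):
    """Return (destination, hosts, isolation) for clusters above the threshold.
    min_hosts is an added guard: a single host with a single destination is
    trivially isolated and would otherwise always fire."""
    found = []
    for dest, hosts in seed_clusters(host_to_dest).items():
        if len(hosts) < min_hosts:
            continue
        iso = isolation_degree(hosts, host_to_dest)
        if iso > threshold:
            found.append((dest, frozenset(hosts), iso))
    return sorted(found, key=lambda item: -item[2])


if __name__ == "__main__":
    graph = build_reduced_graph(parse_log(SAMPLE_LOG), WINDOW_START, WINDOW_END,
                                WHITELISTED_INTERNAL, WHITELISTED_DEST)
    for dest, hosts, iso in find_suspect_clusters(graph):
        print(f"potential C2 {dest}: isolation={iso:.2f} hosts={sorted(hosts)}")
```

On the sample data the 203.0.113.7 cluster scores 1.0 and is flagged: hosts 10.0.1.11 and .12 did talk to something else in the window, but only the whitelisted updater, and 10.0.1.13's older contact with 198.51.100.9 falls outside the window, so after reduction the three hosts have no edges to any other cluster. The cdn.example.net cluster scores 0.6 and news.example.org 0.5, because their hosts share edges with each other's clusters. Two caveats a practitioner should keep in mind: the whitelist is load-bearing (leaving a popular service off it merely dilutes its isolation score, but whitelisting a CDN or cloud service that the C2 actually lives on hides the C2 entirely), and an isolated cluster is only "potentially" malicious, since a niche internal business application used by a few hosts that do nothing else in the window scores exactly the same as a beaconing implant.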
79 Citations
20 Claims
1. A method for identifying one or more potentially infected internal devices and one or more potential malware command and control devices, comprising:
generating a bipartite graph that includes one or more internal devices inside a protected network and one or more destinations outside the protected network which communicate over a period of time, including by receiving communication information that includes:
(1) one or more internal devices, (2) one or more destinations that those internal devices communicated with, and (3) one or more times at which those internal devices communicated with those destinations;
reducing the bipartite graph to obtain a reduced bipartite graph, including by:
eliminating any communication information associated with times outside of the period of time; and
eliminating those connections that include a whitelisted internal device inside the protected network and those connections that include a whitelisted destination outside the protected network;
determining a degree of isolation representative of a degree to which a cluster, within the reduced bipartite graph and which includes one or more internal devices and one or more destinations, is isolated from one or more other clusters based at least in part on a number of connections between the cluster and said other clusters; and
using a processor to identify the cluster as being a potentially infected cluster of one or more potentially infected internal devices inside the protected network and one or more potential malware command and control devices outside the protected network in the event the cluster's degree of isolation from other clusters exceeds an isolation threshold.
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A computer program product for identifying one or more potentially infected internal devices and one or more potential malware command and control devices, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
generating a bipartite graph that includes one or more internal devices inside a protected network and one or more destinations outside the protected network which communicate over a period of time, including by receiving communication information that includes:
(1) one or more internal devices, (2) one or more destinations that those internal devices communicated with, and (3) one or more times at which those internal devices communicated with those destinations;
reducing the bipartite graph to obtain a reduced bipartite graph, including by:
eliminating any communication information associated with times outside of the period of time; and
eliminating those connections that include a whitelisted internal device inside the protected network and those connections that include a whitelisted destination outside the protected network;
determining a degree of isolation representative of a degree to which a cluster, within the reduced bipartite graph and which includes one or more internal devices and one or more destinations, is isolated from one or more other clusters based at least in part on a number of connections between the cluster and said other clusters; and
identifying the cluster as being a potentially infected cluster of one or more potentially infected internal devices inside the protected network and one or more potential malware command and control devices outside the protected network in the event the cluster's degree of isolation from other clusters exceeds an isolation threshold.
Dependent claims: 10, 11, 12, 13

14. A system for identifying one or more potentially infected internal devices and one or more potential malware command and control devices, comprising:
a processor; and
a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when executed cause the processor to:
generate a bipartite graph that includes one or more internal devices inside a protected network and one or more destinations outside the protected network which communicate over a period of time, including by receiving communication information that includes:
(1) one or more internal devices, (2) one or more destinations that those internal devices communicated with, and (3) one or more times at which those internal devices communicated with those destinations;
reduce the bipartite graph to obtain a reduced bipartite graph, including by:
eliminating any communication information associated with times outside of the period of time; and
eliminating those connections that include a whitelisted internal device inside the protected network and those connections that include a whitelisted destination outside the protected network;
determine a degree of isolation representative of a degree to which a cluster, within the reduced bipartite graph and which includes one or more internal devices and one or more destinations, is isolated from one or more other clusters based at least in part on a number of connections between the cluster and said other clusters; and
identify the cluster as being a potentially infected cluster of one or more potentially infected internal devices inside the protected network and one or more potential malware command and control devices outside the protected network in the event the cluster's degree of isolation from other clusters exceeds an isolation threshold.
Dependent claims: 15, 16, 17, 18, 19, 20
Specification