Methods, systems, and computer program products for detecting communication anomalies in a network based on overlap between sets of users communicating with entities in the network

US 9,203,856 B2
Filed: 03/04/2013
Issued: 12/01/2015
Est. Priority Date: 03/04/2013
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

detecting communication between a plurality of entities and a set of users in the network;

matching short messaging service data and internet protocol data from the communication with the users in the set of users;

determining an overlap between subsets of the set of users that the entities comprising the plurality of entities communicated with, respectively, wherein the overlap is determined based on the matching;

determining a similarity metric between pairs of the entities comprising the plurality of entities based on the overlap of the subsets of the set of users for each of the pairs, respectively;

determining whether the communication between the plurality of entities and the set of users is anomalous based on the overlap; and

identifying a cluster of the entities comprising the plurality of entities based on the overlap and the similarity metric;

wherein the plurality of entities comprises domain names;

wherein determining whether the communication between the plurality of entities and the set of users is anomalous comprises;

determining whether the communication associated with the cluster of the entities is anomalous based on a number of internet protocol addresses each respective one of the domain names in the cluster of the entities resolves to over a time period;

determining whether the communication associated with the cluster of the entities is anomalous based on operating system types of devices the set of users use to communicate with the entities comprising the cluster; and

determining whether the communication associated with the cluster of the entities is anomalous based on the cluster of entities comprising prepaid phone numbers.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Anomalies are detected in a network by detecting communication between a plurality of entities and a set of users in the network, determining an overlap between subsets of the set of users that the entities comprising the plurality of entities communicated with, respectively, and determining whether the communication between the plurality of entities and the set of users is anomalous based on the overlap.

Citations

16 Claims

1. A method, comprising:
- detecting communication between a plurality of entities and a set of users in the network;
  
  matching short messaging service data and internet protocol data from the communication with the users in the set of users;
  
  determining an overlap between subsets of the set of users that the entities comprising the plurality of entities communicated with, respectively, wherein the overlap is determined based on the matching;
  
  determining a similarity metric between pairs of the entities comprising the plurality of entities based on the overlap of the subsets of the set of users for each of the pairs, respectively;
  
  determining whether the communication between the plurality of entities and the set of users is anomalous based on the overlap; and
  
  identifying a cluster of the entities comprising the plurality of entities based on the overlap and the similarity metric;
  
  wherein the plurality of entities comprises domain names;
  
  wherein determining whether the communication between the plurality of entities and the set of users is anomalous comprises;
  
  determining whether the communication associated with the cluster of the entities is anomalous based on a number of internet protocol addresses each respective one of the domain names in the cluster of the entities resolves to over a time period;
  
  determining whether the communication associated with the cluster of the entities is anomalous based on operating system types of devices the set of users use to communicate with the entities comprising the cluster; and
  
  determining whether the communication associated with the cluster of the entities is anomalous based on the cluster of entities comprising prepaid phone numbers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - monitoring the communication associated with the plurality of entities during a training period.
  - 3. The method of claim 2, wherein the plurality of entities further comprises internet protocol addresses, phone numbers, and short codes;
    - and wherein the method further comprises;
      
      removing the domain names that communicated during the training period from the plurality of entities.
  - 4. The method of claim 1, wherein identifying the cluster of the entities comprises:
    - excluding the overlap of the subsets of the set of users for each of the pairs of the entities comprising the plurality of entities when the similarity metric for the respective pair is less than a similarity threshold;
      
      excluding the overlap of the subsets of the set of users for each of the pairs of the entities comprising the plurality of entities when the overlap is less than a user threshold; and
      
      determining a modularity of a graph in which nodes are defined by the plurality of entities and edges between the nodes are defined by the overlap of the subsets of the set of users for each of the pairs of the entities comprising the plurality of entities.
  - 5. The method of claim 1, wherein determining whether the communication between the plurality of entities and the set of users is anomalous comprises:
    - determining that the communication associated with the cluster of the entities is not anomalous when a number of the entities comprising the cluster is not greater than three.
  - 6. The method of claim 1, wherein determining whether the communication between the plurality of entities and the set of users is anomalous comprises:
    - determining whether the communication associated with the cluster of the entities is anomalous based on reputations of the entities comprising the cluster.
  - 7. The method of claim 1, wherein determining whether the communication between the plurality of entities and the set of users is anomalous comprises:
    - determining whether the communication associated with the cluster of the entities is anomalous based on internet protocol addresses the domain names in the cluster resolve to.
  - 8. The method of claim 1, wherein determining whether the communication between the plurality of entities and the set of users is anomalous comprises:
    - determining whether the communication associated with the cluster of the entities is anomalous based on a number of different countries contacted by the phone numbers in the cluster.
  - 9. The method of claim 1, wherein determining whether the communication between the plurality of entities and the set of users is anomalous comprises:
    - determining whether the communication associated with the cluster of the entities is anomalous based on communication sequences between the set of users and the entities comprising the cluster.
  - 10. The method of claim 1, wherein determining whether the communication between the plurality of entities and the set of users is anomalous comprises:
    - determining whether the communication associated with the cluster of the entities is anomalous based on changes in the plurality of entities comprising the cluster of the entities.

11. A system for detecting communication anomalies in a network, comprising:
- processor; and
  
  a memory that is coupled to the processor and comprises computer readable program code embodied in the memory that when executed by the processor causes the processor to perform operations comprising;
  
  detecting communication between a plurality of entities and a set of users in the network;
  
  matching short messaging service data and internet protocol data from the communication with the users in the set of users;
  
  determining an overlap between subsets of the set of users that the entities comprising the plurality of entities communicated with, respectively, wherein the overlap is determined based on the matching;
  
  determining a similarity metric between pairs of the entities comprising the plurality of entities based on the overlap of the subsets of the set of users for each of the pairs, respectively;
  
  determining whether the communication between the plurality of entities and the set of users is anomalous based on the overlap; and
  
  identifying a cluster of the entities comprising the plurality of entities based on the overlap and the similarity metric;
  
  wherein the plurality of entities comprises domain names;
  
  wherein determining whether the communication between the plurality of entities and the set of users is anomalous comprises;
  
  determining whether the communication associated with the cluster of the entities is anomalous based on a number of internet protocol addresses each respective one of the domain names in the cluster of the entities resolves to over a time period;
  
  determining whether the communication associated with the cluster of the entities is anomalous based on operating system types of devices the set of users use to communicate with the entities comprising the cluster; and
  
  determining whether the communication associated with the cluster of the entities is anomalous based on the cluster of entities comprising prepaid phone numbers.
- View Dependent Claims (12, 13)
- - 12. The system of claim 11, wherein the operations further comprise:
    - monitoring the communication associated with the plurality of entities during a training period.
  - 13. The system of claim 12, wherein the plurality of entities further comprises internet protocol addresses, phone numbers, and short codes;
    - and wherein the operations further comprise;
      
      removing the domain names that communicated during the training period from the plurality of entities.

14. A non-transitory computer-readable medium comprising instructions, which when loaded and executed by a processor, cause the processor to perform operations, the operations comprising:
- detecting communication between a plurality of entities and a set of users in the network;
  
  matching short messaging service data and internet protocol data from the communication with the users in the set of users;
  
  determining an overlap between subsets of the set of users that the entities comprising the plurality of entities communicated with, respectively, wherein the overlap is determined based on the matching;
  
  determining a similarity metric between pairs of the entities comprising the plurality of entities based on the overlap of the subsets of the set of users for each of the pairs, respectively;
  
  determining whether the communication between the plurality of entities and the set of users is anomalous based on the overlap; and
  
  identifying a cluster of the entities comprising the plurality of entities based on the overlap and the similarity metric;
  
  wherein the plurality of entities comprises domain names;
  
  wherein determining whether the communication between the plurality of entities and the set of users is anomalous comprises;
  
  determining whether the communication associated with the cluster of the entities is anomalous based on a number of internet protocol addresses each respective one of the domain names in the cluster of the entities resolves to over a time period;
  
  determining whether the communication associated with the cluster of the entities is anomalous based on operating system types of devices the set of users use to communicate with the entities comprising the cluster; and
  
  determining whether the communication associated with the cluster of the entities is anomalous based on the cluster of entities comprising prepaid phone numbers.
- View Dependent Claims (15, 16)
- - 15. The computer program product of claim 14, wherein the operations further comprise:
    - monitoring communication associated with the plurality of entities during a training period.
  - 16. The computer program product of claim 15, wherein the plurality of entities further comprises internet protocol addresses, phone numbers, and short codes;
    - and wherein the operations further comprise;
      
      removing the domain names that communicated during the training period from the plurality of entities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Boggs, Nathaniel, Wang, Wei, Coskun, Baris, Mathur, Suhas
Primary Examiner(s)
Nguyen, Quang N

Application Number

US13/784,410
Publication Number

US 20140250221A1
Time in Patent Office

1,002 Days
Field of Search

709/223, 709/224, 709/203, 709/217, 709/219
US Class Current

1/1
CPC Class Codes

H04L 41/14   Network analysis or design

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

Methods, systems, and computer program products for detecting communication anomalies in a network based on overlap between sets of users communicating with entities in the network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems, and computer program products for detecting communication anomalies in a network based on overlap between sets of users communicating with entities in the network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links