Methods, systems, and computer program products for detecting communication anomalies in a network based on overlap between sets of users communicating with entities in the network
First Claim
1. A method, comprising:
  detecting communication between a plurality of entities and a set of users in the network;
  matching short messaging service data and internet protocol data from the communication with the users in the set of users;
  determining an overlap between subsets of the set of users that the entities comprising the plurality of entities communicated with, respectively, wherein the overlap is determined based on the matching;
  determining a similarity metric between pairs of the entities comprising the plurality of entities based on the overlap of the subsets of the set of users for each of the pairs, respectively;
  determining whether the communication between the plurality of entities and the set of users is anomalous based on the overlap; and
  identifying a cluster of the entities comprising the plurality of entities based on the overlap and the similarity metric;
  wherein the plurality of entities comprises domain names;
  wherein determining whether the communication between the plurality of entities and the set of users is anomalous comprises:
    determining whether the communication associated with the cluster of the entities is anomalous based on a number of internet protocol addresses each respective one of the domain names in the cluster of the entities resolves to over a time period;
    determining whether the communication associated with the cluster of the entities is anomalous based on operating system types of devices the set of users use to communicate with the entities comprising the cluster; and
    determining whether the communication associated with the cluster of the entities is anomalous based on the cluster of entities comprising prepaid phone numbers.
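The claim above is a procedure: match SMS and IP data to users, compute per-entity user subsets, derive a pairwise similarity from their overlap, cluster the entities, then judge each cluster on three indicators (how many addresses its domains resolve to, the operating systems of the reached users' devices, and whether it contains prepaid numbers). The following Python is an added worked example of that pipeline; it is not the patent's code or the assignee's implementation. Everything in it is an assumption chosen for illustration: the constructed SMS and IP records, the user-to-OS map, the prepaid list, Jaccard as the similarity metric, single-linkage (connected-component) clustering, and the thresholds for each indicator.

```python
# Added example, not the patent's code: user-overlap clustering of entities
# (sending phone numbers and domains) followed by the three per-cluster
# anomaly indicators named in the claim. All data, thresholds and names
# below are constructed for illustration.
from collections import Counter, defaultdict
from itertools import combinations
from typing import Dict, FrozenSet, List, Set

# Constructed SMS data: (sending phone number, user id).
SMS_RECORDS = [
    ("+15550000001", "u1"), ("+15550000001", "u2"), ("+15550000001", "u3"),
    ("+15550000002", "u1"), ("+15550000002", "u2"), ("+15550000002", "u4"),
    ("+15550009999", "u7"),
]
# Constructed IP data: (domain, user id, address the domain resolved to).
IP_RECORDS = [
    ("promo-a.example", "u1", "203.0.113.5"), ("promo-a.example", "u2", "203.0.113.6"),
    ("promo-a.example", "u3", "203.0.113.7"), ("promo-a.example", "u4", "203.0.113.8"),
    ("promo-b.example", "u1", "198.51.100.9"), ("promo-b.example", "u2", "198.51.100.10"),
    ("promo-b.example", "u3", "198.51.100.11"),
    ("news.example", "u5", "192.0.2.20"), ("news.example", "u6", "192.0.2.20"),
    ("news.example", "u7", "192.0.2.20"),
]
# Constructed subscriber metadata: device OS per user, and which numbers are prepaid.
USER_OS = {"u1": "android", "u2": "android", "u3": "android", "u4": "android",
           "u5": "ios", "u6": "android", "u7": "windows"}
PREPAID_NUMBERS = {"+15550000001", "+15550000002"}


def build_user_sets(sms, ip) -> Dict[str, Set[str]]:
    """Match SMS and IP records to users: entity -> subset of users it reached."""
    users = defaultdict(set)
    for sender, user in sms:
        users[sender].add(user)
    for domain, user, _addr in ip:
        users[domain].add(user)
    return dict(users)


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Overlap-based similarity metric: |A & B| / |A | B| (0 when both empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def pairwise_similarity(user_sets) -> Dict[FrozenSet[str], float]:
    """Similarity for every pair of entities, keyed by the unordered pair."""
    return {frozenset(p): jaccard(user_sets[p[0]], user_sets[p[1]])
            for p in combinations(sorted(user_sets), 2)}


def cluster_entities(user_sets, similarity, threshold) -> List[FrozenSet[str]]:
    """Single-linkage clustering: connected components of the 'similar enough' graph."""
    parent = {e: e for e in user_sets}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for pair, score in similarity.items():
        if score >= threshold:
            a, b = sorted(pair)
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for e in user_sets:
        groups[find(e)].add(e)
    return sorted((frozenset(g) for g in groups.values()), key=min)


def assess_cluster(cluster, user_sets, ip_records, user_os, prepaid,
                   min_resolved_ips=3, min_users=3, mono_os_share=0.9) -> List[str]:
    """Apply the three indicators from the claim; thresholds are constructed."""
    reasons = []
    # 1. Distinct addresses each domain in the cluster resolved to over the window.
    resolved = defaultdict(set)
    for domain, _user, addr in ip_records:
        if domain in cluster:
            resolved[domain].add(addr)
    flux = {d: len(a) for d, a in resolved.items() if len(a) >= min_resolved_ips}
    if flux:
        reasons.append(f"domains resolving to >= {min_resolved_ips} addresses: {flux}")
    # 2. OS types of the devices the reached users communicate from
    #    (a single-platform audience is treated as an indicator here by assumption).
    users = set().union(*(user_sets[e] for e in cluster))
    os_counts = Counter(user_os[u] for u in users)
    if len(users) >= min_users and os_counts.most_common(1)[0][1] / len(users) >= mono_os_share:
        reasons.append(f"{os_counts.most_common(1)[0][0]}-only audience of {len(users)} users")
    # 3. Does the cluster contain prepaid phone numbers?
    prepaid_in = sorted(cluster & prepaid)
    if prepaid_in:
        reasons.append(f"prepaid senders in cluster: {prepaid_in}")
    return reasons


def detect_anomalies(sms=SMS_RECORDS, ip=IP_RECORDS, user_os=USER_OS,
                     prepaid=PREPAID_NUMBERS, threshold=0.5):
    """Full pipeline: returns {cluster: reasons}; an empty list means not anomalous."""
    user_sets = build_user_sets(sms, ip)
    sim = pairwise_similarity(user_sets)
    clusters = cluster_entities(user_sets, sim, threshold)
    return {c: assess_cluster(c, user_sets, ip, user_os, prepaid) for c in clusters}


if __name__ == "__main__":
    for cluster, reasons in detect_anomalies().items():
        print("ANOMALOUS" if reasons else "ok       ", sorted(cluster))
        for r in reasons:
            print("           -", r)
```

With the constructed data the two prepaid numbers and the two promo domains reach the same four users, so they collapse into one cluster that trips all three indicators, while news.example and the lone number +15550009999 stay separate and clean. In practice the similarity threshold, the address-count window and the "mono-platform" share are tuning knobs an analyst sets per network; the code keeps them as parameters so they can be swept against known-benign traffic before being used for alerting.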
Abstract
Anomalies are detected in a network by detecting communication between a plurality of entities and a set of users in the network, determining an overlap between subsets of the set of users that the entities comprising the plurality of entities communicated with, respectively, and determining whether the communication between the plurality of entities and the set of users is anomalous based on the overlap.
16 Claims
1. A method, comprising: (independent claim; text as given under First Claim above)
  Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system for detecting communication anomalies in a network, comprising:
  a processor; and
  a memory that is coupled to the processor and comprises computer readable program code embodied in the memory that when executed by the processor causes the processor to perform operations comprising:
    detecting communication between a plurality of entities and a set of users in the network;
    matching short messaging service data and internet protocol data from the communication with the users in the set of users;
    determining an overlap between subsets of the set of users that the entities comprising the plurality of entities communicated with, respectively, wherein the overlap is determined based on the matching;
    determining a similarity metric between pairs of the entities comprising the plurality of entities based on the overlap of the subsets of the set of users for each of the pairs, respectively;
    determining whether the communication between the plurality of entities and the set of users is anomalous based on the overlap; and
    identifying a cluster of the entities comprising the plurality of entities based on the overlap and the similarity metric;
    wherein the plurality of entities comprises domain names;
    wherein determining whether the communication between the plurality of entities and the set of users is anomalous comprises:
      determining whether the communication associated with the cluster of the entities is anomalous based on a number of internet protocol addresses each respective one of the domain names in the cluster of the entities resolves to over a time period;
      determining whether the communication associated with the cluster of the entities is anomalous based on operating system types of devices the set of users use to communicate with the entities comprising the cluster; and
      determining whether the communication associated with the cluster of the entities is anomalous based on the cluster of entities comprising prepaid phone numbers.
  Dependent claims: 12, 13.
14. A non-transitory computer-readable medium comprising instructions, which when loaded and executed by a processor, cause the processor to perform operations, the operations comprising:
  detecting communication between a plurality of entities and a set of users in the network;
  matching short messaging service data and internet protocol data from the communication with the users in the set of users;
  determining an overlap between subsets of the set of users that the entities comprising the plurality of entities communicated with, respectively, wherein the overlap is determined based on the matching;
  determining a similarity metric between pairs of the entities comprising the plurality of entities based on the overlap of the subsets of the set of users for each of the pairs, respectively;
  determining whether the communication between the plurality of entities and the set of users is anomalous based on the overlap; and
  identifying a cluster of the entities comprising the plurality of entities based on the overlap and the similarity metric;
  wherein the plurality of entities comprises domain names;
  wherein determining whether the communication between the plurality of entities and the set of users is anomalous comprises:
    determining whether the communication associated with the cluster of the entities is anomalous based on a number of internet protocol addresses each respective one of the domain names in the cluster of the entities resolves to over a time period;
    determining whether the communication associated with the cluster of the entities is anomalous based on operating system types of devices the set of users use to communicate with the entities comprising the cluster; and
    determining whether the communication associated with the cluster of the entities is anomalous based on the cluster of entities comprising prepaid phone numbers.
  Dependent claims: 15, 16.