Detecting altered applications using network traffic data

US 9,300,685 B2
Filed: 03/02/2015
Issued: 03/29/2016
Est. Priority Date: 11/29/2012
Status: Active Grant

First Claim

Patent Images

1. A method for detecting an altered application, the method comprising:

obtaining, by a processor, network traffic data for a plurality of endpoint devices to determine a network traffic signature for a first application, wherein the network traffic signature for the first application comprises a set of flows within a time window;

monitoring, by the processor, the network traffic data to determine a network traffic signature for a second application, wherein the network traffic signature for the second application comprises the network traffic signature of the first application plus a flow to an additional address that is not included in the set of flows of the network traffic signature of the first application;

determining, by the processor, a percentage of a number of endpoint devices using the second application versus a total number of endpoint devices using the first application and the second application; and

determining, by the processor, that the second application is the altered application comprising an altered version of the first application when the percentage satisfies a threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, computer readable medium and apparatus for detecting an altered application are disclosed. Network traffic data is obtained for a number of endpoint devices to determine a network traffic signature for a first application. The signature comprises a set of flows within a time window. Network traffic data is monitored to determine a network traffic signature for a second application. The signature for the second application comprises the network traffic signature of the first application plus a flow to an additional address. The method determines a ratio of endpoint devices having network traffic data that matches the signature for the second application as compared to a percentage of endpoint devices having network traffic data that matches the signature for the first application. When the percentage satisfies a threshold, the method determines that the second application is the altered application comprising an altered version of the first application.

16 Citations

20 Claims

1. A method for detecting an altered application, the method comprising:
- obtaining, by a processor, network traffic data for a plurality of endpoint devices to determine a network traffic signature for a first application, wherein the network traffic signature for the first application comprises a set of flows within a time window;
  
  monitoring, by the processor, the network traffic data to determine a network traffic signature for a second application, wherein the network traffic signature for the second application comprises the network traffic signature of the first application plus a flow to an additional address that is not included in the set of flows of the network traffic signature of the first application;
  
  determining, by the processor, a percentage of a number of endpoint devices using the second application versus a total number of endpoint devices using the first application and the second application; and
  
  determining, by the processor, that the second application is the altered application comprising an altered version of the first application when the percentage satisfies a threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein each of the flows in the set of flows comprises a flow between one of the plurality of endpoint devices and an address.
  - 3. The method of claim 1, wherein the plurality of endpoint devices comprises mobile endpoint devices.
  - 4. The method of claim 1, further comprising:
    - performing a remedial action in response to determining that the second application is the altered application.
  - 5. The method of claim 4, wherein the remedial action comprises:
    - notifying an endpoint device that is determined to have network traffic data matching a network traffic signature of the second application that the endpoint device is infected with the altered application.
  - 6. The method of claim 4, wherein the remedial action comprises:
    - blocking new flows to the additional address.
  - 7. The method of claim 4, wherein the remedial action comprises:
    - determining that the second application comprises an updated version of the first application.
  - 8. The method of claim 7, wherein the determining that the second application comprises the updated version of the first application is based upon an observation of subsequent network traffic data.
  - 9. The method of claim 1, wherein the network traffic data comprises a plurality of network traffic data records.
  - 10. The method of claim 9, wherein each of the network traffic data records includes a source address and a destination address of a flow.
  - 11. The method of claim 10, wherein one of the source address and the destination address comprises a uniform resource locator of a domain.
  - 12. The method of claim 9, wherein the network traffic data records comprise call detail records.
  - 13. The method of claim 1, wherein the network traffic data for each flow is collected from a plurality of network elements processing the set of flows and the flow to the additional address.
  - 14. The method of claim 1, wherein the additional address is associated with a server.
  - 15. The method of claim 14, wherein the server comprises an advertising server.
  - 16. The method of claim 14, wherein the server comprises a command and control server.

17. A non-transitory computer readable medium storing a plurality of instructions which, when executed by a processor, cause the processor to perform operations, the operations comprising:
- obtaining network traffic data for a plurality of endpoint devices to determine a network traffic signature for a first application, wherein the network traffic signature for the first application comprises a set of flows within a time window;
  
  monitoring the network traffic data to determine a network traffic signature for a second application, wherein the network traffic signature for the second application comprises the network traffic signature of the first application plus a flow to an additional address that is not included in the set of flows of the network traffic signature of the first application;
  
  determining a percentage of a number of endpoint devices using the second application versus a total number of endpoint devices using the first application and the second application; and
  
  determining that the second application is an altered application comprising an altered version of the first application when the percentage satisfies a threshold.
- View Dependent Claims (18, 19)
- - 18. The non-transitory computer readable medium of claim 17, further comprising:
    - performing a remedial action in response to determining that the second application is the altered application.
  - 19. The non-transitory computer readable medium of claim 18, wherein the remedial action comprises:
    - notifying an endpoint device that is determined to have network traffic data matching a network traffic signature of the second application that the endpoint device is infected with the altered application.

20. An apparatus for detecting an altered application, the apparatus comprising:
- a hardware processor; and
  
  a non-transitory computer-readable medium, storing a plurality of instructions which, when executed by the processor, cause the processor to perform operations, the operations comprising;
  
  obtaining network traffic data for a plurality of endpoint devices to determine a network traffic signature for a first application, wherein the network traffic signature for the first application comprises a set of flows within a time window;
  
  monitoring the network traffic data to determine a network traffic signature for a second application, wherein the network traffic signature for the second application comprises the network traffic signature of the first application plus a flow to an additional address that is not included in the set of flows of the network traffic signature of the first application;
  
  determining a percentage of a number of endpoint devices using the second application versus a total number of endpoint devices using the first application and the second application; and
  
  determining that the second application is the altered application comprising an altered version of the first application when the percentage satisfies a threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Wang, Wei, Bickford, Jeffrey E.
Primary Examiner(s)
Williams, Jeffery
Assistant Examiner(s)
SARKER, SANCHIT K

Application Number

US14/635,636
Publication Number

US 20150172312A1
Time in Patent Office

393 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1441 Countermeasures against mal...

Detecting altered applications using network traffic data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting altered applications using network traffic data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links