Methods, systems, and computer program products for detecting communication anomalies in a network based on overlap between sets of users communicating with entities in the network

US 9,641,545 B2
Filed: 10/26/2015
Issued: 05/02/2017
Est. Priority Date: 03/04/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a memory that stores instructions; and

a processor that executes the instructions to perform operations, the operations comprising;

determining an overlap between subsets of a set of users that entities of a plurality of entities communicated with, respectively, wherein the plurality of entities comprise domain names;

identifying, based on the overlap and based on a similarity metric between pairs of the entities of the plurality of entities, a cluster of the entities of the plurality of entities; and

determining whether communication between the cluster of the entities and the set of users is anomalous based on the overlap, wherein determining whether the communication between the cluster of the entities and the set of users is anomalous comprises;

determining whether the communication associated with the cluster of the entities is anomalous based on a number of internet protocol addresses each of the domain names in the cluster of the entities resolves to over a time period; and

determining whether the communication associated with the cluster of entities is anomalous based on a sequence in which users of the set of users communicate with the cluster of the entities.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Anomalies are detected in a network by detecting communication between a plurality of entities and a set of users in the network, determining an overlap between subsets of the set of users that the entities comprising the plurality of entities communicated with, respectively, and determining whether the communication between the plurality of entities and the set of users is anomalous based on the overlap.

25 Citations

View as Search Results

20 Claims

1. A system, comprising:
- a memory that stores instructions; and
  
  a processor that executes the instructions to perform operations, the operations comprising;
  
  determining an overlap between subsets of a set of users that entities of a plurality of entities communicated with, respectively, wherein the plurality of entities comprise domain names;
  
  identifying, based on the overlap and based on a similarity metric between pairs of the entities of the plurality of entities, a cluster of the entities of the plurality of entities; and
  
  determining whether communication between the cluster of the entities and the set of users is anomalous based on the overlap, wherein determining whether the communication between the cluster of the entities and the set of users is anomalous comprises;
  
  determining whether the communication associated with the cluster of the entities is anomalous based on a number of internet protocol addresses each of the domain names in the cluster of the entities resolves to over a time period; and
  
  determining whether the communication associated with the cluster of entities is anomalous based on a sequence in which users of the set of users communicate with the cluster of the entities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the operations further comprise detecting the communication between the cluster of the entities and the set of users.
  - 3. The system of claim 1, wherein the operations further comprise determining, based on the overlap of the subsets of the set of users for each of the pairs, respectively, the similarity metric between the pairs of the entities of the plurality of entities.
  - 4. The system of claim 1, wherein the operations further comprise matching short messaging service data and internet protocol data from the communication with the users of the set of users.
  - 5. The system of claim 1, wherein the operations further comprise determining whether the communication between the cluster of the entities and the set of users is anomalous based on an operating system type of a device utilized to communicate with the cluster of the entities.
  - 6. The system of claim 1, wherein the operations further comprise determining whether the communication between the cluster of the entities and the set of users is anomalous based on a reputation of the entities in the cluster.
  - 7. The system of claim 1, wherein the operations further comprise determining whether the communication between the cluster of the entities and the set of users is anomalous based on a stability of the cluster of the entities over time.
  - 8. The system of claim 1, wherein the operations further comprise determining whether the communication between the cluster of the entities and the set of users is anomalous based on the cluster of the entities comprising phone numbers.
  - 9. The system of claim 1, wherein the operations further comprise determining that the communication between the cluster of the entities and the set of users is not anomalous when a quantity of the entities in the cluster is less than a threshold.
  - 10. The system of claim 1, wherein the operations further comprise determining whether the communication between the cluster of the entities and the set of users is anomalous based on changes in the entities in the cluster.
  - 11. The system of claim 1, wherein the operations further comprise comparing the cluster of the entities of the plurality of entities to a new cluster of the entities of the plurality of entities.
  - 12. The system of claim 1, wherein the operations further comprise labeling the cluster for a blacklist if the communication between the cluster of the entities and the set of users is determined to be anomalous.

13. A method, comprising:
- determining, by utilizing instructions from a memory that are executed by a processor, an overlap between subsets of a set of users that entities of a plurality of entities communicated with, respectively, wherein the plurality of entities comprise domain names;
  
  identifying, based on the overlap and based on a similarity metric between pairs of the entities of the plurality of entities, a cluster of the entities of the plurality of entities; and
  
  determining whether communication between the cluster of the entities and the set of users is anomalous based on the overlap, wherein determining whether the communication between the cluster of the entities and the set of users is anomalous comprises;
  
  determining whether the communication associated with the cluster of the entities is anomalous based on an operating system type of a device utilized to communicate with the cluster of the entities; and
  
  determining whether the communication associated with the cluster of entities is anomalous based on a sequence in which users of the set of users communicate with the cluster of the entities.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, further comprising determining whether the communication between the cluster of the entities and the set of users is anomalous based on a number of internet protocol addresses each of the domain names in the cluster of the entities resolves to over a time period.
  - 15. The method of claim 13, further comprising determining, based on the overlap of the subsets of the set of users for each of the pairs, respectively, the similarity metric between the pairs of the entities of the plurality of entities.
  - 16. The method of claim 13, further comprising determining that the communication between the cluster of the entities and the set of users is not anomalous when a quantity of the entities in the cluster is less than a threshold.
  - 17. The method of claim 13, further comprising determining whether the communication between the cluster of the entities and the set of users is anomalous based on a number of countries contacted by phone numbers in the cluster.
  - 18. The method of claim 13, further comprising labeling the cluster for a blacklist if the communication between the cluster of the entities and the set of users is determined to be anomalous.
  - 19. The method of claim 13, further comprising determining whether the communication between the cluster of the entities and the set of users is anomalous based on a stability of the cluster of the entities over time.

20. A non-transitory computer-readable medium comprising instructions, which when loaded and executed by a processor, cause the processor to perform operations, the operations comprising:
- determining an overlap between subsets of a set of users that entities of a plurality of entities communicated with, respectively, wherein the plurality of entities comprise domain names;
  
  identifying, based on the overlap and based on a similarity metric between pairs of the entities of the plurality of entities, a cluster of the entities of the plurality of entities; and
  
  determining whether communication between the cluster of the entities and the set of users is anomalous based on the overlap, wherein determining whether the communication between the cluster of the entities and the set of users is anomalous comprises;
  
  determining whether the communication associated with the cluster of the entities is anomalous based on an operating system type of a device utilized to communicate with the cluster of the entities; and
  
  determining whether the communication associated with the cluster of entities is anomalous based on a stability of the cluster of the entities over time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Boggs, Nathaniel, Wang, Wei, Coskun, Baris, Mathur, Suhas
Primary Examiner(s)
Nguyen, Quang N

Application Number

US14/922,744
Publication Number

US 20160044056A1
Time in Patent Office

554 Days
Field of Search

726 25, 706 21, 706 46, 600481
US Class Current
CPC Class Codes

H04L 41/14   Network analysis or design

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

Methods, systems, and computer program products for detecting communication anomalies in a network based on overlap between sets of users communicating with entities in the network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Methods, systems, and computer program products for detecting communication anomalies in a network based on overlap between sets of users communicating with entities in the network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others