System for identifying illegitimate communications between computers by comparing evolution of data flows

US 9,847,924 B2
Filed: 04/02/2015
Issued: 12/19/2017
Est. Priority Date: 10/10/2012
Status: Active Grant

First Claim

Patent Images

1. A real-time method of identifying similar and coordinated communications between a plurality of computers connected by a network, the method comprising:

monitoring communications between a plurality of pairs of computers over the network to obtain a first flow metric for a first pair of computers and a second flow metric for a second pair of computers, wherein the first flow metric represents at least one property of a first data flow between the first pair of computers and the second flow metric represents at least one property of a second data flow between the second pair of computers;

updating a representation of the evolution of the first data flow between the first pair of computers using the first flow metric or updating a representation of the evolution of the second data flow between the second pair of computers using the second flow metric;

comparing the representation of the evolution of the first data flow and the representation of the evolution of the second data flow to determine the similarity of the first data flow and the second data flow; and

identifying the first pair of computers and the second pair of computers as exhibiting similar and coordinated communication if the first data flow and second data flow are determined to be similar.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for identifying similar and coordinated communications between computers connected by a network are described. Communications between a plurality of pairs of computers are monitored to obtain respective flow metrics for a first and second pair of computers. The flow metric represents at least one property of the data flow between the pair of computers. Representations of the evolution of the data flows between the pairs of computers are updated using the flow metrics. The representations of the evolution of the data flows are compared to determine the similarity of the data flows between the pairs of computers. The first pair of computers and the second pair of computers are identified as exhibiting similar and coordinated communication if their data flows are determined to be similar.

16 Citations

View as Search Results

20 Claims

1. A real-time method of identifying similar and coordinated communications between a plurality of computers connected by a network, the method comprising:
- monitoring communications between a plurality of pairs of computers over the network to obtain a first flow metric for a first pair of computers and a second flow metric for a second pair of computers, wherein the first flow metric represents at least one property of a first data flow between the first pair of computers and the second flow metric represents at least one property of a second data flow between the second pair of computers;
  
  updating a representation of the evolution of the first data flow between the first pair of computers using the first flow metric or updating a representation of the evolution of the second data flow between the second pair of computers using the second flow metric;
  
  comparing the representation of the evolution of the first data flow and the representation of the evolution of the second data flow to determine the similarity of the first data flow and the second data flow; and
  
  identifying the first pair of computers and the second pair of computers as exhibiting similar and coordinated communication if the first data flow and second data flow are determined to be similar.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the flow metric includes the average number of bytes per unit time transmitted between the pair of computers.
  - 3. The method of claim 1, wherein the flow metric includes the average number of bytes per packet transmitted between the pair of computers.
  - 4. The method of claim 1, and further comprising:
    - identifying computers that are a source of similar and coordinated communication; and
      
      only monitoring communications between a pair of computers if at least one of the computers of the pair has been identified as a source of similar and coordinated communication.
  - 5. The method of claim 1, and further comprising:
    - using a self-organizing map to arrange the representations of the evolution of the data flow by similarity, and wherein only representations within a limited range of similarity are compared.
  - 6. The method of claim 1, wherein clustering is used and wherein the representation of the evolution of the data flow comprises a sequence of clusters of the flow metric.
  - 7. The method of claim 6, wherein comparing the representations includes determining if any cluster of the representation of the evolution of the first data flow matches more than one cluster of the representation of the evolution of the second data flow.
  - 8. The method of claim 7, wherein a match between clusters is determined based on the separation of the centres of the clusters, the support of the clusters or the radius of the clusters.
  - 9. The method of claim 8, wherein remediating communication comprises one or more of:
    - blocking;
      
      filtering, and switching.
  - 10. The method of claim 6, wherein comparing the representations includes determining if a pair of first clusters and a pair of second clusters of the representation of the evolution of the first data flow and the representation of the evolution of the second data flow match.
  - 11. The method of claim 1, further comprising:
    - remediating communication between the first pair of computers and/or the second pair of computers if they are identified as exhibiting illegitimate communication.
  - 12. The method of claim 1, further comprising clearing a representation of the evolution of a data flow from memory when the data flow is determined unlikely to correspond to illegitimate communication.
  - 13. The method of claim 12, wherein the representation of the evolution is removed from memory if the age of the representation of the evolution is greater than the age of the representation of the evolution of the first data flow or second data flow for the first pair of computers and the second pair of computers that have been identified as exhibiting illegitimate communication.
  - 14. The method of claim 12, wherein the representation of the evolution is removed from memory a fixed period of time after the first pair of computers and the second pair of computers that have been identified as exhibiting illegitimate communication.
  - 15. The method of claim 1, wherein each data flow over the network is treated separately at a network level by a tuple including a source IP address and a destination IP address.
  - 16. The method of claim 1, wherein the method identifies botnets and pairs of computers exhibiting botnet communication behaviour.

17. A data processing apparatus comprising one or more data processing devices and one or more non-transitory computer readable media, the non-transitory computer readable medium or media storing computer program code executable by the data processing device or devices to carry out a real-time method of identifying similar and coordinated communications between a plurality of computers connected by a network, the method comprising:
- monitoring communications between a plurality of pairs of computers over the network to obtain a first flow metric for a first pair of computers and a second flow metric for a second pair of computers, wherein the first flow metric represents at least one property of a first data flow between the first pair of computers and the second flow metric represents at least one property of a second data flow between the second pair of computers;
  
  updating a representation of the evolution of the first data flow between the first pair of computers using the first flow metric or updating a representation of the evolution of the second data flow between the second pair of computers using the second flow metric;
  
  comparing the representation of the evolution of the first data flow and the representation of the evolution of the second data flow to determine the similarity of the first data flow and the second data flow; and
  
  identifying the first pair of computers and the second pair of computers as exhibiting similar and coordinated communication if the first data flow and second data flow are determined to be similar.
- View Dependent Claims (18, 19)
- - 18. The data processing apparatus of claim 17, wherein the data processing apparatus includes or comprises a router.
  - 19. The data processing apparatus of claim 17, wherein the apparatus is distributed over different physical devices which are in communication.

20. One or more non-transitory computer readable media storing computer program code executable by one or more data processing devices to carry out a real-time method of identifying similar and coordinated communications between a plurality of computers connected by a network, the method comprising:
- monitoring communications between a plurality of pairs of computers over the network to obtain a first flow metric for a first pair of computers and a second flow metric for a second pair of computers, wherein the first flow metric represents at least one property of a first data flow between the first pair of computers and the second flow metric represents at least one property of a second data flow between the second pair of computers;
  
  updating a representation of the evolution of the first data flow between the first pair of computers using the first flow metric or updating a representation of the evolution of the second data flow between the second pair of computers using the second flow metric;
  
  comparing the representation of the evolution of the first data flow and the representation of the evolution of the second data flow to determine the similarity of the first data flow and the second data flow; and
  
  identifying the first pair of computers and the second pair of computers as exhibiting similar and coordinated communication if the first data flow and second data flow are determined to be similar.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lancaster University Business Enterprises Limited
Original Assignee
Lancaster University Business Enterprises Limited
Inventors
Angelov, Plamen, Bruncak, Radovan, Hutchison, David, Simpson, Steven, Smith, Paul
Primary Examiner(s)
Luu, Le H

Application Number

US14/677,283
Publication Number

US 20150304198A1
Time in Patent Office

992 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/0876   Network utilisation, e.g. v...

H04L 43/12   Network monitoring probes

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/16   Implementing security featu...

System for identifying illegitimate communications between computers by comparing evolution of data flows

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System for identifying illegitimate communications between computers by comparing evolution of data flows

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others