Risk information output device, information output system, risk information output method, and recording medium
US-2024414180-A1 · Dec 12, 2024 · US
US2016080404A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016080404-A1 |
| Application number | US-201414485731-A |
| Country | US |
| Kind code | A1 |
| Filing date | Sep 14, 2014 |
| Priority date | Sep 14, 2014 |
| Publication date | Mar 17, 2016 |
| Grant date | — |
Official abstract text for this publication.
In one embodiment a method, system and apparatus is described for detecting a malicious network connection, the method system and apparatus including determining, for each connection over a network, if each connection is a persistent connection, if, as a result of the determining, a first connection is determined to be a persistent connection, collecting connection statistics for the first connection, creating a feature vector for the first connection based on the collected statistics, performing outlier detection for all of the feature vector for all connections over a network which have been determined to be persistent connections, and reporting detected outliers. Related methods, systems and apparatus are also described.
Opening claim text (preview).
What is claimed is:

1. A method for detecting a malicious network connection, the method comprising: determining, for each connection over a network, if each connection is a persistent connection; if, as a result of the determining, a first connection is determined to be a persistent connection, collecting connection statistics for the first connection; creating a feature vector for the first connection based on the collected statistics; performing outlier detection for all of the feature vector for all connections over a network which have been determined to be persistent connections; and reporting detected outliers.
2. The method according to claim 1 wherein the persistent connection comprises a connection where the connection occurs repeatedly in time.
3. The method according to claim 1 wherein the persistence, p, of a connection is defined as: $p(c, W) = \frac{1}{n}\sum_{i=1}^{n} \mathbb{1}_{c,b_i}$ where: c is the connection in question; $W = [b_1, \ldots, b_n]$ is the observation window composed of n measurement windows; and $\mathbb{1}_{c,b_i}$ is a function which is equal to 1 if the connection was active at least once during the measurement window $b_i$, otherwise the function $\mathbb{1}_{c,b_i}$ is equal to 0.
4. The method according to claim 3 wherein a persistent connection is characterized as having a value p ≥ 0.2.
5. The method according to claim 3 wherein a persistence threshold is where p is in the range of 0.5-0.8.
6. The method according to claim 1 wherein the steps of determining if each connection is a persistent connection and collecting connection information are performed repeatedly.
7. The method according to claim 1 wherein the steps of creating the feature vector, performing outlier detection, and reporting detected outliers are performed repeatedly.
8. The method according to claim 1, wherein the feature vectors comprise more than one of the following features: average flow duration; flows inter-arrival times mean; flows inter-arrival times variance; target autonomous system overall surprisal; target autonomous system per-service surprisal; unique local ports count; bytes amount weighted by target autonomous system exclusivity; user overall daily activity match; remote service entropy; and remote service ratio.
9. The method according to claim 1 wherein the feature vectors comprise more than one of the following features: logarithm of the total amount of bytes sent or received within the persistent connection; autocorrelation of time series generated by sent bytes of packets within the persistent connection; and ratio of bytes sent and received by the persistent connection.
10. The method according to claim 1 wherein the outlier detection is based on detecting deviation from an anticipated value of a curve of at least one feature of the feature vectors showing feature values versus probability.
11. The method according to claim 1 wherein the calculating statistics for the at least one identified connection of interest is performed using at least one Bloom filter.
12. The method according to claim 11, wherein, every time a connection is recorded in the Bloom filter, the persistence of the connection is checked right after recording the connection.
13. The method according to claim 11, wherein when a Bloom filter is to be created, its size is determined based on projected maximal network traffic in a period of time during which the to-be-created Bloom filter is to be active.
14. The method according to claim 11, wherein a safeguard is employed that monitors a number of connections which are input to the Bloom filter; if the number of connections input to the Bloom filter reaches a projected size value, then a new Bloom filter is created and new connection occurrences are stored in the newly created Bloom filter, and queries about connections are executed on both the original Bloom filter and the new Bloom filter.
15. The method according to claim 11 and further comprising using at least one Bloom filter in order to conserve memory.
16. The method according to claim 3 wherein the observation window is represented by a bit array.
17. The method according to claim 16 wherein encountered connections are stored as keys and a corresponding observation window for that key is stored as values in a map.
18. A system for detecting a malicious network connection, the method comprising: a first processor which determines, for each connection over a network, if each connection is a persistent connection; a statistics collector which collects connection statistics for the first connection if the processor determined that a first connection is a persistent connection; a second processor operative to create a feature vector for the first connection based on the collected statistics; an outlier detection processor which performs outlier detection for all of the feature vector for all connections over a network which have been determined to be persistent connections; and a reporter which reports detected outliers.
19. The system according to claim 18 wherein the persistent connection comprises a connection where the connection occurs repeatedly in time.
20. The system according to claim 18 wherein the persistence, p, of a connection is defined as: $p(c, W) = \frac{1}{n}\sum_{i=1}^{n} \mathbb{1}_{c,b_i}$ where: c is the connection in question; $W = [b_1, \ldots, b_n]$ is the observation window composed of n measurement windows; and $\mathbb{1}_{c,b_i}$ is a function which is equal to 1 if the connec
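The persistence measure of claim 3 and the claim 1 pipeline (persistence, statistics, feature vectors, outlier reporting) worked through as an added Python example; this is not code from the patent or its assignee. It uses the bit-array-in-a-map representation of claims 16-17 rather than the Bloom filters of claims 11-15, and the 60 s window length, ten-window observation period, 0.5 persistence threshold, three-feature vector, z-score cut-off and the flow records are all constructed assumptions.

```python
import math
import statistics
from collections import defaultdict

WINDOW_S, N_WINDOWS = 60, 10  # assumed: n = 10 measurement windows b_i of 60 s form W
P_THRESHOLD = 0.5             # low end of the 0.5-0.8 persistence range of claim 5
# Constructed flow records (start_s, client, server, port, bytes); not patent data.
IATS = [45, 80, 35, 130, 50, 100, 70]  # irregular gaps used for ordinary clients
def _client(offset, server, nbytes):
    times = [offset + sum(IATS[:i]) for i in range(len(IATS) + 1)]
    return [(t, "10.0.0.9", server, 443, nbytes) for t in times]
SAMPLE_FLOWS = (
    [(60 * i, "10.0.0.2", "203.0.113.5", 443, 300) for i in range(10)]  # regular beacon
    + _client(5, "198.51.100.7", 2500) + _client(15, "198.51.100.8", 5000)
    + _client(25, "198.51.100.9", 10000)
    + [(200, "10.0.0.3", "198.51.100.20", 80, 7000)]  # one-off connection
)
def build_observation_windows(flows):
    # Claims 16-17: connection key -> n-bit array, bit i set if active in window b_i.
    windows = defaultdict(int)
    for t, client, server, port, _ in flows:
        i = int(t // WINDOW_S)
        if 0 <= i < N_WINDOWS:
            windows[(client, server, port)] |= 1 << i
    return windows
def persistence(bits):
    # Claim 3: p(c, W) = (1/n) * sum_i 1_{c,b_i}, the fraction of active windows.
    return bin(bits).count("1") / N_WINDOWS
def feature_vector(conn_flows):
    # Claims 8-9 style statistics: inter-arrival mean and variance, log10 of total bytes.
    times = sorted(f[0] for f in conn_flows)
    iats = [b - a for a, b in zip(times, times[1:])]
    total_bytes = sum(f[4] for f in conn_flows)
    return [statistics.mean(iats), statistics.pvariance(iats), math.log10(total_bytes)]
def detect_outliers(vectors, z_thresh=1.4):
    # Claim 10: report a connection whose feature deviates from the population (assumed z cut-off).
    if len(vectors) < 2: return set()
    keys, flagged = list(vectors), set()
    for j in range(3):
        col = [vectors[k][j] for k in keys]
        mu, sd = statistics.mean(col), statistics.stdev(col)
        flagged |= {k for k, x in zip(keys, col) if sd and abs(x - mu) / sd > z_thresh}
    return flagged
def analyse(flows, p_threshold=P_THRESHOLD):
    # Claim 1 end to end: persistence -> statistics -> feature vectors -> outliers.
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f[1], f[2], f[3])].append(f)
    windows = build_observation_windows(flows)
    persistent = {k for k, b in windows.items() if persistence(b) >= p_threshold}
    return persistent, detect_outliers({k: feature_vector(by_key[k]) for k in persistent})
```

On the constructed flows the beacon has p = 1.0 and a zero inter-arrival variance, so it is the one persistent connection reported as an outlier, while the one-off connection (p = 0.1) never reaches the feature stage.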
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
Traffic logging, e.g. anomaly detection · CPC title
by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title
at the network layer · CPC title
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title