Risk information output device, information output system, risk information output method, and recording medium
US-2024414180-A1 · Dec 12, 2024 · US
Finding command and control center computers by communication link tracking
US9344442B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9344442-B1 |
| Application number | US-201514704709-A |
| Country | US |
| Kind code | B1 |
| Filing date | May 5, 2015 |
| Priority date | Feb 5, 2014 |
| Publication date | May 17, 2016 |
| Grant date | May 17, 2016 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Methods, systems, and apparatus, including computer programs encoded on computer storage media for identifying malware attacks collects data traffic information. A system receives data traffic information indicative of communications between computers within a network and computers external to the network. The system parses the data traffic information to identify communication links between the computers within the network and computers external to the network. The system can generate communication link profiles for each of the computers within the network. The system can then group computers within the network into computer clusters based on similarities between the communication link profiles for each computer. The system can identify computer clusters having anomalous communication patterns as being indicative of a malware attack.
First claim
Opening claim text (preview).
What is claimed is: 1. A computer-implemented method, comprising: determining a communication link profile for each of a plurality of internal computers located within a network, the communication link profile for each internal computer comprising a representation of a set of computers that have communicated with the internal computer; grouping the internal computers into computer clusters based on similarities in communication link profiles for each internal computer, wherein computers having communication link profiles that reach a threshold level of similarity are grouped into a same cluster; determining that communication link profiles associated with internal computers in a first computer cluster deviate from communication link profiles associated with internal computers that are not included in the first computer cluster by more than a specified threshold deviation value; and identifying the first computer cluster as including internal computers having communication link profiles indicative of a malware attack based on the determination that communication link profiles associated with internal computers in the first computer cluster deviate from communication link profiles associated with internal computers that are not included in the first computer cluster by more than the specified threshold deviation value. 2. The method of claim 1 , further comprising: in response to identifying the first computer cluster as including internal computers having communication link profiles indicative of a malware attack, identifying one or more computers from the sets of computers that have communicated with the internal computers from the first computer cluster as command and control center computers supporting the malware attack; storing identifiers of the identified command and control center computers on a list of identified command and control center computers; and restricting communications between the plurality of internal computers and the identified command and control center computers. 3. The method of claim 1 , wherein determining that communication link profiles associated with internal computers in the first computer cluster deviate from communication link profiles associated with internal computers that are not included in the first computer cluster by more than a specified threshold deviation value includes: mapping the communication link profiles for the internal computers onto a coordinate space; identifying the computer clusters within the coordinate space; determining distances between each of the computer clusters within the coordinate space; calculating, for each computer cluster, an average coordinate space distance between the computer cluster and other computer clusters; and determining that the average coordinate space distance between the first computer cluster and the other computer clusters is greater than a threshold coordinate space distance value. 4. The method of claim 1 , wherein identifying the first computer cluster as including internal computers having communication link profiles indicative of the malware attack includes: accessing a list of known command and control center identifiers; identifying, using the list of known command and control center identifiers, a first computer that is in communication with one or more internal computers of the first computer cluster as being a command and control center computer; and in response to identifying the first computer as the command and control center computer, identifying the first computer cluster as including internal computers having communication link profiles indicative of a malware attack. 5. A non-transitory storage device storing instructions operable to cause one or more computers to perform operations comprising: determining a communication link profile for each of a plurality of internal computers located within a network, the communication link profile for each internal computer comprising a representation of a set of computers that have communicated with the internal computer; grouping the internal computers into computer clusters based on similarities in communication link profiles for each internal computer, wherein computers having communication link profiles that reach a threshold level of similarity are grouped into a same cluster; determining that communication link profiles associated with internal computers in a first computer cluster deviate from communication link profiles associated with internal computers that are not included in the first computer cluster by more than a specified threshold deviation value; and identifying the first computer cluster as including internal computers having communication link profiles indicative of a malware attack based on the determination that communication link profiles associated with internal computers in the first computer cluster deviate from communication link profiles associated with internal computers that are not included in the first computer cluster by more than the specified threshold deviation value. 6. The non-transitory storage device of claim 5 , the operations further comprising: in response to identifying the first computer cluster as including internal computers having communication link profiles indicative of a malware attack, identifying one or more computers from the sets of computers that have communicated with the internal computers from the first computer cluster as command and control center computers supporting the malware attack; storing identifiers of the identified command and control center computers on a list of identified command and control center computers; and restricting communications between the plurality of internal computers and the identified command and control center computers. 7. The non-transitory storage device of claim 5 , wherein the communication link profile for each internal computer further comprises a representation of a set of computers that have communicated with the internal computer over a specified period of time. 8. The non-transitory storage device of claim 5 , wherein the communication link profile for each internal computer further comprises a representation of a frequency of communication between the internal computer and the set of computers that have communicated with the internal computer. 9. The non-transitory storage device of claim 5 , wherein identifying the first computer cluster as including internal computers having communication link profiles indicative of a malware attack includes determining that the frequencies of communication identified for internal computers in the first computer cluster varies from an average frequency of communication for each of the plurality of internal computers by more than a threshold value. 10. A system comprising: one or more computers; and a non-transitory storage device storing instructions operable to cause the one or more computers to perform operations comprising: determining a communication link profile for each of a plurality of internal computers located within a network, the communication link profile for each internal computer comprising a representation of a set of computers that have communicated with the internal computer; grouping the internal computers into computer clusters based on similarities in communication link profiles for each internal computer, wherein computers having communication link profiles that reach a threshold level of similarity are grouped into a same cluster; determining that communication link profiles associated with internal computers in a first computer cluster deviate from communication link profiles associated with internal computers that are not included in the first computer cluster by more than a specified thre
Assignees
Inventors
Classifications
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
Terminal profiles · CPC title
in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46) · CPC title
- H04L63/1425Primary
Traffic logging, e.g. anomaly detection · CPC title
Profiles · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US9344442B1 cover?
- Methods, systems, and apparatus, including computer programs encoded on computer storage media for identifying malware attacks collects data traffic information. A system receives data traffic information indicative of communications between computers within a network and computers external to the network. The system parses the data traffic information to identify communication links between th…
- Who is the assignee on this patent?
- Pivotal Software Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue May 17 2016 00:00:00 GMT+0000 (Coordinated Universal Time) (B1). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).