Title: Finding command and control center computers by communication link tracking
Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for identifying malware attacks from collected data traffic information. A system receives data traffic information indicative of communications between computers within a network and computers external to the network. The system parses the data traffic information to identify communication links between the computers within the network and computers external to the network. The system can generate a communication link profile for each of the computers within the network. The system can then group computers within the network into computer clusters based on similarities between the communication link profiles of each computer. The system can identify computer clusters having anomalous communication patterns as being indicative of a malware attack.
Publication number: US9344443(B1)  Publication date: 2016.05.17
Application number: US201514704750  Filing date: 2015.05.05
Applicant: Pivotal Software, Inc.  Inventors: Yu Jin; Lin Derek
Classification: G06F21/00; H04L29/06; H04L29/08; G06F17/30  Main classification: G06F21/00
Attorney firm: Fish & Richardson P.C.  Attorney: Fish & Richardson P.C.
Main claim: 1. A computer-implemented method, comprising: receiving data traffic information on communications between a set of internal computers with a set of external computers, wherein the set of internal computers are located within a network, and the set of external computers are outside the network; parsing the received data traffic information to identify communication links between the internal computers and the external computers, each communication link comprising an act by an internal computer to communicate with an external computer or an act by an external computer to communicate with an internal computer; determining a communication link profile for each of the internal computers using the identified communication links; grouping the internal computers into a plurality of computer clusters based on similarities in communication link profiles for each internal computer, wherein computers having communication link profiles that reach a threshold level of similarity are grouped into a same cluster; identifying a particular internal computer that is located within the network but is not a part of the set of internal computers; identifying communication links between the particular internal computer and one or more of the external computers; determining a communication link profile for the particular internal computer using the identified communication links between the particular internal computer and the one or more of the external computers; and assigning the particular internal computer to a first computer cluster of the plurality of computer clusters based on the communication link profile for the particular internal computer having a threshold level of similarity to communication link profiles of internal computers in the first computer cluster.
Address: Palo Alto CA US
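The pipeline in the abstract and in claim 1 (parse links, build a profile per internal host, cluster by a similarity threshold, assign a host seen later to an existing cluster, flag anomalous clusters) is concrete enough to show end to end. The following is an added illustrative implementation, not Pivotal's code and not the embodiment described in the patent. Everything below the claim's wording is an assumption chosen for illustration: the flow-record format, the use of the set of contacted external addresses as the profile, Jaccard similarity with a greedy single-pass threshold clustering, mean similarity to cluster members for assignment, and the anomaly rule (a minority cluster whose members contact an external address that no host outside the cluster contacts). The flow records are constructed sample data.

```python
"""Illustrative implementation of claim 1's pipeline (added example, not Pivotal's code).

Assumptions: flow lines are "timestamp src dst dst_port bytes"; a host's
communication link profile is the set of external addresses it exchanged
traffic with in either direction; similarity is Jaccard; clustering is a
greedy single pass; a cluster is flagged when it is a minority of hosts and
shares an external contact that no other internal host has (candidate C2).
"""
import ipaddress
from collections import defaultdict

# Constructed sample flow records. Hosts .11/.12/.13 talk only to two
# common external services; .21/.22 additionally talk to 198.51.100.7,
# which also initiates an inbound connection (external -> internal link).
SAMPLE_FLOWS = """\
1700000000 10.0.0.11 93.184.216.34 443 5120
1700000001 10.0.0.11 151.101.1.69 443 2200
1700000002 10.0.0.12 93.184.216.34 443 4800
1700000003 10.0.0.12 151.101.1.69 443 2100
1700000004 10.0.0.13 93.184.216.34 443 5000
1700000005 10.0.0.13 151.101.1.69 443 2000
1700000006 10.0.0.21 93.184.216.34 443 3000
1700000007 10.0.0.21 151.101.1.69 443 2300
1700000008 10.0.0.21 198.51.100.7 8443 412
1700000009 10.0.0.22 93.184.216.34 443 3100
1700000010 10.0.0.22 151.101.1.69 443 2250
1700000011 198.51.100.7 10.0.0.22 8443 128
1700000012 10.0.0.11 10.0.0.12 445 900
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET


def parse_links(text):
    """Return {internal_host: set(external_hosts)}.

    A link counts in either direction, as the claim defines it; flows that are
    purely internal or purely external are ignored.
    """
    links = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, _port, _nbytes = line.split()
        src_int, dst_int = is_internal(src), is_internal(dst)
        if src_int and not dst_int:
            links[src].add(dst)
        elif dst_int and not src_int:
            links[dst].add(src)
    return dict(links)


def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_hosts(profiles, threshold):
    """Greedy clustering: a host joins the first cluster whose first member's
    profile reaches the threshold, otherwise it starts a new cluster."""
    clusters = []
    for host in sorted(profiles):
        for cluster in clusters:
            if jaccard(profiles[host], profiles[cluster[0]]) >= threshold:
                cluster.append(host)
                break
        else:
            clusters.append([host])
    return clusters


def assign_host(profiles, clusters, new_profile, threshold):
    """Assign a host that was not in the original set (claim 1's final steps).
    Returns the index of the first cluster whose members' mean similarity to
    the new profile reaches the threshold, or None."""
    for i, cluster in enumerate(clusters):
        mean_sim = sum(jaccard(new_profile, profiles[m]) for m in cluster) / len(cluster)
        if mean_sim >= threshold:
            return i
    return None


def find_anomalous_clusters(profiles, clusters, max_fraction=0.5):
    """Assumed anomaly rule: flag a cluster covering at most max_fraction of
    hosts whose members contact an external address that no outside host
    contacts. Returns [(cluster_index, sorted exclusive externals)]."""
    flagged = []
    total = len(profiles)
    for i, cluster in enumerate(clusters):
        members = set(cluster)
        inside = set().union(*(profiles[h] for h in members))
        outside = set().union(*(profiles[h] for h in profiles if h not in members), set())
        exclusive = inside - outside
        if exclusive and len(cluster) / total <= max_fraction:
            flagged.append((i, sorted(exclusive)))
    return flagged


def run(text=SAMPLE_FLOWS, threshold=0.8):
    profiles = parse_links(text)
    clusters = cluster_hosts(profiles, threshold)
    return profiles, clusters, find_anomalous_clusters(profiles, clusters)


if __name__ == "__main__":
    profiles, clusters, suspects = run()
    for i, c in enumerate(clusters):
        print(f"cluster {i}: {c}")
    print("flagged:", suspects)
```

On the sample data the two clusters are the three "ordinary" hosts and the two hosts that also reach 198.51.100.7; only the second cluster is flagged, with 198.51.100.7 as the exclusive contact, and a later-seen host with the same three contacts is assigned to it. In practice the profile would carry more than a set of addresses (ports, timing, byte counts) and the threshold would be tuned against the organisation's baseline; the rule here is deliberately the simplest one that exercises every step of the claim.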