Abstract
A peer-to-peer (P2P) bot in a network is identified by starting from a P2P bot that has already been identified, the seed bot. A candidate set of computers, each a potential P2P bot, is determined by identifying computers in the network that share a private mutual contact with the seed bot, and then identifying additional computers that share a private mutual contact with those computers. A private mutual contact is a host outside the network that communicates with fewer than a privacy-threshold number of computers in the network during a given time interval, so widely used destinations that many hosts contact do not count. For each candidate computer a confidence level, indicative of the certainty that the candidate is a member of the P2P botnet, is determined, and when that confidence level exceeds a determined threshold the candidate computer is identified as a P2P bot.
Claims
1. A computer-implemented method for identifying a peer-to-peer bot of a peer-to-peer botnet, the computer-implemented method comprising:
  a) determining, with a computer system, a candidate set of peer-to-peer bots of the peer-to-peer botnet by:
    (i) identifying a set of one or more computers in a network having a plurality of computers, each having a private mutual contact with a computer that has been identified as a seed bot, wherein the private mutual contact is defined as a mutual contact that communicates with less than a determined number of computers in the network in a given time interval, the determined number being a privacy threshold, and wherein the private mutual contact is external to the network;
    (ii) identifying an additional set of one or more computers, each having a private mutual contact with the identified set of one or more computers; and
    (iii) defining the candidate set to include both computers belonging to the identified set and computers belonging to the identified additional set;
  b) storing, on a processor-readable medium, information identifying computers of the candidate set;
  c) determining, with the computer system and for each candidate computer in the candidate set, a confidence level indicative of a certainty of a membership of the candidate computer in the peer-to-peer botnet;
  d) determining, with the computer system and for each candidate computer in the candidate set, whether the confidence level of the candidate computer exceeds a determined threshold confidence level;
  e) identifying, with the computer system, at least one of the candidate computers as a peer-to-peer bot of the peer-to-peer botnet, responsive to a determination that the confidence level of the at least one of the candidate computers exceeds the determined threshold confidence level; and
  f) taking an action on the identified candidate computers based on a policy, wherein the action comprises monitoring network traffic of the identified candidate computers or executing a diagnostic tool on the identified candidate computers to confirm whether the identified candidate computers are bots.
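A worked implementation of the two-hop candidate search and confidence thresholding described in claim 1, added here as an example; it is not code from the patent or its assignee. The flow records, the host names, the privacy threshold of 3, the confidence threshold of 0.6 and the confidence formula (the fraction of a candidate's external contacts that are private and also used by the seed or another candidate) are all assumptions made for this example; the claim itself does not specify how the confidence level is computed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int]  # (internal host, external contact, time slot)

# Constructed sample traffic for one observation interval (time slot 0).
# Assumption: "h1".."h9" are hosts inside the monitored network and every
# other name is an external contact. "cdn.example" is contacted by almost
# every host (a popular, non-private destination); the "p-*" names stand
# for seldom-contacted external peers, which is what a P2P overlay's peer
# list looks like from inside one network.
SAMPLE_FLOWS: List[Flow] = [
    ("h1", "p-a", 0), ("h1", "p-b", 0), ("h1", "cdn.example", 0),
    ("h2", "p-a", 0), ("h2", "p-c", 0), ("h2", "cdn.example", 0),
    ("h3", "p-b", 0), ("h3", "cdn.example", 0),
    ("h4", "p-c", 0), ("h4", "p-d", 0),
    ("h5", "p-d", 0),
    ("h6", "cdn.example", 0), ("h7", "cdn.example", 0),
    ("h8", "cdn.example", 0), ("h9", "cdn.example", 0),
]

Graph = Dict[str, Set[str]]


def contact_graph(flows: Iterable[Flow], interval: int) -> Tuple[Graph, Graph]:
    """Build host->contacts and contact->hosts maps for one time interval."""
    host_to_contacts: Graph = defaultdict(set)
    contact_to_hosts: Graph = defaultdict(set)
    for host, contact, slot in flows:
        if slot == interval:
            host_to_contacts[host].add(contact)
            contact_to_hosts[contact].add(host)
    return host_to_contacts, contact_to_hosts


def private_contacts(host: str, h2c: Graph, c2h: Graph, privacy_threshold: int) -> Set[str]:
    """External contacts of `host` seen by fewer than `privacy_threshold` internal hosts."""
    return {c for c in h2c.get(host, set()) if len(c2h[c]) < privacy_threshold}


def hosts_sharing_private_contact(host: str, h2c: Graph, c2h: Graph, privacy_threshold: int) -> Set[str]:
    """Internal hosts that have at least one private mutual contact with `host`."""
    peers: Set[str] = set()
    for contact in private_contacts(host, h2c, c2h, privacy_threshold):
        peers |= c2h[contact]
    peers.discard(host)
    return peers


def candidate_set(seed: str, h2c: Graph, c2h: Graph, privacy_threshold: int) -> Set[str]:
    """Steps (i)-(iii): one hop from the seed, then one more hop from those hosts.
    The expansion deliberately stops after two hops, as the claim describes."""
    identified = hosts_sharing_private_contact(seed, h2c, c2h, privacy_threshold)
    additional: Set[str] = set()
    for host in identified:
        additional |= hosts_sharing_private_contact(host, h2c, c2h, privacy_threshold)
    additional -= identified | {seed}
    return identified | additional


def confidence(candidate: str, members: Set[str], h2c: Graph, c2h: Graph, privacy_threshold: int) -> float:
    """Assumed scoring rule (not from the patent): share of the candidate's external
    contacts that are private AND also used by the seed or another candidate."""
    contacts = h2c.get(candidate, set())
    if not contacts:
        return 0.0
    others = members - {candidate}
    shared = {c for c in private_contacts(candidate, h2c, c2h, privacy_threshold) if c2h[c] & others}
    return len(shared) / len(contacts)


def identify_p2p_bots(flows: Iterable[Flow], seed: str, privacy_threshold: int = 3,
                      confidence_threshold: float = 0.6, interval: int = 0
                      ) -> Tuple[Set[str], Dict[str, float], List[str]]:
    """Steps a)-e): returns (candidate set, per-candidate confidence, identified bots)."""
    h2c, c2h = contact_graph(flows, interval)
    candidates = candidate_set(seed, h2c, c2h, privacy_threshold)
    members = candidates | {seed}
    scores = {c: confidence(c, members, h2c, c2h, privacy_threshold) for c in candidates}
    bots = sorted(c for c, s in scores.items() if s > confidence_threshold)
    return candidates, scores, bots


def plan_actions(bots: Iterable[str], policy: str = "monitor") -> List[Tuple[str, str]]:
    """Step f): map each identified bot to the policy's action (assumed policy names)."""
    actions = {"monitor": "capture network traffic", "diagnose": "run host diagnostic tool"}
    if policy not in actions:
        raise ValueError(f"unknown policy {policy!r}")
    return [(bot, actions[policy]) for bot in sorted(bots)]


if __name__ == "__main__":
    cands, scores, bots = identify_p2p_bots(SAMPLE_FLOWS, seed="h1")
    print("candidates:", sorted(cands), "scores:", scores, "bots:", bots)
    print(plan_actions(bots, "diagnose"))
```

With the sample data and seed h1, the first hop yields h2 and h3 (they share the private contacts p-a and p-b with the seed), the second hop adds h4 (it shares p-c with h2), and h5 is left out because it is reachable only through a third hop. Under the assumed scoring rule only h2 clears the 0.6 threshold. The privacy threshold is the sensitive knob: with a threshold of 2 none of the p-* contacts counts as private in this data and the candidate set is empty, which is why a practitioner should calibrate it against the interval length and the size of the monitored network before acting on the output.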