Title: Method and apparatus for detecting zombie-generated spam
Abstract: Disclosed is a method and system for detecting a zombie attack in a network having a plurality of computers. The method and system include a network analysis module for determining, for each computer, a working set of email addresses associated with emails sent by each computer. A zombie attack is detected by determining at least one of: 1) at least one computer in the plurality is transmitting more than a threshold rate of emails, 2) that at least one of the computers is transmitting more than a first threshold number of emails to email addresses outside of its associated working set, 3) that a first threshold number of computers in the plurality are transmitting email messages to email addresses outside of their associated working set, and 4) that more than a second threshold number of computers are transmitting more than a second threshold number of emails to a recipient computer.
Publication number: US8775521(B2); Publication date: 2014.07.08
Application number: US200611478941; Filing date: 2006.06.30
Applicant: AT&T Intellectual Property II, L.P.; Inventors: Feaver John; Hansen Tony
Classification: G06F15/16; Main classification: G06F15/16
Agent firm: Wolff & Samson, PC; Agent: Wolff & Samson, PC
Main claim: 1. A method for detecting a zombie attack in a network comprising a plurality of computers, the method comprising: determining, for each particular computer in the plurality of computers, a working set associated with the particular computer, the working set comprising: a first list of email addresses including email addresses associated with emails sent by the particular computer and including email addresses associated with emails received by the particular computer; determining whether at least a first threshold number of computers in the plurality of computers are transmitting email messages to email addresses not included in their working set; determining whether at least a second threshold number of computers in the plurality of computers are transmitting at least a first threshold number of emails to a recipient computer; determining, for each computer in the plurality of computers, whether at least a second threshold number of emails are being transmitted to email addresses not included in its working set; storing, for each particular computer in the plurality of computers, data comprising: a second list comprising: an email address and a time associated with each sent email associated with the particular computer; a third list comprising an email address and a time associated with each received email associated with the particular computer; and a rate of emails sent by each particular computer in the plurality of computers; determining a change in the rate of emails sent based on the rate and the data; and detecting a zombie attack based on: whether at least the first threshold number of computers in the plurality of computers are transmitting email messages to email addresses not included in their working set, and whether at least the second threshold number of computers in the plurality of computers are transmitting at least the first threshold number of emails to a recipient computer; and whether the change in the rate of emails sent, associated with a particular computer, is greater than a first threshold rate; and whether, for each computer in the plurality of computers, at least the second threshold number of emails are being transmitted to email addresses not included in its working set.
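The four detection conditions of the abstract and claim, worked through on constructed mail-log data as an added example (this is not code from the patent or from AT&T). It assumes the working set is built from an earlier baseline window of sent and received mail, and that the send rate is measured over the span of the observation window; all host names, addresses and thresholds are made up.

```python
from collections import Counter, defaultdict

# Constructed baseline traffic used to build each host's working set: (host, direction, address)
BASELINE = [
    ("pc1", "sent", "alice@example.org"), ("pc1", "recv", "bob@example.org"),
    ("pc2", "sent", "carol@example.org"), ("pc2", "recv", "alice@example.org"),
    ("pc3", "sent", "dave@example.org"),
    *[(h, "sent", "target@victim.test") for h in ("pc4", "pc5", "pc6")],
]
# Constructed observation window of outbound mail: (host, recipient address, minute)
WINDOW = [
    ("pc1", "alice@example.org", 0), ("pc1", "bob@example.org", 3),
    ("pc1", "newcontact@example.org", 4),                        # one new correspondent: benign
    ("pc2", "carol@example.org", 1), ("pc2", "alice@example.org", 4),
    *[("pc3", f"u{i}@victim.test", i % 5) for i in range(12)],   # burst to unknown addresses
    *[(h, "target@victim.test", 2) for h in ("pc4", "pc5", "pc6") for _ in range(4)],
]

def working_sets(baseline):
    """Working set per host: every address it has sent to or received from."""
    ws = defaultdict(set)
    for host, _direction, addr in baseline:
        ws[host].add(addr)
    return dict(ws)

def detect(baseline, window, rate_thr, outside_per_host_thr,
           hosts_outside_thr, per_recipient_thr, hosts_per_recipient_thr):
    ws = working_sets(baseline)
    span = max(m for *_, m in window) - min(m for *_, m in window) + 1  # minutes
    sent = defaultdict(list)
    for host, rcpt, _minute in window:
        sent[host].append(rcpt)
    # 1) a host whose send rate (emails per minute) exceeds the rate threshold
    high_rate = sorted(h for h, r in sent.items() if len(r) / span > rate_thr)
    # 2) a host sending more than a threshold number of emails outside its working set
    outside = {h: sum(r not in ws.get(h, set()) for r in rcpts) for h, rcpts in sent.items()}
    outside_hosts = sorted(h for h, n in outside.items() if n > outside_per_host_thr)
    # 3) at least a threshold number of hosts sending anything outside their working set
    many_outside = sum(n > 0 for n in outside.values()) >= hosts_outside_thr
    # 4) more than a threshold number of hosts each sending many emails to one recipient
    per_rcpt = defaultdict(Counter)
    for h, rcpts in sent.items():
        for r in rcpts:
            per_rcpt[r][h] += 1
    targeted = sorted(r for r, c in per_rcpt.items()
                      if sum(n > per_recipient_thr for n in c.values()) > hosts_per_recipient_thr)
    return {"high_rate": high_rate, "outside_working_set": outside_hosts,
            "many_hosts_outside": many_outside, "targeted_recipients": targeted}

def run_demo():
    return detect(BASELINE, WINDOW, rate_thr=2.0, outside_per_host_thr=5,
                  hosts_outside_thr=3, per_recipient_thr=3, hosts_per_recipient_thr=2)
```

With these thresholds pc3 trips both the rate and the working-set conditions, the three hosts hammering one recipient trip condition 4, and pc1's single new correspondent does not push the network-wide count over threshold.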
Address: Atlanta GA US