Patent · US Active

Clustering botnet behavior using parameterized models

US8745731B2 · kind B2 · utility

Cited by: 7
References: 10
Claims: 17
Family size: 0

Assignee

Inventors

Key dates

Filing date: Apr 3, 2008
Grant date: Jun 3, 2014
Priority date:
Expiry date: Nov 21, 2031

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L2463/144
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

Email spam originating from botnets may be identified and blocked by finding similarity in the host properties and behavior patterns of the sending hosts, using a set of labeled data. Clustering models of host properties are learned from hosts previously identified and tagged as members of known botnets: given the labeled data, each botnet is examined individually and a clustering model is learned over a selected set of host properties. Once a model has been learned for every botnet, new hosts are scored against the models to find those whose properties fit a botnet profile. Traffic from such hosts can be discarded or tagged for subsequent analysis, and the models can also be used to profile botnets and prevent them from launching other attacks. In addition, the models of individual botnets can themselves be clustered into superclusters, which helps in understanding botnet behavior and detecting future attacks.
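The abstract describes a pipeline (learn one model per labeled botnet, fit unknown hosts to those profiles, then cluster the models into superclusters) without specifying the clustering algorithm or the host properties. The following is an added illustration of that pipeline, not code from the patent or its assignee. It assumes a per-feature mean and spread as the "clustering model" for each botnet, an RMS z-score as the fit measure, single-linkage merging of models as the supercluster step, and constructed host-property samples (message rate, distinct recipient domains, mean message size, connection duration); all of these names, features and thresholds are assumptions for the example.

```python
"""Per-botnet host-property profiles, profile matching and superclustering.

Added example: an illustrative instance of the workflow in the abstract,
not the patent's own implementation. Thresholds and features are assumed.
"""
from __future__ import annotations

import math
from statistics import mean, pstdev

# Assumed host properties (one column each, in this order).
FEATURES = ("msgs_per_hour", "distinct_rcpt_domains", "mean_msg_bytes", "conn_seconds")

# Constructed labeled data: feature vectors of hosts already attributed to a botnet.
# botnet_A and botnet_C are deliberately similar so the supercluster step has work to do.
LABELED = {
    "botnet_A": [(1200, 310, 900, 40), (1150, 290, 950, 35), (1300, 340, 880, 45), (1250, 300, 920, 38)],
    "botnet_B": [(90, 20, 6500, 300), (110, 25, 6200, 280), (95, 18, 6800, 320), (100, 22, 6400, 310)],
    "botnet_C": [(1180, 320, 910, 42), (1220, 305, 930, 41), (1270, 330, 890, 44), (1210, 315, 905, 39)],
}


class HostProfile:
    """A single-cluster model of one botnet: per-feature mean and population spread."""

    def __init__(self, name: str, samples: list[tuple[float, ...]]):
        self.name = name
        cols = list(zip(*samples))
        self.mu = [mean(c) for c in cols]
        # Floor the spread so a constant feature cannot cause a division by zero.
        self.sigma = [max(pstdev(c), 1e-9) for c in cols]

    def distance(self, host: tuple[float, ...]) -> float:
        """Root-mean-square z-score of a host's properties against this profile."""
        zs = [(x - m) / s for x, m, s in zip(host, self.mu, self.sigma)]
        return math.sqrt(sum(z * z for z in zs) / len(zs))


def learn_profiles(labeled: dict) -> dict[str, HostProfile]:
    """Step 1: examine each botnet individually and learn a model over its host properties."""
    return {name: HostProfile(name, samples) for name, samples in labeled.items()}


def match_host(profiles: dict[str, HostProfile], host: tuple[float, ...], max_distance: float = 3.0):
    """Step 2: find the closest profile; return (botnet, distance) if the host fits it, else (None, distance)."""
    name, d = min(((p.name, p.distance(host)) for p in profiles.values()), key=lambda t: t[1])
    return (name, d) if d <= max_distance else (None, d)


def profile_distance(p: HostProfile, q: HostProfile) -> float:
    """Symmetric distance between two botnet models: each centroid scored against the other model."""
    return 0.5 * (p.distance(tuple(q.mu)) + q.distance(tuple(p.mu)))


def supercluster(profiles: dict[str, HostProfile], max_distance: float = 2.0) -> list[list[str]]:
    """Step 3: single-linkage grouping of the per-botnet models into superclusters."""
    names = sorted(profiles)
    parent = {n: n for n in names}

    def find(n: str) -> str:
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if profile_distance(profiles[a], profiles[b]) <= max_distance:
                parent[find(a)] = find(b)
    groups: dict[str, list[str]] = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    return sorted(sorted(g) for g in groups.values())


PROFILES = learn_profiles(LABELED)

if __name__ == "__main__":
    for host in [(1210, 300, 915, 40), (5, 1, 2000, 2)]:
        botnet, d = match_host(PROFILES, host)
        action = "discard/tag" if botnet else "pass"
        print(f"{dict(zip(FEATURES, host))} -> {botnet} (rms z={d:.2f}) -> {action}")
    print("superclusters:", supercluster(PROFILES))
```

Hosts that fit a profile are the ones the abstract proposes to discard or tag for later analysis; a host that fits none (the second sample above) passes. The supercluster step reports botnet_A and botnet_C as one group because their models are close in z-normalized space, which is the kind of relationship the abstract says can help explain botnet behavior across campaigns.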

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.