Patent · US Active

Graph-based method to detect malware command-and-control infrastructure

US9195826B1 · kind B1 · utility

Cited by: 20
References: 50
Claims: 20
Family size: 0

Assignee

Inventors

Key dates

Filing date: May 30, 2013
Grant date: Nov 24, 2015
Priority date:
Expiry date: Jul 5, 2033

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L2463/144
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

Potentially infected internal device(s) and potential malware command and control device(s) are identified by generating a bipartite graph that includes internal device(s) inside a network and destination(s) outside the network which communicate over a period of time. The bipartite graph is reduced to obtain a reduced bipartite graph, including by eliminating those connections that include a whitelisted internal device and those connections that include a whitelisted destination. From the reduced graph, a cluster of potentially infected internal device(s) and potential malware command and control device(s) is identified based at least in part on (1) the cluster's degree of isolation from other clusters and (2) an isolation threshold.
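The abstract describes three steps: build a bipartite host-to-destination graph for an observation window, strip every edge that touches a whitelisted host or whitelisted destination, then flag clusters whose connection volume is unusually self-contained. The following is an added illustration written for this page, not code from the patent or its assignee. The patent does not define how clusters are formed or how "degree of isolation" is measured, so both are assumptions here: destinations are grouped when the sets of hosts contacting them overlap (Jaccard similarity at or above `min_jaccard`), and a cluster's isolation is the share of its members' connection volume that stays inside the cluster. The flow records, the whitelists and the two TEST-NET addresses standing in for command-and-control servers are constructed sample data.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample of aggregated flow records for one observation window:
# (internal host, external destination, number of connections). The external
# addresses are documentation/TEST-NET ranges; 198.51.100.7 and 203.0.113.44
# play the role of the hypothetical command-and-control servers.
FLOW_RECORDS = [
    ("10.0.0.5", "search.example.org", 40),   # whitelisted web proxy talks to everything
    ("10.0.0.5", "updates.example.com", 15),
    ("10.0.0.5", "198.51.100.7", 3),
    ("10.0.1.10", "updates.example.com", 2),
    ("10.0.1.10", "search.example.org", 5),
    ("10.0.1.11", "search.example.org", 4),
    ("10.0.1.12", "search.example.org", 6),
    ("10.0.1.12", "news.example.org", 2),
    ("10.0.1.13", "search.example.org", 3),
    ("10.0.1.13", "news.example.org", 3),
    ("10.0.1.20", "updates.example.com", 1),
    ("10.0.1.20", "search.example.org", 2),
    ("10.0.1.20", "198.51.100.7", 12),
    ("10.0.1.20", "203.0.113.44", 8),
    ("10.0.1.21", "search.example.org", 1),
    ("10.0.1.21", "198.51.100.7", 10),
    ("10.0.1.21", "203.0.113.44", 9),
]
WHITELISTED_INTERNAL = {"10.0.0.5"}               # constructed: the corporate proxy
WHITELISTED_DESTINATIONS = {"updates.example.com"}  # constructed: a known update service


def build_bipartite_graph(records):
    """Weighted bipartite graph: edge (host, destination) -> connection count."""
    graph = Counter()
    for host, dest, count in records:
        graph[(host, dest)] += count
    return graph


def reduce_graph(graph, wl_internal, wl_destinations):
    """Drop every edge that touches a whitelisted host or a whitelisted destination."""
    return Counter({(h, d): w for (h, d), w in graph.items()
                    if h not in wl_internal and d not in wl_destinations})


def cluster_by_shared_hosts(graph, min_jaccard=0.5):
    """Assumed clustering: merge destinations whose contacting-host sets overlap
    (Jaccard >= min_jaccard). Returns (frozenset of hosts, frozenset of dests)."""
    hosts_by_dest = defaultdict(set)
    for host, dest in graph:
        hosts_by_dest[dest].add(host)
    parent = {dest: dest for dest in hosts_by_dest}  # union-find over destinations

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(hosts_by_dest, 2):
        shared = hosts_by_dest[a] & hosts_by_dest[b]
        union = hosts_by_dest[a] | hosts_by_dest[b]
        if shared and len(shared) / len(union) >= min_jaccard:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for dest in hosts_by_dest:
        groups[find(dest)].add(dest)
    clusters = []
    for dests in groups.values():
        hosts = set().union(*(hosts_by_dest[d] for d in dests))
        clusters.append((frozenset(hosts), frozenset(dests)))
    return clusters


def isolation_score(cluster, graph):
    """Assumed isolation measure: share of the connection volume touching the
    cluster's hosts or destinations that stays between those hosts and destinations."""
    hosts, dests = cluster
    touching = inside = 0
    for (h, d), w in graph.items():
        if h in hosts or d in dests:
            touching += w
            if h in hosts and d in dests:
                inside += w
    return inside / touching if touching else 0.0


def find_suspicious_clusters(records, wl_internal, wl_destinations,
                             isolation_threshold=0.8, min_jaccard=0.5):
    """Build, reduce, cluster, then keep clusters at or above the isolation threshold."""
    graph = reduce_graph(build_bipartite_graph(records), wl_internal, wl_destinations)
    flagged = []
    for cluster in cluster_by_shared_hosts(graph, min_jaccard):
        score = isolation_score(cluster, graph)
        if score >= isolation_threshold:
            hosts, dests = cluster
            flagged.append((sorted(hosts), sorted(dests), round(score, 3)))
    return flagged


if __name__ == "__main__":
    for hosts, dests, score in find_suspicious_clusters(
            FLOW_RECORDS, WHITELISTED_INTERNAL, WHITELISTED_DESTINATIONS):
        print(f"isolation={score}: hosts={hosts} -> destinations={dests}")
```

On the sample data the two beaconing hosts and their two destinations form the only cluster above the 0.8 threshold (their isolation is 39/42), while the popular search and news destinations score far lower because most of the volume touching them belongs to hosts that also talk elsewhere. The whitelist step matters: without it the proxy's single edge to 198.51.100.7 would pull the whole estate into that cluster and dilute the score. In practice the isolation threshold and the similarity cut-off are tuning knobs that trade false positives (small departments sharing a niche SaaS) against missed low-volume beacons.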

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.