Systematic mining of associated server herds for uncovering malware and attack campaigns

Abstract

A method for detecting malicious servers. The method includes analyzing network traffic data to generate a main similarity measure and a secondary similarity measure for each server pair found in the network traffic data, extracting a main subset and a secondary subset of servers based on the main similarity measure and the secondary similarity measure, identifying a server that belongs to the main subset and the secondary subset, and determining a suspicious score of the server based on at least a first similarity density measure of the main subset, a second similarity density measure of the secondary subset, and a commonality measure of the main subset and the secondary subset.