Malicious network activity detection utilising a model of user contact lists built up from monitoring network communications

摘要

This invention relates to a method for detecting malicious communication activity between user devices 22, 24, 26, 28 in an electronic communications network. Source and destination data from electronic communications made across the network are used to derive contact data such as telephone numbers, email addresses and Internet Protocol (IP) addresses. These contact data are used to model 58 the contents of the actual contact lists 32, 34, 36, 38 stored on user devices, without the need to individually access each of the user devices themselves. Once the models have been created, source and destination data from further electronic communications are analysed for suspicious patterns of activity, with reference to the contact list models. Malware, which propagate by scanning infected user devices for contacts of other user devices to infect and sending copies of themselves on to infect other devices, can therefore be detected.