Methods for identifying self-replicating threats using historical data

摘要

A computer-implemented method of ascertaining an infected node in a network of nodes. The computer-implemented method includes providing a repository for storing network flow data among at least a plurality of the nodes. The repository is operatively coupled to the network to permit the repository to acquire the network flow data. The computer-implemented method also includes storing at the repository first network flow data among the at least a plurality of nodes. The first network flow data includes a plurality of source addresses and corresponding destination addresses for a plurality of data flows. The computer-implemented method further includes analyzing the first network flow data at the repository to ascertain communication abnormalities that indicate whether any of the plurality of nodes is infected.