CPC: H04L 63/1458 (2013.01) [G06F 18/22 (2023.01); G06F 18/23 (2023.01); H04L 63/0236 (2013.01); H04L 63/14 (2013.01); H04L 63/1466 (2013.01); H04L 63/1475 (2013.01); H04L 2463/144 (2013.01)]. 17 Claims.

1. A method comprising:
identifying, from online clustering data comprising a plurality of event clusters, an internet protocol (IP) pair, wherein the IP pair comprises two source IP addresses;
determining, during an offline process of clustering the plurality of event clusters, a distance metric corresponding to a distance between a feature of each of the two source IP addresses;
determining, by a processing device during the offline process, that the IP pair is part of a botnet when the distance metric is less than a predefined threshold;
in response to the determining, appending data associated with the botnet to the online clustering data to generate enhanced clustering data; and
analyzing, using an online clustering algorithm, a new set of incidents based on the enhanced clustering data to detect events occurring over a time frame or events occurring over multiple sites, wherein the new set of incidents are analyzed to classify the new set of incidents based on at least one selected from a group comprising a number of customers involved, a type of attack, and a histogram/distribution of industries, and wherein the new set of incidents are classified as being a targeted attack or a community attack as being an industry-based attack or a spray-and-pray attack.
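The offline/online split that claim 1 describes, as an added illustration that is not the patent's own code: an offline pass links any two source IPs whose scaled feature distance is below a threshold, the linked IPs are appended to the clustering data, and an online pass classifies a new incident set by customer count and industry distribution. The feature names, the threshold value, the 0.8 industry-share cut-off and all IP, customer and industry values are constructed assumptions.

```python
from itertools import combinations
from collections import Counter
import math

# Constructed clustering data (not from the patent): per-source-IP feature vectors.
# Assumed features: requests/min, error-response ratio, mean inter-request gap (s).
CLUSTERS = {
    "cluster-a": {"203.0.113.10": [120.0, 0.82, 0.05], "203.0.113.11": [118.0, 0.80, 0.05]},
    "cluster-b": {"198.51.100.7": [3.0, 0.02, 9.5]},
}
THRESHOLD = 0.1  # assumed predefined distance threshold on scaled features

# Constructed new incidents for the online pass (customer and industry are assumptions).
INCIDENTS = [
    {"src": "203.0.113.10", "customer": "acme", "industry": "finance"},
    {"src": "203.0.113.11", "customer": "globex", "industry": "finance"},
    {"src": "198.51.100.7", "customer": "initech", "industry": "retail"},
    {"src": "203.0.113.11", "customer": "acme", "industry": "finance"},
]


def scaled_distance(a, b, scale):
    """Euclidean distance after dividing each feature by its observed maximum."""
    return math.sqrt(sum(((x - y) / s) ** 2 for x, y, s in zip(a, b, scale)))


def offline_botnet_pairs(clusters, threshold=THRESHOLD):
    """Offline step: two source IPs whose feature distance is below the threshold are linked."""
    feats = {ip: f for members in clusters.values() for ip, f in members.items()}
    dims = len(next(iter(feats.values())))
    scale = [max(abs(f[i]) for f in feats.values()) or 1.0 for i in range(dims)]
    return [(a, b) for a, b in combinations(sorted(feats), 2)
            if scaled_distance(feats[a], feats[b], scale) < threshold]


def enhance(clusters, pairs):
    """Append botnet membership to the clustering data so the online pass can use it."""
    return {"clusters": clusters, "botnet_ips": sorted({ip for pair in pairs for ip in pair})}


def classify_incidents(incidents, enhanced):
    """Online step: keep incidents from linked botnet IPs, then label the set
    targeted/community (by customer count) and industry-based/spray-and-pray."""
    hits = [i for i in incidents if i["src"] in enhanced["botnet_ips"]]
    if not hits:
        return None
    customers = {i["customer"] for i in hits}
    top_share = Counter(i["industry"] for i in hits).most_common(1)[0][1] / len(hits)
    return {
        "matched": len(hits),
        "scope": "targeted" if len(customers) == 1 else "community",
        "spread": "industry-based" if top_share >= 0.8 else "spray-and-pray",  # assumed cut-off
    }
```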