| CPC H04L 63/145 (2013.01) [H04L 63/1416 (2013.01)] | 5 Claims |

1. A computer implemented malware protection method to mitigate malware spread within a set of communicating computer systems from an infected computer system, the method comprising:
accessing a model of the set of communicating computer systems, the model identifying interacting pairs of the computer systems in the set based on interactions corresponding to previous communication occurring between the computer systems in the pairs, wherein the model includes a graph representation of the computer systems as nodes and the interactions corresponding to the previous communication therebetween as edges;
iteratively processing the graph by:
identifying a connected component of the graph including a node corresponding to the infected computer system,
ranking nodes in the identified connected component by betweenness centrality and removing one or more highest ranked nodes from the connected component, wherein the betweenness centrality is a measure of the centrality in the graph based on shortest paths,
recording an identification of the connected component and adding the removed one or more highest ranked nodes to a list of nodes for protection, and
determining a set of nodes in the list of nodes for protection that connect the connected component to other connected components as the connecting nodes list for the connected component,
wherein the iterative processing terminates when the identified connected component satisfies a predetermined stopping condition;
receiving a predetermined maximum number of nodes for protection;
identifying the connected component having a smallest number of nodes and being associated with a largest connecting nodes list not exceeding the predetermined maximum number of nodes for protection; and
triggering deployment of malware protection measures in respect of computer systems represented by nodes in the connecting nodes list for the identified connected component.
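The claimed steps can be followed end to end on a small graph. The sketch below is an added example, not code from the patent or its applicant. It assumes the stopping condition is "the infected host's component has at most `stop_size` nodes", removes one node per pass and never the infected host, and reads "connecting nodes" as protected hosts with a neighbour inside the component and one outside it; all function names, host names and the topology are constructed for illustration.

```python
from collections import deque

def component(adj, start, removed):
    """Nodes reachable from start once the removed nodes are cut out (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        for w in adj[queue.popleft()] - removed - seen:
            seen.add(w); queue.append(w)
    return seen

def betweenness(adj, nodes):
    """Brandes' shortest-path betweenness, restricted to the set `nodes`."""
    bc = dict.fromkeys(nodes, 0.0)
    for s in nodes:
        preds, dist, queue = {v: [] for v in nodes}, {s: 0}, deque([s])
        sigma = {v: int(v == s) for v in nodes}   # number of shortest paths from s
        while queue:
            v = queue.popleft()
            for w in adj[v] & nodes:
                if w not in dist:
                    dist[w] = dist[v] + 1; queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]; preds[w].append(v)
        delta = dict.fromkeys(nodes, 0.0)
        for w in reversed(dist):                  # dist keeps BFS order: farthest first
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return bc

def plan_protection(adj, infected, max_protect, stop_size=1):
    protected, records = [], []
    comp = component(adj, infected, set())
    while len(comp) > stop_size:                  # assumed stopping condition
        bc = betweenness(adj, comp)
        # assumption: one node per pass, never the infected host; sorted() fixes ties
        protected.append(max(sorted(comp - {infected}), key=bc.get))
        comp = component(adj, infected, set(protected))
        # connecting nodes: protected hosts bridging comp and the rest of the graph
        conn = [p for p in protected if adj[p] & comp and adj[p] - comp]
        records.append((comp, conn))
    fits = [r for r in records if len(r[1]) <= max_protect]
    return min(fits, key=lambda r: (len(r[0]), -len(r[1])), default=None)

# Constructed sample topology: edges are previously observed communications.
EDGES = [("pc1", "fs1"), ("pc1", "fs2"), ("pc2", "fs1"), ("fs1", "gw"),
         ("fs2", "gw"), ("gw", "db1"), ("gw", "db2"), ("db2", "bk1")]
ADJ = {n: {b if a == n else a for a, b in EDGES if n in (a, b)}
       for edge in EDGES for n in edge}
```

With `pc1` infected, a budget of one protected host selects `gw` and leaves a four-host component exposed, while a budget of two selects `fs1` and `fs2` and confines the infection to `pc1` alone.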