| CPC G06N 20/00 (2019.01) [G06N 5/02 (2013.01)] | 20 Claims |

1. A system comprising:
a processor; and
a memory that stores computer-executable instructions that, when executed by the processor, cause the processor to perform operations comprising
obtaining, at a server computer that operates on a network and from a monitor operating on a carrier network, multiple instances of netflow data comprising a first instance of netflow data that is associated with a smartphone that is communicating with the carrier network, wherein the first instance of netflow data comprises mobility network data that represents communications between the carrier network and the smartphone, wherein the monitor generates the first instance of netflow data in response to detecting the smartphone communicating with the carrier network, wherein the communications comprise successive data transmissions, and wherein the carrier network identifies the smartphone using an international mobile equipment identity,
extracting, by the server computer and from the first instance of netflow data, data features associated with the communications, wherein the data features comprise statistical information associated with the communications, wherein the data features define netflow characteristics associated with the smartphone, and wherein the data features comprise a first feature defining a flow size feature of the communications, a second feature defining a flow feature of the communications, and a third feature defining a beacon feature of the communications, the flow size feature comprising a standard deviation of a bytes to packets ratio for the communications, the data features comprising a number of unique destination IP addresses associated with the communications, and the beacon feature comprising average inter-arrival times of flows associated with the communications, a standard deviation of inter-arrival times of the flows associated with the communications, and a standard deviation of packet counts associated with the flows associated with the communications,
generating, by the server computer and based on the data features, a statistical signature for the smartphone, the statistical signature representing the communications and connections of the smartphone during the communications,
training, by the server computer, a learning model based on data features extracted from multiple instances of netflow data comprising the first instance of netflow data,
providing, by the server computer and to the learning model, the statistical signature for the smartphone as input to the learning model,
obtaining, by the server computer and from the learning model, output provided by the learning model, wherein the learning model provides the output based on the input of the statistical signature to the learning model, and wherein the learning model generates a prediction based on the output, the prediction indicating if the smartphone is a botnet device or if the smartphone is not the botnet device, and
in response to the prediction indicating that the smartphone is the botnet device:
adding, by the server computer, the smartphone to a device list that identifies malicious devices, and
triggering, by the server computer, delivery of the device list to a controller operating on the carrier network, wherein the device list is used by the controller to perform deep packet inspection on future communications associated with the smartphone, and
in response to the prediction indicating that the smartphone is not the botnet device:
adding, by the server computer, the smartphone to a further device list that identifies legitimate devices, and
triggering, by the server computer, delivery of the device list to the controller to cause the controller to allow the future communications associated with the smartphone.
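The following Python example, added here and not part of the patent or any assignee's code, walks through the steps of claim 1 on constructed netflow-style records: it computes the claimed flow size feature (standard deviation of the bytes-to-packets ratio), the flow feature (count of unique destination IP addresses) and the beacon features (mean and standard deviation of inter-arrival times, standard deviation of per-flow packet counts), assembles them into a fixed-order statistical signature, trains a simple learning model on labelled signatures, and then routes each device to a malicious or a legitimate device list. The `Flow` record, the nearest-centroid classifier, the IMEI strings and the IP addresses (RFC 5737 documentation ranges) are all assumptions of this example; the claim does not specify the model type or the record layout.

```python
"""Claim 1 walked through on constructed data: feature extraction, statistical
signature, a stand-in learning model, and device-list routing.  Added example,
not the patent's code; every IMEI, IP address and flow record is constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Tuple

FEATURE_ORDER = ("bpp_std", "unique_dst", "iat_mean", "iat_std", "pkt_std")


@dataclass(frozen=True)
class Flow:
    imei: str       # device identity the carrier network uses (placeholder value)
    start: float    # flow start time in seconds
    dst_ip: str     # destination address observed by the carrier-side monitor
    nbytes: int     # bytes in the flow
    packets: int    # packets in the flow


def extract_features(flows: Sequence[Flow]) -> Dict[str, float]:
    """Compute the claim's flow size, flow and beacon features for one device."""
    if not flows:
        raise ValueError("a device signature needs at least one flow")
    ordered = sorted(flows, key=lambda f: f.start)
    ratios = [f.nbytes / f.packets for f in ordered]                  # bytes-to-packets ratio
    gaps = [b.start - a.start for a, b in zip(ordered, ordered[1:])]  # inter-arrival times
    return {
        "bpp_std": pstdev(ratios),                                    # flow size feature
        "unique_dst": float(len({f.dst_ip for f in ordered})),        # flow feature
        "iat_mean": mean(gaps) if gaps else 0.0,                      # beacon feature
        "iat_std": pstdev(gaps) if gaps else 0.0,                     # beacon feature
        "pkt_std": pstdev([f.packets for f in ordered]),              # beacon feature
    }


def signature(flows: Sequence[Flow]) -> Tuple[float, ...]:
    """Fixed-order feature vector: the device's statistical signature."""
    feats = extract_features(flows)
    return tuple(feats[name] for name in FEATURE_ORDER)


class NearestCentroid:
    """Assumed stand-in for the claim's learning model: z-score each feature over
    the training signatures, then label an input by its nearest class centroid."""

    def fit(self, sigs: List[Tuple[float, ...]], labels: List[str]) -> "NearestCentroid":
        cols = list(zip(*sigs))
        self.mu = [mean(c) for c in cols]
        self.sd = [pstdev(c) or 1.0 for c in cols]   # constant feature: avoid divide by zero
        by_label: Dict[str, List[List[float]]] = {}
        for s, lab in zip(sigs, labels):
            by_label.setdefault(lab, []).append(self._z(s))
        self.centroids = {lab: [mean(c) for c in zip(*rows)] for lab, rows in by_label.items()}
        return self

    def _z(self, s: Sequence[float]) -> List[float]:
        return [(v - m) / d for v, m, d in zip(s, self.mu, self.sd)]

    def predict(self, s: Sequence[float]) -> str:
        z = self._z(s)
        return min(self.centroids,
                   key=lambda lab: sum((a - b) ** 2 for a, b in zip(z, self.centroids[lab])))


def beacon_flows(imei: str, period: float, count: int, dst: str) -> List[Flow]:
    """Constructed beaconing pattern: fixed period, one destination, constant size."""
    return [Flow(imei, i * period, dst, 300, 3) for i in range(count)]


def flows_from(imei: str, rows: Sequence[Tuple[float, str, int, int]]) -> List[Flow]:
    return [Flow(imei, t, d, b, p) for t, d, b, p in rows]


# Constructed training corpus: three beaconing devices, three ordinary subscribers.
TRAIN: List[Tuple[List[Flow], str]] = [
    (beacon_flows("IMEI-BOT-1", 30, 6, "198.51.100.7"), "botnet"),
    (beacon_flows("IMEI-BOT-2", 120, 6, "198.51.100.7"), "botnet"),
    (beacon_flows("IMEI-BOT-3", 300, 6, "198.51.100.7"), "botnet"),
    (flows_from("IMEI-SUB-1", [(0, "203.0.113.1", 1500, 10), (3, "203.0.113.2", 700, 5),
                               (50, "203.0.113.9", 12000, 40), (52, "203.0.113.2", 250, 2),
                               (900, "203.0.113.3", 3000, 12)]), "legitimate"),
    (flows_from("IMEI-SUB-2", [(0, "203.0.113.4", 800, 6), (700, "203.0.113.5", 20000, 60),
                               (702, "203.0.113.6", 90, 1), (703, "203.0.113.4", 400, 3)]), "legitimate"),
    (flows_from("IMEI-SUB-3", [(10, "203.0.113.7", 4000, 15), (11, "203.0.113.8", 300, 3),
                               (400, "203.0.113.7", 2200, 9), (405, "203.0.113.10", 6000, 20),
                               (1200, "203.0.113.11", 100, 1), (1201, "203.0.113.12", 50000, 100)]), "legitimate"),
]

# Constructed devices to classify after training.
TEST_BOT = beacon_flows("IMEI-BOT-TEST", 60, 5, "198.51.100.7")
TEST_BENIGN = flows_from("IMEI-SUB-TEST", [(0, "203.0.113.1", 1500, 10), (5, "203.0.113.2", 400, 4),
                                           (300, "203.0.113.3", 9000, 30), (301, "203.0.113.1", 200, 2),
                                           (1500, "203.0.113.4", 5000, 20)])


def train_model() -> NearestCentroid:
    """Train the stand-in learning model on the signatures of the training corpus."""
    return NearestCentroid().fit([signature(f) for f, _ in TRAIN], [lab for _, lab in TRAIN])


def route_device(model: NearestCentroid, flows: Sequence[Flow],
                 malicious: List[str], legitimate: List[str]) -> str:
    """Final step of claim 1: put the IMEI on the list handed to the controller for
    deep packet inspection, or on the list that lets its traffic through."""
    label = model.predict(signature(flows))
    (malicious if label == "botnet" else legitimate).append(flows[0].imei)
    return label


if __name__ == "__main__":
    model = train_model()
    malicious_devices: List[str] = []
    legitimate_devices: List[str] = []
    for device in (TEST_BOT, TEST_BENIGN):
        print(device[0].imei, extract_features(device), route_device(model, device, malicious_devices, legitimate_devices))
    print("to controller for DPI:", malicious_devices, "| allowed:", legitimate_devices)
```

The beacon features do most of the work here: a device that contacts one destination at a fixed period with constant packet counts has zero inter-arrival and packet-count variance, whereas the constructed subscriber traffic has large, irregular gaps. Note that the claim's features are computed per device over the flows the monitor attributes to that IMEI, so the feature extractor deliberately takes the whole flow set rather than a single flow.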