VMware, Inc.
Systems and methods for identifying infected network nodes based on anomalous behavior model

Abstract:

The present disclosure is directed to a method of identifying an infected network node. The method includes identifying a first network node as infected. The method includes collecting a first set of network data from the first network node including anomalous activities performed by the first network node. The method includes generating an anomalous behavior model using the first set of network data. The method includes collecting a second set of network data from a second network node including anomalous activities performed by the second network node. The method includes comparing the second set of data to the generated anomalous behavior model. The method includes determining, from the comparison, that a similarity between first characteristics and second characteristics exceeds a predefined threshold. The method includes ascertaining, based on the determination, the second network node as an infected network node.