Due to the growing risks associated with owning a computer, most individuals and businesses run one or more computer security programs. Such programs include anti-virus software, anti-spyware software, encryption, firewalls, and intrusion detection and prevention systems. Unfortunately, each tool has its inherent vulnerabilities which criminals are able to exploit. Often, when a machine is compromised, a malicious program is installed. A common characteristic of many malicious programs is the tendency to make outbound connections on a periodic basis. We aim to use this characteristic to identify compromised machines. In this approach we create a time series from outbound connection times. We then search the time series for patterns. For each pattern we can determine its frequency, its length, whether it is still active, the time of each connection, and the participating machines. Our tests have shown that we can efficiently find patterns in time series data sets. |