Patent attributes
Methods and apparatus are provided for detecting periodic behavior in a communication session using clustering. An exemplary method comprises obtaining a set of differences between timestamps of adjacent events for a given network session; assigning each difference in the set to a cluster using a clustering technique based on a distance between the difference and a mean time difference for each cluster; and providing clusters generated by the clustering technique, wherein each of the differences in each of the clusters corresponds to events exhibiting periodic behavior with a period substantially equal to the mean time difference of the assigned cluster. The differences are optionally obtained and processed in real-time. The periodicity of a given cluster is measured, for example, based on a variance of the differences assigned to the given cluster. The clusters are optionally processed to identify suspicious communications associated with a computer security attack.
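
The clustering step described above, as an added sketch that is not code from the patent. The abstract does not name a clustering technique, so this assumes a simple sequential nearest-mean scheme that can run one event at a time; the `tolerance`, `min_events` and `max_variance` thresholds, all function and class names, and the sample timestamps are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Cluster:
    n: int = 0
    mean: float = 0.0   # mean time difference of the cluster (the candidate period)
    m2: float = 0.0     # running sum of squared deviations (Welford's method)

    def add(self, delta: float) -> None:
        # Incremental update, so differences can be processed as they arrive.
        self.n += 1
        d = delta - self.mean
        self.mean += d / self.n
        self.m2 += d * (delta - self.mean)

    @property
    def variance(self) -> float:
        return self.m2 / self.n if self.n > 1 else 0.0


def cluster_deltas(timestamps, tolerance=2.0):
    """Assign each difference between adjacent events to the cluster whose mean
    is nearest; open a new cluster when none lies within `tolerance` seconds
    (assumed threshold, not specified in the abstract)."""
    clusters = []
    ts = sorted(timestamps)
    for prev, cur in zip(ts, ts[1:]):
        delta = cur - prev
        best = min(clusters, key=lambda c: abs(delta - c.mean), default=None)
        if best is None or abs(delta - best.mean) > tolerance:
            best = Cluster()
            clusters.append(best)
        best.add(delta)
    return clusters


def periodic_clusters(clusters, min_events=5, max_variance=1.0):
    """Keep clusters with enough members and low variance: the variance of the
    assigned differences is the periodicity measure the abstract mentions."""
    return [c for c in clusters if c.n >= min_events and c.variance <= max_variance]


# Constructed sample for one session: ~60 s check-ins with jitter, one long
# gap (360.1 -> 975.0) and one short trailing event that are not periodic.
SAMPLE = [0.0, 60.2, 119.9, 180.1, 240.0, 300.3, 360.1,
          975.0, 1035.1, 1095.0, 1154.8, 1163.0]

if __name__ == "__main__":
    for c in periodic_clusters(cluster_deltas(SAMPLE)):
        print(f"period ~{c.mean:.1f}s, events={c.n}, variance={c.variance:.3f}")
```

A session whose surviving cluster has a stable period and many members is a candidate for review as possible beaconing; legitimate pollers such as update checks and health probes produce the same signature and need allow-listing.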