US Patent 9060018 Finding command and control center computers by communication link tracking

Methods, systems, and apparatus, including computer programs encoded on computer storage media for identifying malware attacks collects data traffic information. A system receives data traffic information indicative of communications between computers within a network and computers external to the network. The system parses the data traffic information to identify communication links between the computers within the network and computers external to the network. The system can generate communication link profiles for each of the computers within the network. The system can then group computers within the network into computer clusters based on similarities between the communication link profiles for each computer. The system can identify computer clusters having anomalous communication patterns as being indicative of a malware attack.