Rating network security posture and comparing network maliciousness

US 10,038,703 B2
Filed: 07/16/2015
Issued: 07/31/2018
Est. Priority Date: 07/18/2014
Status: Active Grant

First Claim

Patent Images

1. A method for rating malicious network activity, the method comprising:

aggregating, by one or more hardware processors, sets of internet protocol (IP) addresses from monitored network traffic over a sampling period;

measuring, by the one or more hardware processors, a number of malicious IP addresses within each of the aggregated sets of IP addresses over a plurality of time intervals within the sampling period, the malicious IP addresses being known prior to the aggregation of the sets of IP addresses based upon their inclusion within a reference list;

generating, by the one or more hardware processors, a plurality of aggregate signals, each aggregate signal from among the plurality of aggregate signals being associated with a respective time interval from among the plurality of time intervals and having a magnitude based on the number of malicious IP addresses within each respective time interval,wherein a higher number of malicious IP addresses is associated with a higher magnitude, andwherein the malicious IP addresses are associated with one or more categories of malicious network behavior,categorizing, by the one or more hardware processors, each respective one of the plurality of aggregate signals that is associated with each respective time interval into one of a good, normal, or bad malicious region relative to an average magnitude of the plurality of aggregate signals over the duration of the sampling period, wherein categorizing each respective one of the plurality of aggregate signals comprises categorizing each respective one of the plurality of aggregate signals into one of a good, normal, or bad malicious region by determining the average magnitude of the plurality of aggregate signals by evaluating the equation;

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are disclosed for profiling network-level malicious activity. Profiling embodiments include observing malicious activity, representing such activity in accordance with a set of representative features, capturing temporal evolution of this malicious behavior and its dynamics, and using this temporal evolution to reveal key risk related properties of these networks. Embodiments are further disclosed addressing the connectedness of various networks and similarity in network-level maliciousness. Embodiments directed to similarity analyses include focusing on the notion of similarity—a quantitative measure of the extent to which the dynamic evolutions of malicious activities from two networks are alike, and mapping this behavioral similarity to their similarity in certain spatial features, which includes their relative proximity to each other and may be used to help predict the future maliciousness of a particular network. The embodiments described may be applicable to various network aggregation levels.

22 Citations

View as Search Results

21 Claims

1. A method for rating malicious network activity, the method comprising:
- aggregating, by one or more hardware processors, sets of internet protocol (IP) addresses from monitored network traffic over a sampling period;
  
  measuring, by the one or more hardware processors, a number of malicious IP addresses within each of the aggregated sets of IP addresses over a plurality of time intervals within the sampling period, the malicious IP addresses being known prior to the aggregation of the sets of IP addresses based upon their inclusion within a reference list;
  
  generating, by the one or more hardware processors, a plurality of aggregate signals, each aggregate signal from among the plurality of aggregate signals being associated with a respective time interval from among the plurality of time intervals and having a magnitude based on the number of malicious IP addresses within each respective time interval,wherein a higher number of malicious IP addresses is associated with a higher magnitude, andwherein the malicious IP addresses are associated with one or more categories of malicious network behavior,categorizing, by the one or more hardware processors, each respective one of the plurality of aggregate signals that is associated with each respective time interval into one of a good, normal, or bad malicious region relative to an average magnitude of the plurality of aggregate signals over the duration of the sampling period, wherein categorizing each respective one of the plurality of aggregate signals comprises categorizing each respective one of the plurality of aggregate signals into one of a good, normal, or bad malicious region by determining the average magnitude of the plurality of aggregate signals by evaluating the equation;
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein each of the plurality of maliciousness profiles includes a quantized value associated with the good, normal, and bad malicious regions, respectively, for each of the intensity, duration, and frequency feature, and further comprising:
    - selecting, by the one or more hardware processors, one of the intensity, duration, and frequency features to analyze each respective one of the plurality of aggregate signals for maliciousness;
      
      assigning, by the one or more hardware processors, weights to each of the intensity, duration, and frequency features, respectively, for each of the plurality of maliciousness profiles such that heaviest weight is associated with the selected one of the intensity, duration, and frequency features; and
      
      determining, by the one or more hardware processors, a plurality of maliciousness scores for each of the plurality of maliciousness profiles, respectively, based on a weighted combination of each of the intensity, duration, and frequency features.
  - 3. The method of claim 2, wherein:
    - the plurality of maliciousness scores are distributed between a minimum maliciousness score and a maximum maliciousness score;
      
      the minimum maliciousness score is representative of a minimum amount of maliciousness based on the selected one of the intensity, duration, and frequency feature; and
      
      the maximum maliciousness score is representative of a maximum amount of maliciousness based on the selected one of the intensity, duration, and frequency feature.
  - 4. The method of claim 1, wherein the act of aggregating sets of IP addresses comprises one or more of:
    - aggregating sets of IP addresses according to network prefixes;
      
      aggregating sets of IP addresses according to autonomous systems (ASes); and
      
      aggregating sets of IP addresses according to organizational boundaries.
  - 5. The method of claim 1, wherein the categories of malicious network behavior include one or more of:
    - spam attacks;
      
      phishing attacks;
      
      malware attacks; and
      
      active attacks.
  - 6. The method of claim 1, wherein:
    - the intensity feature is based on an average magnitude of each respective one of the plurality of aggregate signals over the sampling period;
      
      the duration feature is based on an average amount of time each respective one of the plurality of aggregate signals remained at the good, bad, or normal malicious region over the sampling period; and
      
      the frequency feature is based on a number of times each respective one of the plurality of aggregate signals enter the good, bad, or normal malicious region over the sampling period.
  - 7. The method of claim 1, wherein the reference list includes an IP-address reputation blacklist or on a malicious activity incident report list, andwherein the act of measuring the number of malicious IP addresses comprises:
    - measuring the number of malicious IP addresses by determining IP addresses, within each of the aggregated sets of IP addresses over the sampling period, that are identified on the IP-address reputation blacklist or on the malicious activity incident report list.
  - 8. The method of claim 1, further comprising:
    - routing, by the one or more hardware processors, IP addresses associated with sets of aggregated IP addresses having a first malicious profile from among the plurality of maliciousness profiles to a first router; and
      
      routing, by the one or more hardware processors, IP addresses associated with sets of aggregated IP addresses having a second malicious profile from among the plurality of maliciousness profiles to a second router,wherein the first malicious profile is indicative of a higher maliciousness than the second malicious profile, andwherein the first router provides a lower quality of service (QoS) than the second router.
  - 9. The method of claim 1, further comprising:
    - routing, by the one or more hardware processors, IP addresses associated with sets of aggregated IP addresses having a first malicious profile from among the plurality of maliciousness profiles to a first network; and
      
      routing, by the one or more hardware processors, IP addresses associated with sets of aggregated IP addresses having a second malicious profile from among the plurality of maliciousness profiles to a second network,wherein the first malicious profile is indicative of a higher maliciousness than the second malicious profile, andwherein the first network operates at a lower cost than the second network.
  - 10. The method of claim 1, further comprising:
    - routing, by one or more hardware processors, IP addresses in accordance with a best path selection (BGP) procedure such that the IP addresses are preferentially routed to sets of aggregated IP addresses having a first malicious profile from among the plurality of maliciousness profiles while avoiding routing of the IP addresses to sets of aggregated IP addresses having a second malicious profile from among the plurality of maliciousness profiles, andwherein the second malicious profile is indicative of a higher maliciousness than the first malicious profile.
  - 11. The method of claim 1, further comprising:
    - performing, by the one or more hardware processors, deep packet inspection (DPI) on IP addresses associated with sets of aggregated IP addresses having a first malicious profile from among the plurality of maliciousness profiles; and
      
      not performing DPI on IP addresses associated with sets of aggregated IP addresses having a second malicious profile from among the plurality of maliciousness profiles,wherein the first malicious network profile is indicative of a higher maliciousness than the second malicious network profile.

12. A network analyzer for rating malicious network activity, the network analyzer comprising:
- a network interface configured to monitor network traffic; and
  
  a hardware processor configured to;
  
  aggregate sets of internet protocol (IP) addresses within the monitored network traffic over a sampling period;
  
  measure a number of malicious IP addresses within each of the aggregated sets of IP addresses at a plurality of time intervals within the sampling period, the malicious IP addresses being known prior to the aggregation of the sets of IP addresses based upon their inclusion within a reference list;
  
  generate a plurality of aggregate signals, each aggregate signal from among the plurality of aggregate signals being associated with a respective time interval from among the plurality of time intervals and having a magnitude based on the number of malicious IP addresses within each respective time interval,wherein a higher number of malicious IP addresses is associated with a higher magnitude, andwherein the malicious IP addresses are associated with one or more categories of malicious network behavior,categorize each respective one of the plurality of aggregate signals that is associated with each respective time interval into one of a good, normal, or bad malicious region relative to an average magnitude of the plurality of aggregate signals over the duration of the sampling period, wherein the hardware processor is further configured to categorize each of the plurality of aggregate signals by categorizing each respective one of the plurality of aggregate signals into one of a good, normal, or bad malicious region by determining the average magnitude of the plurality of aggregate signals by evaluating the equation;
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The network analyzer of claim 12, wherein the hardware processor is further configured to:
    - train a classifier by combining the feature set for each respective one of the plurality of aggregate signals with information regarding whether a network associated with the network traffic has suffered from a data breach as identified by the plurality of maliciousness profiles; and
      
      utilize the classifier to predict a likelihood that the network will suffer from a future data breach.
  - 14. The network analyzer of claim 12, wherein each of the plurality of maliciousness profiles includes a quantized value associated with the good, normal, and bad malicious regions, respectively, for each of the intensity, duration, and frequency feature, and wherein the hardware processor is further configured to:
    - select one of the intensity, duration, and frequency features to analyze each respective one of the plurality of aggregate signals for maliciousness;
      
      assign weights to each of the intensity, duration, and frequency features, respectively, for each of the plurality of maliciousness profiles such that heaviest weight is associated with the selected one of the intensity, duration, and frequency features; and
      
      determine a plurality of maliciousness scores for each of the plurality of maliciousness profiles, respectively, based on a weighted combination of each of the intensity, duration, and frequency features.
  - 15. The network analyzer of claim 14, wherein:
    - the plurality of maliciousness scores are distributed between a minimum maliciousness score and a maximum maliciousness score;
      
      the minimum maliciousness score is representative of a minimum amount of maliciousness based on the selected one of the intensity, duration, and frequency feature; and
      
      the maximum maliciousness score is representative of a maximum amount of maliciousness based on the selected one of the intensity, duration, and frequency feature.
  - 16. The network analyzer of claim 12, wherein:
    - the intensity feature is based on an average magnitude of each respective one of the plurality of aggregate signals over the sampling period;
      
      the duration feature is based on an average amount of time each respective one of the plurality of aggregate signals remained at the good, bad, or normal malicious region over the sampling period; and
      
      the frequency feature is based on a number of times each respective one of the plurality of aggregate signals enter the good, bad, or normal malicious region over the sampling period.
  - 17. The network analyzer of claim 12, wherein the reference list includes an IP-address reputation blacklist or on a malicious activity incident report list, andwherein the hardware processor is further configured to measure the number of malicious IP addresses by determining IP addresses, within each of the aggregated sets of IP addresses over the sampling period, that are identified on the IP-address reputation blacklist or on the malicious activity incident report list.
  - 18. The network analyzer of claim 12, wherein the hardware processor is further configured to route IP addresses associated with sets of aggregated IP addresses having a first malicious profile from among the plurality of maliciousness profiles to a first router, and to route IP addresses associated with sets of aggregated IP addresses having a second malicious profile from among the plurality of maliciousness profiles to a second router,wherein the first malicious profile is indicative of a higher maliciousness than the second malicious profile, andwherein the first router provides a lower quality of service (QoS) than the second router.
  - 19. The network analyzer of claim 12, wherein the hardware processor is further configured to route IP addresses associated with sets of aggregated IP addresses having a first malicious profile from among the plurality of maliciousness profiles to a first network, and to route IP addresses associated with sets of aggregated IP addresses having a second malicious profile from among the plurality of maliciousness profiles to a second network,wherein the first malicious profile is indicative of a higher maliciousness than the second malicious profile, andwherein the first network operates at a lower cost than the second network.
  - 20. The network analyzer of claim 12, wherein the hardware processor is further configured to route IP addresses in accordance with a best path selection (BGP) procedure such that the IP addresses are preferentially routed to sets of aggregated IP addresses having a first malicious profile from among the plurality of maliciousness profiles while avoiding routing of the IP addresses to sets of aggregated IP addresses having a second malicious profile from among the plurality of maliciousness profiles, andwherein the second malicious profile is indicative of a higher maliciousness than the first malicious profile.
  - 21. The network analyzer of claim 12, wherein the hardware processor is further configured to perform deep packet inspection (DPI) on IP addresses associated with sets of aggregated IP addresses having a first malicious profile from among the plurality of maliciousness profiles, and to not perform DPI on IP addresses associated with sets of aggregated IP addresses having a second malicious profile from among the plurality of maliciousness profiles,wherein the first malicious network profile is indicative of a higher maliciousness than the second malicious network profile.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Board of Regents of the University of Michigan (University of Michigan)
Original Assignee
Board of Regents of the University of Michigan (University of Michigan)
Inventors
Liu, Mingyan, Bailey, Michael, Karir, Manish, Liu, Yang, Zhang, Jing
Primary Examiner(s)
Lemma, Samson
Assistant Examiner(s)
Golriz, Arya

Application Number

US14/801,016
Publication Number

US 20160021141A1
Time in Patent Office

1,111 Days
Field of Search
US Class Current
CPC Class Codes

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1483   service impersonation, e.g....

Rating network security posture and comparing network maliciousness

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Rating network security posture and comparing network maliciousness

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links