Rating network security posture and comparing network maliciousness
Abstract
Embodiments are disclosed for profiling network-level malicious activity. Profiling embodiments include observing malicious activity, representing such activity in accordance with a set of representative features, capturing temporal evolution of this malicious behavior and its dynamics, and using this temporal evolution to reveal key risk related properties of these networks. Embodiments are further disclosed addressing the connectedness of various networks and similarity in network-level maliciousness. Embodiments directed to similarity analyses include focusing on the notion of similarity—a quantitative measure of the extent to which the dynamic evolutions of malicious activities from two networks are alike, and mapping this behavioral similarity to their similarity in certain spatial features, which includes their relative proximity to each other and may be used to help predict the future maliciousness of a particular network. The embodiments described may be applicable to various network aggregation levels.
21 Claims
1. A method for rating malicious network activity, the method comprising:
- aggregating, by one or more hardware processors, sets of internet protocol (IP) addresses from monitored network traffic over a sampling period;
- measuring, by the one or more hardware processors, a number of malicious IP addresses within each of the aggregated sets of IP addresses over a plurality of time intervals within the sampling period, the malicious IP addresses being known prior to the aggregation of the sets of IP addresses based upon their inclusion within a reference list;
- generating, by the one or more hardware processors, a plurality of aggregate signals, each aggregate signal from among the plurality of aggregate signals being associated with a respective time interval from among the plurality of time intervals and having a magnitude based on the number of malicious IP addresses within each respective time interval, wherein a higher number of malicious IP addresses is associated with a higher magnitude, and wherein the malicious IP addresses are associated with one or more categories of malicious network behavior,
- categorizing, by the one or more hardware processors, each respective one of the plurality of aggregate signals that is associated with each respective time interval into one of a good, normal, or bad malicious region relative to an average magnitude of the plurality of aggregate signals over the duration of the sampling period, wherein categorizing each respective one of the plurality of aggregate signals comprises categorizing each respective one of the plurality of aggregate signals into one of a good, normal, or bad malicious region by determining the average magnitude of the plurality of aggregate signals by evaluating the equation;

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A network analyzer for rating malicious network activity, the network analyzer comprising:
- a network interface configured to monitor network traffic; and
- a hardware processor configured to:
  - aggregate sets of internet protocol (IP) addresses within the monitored network traffic over a sampling period;
  - measure a number of malicious IP addresses within each of the aggregated sets of IP addresses at a plurality of time intervals within the sampling period, the malicious IP addresses being known prior to the aggregation of the sets of IP addresses based upon their inclusion within a reference list;
  - generate a plurality of aggregate signals, each aggregate signal from among the plurality of aggregate signals being associated with a respective time interval from among the plurality of time intervals and having a magnitude based on the number of malicious IP addresses within each respective time interval, wherein a higher number of malicious IP addresses is associated with a higher magnitude, and wherein the malicious IP addresses are associated with one or more categories of malicious network behavior,
  - categorize each respective one of the plurality of aggregate signals that is associated with each respective time interval into one of a good, normal, or bad malicious region relative to an average magnitude of the plurality of aggregate signals over the duration of the sampling period, wherein the hardware processor is further configured to categorize each of the plurality of aggregate signals by categorizing each respective one of the plurality of aggregate signals into one of a good, normal, or bad malicious region by determining the average magnitude of the plurality of aggregate signals by evaluating the equation;

Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21
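The independent claims describe one pipeline: aggregate observed IPs into sets per network over a sampling period, count how many of each set appear on a reference list that was fixed before aggregation, emit one aggregate signal per time interval, and label each interval good, normal or bad relative to the average magnitude over the whole period. The following Python is an added illustration of that pipeline, not code from the patent or its assignee. The claims refer to an equation that is not reproduced on this page, so the good/normal/bad boundaries here (mean plus or minus one population standard deviation) are an assumption; the /24 prefix as the aggregation level, the reference list and the traffic sample are all constructed from TEST-NET ranges and are not real indicators.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed reference list of "known malicious" addresses (TEST-NET values, not real IoCs).
# Per the claim, this list is fixed BEFORE aggregation; snapshot it as a frozenset so that
# later feed updates cannot change the counts for a sampling period already in progress.
REFERENCE_LIST = frozenset({
    "203.0.113.7", "203.0.113.42", "203.0.113.77", "203.0.113.99",
    "198.51.100.9",
    "192.0.2.200",
})

# Constructed monitored traffic: (time_interval_index, observed_source_ip).
SAMPLED_TRAFFIC = [
    (0, "203.0.113.7"), (0, "203.0.113.10"), (0, "198.51.100.9"),
    (1, "203.0.113.7"), (1, "203.0.113.42"), (1, "203.0.113.11"), (1, "198.51.100.9"),
    (2, "203.0.113.12"), (2, "198.51.100.12"),
    (3, "203.0.113.7"), (3, "203.0.113.42"), (3, "203.0.113.77"), (3, "203.0.113.99"),
    (3, "198.51.100.9"), (3, "192.0.2.200"),
]


def aggregate_by_prefix(traffic, prefix_len=24):
    """Group observed IPs into sets keyed by (interval, network prefix).

    The prefix length is the 'network aggregation level'; /24 is an assumed choice.
    """
    sets = defaultdict(set)
    for interval, ip in traffic:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        sets[(interval, str(net))].add(ip)
    return sets


def aggregate_signals(sets, reference, intervals):
    """One magnitude per interval and network: the count of reference-listed IPs seen there.

    A higher count is a higher magnitude, as the claim requires. Intervals in which a
    network was not observed at all keep magnitude 0.
    """
    signals = defaultdict(lambda: [0] * intervals)
    for (interval, net), ips in sets.items():
        signals[net][interval] = len(ips & reference)
    return dict(signals)


def categorize(signal, band=1.0):
    """Label each interval relative to the average magnitude over the whole sampling period.

    ASSUMED boundary rule (the patent's equation is not on this page): magnitudes more than
    `band` population standard deviations above the mean are 'bad', more than `band` below
    are 'good', everything else is 'normal'. A flat signal (sd == 0) is all 'normal'.
    """
    mean = statistics.fmean(signal)
    sd = statistics.pstdev(signal)
    labels = []
    for magnitude in signal:
        if magnitude > mean + band * sd:
            labels.append("bad")
        elif magnitude < mean - band * sd:
            labels.append("good")
        else:
            labels.append("normal")
    return mean, labels


def rate_networks(traffic, reference, intervals, prefix_len=24):
    """Run the full pipeline and return, per network, its signal, mean and interval labels."""
    sets = aggregate_by_prefix(traffic, prefix_len)
    result = {}
    for net, signal in aggregate_signals(sets, reference, intervals).items():
        mean, labels = categorize(signal)
        result[net] = {"signal": signal, "mean": mean, "labels": labels}
    return result


if __name__ == "__main__":
    for net, r in sorted(rate_networks(SAMPLED_TRAFFIC, REFERENCE_LIST, 4).items()):
        print(net, r["signal"], f"mean={r['mean']:.2f}", r["labels"])
```

The per-network `mean` is the quantity the claims compare against, and the list of labels is the categorized aggregate signal; a defender would typically alert on a network whose recent intervals move from "normal" to "bad" rather than on any single reference-list hit, since the labels are relative to that network's own baseline over the sampling period.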