Systems and methods for detecting transactional message sequences that are obscured in multicast communications
First Claim
1. A computer-implemented method for detecting transactional message sequences that are obscured in multicast communications, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
collecting a sequence of messages that were distributed on a communication channel, wherein:
the sequence of messages comprises at least one obscured cyclic sequence of request-response messages that:
were exchanged by at least two components; and
are interleaved in the sequence of messages; and
each message in the sequence of messages comprises an identifier that indicates a meaning of the message;
constructing a sequence graph from the sequence of messages by:
adding, for each unique message identifier in the sequence of messages, a node to the sequence graph to represent the unique message identifier; and
adding, for each unique sequence transition in the sequence of messages from an immediately-preceding message to an immediately-succeeding message, an edge to the sequence graph to:
represent the unique sequence transition; and
connect the node that represents the identifier of the unique sequence transition's immediately-preceding message to the node that represents the identifier of the unique sequence transition's immediately-succeeding message;
traversing the sequence graph to discover the obscured cyclic sequence of request-response messages; and
performing a security action using a representation of the obscured cyclic sequence of request-response messages.
Abstract
The disclosed computer-implemented method for detecting transactional message sequences that are obscured in multicast communications may include (i) collecting a sequence of messages that were distributed on a communication channel and that include an obscured cyclic sequence of request-response messages that are interleaved in the sequence of messages, (ii) constructing a sequence graph from the sequence of messages by (a) adding, for each unique message identifier in the sequence of messages, a node to represent the unique message identifier and (b) adding, for each unique sequence transition in the sequence of messages from an immediately-preceding message to an immediately-succeeding message, an edge to connect the nodes that represent the identifiers of the unique sequence transition's immediately-preceding and immediately-succeeding messages, (iii) traversing the sequence graph to discover the obscured cyclic sequence of request-response messages, and (iv) performing a security action. Various other methods, systems, and computer-readable media are also disclosed.
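The graph construction the abstract describes, as an added example (not code from the patent): nodes are unique message identifiers and edges are unique transitions between adjacent messages. The capture and its identifier values are constructed, and the depth-first cycle enumeration is an assumed traversal, since the text here does not specify one.

```python
# Constructed capture: message identifiers in arrival order on one multicast
# channel. Transaction A cycles 0x10 -> 0x11; transaction B cycles
# 0x20 -> 0x21 -> 0x22. The tail of the capture interleaves the two.
CAPTURE = [0x10, 0x11, 0x10, 0x11, 0x20, 0x21, 0x22, 0x20, 0x21, 0x22,
           0x10, 0x20, 0x11, 0x21, 0x22, 0x10, 0x11]


def build_sequence_graph(ids):
    """One node per unique identifier, one edge per unique transition
    from a message to the message immediately after it."""
    graph = {i: set() for i in ids}
    for prev, nxt in zip(ids, ids[1:]):
        graph[prev].add(nxt)
    return graph


def find_cycles(graph):
    """Enumerate simple cycles by depth-first search (assumed traversal).
    Each cycle is reported once, starting at its smallest identifier."""
    cycles = set()

    def walk(start, node, path):
        for nxt in graph[node]:
            if nxt == start:
                cycles.add(tuple(path))
            elif nxt > start and nxt not in path:
                # Only visit identifiers above the start node so that a
                # cycle is never rediscovered from one of its other nodes.
                walk(start, nxt, path + [nxt])

    for start in graph:
        walk(start, start, [start])
    # Shortest candidate cycles first, then by identifier order.
    return sorted(cycles, key=lambda c: (len(c), c))


if __name__ == "__main__":
    g = build_sequence_graph(CAPTURE)
    for cycle in find_cycles(g):
        print(" -> ".join(f"0x{i:02x}" for i in cycle))
```

On the sample capture both transaction cycles appear among the results, together with cycles that exist only because the two transactions were interleaved. The text on this page does not say how candidate cycles are ranked or filtered, so the example stops at enumeration.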
20 Claims
16. A system for detecting transactional message sequences that are obscured in multicast communications, the system comprising:
a collecting module, stored in memory, that collects a sequence of messages that were distributed on a communication channel, wherein:
the sequence of messages comprises at least one obscured cyclic sequence of request-response messages that:
were exchanged by at least two components; and
are interleaved in the sequence of messages; and
each message in the sequence of messages comprises an identifier that indicates a meaning of the message;
a constructing module, stored in memory, that constructs a sequence graph from the sequence of messages by:
adding, for each unique message identifier in the sequence of messages, a node to the sequence graph to represent the unique message identifier; and
adding, for each unique sequence transition in the sequence of messages from an immediately-preceding message to an immediately-succeeding message, an edge to the sequence graph to:
represent the unique sequence transition; and
connect the node that represents the identifier of the unique sequence transition's immediately-preceding message to the node that represents the identifier of the unique sequence transition's immediately-succeeding message;
a traversing module, stored in memory, that traverses the sequence graph to discover the obscured cyclic sequence of request-response messages;
a security module, stored in memory, that performs a security action using a representation of the obscured cyclic sequence of request-response messages; and
at least one processor that executes the collecting module, the constructing module, the traversing module, and the security module.
20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
collect a sequence of messages that were distributed on a communication channel, wherein:
the sequence of messages comprises at least one obscured cyclic sequence of request-response messages that:
were exchanged by at least two components; and
are interleaved in the sequence of messages; and
each message in the sequence of messages comprises an identifier that indicates a meaning of the message;
construct a sequence graph from the sequence of messages by:
adding, for each unique message identifier in the sequence of messages, a node to the sequence graph to represent the unique message identifier; and
adding, for each unique sequence transition in the sequence of messages from an immediately-preceding message to an immediately-succeeding message, an edge to the sequence graph to:
represent the unique sequence transition; and
connect the node that represents the identifier of the unique sequence transition's immediately-preceding message to the node that represents the identifier of the unique sequence transition's immediately-succeeding message;
traverse the sequence graph to discover the obscured cyclic sequence of request-response messages; and
perform a security action using a representation of the obscured cyclic sequence of request-response messages.
Specification