Systems and methods for detecting obscure cyclic application-layer message sequences in transport-layer message sequences
First Claim
1. A computer-implemented method for detecting obscure cyclic application-layer message sequences in transport-layer message sequences, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- collecting a composite sequence of transport-layer messages that are exchanged between a first computing device and a second computing device over a single long-standing transport-layer connection, wherein:
  the composite sequence comprises at least a first obscure cyclic sequence of application-layer messages and a second obscure cyclic sequence of application-layer messages that were exchanged by the first computing device and the second computing device; and
  each message in the composite sequence comprises:
    at least one source identifier that identifies the source of the message;
    at least one destination identifier that identifies the destination of the message; and
    a distinguishing feature that distinguishes the message from at least one other message in the composite sequence that is from the same source to the same destination;
- constructing a sequence graph from the composite sequence by:
  generating, for each message in the composite sequence, a tuple from the distinguishing feature of the message and at least one of:
    the source identifier of the message; and
    the destination identifier of the message;
  adding, for each unique tuple that is generated, a node to the sequence graph to represent messages in the composite sequence whose tuple equals the unique tuple; and
  adding, for each sequence transition in the composite sequence from an immediately-preceding message to an immediately-succeeding message, an edge to the sequence graph to:
    represent the sequence transition; and
    connect the node that represents the tuple of the sequence transition's immediately-preceding message to the node that represents the tuple of the sequence transition's immediately-succeeding message;
- traversing the sequence graph to discover the first obscure cyclic sequence; and
- performing a security action using a representation of the first obscure cyclic sequence.
Abstract
The disclosed computer-implemented method for detecting obscure cyclic application-layer message sequences in transport-layer message sequences may include (i) collecting a composite sequence of transport-layer messages that are exchanged between a first computing device and a second computing device over a single long-standing transport-layer connection, (ii) constructing a sequence graph from the composite sequence, (iii) traversing the sequence graph to discover a first obscure cyclic sequence of application-layer messages in the composite sequence, and (iv) performing a security action using a representation of the first obscure cyclic sequence. In some examples, the composite sequence may include the first obscure cyclic sequence and a second obscure cyclic sequence of application-layer messages that were exchanged by the first computing device and the second computing device, and each message in the composite sequence may include a distinguishing feature. Various other methods, systems, and computer-readable media are also disclosed.
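The abstract and claim 1 above describe the same pipeline: turn a composite message sequence captured on one long-lived connection into a sequence graph (one node per unique (source, destination, distinguishing feature) tuple, one edge per transition between consecutive messages), then traverse the graph for cycles and hand a representation of each cycle to a security action. The following is an added example, not code from the patent or its assignee, that walks that pipeline end to end. It assumes the distinguishing feature is the application-layer payload length, it uses a minimum-support heuristic of its own (the smallest transition count along a cycle) to separate repeated application-layer exchanges from cycles that only arise because two exchanges share one connection, and the sample traffic (a two-message keepalive and a three-message poll interleaved on one connection) is constructed for the example.

```python
"""Added example (not the patent's code): sequence graph construction and
cycle discovery over a composite transport-layer message sequence."""
from collections import defaultdict

# One message is (source id, destination id, distinguishing feature).
# The feature here is assumed to be the application-layer payload length.


def build_sequence_graph(messages):
    """Nodes: one per unique (src, dst, feature) tuple, valued by how many
    messages it represents. Edges: one per transition between consecutive
    messages, valued by how many times that transition occurred."""
    nodes = defaultdict(int)
    edges = defaultdict(int)
    prev = None
    for msg in messages:
        key = tuple(msg)
        nodes[key] += 1
        if prev is not None:
            edges[(prev, key)] += 1
        prev = key
    return dict(nodes), dict(edges)


def elementary_cycles(edges):
    """Enumerate every elementary cycle exactly once. Each cycle is reported
    as the rotation that starts at its smallest node: a DFS from each node
    that only descends into larger nodes finds exactly that rotation.
    A self-loop (the same tuple twice in a row) is a one-node cycle."""
    adj = defaultdict(list)
    for a, b in edges:
        adj[a].append(b)
    all_nodes = sorted(set(adj) | {b for _, b in edges})
    order = {k: i for i, k in enumerate(all_nodes)}
    cycles = []

    def dfs(start, node, path, on_path):
        for nxt in adj.get(node, ()):
            if nxt == start:
                cycles.append(tuple(path))
            elif order[nxt] > order[start] and nxt not in on_path:
                path.append(nxt)
                on_path.add(nxt)
                dfs(start, nxt, path, on_path)
                path.pop()
                on_path.remove(nxt)

    for s in all_nodes:
        dfs(s, s, [s], {s})
    return cycles


def cycle_support(cycle, edges):
    """Smallest transition count along the cycle, closing edge included.
    An exchange that really repeated has every edge seen that many times;
    a cycle stitched together from one-off transitions scores low."""
    n = len(cycle)
    return min(edges[(cycle[i], cycle[(i + 1) % n])] for i in range(n))


def discover_cyclic_sequences(messages, min_support=2):
    """Return (cycle, support) pairs, strongest first, dropping cycles whose
    support is below min_support. The threshold is this example's own
    heuristic, not something the patent text specifies."""
    nodes, edges = build_sequence_graph(messages)
    found = [(c, cycle_support(c, edges)) for c in elementary_cycles(edges)]
    return sorted(((c, s) for c, s in found if s >= min_support),
                  key=lambda cs: (-cs[1], cs[0]))


def represent(cycle):
    """Canonical textual representation a security action would consume."""
    return " | ".join(f"{src} -> {dst} [{feat}]" for src, dst, feat in cycle)


# Constructed sample: one long-lived connection between CLIENT and SERVER
# carrying two interleaved application-layer exchanges, a 2-message
# keepalive (KEEPALIVE) and a 3-message poll (POLL).
CLIENT, SERVER = "10.0.0.5:51234", "203.0.113.7:443"
KEEPALIVE = [(CLIENT, SERVER, 40), (SERVER, CLIENT, 40)]
POLL = [(CLIENT, SERVER, 64), (SERVER, CLIENT, 8), (SERVER, CLIENT, 1500)]
COMPOSITE = KEEPALIVE * 3 + POLL * 2 + KEEPALIVE * 2 + POLL * 2


def main():
    for cycle, support in discover_cyclic_sequences(COMPOSITE):
        # The security action itself is application-specific; here we only
        # emit the representation such an action would take as input.
        print(f"support={support}: {represent(cycle)}")


if __name__ == "__main__":
    main()
```

Run as-is, the graph has five nodes and seven distinct transitions, and the traversal finds three elementary cycles: the keepalive (support 3), the poll (support 2), and a five-node cycle that exists only because the capture switched from polling back to keepalives once (support 1). The default threshold keeps the first two, which are the two obscure cyclic sequences the composite was built from; lowering `min_support` to 1 shows why some such filter is needed when several exchanges share one connection.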
20 Claims
1. Independent claim; text reproduced above under First Claim. Dependent claims: 2 through 14.
15. A system for detecting obscure cyclic application-layer message sequences in transport-layer message sequences, the system comprising:
- a collecting module, stored in memory, that collects a composite sequence of transport-layer messages that are exchanged between a first computing device and a second computing device over a single long-standing transport-layer connection, wherein:
  the composite sequence comprises at least a first obscure cyclic sequence of application-layer messages and a second obscure cyclic sequence of application-layer messages that were exchanged by the first computing device and the second computing device; and
  each message in the composite sequence comprises:
    at least one source identifier that identifies the source of the message;
    at least one destination identifier that identifies the destination of the message; and
    a distinguishing feature that distinguishes the message from at least one other message in the composite sequence that is from the same source to the same destination;
- a constructing module, stored in memory, that constructs a sequence graph from the composite sequence by:
  generating, for each message in the composite sequence, a tuple from the distinguishing feature of the message and at least one of:
    the source identifier of the message; and
    the destination identifier of the message;
  adding, for each unique tuple that is generated, a node to the sequence graph to represent messages in the composite sequence whose tuple equals the unique tuple; and
  adding, for each sequence transition in the composite sequence from an immediately-preceding message to an immediately-succeeding message, an edge to the sequence graph to:
    represent the sequence transition; and
    connect the node that represents the tuple of the sequence transition's immediately-preceding message to the node that represents the tuple of the sequence transition's immediately-succeeding message;
- a traversing module, stored in memory, that traverses the sequence graph to discover the first obscure cyclic sequence;
- a security module, stored in memory, that performs a security action using a representation of the first obscure cyclic sequence; and
- at least one physical processor that executes the collecting module, the constructing module, the traversing module, and the security module.
Dependent claims: 16 through 19.
20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- collect a composite sequence of transport-layer messages that are exchanged between a first computing device and a second computing device over a single long-standing transport-layer connection, wherein:
  the composite sequence comprises at least a first obscure cyclic sequence of application-layer messages and a second obscure cyclic sequence of application-layer messages that were exchanged by the first computing device and the second computing device; and
  each message in the composite sequence comprises:
    at least one source identifier that identifies the source of the message;
    at least one destination identifier that identifies the destination of the message; and
    a distinguishing feature that distinguishes the message from at least one other message in the composite sequence that is from the same source to the same destination;
- construct a sequence graph from the composite sequence by:
  generating, for each message in the composite sequence, a tuple from the distinguishing feature of the message and at least one of:
    the source identifier of the message; and
    the destination identifier of the message;
  adding, for each unique tuple that is generated, a node to the sequence graph to represent messages in the composite sequence whose tuple equals the unique tuple; and
  adding, for each sequence transition in the composite sequence from an immediately-preceding message to an immediately-succeeding message, an edge to the sequence graph to:
    represent the sequence transition; and
    connect the node that represents the tuple of the sequence transition's immediately-preceding message to the node that represents the tuple of the sequence transition's immediately-succeeding message;
- traverse the sequence graph to discover the first obscure cyclic sequence; and
- perform a security action using a representation of the first obscure cyclic sequence.
Specification