Systems and methods for detecting obscure cyclic application-layer message sequences in transport-layer message sequences

  • US 10,200,259 B1
  • Filed: 09/21/2016
  • Issued: 02/05/2019
  • Est. Priority Date: 09/21/2016
  • Status: Active Grant
First Claim
1. A computer-implemented method for detecting obscure cyclic application-layer message sequences in transport-layer message sequences, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

  • collecting a composite sequence of transport-layer messages that are exchanged between a first computing device and a second computing device over a single long-standing transport-layer connection, wherein:
    • the composite sequence comprises at least a first obscure cyclic sequence of application-layer messages and a second obscure cyclic sequence of application-layer messages that were exchanged by the first computing device and the second computing device; and
    • each message in the composite sequence comprises:
      • at least one source identifier that identifies the source of the message;
      • at least one destination identifier that identifies the destination of the message; and
      • a distinguishing feature that distinguishes the message from at least one other message in the composite sequence that is from the same source to the same destination;
  • constructing a sequence graph from the composite sequence by:
    • generating, for each message in the composite sequence, a tuple from the distinguishing feature of the message and at least one of:
      • the source identifier of the message; and
      • the destination identifier of the message;
    • adding, for each unique tuple that is generated, a node to the sequence graph to represent messages in the composite sequence whose tuple equals the unique tuple; and
    • adding, for each sequence transition in the composite sequence from an immediately-preceding message to an immediately-succeeding message, an edge to the sequence graph to:
      • represent the sequence transition; and
      • connect the node that represents the tuple of the sequence transition's immediately-preceding message to the node that represents the tuple of the sequence transition's immediately-succeeding message;
  • traversing the sequence graph to discover the first obscure cyclic sequence; and
  • performing a security action using a representation of the first obscure cyclic sequence.
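The claim describes a concrete graph construction: one node per unique (source, destination, feature) tuple, one directed edge per transition between consecutive messages, then a traversal that recovers the cycles hidden in the interleaved composite sequence. The following is an added illustration of that construction, written for this page and not code from the patent or its assignee. It assumes a composite sequence already reduced to (source, destination, feature) triples; the host names, the "ping"/"pong"/"req"/"resp" features and the baseline of known-good cycles are constructed sample data, and the simple-cycle enumeration (a DFS rooted at each cycle's smallest node) is one reasonable traversal, not necessarily the one the patent has in mind.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence, Set, Tuple

# A transport-layer message reduced to the three fields the claim relies on:
# (source identifier, destination identifier, distinguishing feature).
Message = Tuple[str, str, str]
Node = Tuple[str, str, str]


def build_sequence_graph(composite: Iterable[Message]):
    """Nodes: one per unique (source, destination, feature) tuple.
    Edges: one per transition from a message to its immediate successor,
    weighted by how often that transition was observed on the connection."""
    nodes: Set[Node] = set()
    edges: Dict[Node, Dict[Node, int]] = defaultdict(lambda: defaultdict(int))
    prev = None
    for src, dst, feature in composite:
        node = (src, dst, feature)
        nodes.add(node)
        if prev is not None:
            edges[prev][node] += 1
        prev = node
    return nodes, edges


def find_simple_cycles(nodes: Set[Node], edges) -> List[List[Node]]:
    """Traverse the sequence graph and return every simple cycle exactly once.
    Each cycle is rooted at its smallest node, and the DFS from a root only
    visits nodes larger than that root, so no rotation of a cycle repeats."""
    cycles: List[List[Node]] = []

    def dfs(root: Node, current: Node, path: List[Node]) -> None:
        for nxt in edges.get(current, {}):
            if nxt == root:
                cycles.append(list(path))          # closed the loop back to the root
            elif nxt > root and nxt not in path:   # extend only with unvisited, larger nodes
                path.append(nxt)
                dfs(root, nxt, path)
                path.pop()

    for root in sorted(nodes):
        dfs(root, root, [root])
    return cycles


def signature(cycle: Sequence[Node]) -> str:
    """Stable textual representation of a cycle, usable as input to a security action."""
    return " | ".join(f"{src}->{dst}:{feature}" for src, dst, feature in cycle)


def detect_cyclic_sequences(composite: Iterable[Message]) -> List[str]:
    nodes, edges = build_sequence_graph(composite)
    return [signature(c) for c in find_simple_cycles(nodes, edges)]


def flag_unknown_cycles(signatures: Iterable[str], baseline: Set[str]) -> List[str]:
    """Example security action: report cycles absent from a baseline of expected
    application-layer exchanges so an analyst can review them."""
    return [s for s in signatures if s not in baseline]


# Constructed sample: a heartbeat (ping/pong) and a request/response exchange
# interleaved on one long-standing connection between two hypothetical hosts.
SAMPLE_COMPOSITE: List[Message] = [
    ("host-a", "host-b", "ping"), ("host-b", "host-a", "pong"),
    ("host-a", "host-b", "ping"), ("host-b", "host-a", "pong"),
    ("host-a", "host-b", "req"),  ("host-b", "host-a", "resp"),
    ("host-a", "host-b", "req"),  ("host-b", "host-a", "resp"),
    ("host-a", "host-b", "ping"), ("host-b", "host-a", "pong"),
    ("host-a", "host-b", "req"),  ("host-b", "host-a", "resp"),
]

# Constructed baseline: only the request/response cycle is expected here.
SAMPLE_BASELINE: Set[str] = {"host-a->host-b:req | host-b->host-a:resp"}


if __name__ == "__main__":
    found = detect_cyclic_sequences(SAMPLE_COMPOSITE)
    for sig in found:
        print("cycle:", sig)
    for sig in flag_unknown_cycles(found, SAMPLE_BASELINE):
        print("not in baseline:", sig)
```

Besides the two genuine application-layer cycles (ping/pong and req/resp), the traversal also reports the longer cycle formed where one exchange hands over to the other; that is an artifact of the interleaving rather than a third protocol, so a practitioner would typically rank discovered cycles by edge weight or by how often they recur contiguously before acting on them.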

  • 2 Assignments