Systems and methods for detecting obscure cyclic application-layer message sequences in transport-layer message sequences

US 10,200,259 B1
Filed: 09/21/2016
Issued: 02/05/2019
Est. Priority Date: 09/21/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting obscure cyclic application-layer message sequences in transport-layer message sequences, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

collecting a composite sequence of transport-layer messages that are exchanged between a first computing device and a second computing device over a single long-standing transport-layer connection, wherein;

the composite sequence comprises at least a first obscure cyclic sequence of application-layer messages and a second obscure cyclic sequence of application-layer messages that were exchanged by the first computing device and the second computing device; and

each message in the composite sequence comprises;

at least one source identifier that identifies the source of the message;

at least one destination identifier that identifies the destination of the message; and

a distinguishing feature that distinguishes the message from at least one other message in the composite sequence that is from the same source to the same destination;

constructing a sequence graph from the composite sequence by;

generating, for each message in the composite sequence, a tuple from the distinguishing feature of the message and at least one of;

the source identifier of the message; and

the destination identifier of the message;

adding, for each unique tuple that is generated, a node to the sequence graph to represent messages in the composite sequence whose tuple equals the unique tuple; and

adding, for each sequence transition in the composite sequence from an immediately-preceding message to an immediately-succeeding message, an edge to the sequence graph to;

represent the sequence transition; and

connect the node that represents the tuple of the sequence transition'"'"'s immediately-preceding message to the node that represents the tuple of the sequence transition'"'"'s immediately-succeeding message;

traversing the sequence graph to discover the first obscure cyclic sequence; and

performing a security action using a representation of the first obscure cyclic sequence.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for detecting obscure cyclic application-layer message sequences in transport-layer message sequences may include (i) collecting a composite sequence of transport-layer messages that are exchanged between a first computing device and a second computing device over a single long-standing transport-layer connection, (ii) constructing a sequence graph from the composite sequence, (iii) traversing the sequence graph to discover a first obscure cyclic sequence of application-layer messages in the composite sequence, and (iv) performing a security action using a representation of the first obscure cyclic sequence. In some examples, the composite sequence may include the first obscure cyclic sequence and a second obscure cyclic sequence of application-layer messages that were exchanged by the first computing device and the second computing device, and each message in the composite sequence may include a distinguishing feature. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for detecting obscure cyclic application-layer message sequences in transport-layer message sequences, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- collecting a composite sequence of transport-layer messages that are exchanged between a first computing device and a second computing device over a single long-standing transport-layer connection, wherein;
  
  the composite sequence comprises at least a first obscure cyclic sequence of application-layer messages and a second obscure cyclic sequence of application-layer messages that were exchanged by the first computing device and the second computing device; and
  
  each message in the composite sequence comprises;
  
  at least one source identifier that identifies the source of the message;
  
  at least one destination identifier that identifies the destination of the message; and
  
  a distinguishing feature that distinguishes the message from at least one other message in the composite sequence that is from the same source to the same destination;
  
  constructing a sequence graph from the composite sequence by;
  
  generating, for each message in the composite sequence, a tuple from the distinguishing feature of the message and at least one of;
  
  the source identifier of the message; and
  
  the destination identifier of the message;
  
  adding, for each unique tuple that is generated, a node to the sequence graph to represent messages in the composite sequence whose tuple equals the unique tuple; and
  
  adding, for each sequence transition in the composite sequence from an immediately-preceding message to an immediately-succeeding message, an edge to the sequence graph to;
  
  represent the sequence transition; and
  
  connect the node that represents the tuple of the sequence transition'"'"'s immediately-preceding message to the node that represents the tuple of the sequence transition'"'"'s immediately-succeeding message;
  
  traversing the sequence graph to discover the first obscure cyclic sequence; and
  
  performing a security action using a representation of the first obscure cyclic sequence.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computer-implemented method of claim 1, wherein:
    - the first computing device comprises a supervisory station of an industrial control system;
      
      the second computing device comprises an industrial device of the industrial control system;
      
      the source identifier and the destination identifier of each message in the composite sequence comprise a transport-layer identifier; and
      
      the distinguishing feature of each message in the composite sequence comprises a length of an application-layer payload of the message.
  - 3. The computer-implemented method of claim 1, wherein collecting the composite sequence comprises:
    - logging the distinguishing feature of each message in the composite sequence;
      
      logging an order in which each message in the composite sequence was observed; and
      
      logging a time at which each message in the composite sequence was observed.
  - 4. The computer-implemented method of claim 1, wherein:
    - constructing the sequence graph further comprises;
      
      analyzing times at which messages in the composite sequence were observed;
      
      discovering, based at least in part on analyzing the times, a tuple of the first message in the first obscure cyclic sequence; and
      
      discovering, based at least in part on analyzing the times, a tuple of the last message in the first obscure cyclic sequence; and
      
      traversing the sequence graph to discover the first obscure cyclic sequence comprises traversing the sequence graph from a representation of the first message to a representation of the last message to discover a tuple of at least one intermediate message of the first obscure cyclic sequence.
  - 5. The computer-implemented method of claim 4, wherein constructing the sequence graph further comprises:
    - creating, for each node in the sequence graph, a dictionary of sequence transitions; and
      
      adding, for each sequence transition in the composite sequence whose preceding message'"'"'s tuple is equal to the tuple that is represented by the node, an entry to the dictionary to represent the sequence transition, wherein;
      
      the entry comprises;
      
      a succeeding-message tuple that is equal to the tuple of the sequence transition'"'"'s succeeding message;
      
      a transition order that is equal to the order of the sequence transition in the composite sequence; and
      
      a time interval equal to the amount of time between observances of the sequence transition'"'"'s preceding message and the sequence transition'"'"'s succeeding message; and
      
      the edge that connects the nodes that represent the tuples of the sequence transition'"'"'s preceding and succeeding messages comprises a directed edge that is incident from the node that represents the tuple of the sequence transition'"'"'s preceding message and incident to the node that represents the tuple of the sequence transition'"'"'s succeeding message.
  - 6. The computer-implemented method of claim 5, wherein:
    - traversing the sequence graph from the representation of the first message to the representation of the last message comprises determining a tuple of the second message in the first obscure cyclic sequence by;
      
      visiting a node in the sequence graph;
      
      locating an entry in the node'"'"'s dictionary whose succeeding-message tuple is equal to the tuple of the first message;
      
      traversing the sequence graph along a directed edge incident from the node and incident to an adjacent node;
      
      locating an adjacent entry in the adjacent node'"'"'s dictionary whose transition order is one more than the transition order of the entry; and
      
      determining, based at least in part on locating the adjacent entry in the adjacent node'"'"'s dictionary, that the tuple of the second message is the same as the succeeding-message tuple of the adjacent entry; and
      
      the representation of the first message comprises the entry.
  - 7. The computer-implemented method of claim 6, wherein:
    - traversing the sequence graph from the representation of the first message to the representation of the last message further comprises determining a tuple of the second-to-last message in the first obscure cyclic sequence by;
      
      visiting, after traversing the sequence graph along the directed edge incident from the node and incident to the adjacent node, an additional node in the sequence graph;
      
      locating an additional entry in the additional node'"'"'s dictionary whose succeeding-message tuple is equal to the tuple of the last message; and
      
      determining, based at least in part on locating the additional entry, that the tuple of the second-to-last message is equal to the tuple represented by the additional node; and
      
      the representation of the last message comprises the additional entry.
  - 8. The computer-implemented method of claim 4, wherein:
    - analyzing the times comprises;
      
      identifying a plurality of messages in the composite sequence whose tuples match; and
      
      identifying, for each message in the plurality of messages, a time interval that is equal to the amount of time between observances of the message and an immediately preceding message in the composite sequence; and
      
      discovering the tuple of the first message comprises;
      
      determining that a variation in the time intervals of the plurality of messages is greater than a predetermined threshold; and
      
      determining, based at least in part on the variation being greater than the predetermined threshold, that the tuple of the first message is the same as the tuples of the plurality of messages.
  - 9. The computer-implemented method of claim 4, wherein:
    - analyzing the times comprises;
      
      identifying a plurality of messages in the composite sequence whose tuples match; and
      
      identifying, for each message in the plurality of messages, a time interval that is equal to the amount of time between observances of the message and an immediately preceding message in the composite sequence; and
      
      discovering the tuple of the first message comprises;
      
      determining that an average of the time intervals of the plurality of messages is greater than a predetermined threshold; and
      
      determining, based at least in part on the average being greater than the predetermined threshold, that the tuple of the first message is the same as the tuples of the plurality of messages.
  - 10. The computer-implemented method of claim 4, wherein:
    - analyzing the times comprises;
      
      identifying a plurality of messages in the composite sequence whose tuples match; and
      
      identifying, for each message in the plurality of messages, a time interval that is equal to the amount of time between observances of the message and an immediately succeeding message in the composite sequence; and
      
      discovering the tuple of the last message comprises;
      
      determining that a variation in the time intervals of the plurality of messages is greater than a predetermined threshold; and
      
      determining, based at least in part on the variation being greater than the predetermined threshold, that the tuple of the last message is the same as the tuples of the plurality of messages.
  - 11. The computer-implemented method of claim 4, wherein:
    - analyzing the times comprises;
      
      identifying a plurality of messages in the composite sequence whose tuples match; and
      
      identifying, for each message in the plurality of messages, a time interval that is equal to the amount of time between observances of the message and an immediately succeeding message in the composite sequence; and
      
      discovering the tuple of the last message comprises;
      
      determining that an average of the time intervals of the plurality of messages is greater than a predetermined threshold; and
      
      determining, based at least in part on the average being greater than the predetermined threshold, that the tuple of the last message is the same as the tuples of the plurality of messages.
  - 12. The computer-implemented method of claim 1, wherein traversing the sequence graph to discover the first obscure cyclic sequence comprises traversing the sequence graph to discover each instance of the first obscure cyclic sequence in the composite sequence.
  - 13. The computer-implemented method of claim 1, wherein performing the security action comprises:
    - monitoring an additional composite sequence of transport-layer messages that are exchanged between the first computing device and the second computing device; and
      
      using the representation of the first obscure cyclic sequence to detect an anomaly in the additional composite sequence.
  - 14. The computer-implemented method of claim 1, wherein performing the security action comprises:
    - compiling a dataset that comprises at least each instance of the first obscure cyclic sequence in the composite sequence; and
      
      performing deep packet inspection on the dataset to discover at least one of a common field, a random field, and a discrete field of an application-layer message in the first obscure cyclic sequence.

15. A system for detecting obscure cyclic application-layer message sequences in transport-layer message sequences, the system comprising:
- a collecting module, stored in memory, that collects a composite sequence of transport-layer messages that are exchanged between a first computing device and a second computing device over a single long-standing transport-layer connection, wherein;
  
  the composite sequence comprises at least a first obscure cyclic sequence of application-layer messages and a second obscure cyclic sequence of application-layer messages that were exchanged by the first computing device and the second computing device; and
  
  each message in the composite sequence comprises;
  
  at least one source identifier that identifies the source of the message;
  
  at least one destination identifier that identifies the destination of the message; and
  
  a distinguishing feature that distinguishes the message from at least one other message in the composite sequence that is from the same source to the same destination;
  
  a constructing module, stored in memory, that constructs a sequence graph from the composite sequence by;
  
  generating, for each message in the composite sequence, a tuple from the distinguishing feature of the message and at least one of;
  
  the source identifier of the message; and
  
  the destination identifier of the message;
  
  adding, for each unique tuple that is generated, a node to the sequence graph to represent messages in the composite sequence whose tuple equals the unique tuple; and
  
  adding, for each sequence transition in the composite sequence from an immediately-preceding message to an immediately-succeeding message, an edge to the sequence graph to;
  
  represent the sequence transition; and
  
  connect the node that represents the tuple of the sequence transition'"'"'s immediately-preceding message to the node that represents the tuple of the sequence transition'"'"'s immediately-succeeding message;
  
  a traversing module, stored in memory, that traverses the sequence graph to discover the first obscure cyclic sequence;
  
  a security module, stored in memory, that performs a security action using a representation of the first obscure cyclic sequence; and
  
  at least one physical processor that executes the collecting module, the constructing module, the traversing module, and the security module.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The system of claim 15, wherein:
    - the first computing device comprises a supervisory station of an industrial control system;
      
      the second computing device comprises an industrial device of the industrial control system;
      
      the source identifier and the destination identifier of each message in the composite sequence comprise a transport-layer identifier; and
      
      the distinguishing feature of each message in the composite sequence comprises a length of an application-layer payload of the message.
  - 17. The system of claim 15, wherein the collecting module collects the composite sequence by:
    - logging the distinguishing feature of each message in the composite sequence;
      
      logging an order in which each message in the composite sequence was observed; and
      
      logging a time at which each message in the composite sequence was observed.
  - 18. The system of claim 15, wherein:
    - the constructing module constructs the sequence graph by further;
      
      analyzing times at which messages in the composite sequence were observed;
      
      discovering, based at least in part on analyzing the times, a tuple of the first message in the first obscure cyclic sequence; and
      
      discovering, based at least in part on analyzing the times, a tuple of the last message in the first obscure cyclic sequence; and
      
      the traversing module traverses the sequence graph to discover the first obscure cyclic sequence by traversing the sequence graph from a representation of the first message to a representation of the last message to discover a tuple of at least one intermediate message of the first obscure cyclic sequence.
  - 19. The system of claim 18, wherein the constructing module constructs the sequence graph by further:
    - creating, for each node in the sequence graph, a dictionary of sequence transitions; and
      
      adding, for each sequence transition in the composite sequence whose preceding message'"'"'s tuple is equal to the tuple that is represented by the node, an entry to the dictionary to represent the sequence transition, wherein;
      
      the entry comprises;
      
      a succeeding-message tuple that is equal to the tuple of the sequence transition'"'"'s succeeding message;
      
      a transition order that is equal to the order of the sequence transition in the composite sequence; and
      
      a time interval equal to the amount of time between observances of the sequence transition'"'"'s preceding message and the sequence transition'"'"'s succeeding message; and
      
      the edge that connects the nodes that represent the tuples of the sequence transition'"'"'s preceding and succeeding messages comprises a directed edge that is incident from the node that represents the tuple of the sequence transition'"'"'s preceding message and incident to the node that represents the tuple of the sequence transition'"'"'s succeeding message.

20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- collect a composite sequence of transport-layer messages that are exchanged between a first computing device and a second computing device over a single long-standing transport-layer connection, wherein;
  
  the composite sequence comprises at least a first obscure cyclic sequence of application-layer messages and a second obscure cyclic sequence of application-layer messages that were exchanged by the first computing device and the second computing device; and
  
  each message in the composite sequence comprises;
  
  at least one source identifier that identifies the source of the message;
  
  at least one destination identifier that identifies the destination of the message; and
  
  a distinguishing feature that distinguishes the message from at least one other message in the composite sequence that is from the same source to the same destination;
  
  construct a sequence graph from the composite sequence by;
  
  generating, for each message in the composite sequence, a tuple from the distinguishing feature of the message and at least one of;
  
  the source identifier of the message; and
  
  the destination identifier of the message;
  
  adding, for each unique tuple that is generated, a node to the sequence graph to represent messages in the composite sequence whose tuple equals the unique tuple; and
  
  adding, for each sequence transition in the composite sequence from an immediately-preceding message to an immediately-succeeding message, an edge to the sequence graph to;
  
  represent the sequence transition; and
  
  connect the node that represents the tuple of the sequence transition'"'"'s immediately-preceding message to the node that represents the tuple of the sequence transition'"'"'s immediately-succeeding message;
  
  traverse the sequence graph to discover the first obscure cyclic sequence; and
  
  perform a security action using a representation of the first obscure cyclic sequence.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Pukish, Michael Sylvester, Zhao, Zhipeng, Mugambi, Ernest
Primary Examiner(s)
Donabed, Ninos

Application Number

US15/271,494
Time in Patent Office

867 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/50   Testing arrangements

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/166   at the transport layer

H04L 69/16   Implementation or adaptatio...

H04L 69/22   Parsing or analysis of headers

H04L 69/326   in the transport layer [OSI...

H04L 69/329   in the application layer [O...

Systems and methods for detecting obscure cyclic application-layer message sequences in transport-layer message sequences

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting obscure cyclic application-layer message sequences in transport-layer message sequences

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links