Systems and methods for detecting an attack on an auto-generated website by a virtual machine

US 10,320,817 B2
Filed: 11/16/2016
Issued: 06/11/2019
Est. Priority Date: 11/16/2016
Status: Active Grant

First Claim

Patent Images

1. A system for detecting an attack by a first virtual or physical machine on one or more auto-generated websites, the system comprising:

a processor;

a memory; and

an application stored in the memory and including instructions, which are executable by the processor and that are configured toaccess an index of a search engine server computer and determine uniform resource locators (URLs) of a plurality of auto-generated websites, wherein the plurality of auto-generated websites include the one or more auto-generated websites;

access a plurality of Internet protocol (IP) address-URL entries stored in a domain name system server computer;

determine a first feature based on the URLs of the plurality of auto-generated websites and the IP address-URL entries, wherein the application, in determining the first feature, (i) determines which IP addresses in the IP address-URL entries are associated with hosting one of the plurality of auto-generated websites, and (ii) for each IP address in the IP address-URL entries, counts a number of corresponding URLs;

collect header data of packets transmitted to or received from the first virtual or physical machine;

determine a second feature based on the first feature and the header data;

based on the second feature, generate a value indicative of whether the first virtual or physical machine has attacked the one or more auto-generated websites; and

perform a countermeasure based on the value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting an attack by a virtual or physical machine on one or more auto-generated websites is provided. The system includes a processor, a memory, and an application. The application is stored in the memory and includes instructions, which are executable by the processor. The instructions are configured to: access an index of a search engine server computer and determine uniform resource locators (URLs) of auto-generated websites, where the auto-generated websites include the one or more auto-generated websites; and access Internet protocol (IP) address-URL entries stored in a domain name system server computer. The instructions are also configured to: determine a first feature based on the URLs of the auto-generated websites and the IP address-URL entries; collect header data of packets transmitted to or received from the virtual or physical machine; determine a second feature based on the first feature and the header data; based on the second feature, generate a value indicative of whether the first virtual or physical machine has attacked the one or more auto-generated websites; and perform a countermeasure based on the value.

Citations

14 Claims

1. A system for detecting an attack by a first virtual or physical machine on one or more auto-generated websites, the system comprising:
- a processor;
  
  a memory; and
  
  an application stored in the memory and including instructions, which are executable by the processor and that are configured toaccess an index of a search engine server computer and determine uniform resource locators (URLs) of a plurality of auto-generated websites, wherein the plurality of auto-generated websites include the one or more auto-generated websites;
  
  access a plurality of Internet protocol (IP) address-URL entries stored in a domain name system server computer;
  
  determine a first feature based on the URLs of the plurality of auto-generated websites and the IP address-URL entries, wherein the application, in determining the first feature, (i) determines which IP addresses in the IP address-URL entries are associated with hosting one of the plurality of auto-generated websites, and (ii) for each IP address in the IP address-URL entries, counts a number of corresponding URLs;
  
  collect header data of packets transmitted to or received from the first virtual or physical machine;
  
  determine a second feature based on the first feature and the header data;
  
  based on the second feature, generate a value indicative of whether the first virtual or physical machine has attacked the one or more auto-generated websites; and
  
  perform a countermeasure based on the value.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein:
    - the header data includes Internet protocol flow information export (IPFIX) data; and
      
      the application causes the processor to determine the second feature based on the IPFIX data.
  - 3. The system of claim 1, wherein:
    - the application is configured to determine a first plurality of features;
      
      the first plurality of features include the first feature;
      
      the application is configured tocollect Internet protocol flow information export (IPFIX) data in headers of the packets transmitted to or received from the first virtual or physical machine;
      
      determine a second plurality of features based on (i) the first plurality of features, and (ii) the IPFIX data; and
      
      based on the second plurality of features, generate the value indicative of whether the first virtual or physical machine has attacked the one or more auto-generated websites.
  - 4. The system of claim 3, wherein the application, in determining the second plurality of features:
    - determines a total number of IP addresses to which the first virtual or physical machine is communicating;
      
      determines a number of IP addresses of auto-generated websites to which the first virtual or physical machine is communicating;
      
      determines a ratio between the total number of IP addresses and the number of IP addresses of auto-generated websites to which the first virtual or physical machine is communicating;
      
      determines a number of synchronization transmission control protocol flags in outgoing communication of the first virtual or physical machine; and
      
      determines percentages of URLs corresponding to each IP address to which the first virtual or physical machine is communicating.
  - 5. The system of claim 1, wherein the application is configured to generate the value indicative of whether the first virtual or physical machine has attacked the one or more auto-generated websites based on a classification learning algorithm.
  - 6. The system of claim 5, wherein the classification learning algorithm is a gradient boosted tree learning algorithm.
  - 7. The system of claim 1, wherein the application is configured to:
    - collect header data of packets transmitted to or received from a second virtual or physical machine;
      
      determine a third feature based on the first feature and the header data;
      
      based on the third feature, generate a second value indicative of whether the second virtual or physical machine has attacked one of the plurality of auto-generated websites; and
      
      perform the countermeasure based on the second value.

8. A tangible computer readable device storing instructions executable by a processor for detecting an attack by a first virtual or physical machine on one or more auto-generated websites, the instructions comprising:
- determining uniform resource locators (URLs) of a plurality of auto-generated websites based on an index of a search engine server computer, wherein the plurality of auto-generated websites include the one or more auto-generated websites;
  
  accessing a plurality of Internet protocol (IP) address-URL entries in a domain name system server computer;
  
  determining a first feature based on the URLs of the plurality of auto-generated websites and the IP address-URL entries, wherein determining the first feature includes (i) determining which IP addresses in the IP address-URL entries are associated with hosting one of the plurality of auto-generated websites, and (ii) for each IP address in the IP address-URL entries, counting a number of corresponding URLs;
  
  collecting header data of packets transmitted to or received from the first virtual or physical machine;
  
  determining a second feature based on the first feature and the header data;
  
  based on the second feature, generating a value indicative of whether the first virtual or physical machine has attacked the one or more auto-generated websites; and
  
  performing a countermeasure based on the value.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The tangible computer readable device of claim 8, further comprising instructions for determining the second feature based on Internet protocol flow information export (IPFIX) data, wherein the header data includes the IPFIX data.
  - 10. The tangible computer readable device of claim 8, further comprising instructions for:
    - determining a first plurality of features, wherein the first plurality of features include the first feature;
      
      collecting Internet protocol flow information export (IPFIX) data in headers of the packets transmitted to or received from the first virtual or physical machine;
      
      determining a second plurality of features based on (i) the first plurality of features, and (ii) the IPFIX data; and
      
      based on the second plurality of features, generating the value indicative of whether the first virtual or physical machine has attacked the one or more auto-generated websites.
  - 11. The tangible computer readable device of claim 10, wherein determining the second plurality of features includes:
    - determining a total number of IP addresses to which the first virtual or physical machine is communicating;
      
      determining a number of IP addresses of auto-generated websites to which the first virtual or physical machine is communicating;
      
      determining a ratio between the total number of IP addresses and the number of IP addresses of auto-generated websites to which the first virtual or physical machine is communicating;
      
      determining a number of synchronization transmission control protocol flags in outgoing communication of the first virtual or physical machine; and
      
      determining percentages of URLs corresponding to each IP address to which the first virtual or physical machine is communicating.
  - 12. The tangible computer readable device of claim 8, further comprising instructions for generating the value indicative of whether the first virtual or physical machine has attacked the one or more auto-generated websites based on a classification learning algorithm.
  - 13. The tangible computer readable device of claim 12, wherein the classification learning algorithm is a gradient boosted tree learning algorithm.
  - 14. The tangible computer readable device of claim 8, further comprising instructions for:
    - collecting header data of packets transmitted to or received from a second virtual or physical machine;
      
      determining a third feature based on the first feature and the header data;
      
      based on the third feature, generating a second value indicative of whether the second virtual or physical machine has attacked one of the plurality of auto-generated websites; and
      
      performing the countermeasure based on the second value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Neuvirth-Telem, Hani, Yom-Tov, Elad, Ronen, Royi, Hilevich, Daniel Alon
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Zhu, Zhimei

Application Number

US15/352,714
Publication Number

US 20180139215A1
Time in Patent Office

937 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 67/02   based on web technology, e....

H04L 67/146   Markers for unambiguous ide...

Systems and methods for detecting an attack on an auto-generated website by a virtual machine

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting an attack on an auto-generated website by a virtual machine

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links