Classifying applications or activities based on network behavior

US 10,382,296 B2
Filed: 08/27/2018
Issued: 08/13/2019
Est. Priority Date: 08/29/2017
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring network traffic in a network, wherein one or more processors in a network computer execute instructions to perform actions, comprising:

employing a network monitoring engine to perform further actions, comprising;

providing one or more profile objects based on one or more metric profiles for one or more monitored network flows, wherein one or more metrics that correspond to a network entity in the monitored network are based on one or more characteristics of the one or more monitored network flows that are separate from other characteristics associated with the network entity; and

providing one or more device objects based on associating the one or more profile objects with one or more network entities on the network; and

employing a classifier engine to perform further actions, including;

providing one or more trained activity models; and

providing one or more classification results for the one or more device objects based on the one or more trained activity models; and

executing one or more policies based on the one or more classification results associated with the one or more device objects.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to monitoring network traffic in a network. A network monitoring engine may be employed to monitor the network to provide metric profiles based on a plurality of characteristics associated with one or more network flows. The network monitoring engine may provide profile objects based on the metric profiles. The network monitoring engine may provide the profile objects to a classifier engine. The classifier engine provide trained activity models selected from a plurality of trained activity models that may be based on a ranked ordering of characteristics of the trained activity models and the profile objects. The classifier engine may provide classification results for the profile objects based on the trained activity models. And, the network monitoring engine may execute policies based on the classification results associated with the profile objects.

217 Citations

15 Claims

1. A method for monitoring network traffic in a network, wherein one or more processors in a network computer execute instructions to perform actions, comprising:
- employing a network monitoring engine to perform further actions, comprising;
  
  providing one or more profile objects based on one or more metric profiles for one or more monitored network flows, wherein one or more metrics that correspond to a network entity in the monitored network are based on one or more characteristics of the one or more monitored network flows that are separate from other characteristics associated with the network entity; and
  
  providing one or more device objects based on associating the one or more profile objects with one or more network entities on the network; and
  
  employing a classifier engine to perform further actions, including;
  
  providing one or more trained activity models; and
  
  providing one or more classification results for the one or more device objects based on the one or more trained activity models; and
  
  executing one or more policies based on the one or more classification results associated with the one or more device objects.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - employing a training engine to perform further actions, including;
      
      training one or more untrained activity models based on one or more labeled profile objects and one or more characteristics of the one or more untrained activity models; and
      
      employing one or more newly trained activity models to classify the one or more profile objects.
  - 3. The method of claim 1, wherein providing the one or more classification results, further comprises, employing one or more characteristics of the one or more monitored network flows to indicate one or more malicious processes or applications.
  - 4. The method of claim 1, wherein providing the trained activity models, further comprises selecting the provided trained activity models from a plurality of trained activity models based on a ranked ordering of one or more characteristics of the plurality of trained activity models and the one or more profile objects.
  - 5. The method of claim 1, wherein providing the one or more profile objects, further comprises:
    - selecting two or more metric profiles that are associated with a same activity; and
      
      providing at least one profile object based on the two or more metric profiles.

6. A system for monitoring network traffic in a network:
- one or more network monitoring computers (NMCs), comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  employing a network monitoring engine to perform further actions, comprising;
  
  providing one or more profile objects based on one or more metric profiles for one or more monitored network flows, wherein one or more metrics that correspond to a network entity in the monitored network are based on one or more characteristics of the one or more network flows that are separate from other characteristics associated with the network entity; and
  
  providing one or more device objects based on associating the one or more profile objects and one or more network entities on the network; and
  
  employing a classifier engine to perform further actions, including;
  
  providing one or more trained activity models; and
  
  providing one or more classification results for the one or more device objects based on the one or more trained activity models; and
  
  executing one or more policies based on the one or more classification results associated with the one or more device objects; and
  
  one or more client computers, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing one or more portions of the one or more network flows.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, further comprising:
    - employing a training engine to perform further actions, including;
      
      training one or more untrained activity models based on one or more labeled profile objects and one or more characteristics of the one or more untrained activity models; and
      
      employing one or more newly trained activity models to classify the one or more profile objects.
  - 8. The system of claim 6, wherein providing the one or more classification results, further comprises, employing one or more characteristics of the one or more monitored network flows to indicate one or more malicious processes or applications.
  - 9. The system of claim 6, wherein providing the trained activity models, further comprises selecting the provided trained activity models from a plurality of trained activity models based on a ranked ordering of one or more characteristics of the plurality of trained activity models and the one or more profile objects.
  - 10. The system of claim 6, wherein providing the one or more profile objects, further comprises:
    - selecting two or more metric profiles that are associated with a same activity; and
      
      providing at least one profile object based on the two or more metric profiles.

11. A processor readable non-transitory storage media that includes instructions for monitoring network traffic over a network between one or more computers, wherein execution of the instructions by one or more processors on one or more network monitoring computers (NMCs) performs actions, comprising:
- employing a network monitoring engine to perform further actions, comprising;
  
  providing one or more profile objects based on one or more metric profiles for one or more monitored network flows, wherein one or more metrics that correspond to a network entity in the monitored network are based on one or more characteristics of the one or more network flows that are separate from other characteristics associated with the network entity; and
  
  providing one or more device objects based on associating the one or more profile objects with one or more network entities on the network; and
  
  employing a classifier engine to perform further actions, including;
  
  providing one or more trained activity models; and
  
  providing one or more classification results for the one or more device objects based on the one or more trained activity models; and
  
  executing one or more policies based on the one or more classification results associated with the one or more device objects.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The media of claim 11, further comprising:
    - employing a training engine to perform further actions, including;
      
      training one or more untrained activity models based on one or more labeled profile objects and one or more characteristics of the one or more untrained activity models; and
      
      employing one or more newly trained activity models to classify the one or more profile objects.
  - 13. The media of claim 11, wherein providing the one or more classification results, further comprises, employing one or more characteristics of the one or more monitored network flows to indicate one or more malicious processes or applications.
  - 14. The media of claim 11, wherein providing the trained activity models, further comprises selecting the provided trained activity models from a plurality of trained activity models based on a ranked ordering of one or more characteristics of the plurality of trained activity models and the one or more profile objects.
  - 15. The media of claim 11, wherein providing the one or more profile objects, further comprises:
    - selecting two or more metric profiles that are associated with a same activity; and
      
      providing at least one profile object based on the two or more metric profiles.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Khanal, Bhushan Prasad, Wu, Xue Jun, Ball, Eric Jacob, Marks, Casey Alvin
Primary Examiner(s)
Siddiqui, Kashif

Application Number

US16/113,442
Publication Number

US 20190068465A1
Time in Patent Office

351 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 43/08   Monitoring or testing based...

H04L 43/12   Network monitoring probes

H04L 43/20   the monitoring system or th...

H04L 67/30   Profiles

Classifying applications or activities based on network behavior

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

217 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Classifying applications or activities based on network behavior

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

217 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others