Identifying bulletproof autonomous systems

US 10,425,436 B2
Filed: 09/04/2017
Issued: 09/24/2019
Est. Priority Date: 09/04/2016
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

collecting information on data transmitted from multiple endpoints to multiple Internet sites having respective domains and respective Internet Protocol (IP) addresses;

identifying, in the collected information, transmissions to IP addresses of autonomous system numbers (ASNs) or ASN names included in a list of ASNs;

generating an ASN data traffic model by modeling, for each given ASN, data transmitted to any of the IP address of the given ASN based on the collected information, wherein the data traffic model comprises a data traffic sub-model;

for each given ASN, performing, using a specified set of indicative keywords, a set of web searches, each of the web searches comprising a given indicative keyword and an ASN name or a number for the given ASN;

generating, based on the web searches, a web search model of relationships between the indicative keywords and the ASNs, wherein the web search model comprises a web search sub-model;

predicting one or more of the ASNs to be suspicious based on their respective modeled data transmissions and their respective modeled relationships between the indicative keywords and the one or more ASNs; and

generating, using the sub-models, a suspicious ASN detection model, wherein predicting one or more of the ASNs to be suspicious comprises applying the ASN detection model to the data transmission and the web searches.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, including collecting data transmitted from endpoints to Internet sites having respective domains and respective IP addresses, and transmissions to IP addresses of ASN numbers or ASN names included in a list of ASNs. An ASN data traffic model is generated by modeling, for each given ASN, data transmitted to any of the IP address of the given ASN based on the data, and for each given ASN and a set of keywords, multiple web searches are performed, each of the web searches including a given keyword and an ASN name or a number for the given ASN. Based on the web searches, a model of relationships between the keywords and the ASNs is generated, and one or more of the ASNs are predicted to be suspicious based on their respective modeled data transmissions and their respective modeled relationships between the keywords and the one or more ASNs.

34 Citations

View as Search Results

25 Claims

1. A method, comprising:
- collecting information on data transmitted from multiple endpoints to multiple Internet sites having respective domains and respective Internet Protocol (IP) addresses;
  
  identifying, in the collected information, transmissions to IP addresses of autonomous system numbers (ASNs) or ASN names included in a list of ASNs;
  
  generating an ASN data traffic model by modeling, for each given ASN, data transmitted to any of the IP address of the given ASN based on the collected information, wherein the data traffic model comprises a data traffic sub-model;
  
  for each given ASN, performing, using a specified set of indicative keywords, a set of web searches, each of the web searches comprising a given indicative keyword and an ASN name or a number for the given ASN;
  
  generating, based on the web searches, a web search model of relationships between the indicative keywords and the ASNs, wherein the web search model comprises a web search sub-model;
  
  predicting one or more of the ASNs to be suspicious based on their respective modeled data transmissions and their respective modeled relationships between the indicative keywords and the one or more ASNs; and
  
  generating, using the sub-models, a suspicious ASN detection model, wherein predicting one or more of the ASNs to be suspicious comprises applying the ASN detection model to the data transmission and the web searches.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method according to claim 1, and comprising generating an alert for the one or more predicted ASNs, or for transmissions to the IP addresses of the one or more predicted ASNs.
  - 3. The method according to claim 2 wherein generating the alert comprises restricting data transmissions between the endpoints and the IP addresses of the one or more predicted ASNs.
  - 4. The method according to claim 1, wherein each given predicted ASN comprises a rentable ASN or a bulletproof ASN.
  - 5. The method according to claim 1, wherein predicting a given ASN to be suspicious comprises calculating a score based on the modeled data traffic exchanged with the given ASN and the relationship between the indicative keywords and the given ASN, and detecting that the score is greater than a specified score threshold.
  - 6. The method according to claim 1, wherein predicting the one or more ASNs to be suspicious comprises identifying a plurality of the ASNs based on the modeled data transmitted to the ASNs, and predicting, from the identified plurality of the ASNs, the one or more ASNs based on their respective generated model of relationship.
  - 7. The method according to claim 1, wherein predicting the one or more ASNs to be suspicious comprises identifying a plurality of the ASNs based on their respective generated model of relationship, and predicting, from the identified plurality of the ASNs, the one or more ASNs based on the modeled data transmitted to the ASNs.
  - 8. The method according to claim 1, wherein generating the suspicious ASN detection model comprises co-training the sub-models.
  - 9. The method according to claim 1, and comprising generating one or more additional sub-models based on respective features, wherein the suspicious ASN detection model comprises the additional sub-models.
  - 10. The method according to claim 9, wherein generating the suspicious ASN detection model comprises co-training the sub-models.
  - 11. The method according to claim 9, wherein each of the one or more additional sub-models are selected from a group consisting of a first additional sub-model that analyzes respective reputations of the domains, a second additional sub-model that compares the domains to a blacklist, a third additional sub-model that uses threat intelligence data to analyze the domains, a fourth additional sub-model that analyzes a number of ASNs associated with each of the domains, a fifth additional sub-model that analyzes ASN names of the ASNs associated with the domains, a sixth additional sub-model for DCMA violation domains, a seventh additional sub-model for adult site domains, an eighth additional sub-model for advanced persistent threat (APT) domains, and a ninth additional sub-model for malware CnC sites.
  - 12. The method according to claim 1, wherein the ASN data traffic model comprises one or more features selected from a group consisting of a count of the domains for a given ASN accessed by the endpoints, a count of IP addresses for a given ASN accessed by the endpoints, and a number of the endpoints accessing a given ASN.

13. An apparatus, comprising:
- a memory; and
  
  a processor configured;
  
  to collect information on data transmitted from multiple endpoints to multiple Internet sites having respective domains and respective Internet Protocol (IP) addresses;
  
  to identify, in the collected information, transmissions to IP addresses of autonomous system numbers (ASNs) or ASN names included in a list of ASNs,to generate an ASN data traffic model by modeling, for each given ASN, data transmitted to any of the IP address of the given ASN based on the collected information, wherein the data traffic model comprises a data traffic sub-model,for each given ASN, to perform, using a specified set of indicative keywords, a set of web searches, each of the web searches comprising a given indicative keyword and an ASN name or a number for the given ASN,to generate, based on the web searches, a web search model of relationships between the indicative keywords and the ASNs, wherein the web search model comprises a web search sub-model,to predict one or more of the ASNs to be suspicious based on their respective modeled data transmissions and their respective modeled relationships between the indicative keywords and the one or more ASNs, andto generate, using the sub-models, a suspicious ASN detection model, wherein the processor is configured to predict one or more of the ASNs to be suspicious by applying the ASN detection model to the data transmission and the web searches.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The apparatus according to claim 13, wherein the processor is configured to generate an alert for the one or more predicted ASNs, or for transmissions to the IP addresses of the one or more predicted ASNs.
  - 15. The apparatus according to claim 14, wherein the processor is configured to generate the alert by restricting data transmissions between the endpoints and the IP addresses of the one or more predicted ASNs.
  - 16. The apparatus according to claim 13, wherein each given predicted ASN comprises a rentable ASN or a bulletproof ASN.
  - 17. The apparatus according to claim 13, wherein the processor is configured to predict a given ASN to be suspicious by calculating a score based on the modeled data traffic exchanged with the given ASN and the relationship between the indicative keywords and the given ASN, and detecting that the score is greater than a specified score threshold.
  - 18. The apparatus according to claim 13, wherein the processor is configured to predict the one or more ASNs to be suspicious by identifying a plurality of the ASNs based on the modeled data transmitted to the ASNs, and predicting, from the identified plurality of the ASNs, the one or more ASNs based on their respective generated model of relationship.
  - 19. The apparatus according to claim 13, wherein the processor is configured to predict the one or more ASNs to be suspicious by identifying a plurality of the ASNs based on their respective generated model of relationship, and predicting, from the identified plurality of the ASNs, the one or more ASNs based on the modeled data transmitted to the ASNs.
  - 20. The apparatus according to claim 13, wherein the processor is configured to generate the suspicious ASN detection model by co-training the sub-models.
  - 21. The apparatus according to claim 13, wherein the processor is configured to generate one or more additional sub-models based on respective features, wherein the suspicious ASN detection model comprises the additional sub-models.
  - 22. The apparatus according to claim 21, wherein the processor is configured to generate the suspicious ASN detection model by co-training the sub-models.
  - 23. The apparatus according to claim 13, wherein each of the one or more additional sub-models are selected from a group consisting of a first additional sub-model that analyzes respective reputations of the domains, a second additional sub-model that compares the domains to a blacklist, a third additional sub-model that uses threat intelligence data to analyze the domains, a fourth additional sub-model that analyzes a number of ASNs associated with each of the domains, a fifth additional sub-model that analyzes ASN names of the ASNs associated with the domains, a sixth additional sub-model for DCMA violation domains, a seventh additional sub-model for adult site domains, an eighth additional sub-model for advanced persistent threat (APT) domains, and a ninth additional sub-model for malware CnC sites.
  - 24. The apparatus according to claim 13, wherein the ASN data traffic model comprises one or more features selected from a group consisting of a count of the domains for a given ASN accessed by the endpoints, a count of IP addresses for a given ASN accessed by the endpoints, and a number of the endpoints accessing a given ASN.

25. A computer software product, the product comprising a non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer:
- to collect information on data transmitted from multiple endpoints to multiple Internet sites having respective domains and respective Internet Protocol (IP) addresses;
  
  to identify, in the collected information, transmissions to IP addresses of autonomous system numbers (ASNs) or ASN names included in a list of ASNs;
  
  to generate an ASN data traffic model by modeling, for each given ASN, data transmitted to any of the IP address of the given ASN based on the collected information, wherein the data traffic model comprises a data traffic sub-model;
  
  for each given ASN, to perform, using a specified set of indicative keywords, a set of web searches, each of the web searches comprising a given indicative keyword and an ASN name or a number for the given ASN;
  
  to generate, based on the web searches, a web search model of relationships between the indicative keywords and the ASNs, wherein the web search model comprises a web search sub-model;
  
  to predict one or more of the ASNs to be suspicious based on their respective modeled data transmissions and their respective modeled relationships between the indicative keywords and the one or more ASNs; and
  
  to generate, using the sub-models, a suspicious ASN detection model,wherein the instructions cause the computer to predict one or more of the ASNs to be suspicious by applying the ASN detection model to the data transmission and the web searches.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks (UK) Ltd. (Palo Alto Networks Incorporated)
Original Assignee
Palo Alto Networks (UK) Ltd. (Palo Alto Networks Incorporated)
Inventors
Firstenberg, Eyal, Meshi, Yinnon, Amit, Idan, Allon, Jonathan, Mizinski, Keren
Primary Examiner(s)
Hoffman, Brandon S
Assistant Examiner(s)
Corum, Jr., William A

Application Number

US15/694,892
Publication Number

US 20180069884A1
Time in Patent Office

750 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

G06N 3/045   Combinations of networks

G06N 5/02   Knowledge representation; S...

G06N 7/01   Probabilistic graphical mod...

H04L 43/04   Processing captured monitor...

H04L 43/12   Network monitoring probes

H04L 43/16   Threshold monitoring

H04L 63/1425   Traffic logging, e.g. anoma...

Identifying bulletproof autonomous systems

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying bulletproof autonomous systems

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links