Identifying bulletproof autonomous systems
First Claim
1. A method, comprising:
collecting information on data transmitted from multiple endpoints to multiple Internet sites having respective domains and respective Internet Protocol (IP) addresses;
identifying, in the collected information, transmissions to IP addresses of autonomous system numbers (ASNs) or ASN names included in a list of ASNs;
generating an ASN data traffic model by modeling, for each given ASN, data transmitted to any of the IP addresses of the given ASN based on the collected information, wherein the data traffic model comprises a data traffic sub-model;
for each given ASN, performing, using a specified set of indicative keywords, a set of web searches, each of the web searches comprising a given indicative keyword and an ASN name or a number for the given ASN;
generating, based on the web searches, a web search model of relationships between the indicative keywords and the ASNs, wherein the web search model comprises a web search sub-model;
predicting one or more of the ASNs to be suspicious based on their respective modeled data transmissions and their respective modeled relationships between the indicative keywords and the one or more ASNs; and
generating, using the sub-models, a suspicious ASN detection model, wherein predicting one or more of the ASNs to be suspicious comprises applying the ASN detection model to the data transmissions and the web searches.
Abstract
A method, including collecting information on data transmitted from endpoints to Internet sites having respective domains and respective IP addresses, and identifying, in that information, transmissions to IP addresses of ASNs or ASN names included in a list of ASNs. An ASN data traffic model is generated by modeling, for each given ASN, the data transmitted to any of the IP addresses of the given ASN based on the collected information. For each given ASN and a set of keywords, multiple web searches are performed, each web search including a given keyword and an ASN name or number for the given ASN. Based on the web searches, a model of relationships between the keywords and the ASNs is generated, and one or more of the ASNs are predicted to be suspicious based on their respective modeled data transmissions and their respective modeled relationships between the keywords and the one or more ASNs.
25 Claims
1. A method, comprising:
collecting information on data transmitted from multiple endpoints to multiple Internet sites having respective domains and respective Internet Protocol (IP) addresses;
identifying, in the collected information, transmissions to IP addresses of autonomous system numbers (ASNs) or ASN names included in a list of ASNs;
generating an ASN data traffic model by modeling, for each given ASN, data transmitted to any of the IP addresses of the given ASN based on the collected information, wherein the data traffic model comprises a data traffic sub-model;
for each given ASN, performing, using a specified set of indicative keywords, a set of web searches, each of the web searches comprising a given indicative keyword and an ASN name or a number for the given ASN;
generating, based on the web searches, a web search model of relationships between the indicative keywords and the ASNs, wherein the web search model comprises a web search sub-model;
predicting one or more of the ASNs to be suspicious based on their respective modeled data transmissions and their respective modeled relationships between the indicative keywords and the one or more ASNs; and
generating, using the sub-models, a suspicious ASN detection model, wherein predicting one or more of the ASNs to be suspicious comprises applying the ASN detection model to the data transmissions and the web searches.
(Dependent claims 2 to 12 are not reproduced here.)

13. An apparatus, comprising:
a memory; and
a processor configured:
to collect information on data transmitted from multiple endpoints to multiple Internet sites having respective domains and respective Internet Protocol (IP) addresses;
to identify, in the collected information, transmissions to IP addresses of autonomous system numbers (ASNs) or ASN names included in a list of ASNs;
to generate an ASN data traffic model by modeling, for each given ASN, data transmitted to any of the IP addresses of the given ASN based on the collected information, wherein the data traffic model comprises a data traffic sub-model;
for each given ASN, to perform, using a specified set of indicative keywords, a set of web searches, each of the web searches comprising a given indicative keyword and an ASN name or a number for the given ASN;
to generate, based on the web searches, a web search model of relationships between the indicative keywords and the ASNs, wherein the web search model comprises a web search sub-model;
to predict one or more of the ASNs to be suspicious based on their respective modeled data transmissions and their respective modeled relationships between the indicative keywords and the one or more ASNs; and
to generate, using the sub-models, a suspicious ASN detection model, wherein the processor is configured to predict one or more of the ASNs to be suspicious by applying the ASN detection model to the data transmissions and the web searches.
(Dependent claims 14 to 24 are not reproduced here.)

25. A computer software product, the product comprising a non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer:
to collect information on data transmitted from multiple endpoints to multiple Internet sites having respective domains and respective Internet Protocol (IP) addresses;
to identify, in the collected information, transmissions to IP addresses of autonomous system numbers (ASNs) or ASN names included in a list of ASNs;
to generate an ASN data traffic model by modeling, for each given ASN, data transmitted to any of the IP addresses of the given ASN based on the collected information, wherein the data traffic model comprises a data traffic sub-model;
for each given ASN, to perform, using a specified set of indicative keywords, a set of web searches, each of the web searches comprising a given indicative keyword and an ASN name or a number for the given ASN;
to generate, based on the web searches, a web search model of relationships between the indicative keywords and the ASNs, wherein the web search model comprises a web search sub-model;
to predict one or more of the ASNs to be suspicious based on their respective modeled data transmissions and their respective modeled relationships between the indicative keywords and the one or more ASNs; and
to generate, using the sub-models, a suspicious ASN detection model, wherein the instructions cause the computer to predict one or more of the ASNs to be suspicious by applying the ASN detection model to the data transmissions and the web searches.
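The abstract and the three independent claims above all describe the same pipeline: map the destination IPs of observed endpoint traffic to ASNs, keep only the ASNs on a watch list, build a per-ASN traffic sub-model, build a per-ASN keyword sub-model from web searches that pair an indicative keyword with the ASN number or name, and combine the two sub-models into a detection model that flags suspicious ASNs. The following is an added worked example of that pipeline in Python; it is not code from the patent or its assignee. Everything in it is constructed: the prefix-to-ASN table (private-use ASNs, documentation and benchmark address ranges, invented names), the connection records, and a canned table of search hit counts that stands in for live web searches. The particular features (share of endpoints contacting an ASN, share of keywords with at least one hit), the equal weights and the 0.7 threshold are assumptions chosen for illustration; the patent's own features and weights are in the specification, which this page does not reproduce.

```python
"""Toy implementation of the claimed suspicious-ASN pipeline (added example,
not the patent's code). All inputs are constructed inline so it runs offline."""
import ipaddress
from collections import defaultdict

# Constructed prefix -> (ASN, ASN name) table. ASNs are from the private-use
# range 64496-64511; the names are invented.
PREFIX_TO_ASN = {
    ipaddress.ip_network("203.0.113.0/24"): (64500, "EXAMPLE-HOST-A"),
    ipaddress.ip_network("198.51.100.0/24"): (64501, "EXAMPLE-HOST-B"),
    ipaddress.ip_network("192.0.2.0/24"): (64502, "EXAMPLE-CDN-C"),
    ipaddress.ip_network("198.18.0.0/15"): (64503, "EXAMPLE-ISP-D"),
}

# The claim's "list of ASNs": only these are modelled, so AS64503 is dropped.
ASN_LIST = {64500, 64501, 64502}

# The claim's "specified set of indicative keywords" (assumed set).
INDICATIVE_KEYWORDS = ("bulletproof hosting", "spam", "malware", "abuse")

# Constructed connection records: (endpoint, destination IP, bytes sent).
CONNECTIONS = [
    ("host-01", "203.0.113.10", 1200),
    ("host-02", "203.0.113.10", 1300),
    ("host-03", "203.0.113.22", 1100),
    ("host-04", "203.0.113.22", 1250),
    ("host-01", "198.51.100.5", 48000),
    ("host-02", "192.0.2.7", 250000),
    ("host-03", "192.0.2.7", 180000),
    ("host-04", "192.0.2.9", 210000),
    ("host-05", "192.0.2.9", 190000),
    ("host-01", "192.0.2.7", 220000),
    ("host-05", "198.18.5.5", 9000),   # AS64503, not on the list
]

# Constructed search results: (keyword, ASN) -> hit count. Stands in for
# running a query such as '"<keyword>" "AS<asn>"' against a search engine.
CANNED_SEARCH_HITS = {
    ("bulletproof hosting", 64500): 12,
    ("spam", 64500): 30,
    ("malware", 64500): 18,
    ("abuse", 64500): 7,
    ("spam", 64501): 3,
    ("abuse", 64501): 1,
    ("abuse", 64502): 2,
}


def lookup_asn(ip_str):
    """Longest-prefix match of an IP address against the constructed table."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for net, asn in PREFIX_TO_ASN.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def traffic_submodel(connections, asn_list):
    """Per-ASN traffic features over transmissions to IPs of listed ASNs."""
    all_endpoints = {ep for ep, _, _ in connections}
    per_asn = defaultdict(lambda: {"endpoints": set(), "connections": 0, "bytes": 0})
    for endpoint, dst_ip, nbytes in connections:
        hit = lookup_asn(dst_ip)
        if hit is None or hit[0] not in asn_list:
            continue                      # keep only listed ASNs
        rec = per_asn[hit[0]]
        rec["endpoints"].add(endpoint)
        rec["connections"] += 1
        rec["bytes"] += nbytes
    return {
        asn: {
            "endpoint_share": len(rec["endpoints"]) / len(all_endpoints),
            "connections": rec["connections"],
            "total_bytes": rec["bytes"],
            "mean_bytes": rec["bytes"] / rec["connections"],
        }
        for asn, rec in per_asn.items()
    }


def canned_search(keyword, asn):
    """Offline stand-in for one web search of keyword + ASN number."""
    return CANNED_SEARCH_HITS.get((keyword, asn), 0)


def web_search_submodel(asn_list, keywords, search_fn=canned_search):
    """Per-ASN keyword-relationship features from one search per keyword."""
    model = {}
    for asn in asn_list:
        hits = {kw: search_fn(kw, asn) for kw in keywords}
        model[asn] = {
            "keyword_share": sum(1 for h in hits.values() if h > 0) / len(keywords),
            "total_hits": sum(hits.values()),
        }
    return model


def detection_model(traffic, search, w_traffic=0.5, w_search=0.5):
    """Combine the two sub-models into one score per ASN (weights assumed)."""
    return {
        asn: w_traffic * traffic.get(asn, {}).get("endpoint_share", 0.0)
        + w_search * feats["keyword_share"]
        for asn, feats in search.items()
    }


def predict_suspicious(connections=CONNECTIONS, asn_list=ASN_LIST,
                       keywords=INDICATIVE_KEYWORDS, threshold=0.7):
    """Run the full pipeline and return the ASNs scored at or above threshold."""
    traffic = traffic_submodel(connections, asn_list)
    search = web_search_submodel(asn_list, keywords)
    scores = detection_model(traffic, search)
    return sorted(asn for asn, sc in scores.items() if sc >= threshold)


if __name__ == "__main__":
    print("suspicious ASNs:", predict_suspicious())
```

On the constructed data the CDN (AS64502) is contacted by every endpoint but has almost no keyword association, and AS64501 has keyword hits but is contacted by one endpoint, so only AS64500, which scores high on both sub-models, crosses the threshold. In a real deployment the search function would issue the queries the claim describes and the ASN table would come from a routing registry, while the feature definitions, weights and threshold would be whatever the specification's model uses.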
Specification