Methods for detecting and mitigating malicious network behavior and devices thereof

US 10,432,652 B1
Filed: 09/20/2017
Issued: 10/01/2019
Est. Priority Date: 09/20/2016
Status: Active Grant

First Claim

Patent Images

1. A method for network security implemented by a network traffic management system comprising one or more anomaly detection apparatuses, server devices, or client devices, the method comprising:

receiving a first set of network traffic;

applying a web application model and an anomaly detection model to the received first set of network traffic to generate, respectively, one or more likelihood scores and at least one flow score based on the likelihood scores, wherein sub-models of the web application model are associated with one or more browsing patterns for a web application to which the first set of network traffic is directed;

determining when the flow score exceeds a threshold; and

initiating, based on a stored policy, a mitigation action with respect to the first set of network traffic, when the determination indicates that the flow score exceeds the threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, non-transitory computer readable media, anomaly detection apparatuses, and network traffic management systems that generate, based on the application of one or more models and for a first flow associated with a received first set of network traffic, one or more likelihood scores and at least one flow score based on the likelihood scores. One or more of the one or more models are associated with one or more browsing patterns for a web application to which the first set of network traffic is directed. A determination is made when the flow score exceeds a threshold. A mitigation action is initiated, based on a stored policy, with respect to the first set of network traffic, when the determining indicates that the flow score exceeds the established threshold.

92 Citations

View as Search Results

16 Claims

1. A method for network security implemented by a network traffic management system comprising one or more anomaly detection apparatuses, server devices, or client devices, the method comprising:
- receiving a first set of network traffic;
  
  applying a web application model and an anomaly detection model to the received first set of network traffic to generate, respectively, one or more likelihood scores and at least one flow score based on the likelihood scores, wherein sub-models of the web application model are associated with one or more browsing patterns for a web application to which the first set of network traffic is directed;
  
  determining when the flow score exceeds a threshold; and
  
  initiating, based on a stored policy, a mitigation action with respect to the first set of network traffic, when the determination indicates that the flow score exceeds the threshold.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 further comprising:
    - obtaining one or more raw features associated with a received second set of network traffic, wherein the raw features comprise one or more of a web resource uniform resource identifier (URI), a timestamp, or a web resource type;
      
      updating one or more of the sub-models of the web application model based on the raw features and another one or more of the sub-models of the web application model based on the updated one or more of the sub-models of the web application model; and
      
      sending a client-side script to a client that originated the second set of network traffic, the client-side script configured to, when executed, return one or more of the raw features associated with the second set of network traffic.
  - 3. The method of claim 1, further comprising selecting one or more of the web application model or the anomaly detection model from a plurality of stored web application models or anomaly detection models based on a current time or a platform corresponding to a flow associated with the first set of network traffic.
  - 4. The method of claim 1, wherein the sub-models of the web application model comprise one or more of a start node model, an end node model, a page hit model, a web resource hit model, a forward transition model, a backward transition model, a visit period model, a resource inclusion model, or an Asynchronous JavaScript and eXtensible Markup Language (XML) (AJAX) inclusion model.

5. A non-transitory computer readable medium having stored thereon instructions for network security comprising executable code which when executed by one or more processors, causes the one or more processors to:
- apply a web application model and an anomaly detection model to a received first set of network traffic to generate, respectively, one or more likelihood scores and at least one flow score based on the likelihood scores, wherein sub-models of the web application model are associated with one or more browsing patterns for a web application to which the first set of network traffic is directed;
  
  determine when the flow score exceeds a threshold; and
  
  initiate, based on a stored policy, a mitigation action with respect to the first set of network traffic, when the determination indicates that the flow score exceeds the threshold.
- View Dependent Claims (6, 7, 8)
- - 6. The non-transitory computer readable medium of claim 5, wherein the executable code when executed by the processors further causes the processors to:
    - obtain one or more raw features associated with a received second set of network traffic, wherein the raw features comprise one or more of a web resource uniform resource identifier (URI), a timestamp, or a web resource type;
      
      update one or more of the sub-models of the web application model based on the raw features and another one or more of the sub-models of the web application model based on the updated one or more of the sub-models of the web application model; and
      
      send a client-side script to a client that originated the second set of network traffic, the client-side script configured to, when executed, return one or more of the raw features associated with the second set of network traffic.
  - 7. The non-transitory computer readable medium of claim 5, wherein the executable code when executed by the processors further causes the processors to select one or more of the web application model or the anomaly detection model from a plurality of stored web application models or anomaly detection models based on a current time or a platform corresponding to a flow associated with the first set of network traffic.
  - 8. The non-transitory computer readable medium of claim 5, wherein the sub-models of the web application model comprise one or more of a start node model, an end node model, a page hit model, a web resource hit model, a forward transition model, a backward transition model, a visit period model, a resource inclusion model, or an Asynchronous JavaScript and eXtensible Markup Language (XML) (AJAX) inclusion model.

9. An anomaly detection apparatus, comprising:
- memory comprising programmed instructions stored thereon; and
  
  one or more processors configured to be capable of executing the stored programmed instructions to;
  
  apply a web application model and an anomaly detection model to a received first set of network traffic to generate, respectively, one or more likelihood scores and at least one flow score based on the likelihood scores, wherein sub-models of the web application model are associated with one or more browsing patterns for a web application to which the first set of network traffic is directed;
  
  determine when the flow score exceeds a threshold; and
  
  initiate, based on a stored policy, a mitigation action with respect to the first set of network traffic, when the determination indicates that the flow score exceeds the threshold.
- View Dependent Claims (10, 11, 12)
- - 10. The anomaly detection apparatus of claim 9, wherein the processors are further configured to be capable of executing the stored programmed instructions to:
    - obtain one or more raw features associated with a received second set of network traffic, wherein the raw features comprise one or more of a web resource uniform resource identifier (URI), a timestamp, or a web resource type;
      
      update one or more of the sub-models of the web application model based on the raw features and another one or more of the sub-models of the web application model based on the updated one or more of the sub-models of the web application model; and
      
      send a client-side script to a client that originated the second set of network traffic, the client-side script configured to, when executed, return one or more of the raw features associated with the second set of network traffic.
  - 11. The anomaly detection apparatus of claim 9, wherein the processors are further configured to be capable of executing the stored programmed instructions to select one or more of the web application model or the anomaly detection model from a plurality of stored web application models or anomaly detection models based on a current time or a platform corresponding to a flow associated with the first set of network traffic.
  - 12. The anomaly detection apparatus of claim 9, wherein the sub-models of the web application model comprise one or more of a start node model, an end node model, a page hit model, a web resource hit model, a forward transition model, a backward transition model, a visit period model, a resource inclusion model, or an Asynchronous JavaScript and eXtensible Markup Language (XML) (AJAX) inclusion model.

13. A network traffic management system, comprising:
- one or more anomaly detection apparatuses, server devices, or client devices with memory comprising programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to;
  
  apply a web application model and an anomaly detection model to a received first set of network traffic to generate, respectively, one or more likelihood scores and at least one flow score based on the likelihood scores, wherein sub-models of the web application model are associated with one or more browsing patterns for a web application to which the first set of network traffic is directed;
  
  determine when the flow score exceeds a threshold; and
  
  initiate, based on a stored policy, a mitigation action with respect to the first set of network traffic, when the determination indicates that the flow score exceeds the threshold.
- View Dependent Claims (14, 15, 16)
- - 14. The network traffic management system of claim 13, wherein the processors are further configured to be capable of executing the stored programmed instructions to:
    - obtain one or more raw features associated with a received second set of network traffic, wherein the raw features comprise one or more of a web resource uniform resource identifier (URI), a timestamp, or a web resource type;
      
      update one or more of the sub-models of the web application model based on the raw features and another one or more of the sub-models of the web application model based on the updated one or more of the sub-models of the web application model; and
      
      send a client-side script to a client that originated the second set of network traffic, the client-side script configured to, when executed, return one or more of the raw features associated with the second set of network traffic.
  - 15. The network traffic management system of claim 13, wherein the processors are further configured to be capable of executing the stored programmed instructions to select one or more of the web application model or the anomaly detection model from a plurality of stored web application models or anomaly detection models based on a current time or a platform corresponding to a flow associated with the first set of network traffic.
  - 16. The network traffic management system of claim 13, wherein the sub-models of the web application model comprise one or more of a start node model, an end node model, a page hit model, a web resource hit model, a forward transition model, a backward transition model, a visit period model, a resource inclusion model, or an Asynchronous JavaScript and eXtensible Markup Language (XML) (AJAX) inclusion model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Yona, Shlomo, Talmor, Ron, Mantin, Itsik, Shemesh, Yaniv
Primary Examiner(s)
Holder, Bradley W

Application Number

US15/710,552
Time in Patent Office

741 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

H04L 2463/144   Detection or countermeasure...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 63/20   for managing network securi...

Methods for detecting and mitigating malicious network behavior and devices thereof

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

92 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for detecting and mitigating malicious network behavior and devices thereof

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links