Network application security policy generation
First Claim
1. A method performed by at least one computer processor executing computer program instructions stored in at least one non-transitory computer-readable medium, the method comprising:
(A) for each of a plurality of communications over a network between applications executing on a plurality of computer systems, collecting and storing data about the plurality of communications, including, for each of the plurality of communications:
(1) data representing a local Internet Protocol (IP) address, local port, and protocol of the communication;
(2) data representing a remote IP address and remote port of the communication;
(3) data, other than the local IP address, local port, and protocol of the communication, representing a source application of the communication; and
(4) data, other than the remote IP address and remote port of the communication, representing a destination application of the communication;
(B) generating flow data based on the data about the plurality of communications collected and stored in (A), wherein the flow data includes a plurality of flow objects, wherein each of the plurality of flow objects contains data representing communications involving a single corresponding application;
(C) producing match data containing a plurality of match objects, wherein each of the match objects represents a pair of flow objects, in the plurality of flow objects, representing a flow at a source end of a network communication and a flow at a destination end of the network communication, wherein the plurality of match objects do not include labels labeling communications as healthy or unhealthy; and
(D) generating a network communication model based on the match data, the network communication model comprising a plurality of rules, each of which comprises at least one feature-value pair representing a network communication from the plurality of communications and a corresponding probability calculated as the occurrence of the network communication containing the at least one feature-value pair, wherein the at least one feature-value pair includes at least one feature from a set comprising a source host, a source application, a destination host, and a destination application.
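Steps (A) to (D) of the claim describe one pipeline: per-end connection records, per-application flow objects, unlabelled source/destination match objects, and a model of feature-value rules with occurrence probabilities. The following is an added example, not code from the patent or its assignee, that implements that pipeline in Python over constructed telemetry and then uses the resulting model to validate a communication as the abstract describes. Host names, application names, IP addresses, ports, the `outbound` flag used to tell the source end from the destination end, and the `min_probability` threshold are all assumptions of this example; the feature set (source host, source application, destination host, destination application) and the absence of healthy/unhealthy labels follow the claim.

```python
"""Unsupervised policy generation in the shape of claim 1: collect per-end
connection records (A), group them into per-application flow objects (B),
pair source-end and destination-end flows into match objects (C), and derive
rules as feature-value tuples with occurrence probabilities (D).
All hosts, applications, IPs and ports below are constructed sample data."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One communication as collected at one end (step (A))."""
    host: str          # host on which the record was collected
    app: str           # application at this (local) end
    local_ip: str
    local_port: int
    proto: str
    remote_ip: str
    remote_port: int
    outbound: bool     # assumption: True if this end initiated the connection


def both_ends(src, dst, src_port, dst_port, proto="tcp"):
    """Constructed-telemetry helper: the two records one connection produces,
    one collected at each end. src and dst are (host, app, ip) triples."""
    (sh, sa, sip), (dh, da, dip) = src, dst
    return [Record(sh, sa, sip, src_port, proto, dip, dst_port, True),
            Record(dh, da, dip, dst_port, proto, sip, src_port, False)]


WEB = ("web1", "nginx", "10.0.0.1")
API = ("api1", "api-server", "10.0.0.2")
DB = ("db1", "postgres", "10.0.0.3")

# (A) constructed records: six complete connections plus one outbound record
# whose destination end has no collector (e.g. an external host); that record
# stays unmatched in step (C) rather than being guessed at or labelled.
RECORDS = (
    both_ends(WEB, API, 50001, 8080) + both_ends(WEB, API, 50002, 8080)
    + both_ends(WEB, API, 50003, 8080)
    + both_ends(API, DB, 40001, 5432) + both_ends(API, DB, 40002, 5432)
    + both_ends(WEB, DB, 50004, 5432)
    + [Record("web1", "nginx", "10.0.0.1", 50005, "tcp", "203.0.113.9", 443, True)]
)

FEATURES = ("source_host", "source_app", "destination_host", "destination_app")


def build_flows(records):
    """(B) flow objects keyed by (host, app); each holds only that app's records."""
    flows = defaultdict(list)
    for r in records:
        flows[(r.host, r.app)].append(r)
    return dict(flows)


def match_flows(flows):
    """(C) pair each outbound record with the inbound record that describes the
    same 5-tuple seen from the other end. Match objects carry no labels."""
    # index destination-end records by the 5-tuple as the source end sees it
    inbound = {}
    for (host, app), recs in flows.items():
        for r in recs:
            if not r.outbound:
                inbound[(r.remote_ip, r.remote_port, r.proto,
                         r.local_ip, r.local_port)] = (host, app)
    matches = []
    for (host, app), recs in flows.items():
        for r in recs:
            if not r.outbound:
                continue
            dst = inbound.get((r.local_ip, r.local_port, r.proto,
                               r.remote_ip, r.remote_port))
            if dst is None:
                continue  # half-seen flow: skipped, never labelled
            matches.append({"source_host": host, "source_app": app,
                            "destination_host": dst[0], "destination_app": dst[1],
                            "destination_port": r.remote_port, "protocol": r.proto})
    return matches


def build_model(matches, features=FEATURES):
    """(D) rules: feature-value tuple -> occurrences / total matches."""
    counts = Counter(tuple((f, m[f]) for f in features) for m in matches)
    total = sum(counts.values())
    return {rule: n / total for rule, n in counts.items()}


def validate(model, communication, features=FEATURES, min_probability=0.1):
    """Policy check from the abstract: allow a communication only if a rule
    with its feature values exists and its probability meets the threshold."""
    rule = tuple((f, communication[f]) for f in features)
    return model.get(rule, 0.0) >= min_probability


if __name__ == "__main__":
    model = build_model(match_flows(build_flows(RECORDS)))
    for rule, p in sorted(model.items(), key=lambda kv: -kv[1]):
        print(f"{p:.3f}  " + " ".join(f"{f}={v}" for f, v in rule))
    print("allow web1/nginx -> api1/api-server:",
          validate(model, {"source_host": "web1", "source_app": "nginx",
                           "destination_host": "api1", "destination_app": "api-server"}))
```

The unmatched outbound record to 203.0.113.9 shows the edge case the claim's pairing step has to tolerate: a flow observed at only one end contributes no match object and therefore no rule, so the model neither allows nor denies it on its own. The threshold in `validate` is this example's choice; the claim only requires that each rule carry its occurrence probability.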
3 Assignments
0 Petitions
Abstract
Embodiments of the present invention generate network communication policies by applying machine learning to existing network communications, and without using information that labels such communications as healthy or unhealthy. The resulting policies may be used to validate communication between applications (or services) over a network.
64 Citations
18 Claims
1. A method performed by at least one computer processor executing computer program instructions stored in at least one non-transitory computer-readable medium (independent method claim, set out in full under First Claim above). View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
10. A system comprising at least one non-transitory computer-readable medium containing instructions executable by at least one computer processor to perform a method, the method comprising:
(A) for each of a plurality of communications over a network between applications executing on a plurality of computer systems, collecting and storing data about the plurality of communications, including, for each of the plurality of communications:
(1) data representing a local Internet Protocol (IP) address, local port, and protocol of the communication;
(2) data representing a remote IP address and remote port of the communication;
(3) data, other than the local IP address, local port, and protocol of the communication, representing a source application of the communication; and
(4) data, other than the remote IP address and remote port of the communication, representing a destination application of the communication;
(B) generating flow data based on the data about the plurality of communications collected and stored in (A), wherein the flow data includes a plurality of flow objects, wherein each of the plurality of flow objects contains data representing communications involving a single corresponding application;
(C) producing match data containing a plurality of match objects, wherein each of the match objects represents a pair of flow objects, in the plurality of flow objects, representing a flow at a source end of a network communication and a flow at a destination end of the network communication, wherein the plurality of match objects do not include labels labeling communications as healthy or unhealthy; and
(D) generating a network communication model based on the match data, the network communication model comprising a plurality of rules, each of which comprises at least one feature-value pair representing a network communication from the plurality of communications and a corresponding probability calculated as the occurrence of the network communication containing the at least one feature-value pair, wherein the at least one feature-value pair includes at least one feature from a set comprising a source host, a source application, a destination host, and a destination application.
View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
Specification