Detecting malicious network activity using time series payload data
First Claim
1. A method for detecting malicious network activity, the method comprising:
receiving, using an interface, at least one payload relating to an attack on a virtual security appliance;
extracting, using an analysis module executing instructions stored on a memory, at least one feature related to the at least one payload;
sorting, using the analysis module, the at least one payload into at least one cluster based on the at least one extracted feature;
generating, using the analysis module, a time series dataset from the at least one cluster; and
identifying, using the analysis module, at least one payload from the generated time series dataset that is different from the at least one payload sorted into the at least one cluster, such that the different at least one payload forms its own cluster and is therefore anomalous.
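The claim describes a pipeline (receive payloads from a decoy appliance, extract features, cluster, build a per-cluster time series, flag a payload that ends up alone in its own cluster) without fixing any particular feature set or clustering algorithm. The following is an added worked example of that pipeline, not code from the patent or its assignee. The feature vector (byte entropy, printable fraction, log length), the leader-clustering step with a distance threshold of 1.0, hourly bucketing, and the sample honeypot records are all assumptions chosen for illustration.

```python
import math
import string
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records: (ISO timestamp, raw payload) as a honeypot
# (the "virtual security appliance") might log them. Not real captures.
SAMPLE_PAYLOADS = [
    ("2024-05-01T10:02:11", b"GET /admin/login.php HTTP/1.1\r\nHost: target\r\n\r\n"),
    ("2024-05-01T10:17:40", b"GET /wp-login.php HTTP/1.1\r\nHost: target\r\n\r\n"),
    ("2024-05-01T11:05:03", b"GET /.env HTTP/1.1\r\nHost: target\r\n\r\n"),
    ("2024-05-01T11:31:55", bytes(range(256))),  # high-entropy blob, unlike the probes
    ("2024-05-01T12:00:09", b"GET /phpmyadmin/ HTTP/1.1\r\nHost: target\r\n\r\n"),
]

PRINTABLE = set(string.printable.encode())


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(payload: bytes):
    """Assumed feature vector: (entropy, printable fraction, log length)."""
    printable = sum(1 for b in payload if b in PRINTABLE) / max(len(payload), 1)
    return (shannon_entropy(payload), printable, math.log(len(payload) + 1))


def _distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def cluster_payloads(features, threshold=1.0):
    """Leader clustering (assumed method): join the nearest centroid closer than
    `threshold`, otherwise open a new cluster. Returns one cluster id per vector."""
    centroids, members, labels = [], [], []
    for i, f in enumerate(features):
        best, best_d = None, threshold
        for cid, c in enumerate(centroids):
            d = _distance(f, c)
            if d < best_d:
                best, best_d = cid, d
        if best is None:
            centroids.append(list(f))
            members.append([i])
            best = len(centroids) - 1
        else:
            members[best].append(i)
            k = len(members[best])  # running mean keeps the centroid current
            centroids[best] = [(c * (k - 1) + x) / k for c, x in zip(centroids[best], f)]
        labels.append(best)
    return labels


def build_time_series(timestamps, labels, bucket="%Y-%m-%dT%H"):
    """Time series dataset: per-cluster payload counts per time bucket (hourly)."""
    series = defaultdict(lambda: defaultdict(int))
    for ts, cid in zip(timestamps, labels):
        key = datetime.fromisoformat(ts).strftime(bucket)
        series[cid][key] += 1
    return {cid: dict(buckets) for cid, buckets in series.items()}


def find_anomalous(labels, series, max_size=1):
    """Indices of payloads whose cluster holds at most `max_size` payloads over
    the whole series, i.e. payloads that formed their own cluster."""
    small = {cid for cid, b in series.items() if sum(b.values()) <= max_size}
    return [i for i, cid in enumerate(labels) if cid in small]


def analyse(records=SAMPLE_PAYLOADS):
    """Run the full pipeline; returns (labels, time series, anomalous indices)."""
    timestamps, raw = zip(*records)
    labels = cluster_payloads([extract_features(p) for p in raw])
    series = build_time_series(timestamps, labels)
    return labels, series, find_anomalous(labels, series)


if __name__ == "__main__":
    labels, series, anomalies = analyse()
    print("labels:", labels)
    print("series:", series)
    print("anomalous payload indices:", anomalies)
```

On the sample, the four HTTP probes share low entropy and full printability and land in one cluster, while the 256-byte blob (entropy 8.0, printable fraction 0.39) is far from that centroid and becomes a singleton cluster, which is what the claim treats as anomalous. In practice the singleton rule must be read together with the time axis: a cluster that is new this hour but grows in later buckets is a new campaign rather than a one-off, so a production detector would also watch the per-bucket counts that `build_time_series` produces, not only total cluster size.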
3 Assignments
0 Petitions
Abstract
Methods and systems for detecting malicious network activity. The method may include analyzing payload data relating to activity on one or more virtual security appliances, grouping related payloads, and analyzing a time series dataset describing the groupings to identify anomalous payloads.
9 Citations
18 Claims
1. (Independent method claim, reproduced above; dependent claims 2 to 9.)

10. A system for detecting malicious network activity, the system including:
an interface configured to receive at least one payload relating to an attack on a virtual security appliance; a memory; and an analysis module configured to execute instructions stored on the memory to: extract at least one feature related to the at least one payload; sort the at least one payload into at least one cluster based on the at least one extracted feature; generate a time series dataset from the at least one cluster; and identify at least one payload from the generated time series dataset that is different from the at least one payload sorted into the at least one cluster, such that the different at least one payload forms its own cluster and is therefore anomalous. (Dependent claims 11 to 18.)
Specification