Detecting malicious network activity using time series payload data

US 10,547,629 B2
Filed: 11/05/2017
Issued: 01/28/2020
Est. Priority Date: 11/05/2017
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious network activity, the method comprising:

receiving, using an interface, at least one payload relating to an attack on a virtual security appliance;

extracting, using an analysis module executing instructions stored on a memory, at least one feature related to the at least one payload;

sorting, using the analysis module, the at least one payload into at least one cluster based on the at least one extracted feature;

generating, using the analysis module, a time series dataset from the at least one cluster; and

identifying, using the analysis module, at least one payload from the generated time series dataset that is different from the at least one payload sorted into the at least one cluster such that the different at least one payload forms its own cluster and is therefore anomalous.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for detecting malicious network activity. The method may include analyzing payload data relating to activity on one or more virtual security appliances, grouping related payloads, and analyzing a time series dataset describing the groupings to identify anomalous payloads.

9 Citations

18 Claims

1. A method for detecting malicious network activity, the method comprising:
- receiving, using an interface, at least one payload relating to an attack on a virtual security appliance;
  
  extracting, using an analysis module executing instructions stored on a memory, at least one feature related to the at least one payload;
  
  sorting, using the analysis module, the at least one payload into at least one cluster based on the at least one extracted feature;
  
  generating, using the analysis module, a time series dataset from the at least one cluster; and
  
  identifying, using the analysis module, at least one payload from the generated time series dataset that is different from the at least one payload sorted into the at least one cluster such that the different at least one payload forms its own cluster and is therefore anomalous.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the generated time series dataset comprises population sizes for each of the at least one cluster and identifying the at least one payload includes identifying at least one cluster with an outlier population size based on the dataset.
  - 3. The method of claim 1 wherein the generated time series dataset comprises a value of a distance function applied to each of the at least one cluster and identifying the at least one payload includes identifying at least one cluster with an outlier distance function value based on the dataset.
  - 4. The method of claim 1 wherein the generated time series dataset comprises a value of a function applied to each of the at least one cluster that determines the distance between at least one payload and the centroid of the at least one cluster and identifying the at least one payload includes identifying at least one payload with an outlier function value based on the dataset.
  - 5. The method of claim 1 wherein the generated time series dataset comprises a value of a diffuse function applied to each of the at least one cluster and identifying the at least one payload includes identifying at least one cluster with an outlier diffuse value based on the dataset.
  - 6. The method of claim 1 wherein sorting the at least one payload into at least one cluster includes applying a k-means function to the at least one payload and sorting the at least one payload into at least one cluster is based on the result of the application of the k-means function.
  - 7. The method of claim 1 wherein sorting the at least one payload into at least one cluster includes sorting the at least one payload into a predetermined number of clusters.
  - 8. The method of claim 1 wherein the at least one extracted feature indicates whether the payload is malicious.
  - 9. The method of claim 1 wherein the at least one extracted feature is related to the number or frequency of payload headers.

10. A system for detecting malicious network activity, the system including:
- an interface configured to receive at least one payload relating to an attack on a virtual security appliance;
  
  a memory; and
  
  an analysis module configured to execute instructions stored on the memory to;
  
  extract at least one feature related to the at least one payload;
  
  sort the at least one payload into at least one cluster based on the at least one extracted feature;
  
  generate a time series dataset from the at least one cluster; and
  
  identify at least one payload from the generated time series dataset that is different from the at least one payload sorted into the at least one cluster such that the different at least one payload forms its own cluster and is therefore anomalous.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10 wherein the generated time series dataset comprises population sizes for each of the at least one cluster and the analysis module identifies the at least one payload by identifying at least one cluster with an outlier population size based on the dataset.
  - 12. The system of claim 10 wherein the generated time series dataset comprises a value of a distance function applied to each of the at least one cluster, and the analysis module identifies the at least one payload by identifying at least one cluster with an outlier distance function value based on the dataset.
  - 13. The system of claim 10 wherein the generated time series dataset comprises a value of a function applied to each of the at least one cluster that determines the distance between the at least one cluster and the centroid of the at least one cluster and the analysis module identifies the at least one payload by identifying at least one cluster with an outlier function value based on the dataset.
  - 14. The system of claim 10 wherein the generated time series dataset comprises a value of a diffuse function applied to each of the at least one cluster and identifying the at least one payload includes identifying at least one cluster with an outlier diffuse value based on the dataset.
  - 15. The system of claim 10 wherein the analysis module is configured to sort the at least one payload into at least one cluster by applying a k-means function to the at least one payload, and sorting the at least one payload into at least one cluster is based on the result of the application of the k-means function.
  - 16. The system of claim 10 wherein the analysis module is configured to sort the at least one payload into a predetermined number of clusters.
  - 17. The system of claim 10 wherein the at least one extracted feature indicates whether the payload is malicious.
  - 18. The system of claim 10 wherein the at least one extracted feature is related to the number or frequency of payload headers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rapid7, Inc.
Original Assignee
Rapid7, Inc.
Inventors
Shivamoggi, Vasudha, Keyes, Oliver
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Mejia, Feliciano S

Application Number

US15/803,805
Publication Number

US 20190141066A1
Time in Patent Office

814 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

Detecting malicious network activity using time series payload data

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting malicious network activity using time series payload data

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links