Methods and systems for network flow analysis
First Claim
1. A method comprising:
performing processing associated with receiving, with a flow creation module in communication with a computer comprising a database, network flow data;
performing processing associated with identifying, with a peer to peer flow detection module in communication with the computer, and from the network flow data, a first plurality of network flows that together constitute a first peer to peer network communication within the network flow data and a second plurality of network flows that together constitute a second peer to peer network communication within the network flow data;
performing processing associated with detecting, with a peer to peer classification module in communication with the computer, that the first plurality of network flows matches one or more known peer to peer application communications;
responsive to detecting a match for the first plurality of network flows, performing processing associated with labeling, with the peer to peer classification module, the first plurality of network flows with a first label comprising a category identical to the matching one or more known peer to peer application communications;
performing processing associated with detecting, with the peer to peer classification module in communication with the computer, that the second plurality of network flows does not match any of the one or more known peer to peer application communications;
responsive to failing to detect a match for the second plurality of network flows;
performing processing associated with determining, with the peer to peer classification module, that one or more connection features for the second plurality of network flows resemble one or more connection features for a stored unclassified peer to peer application communication;
responsive to determining that the one or more connection features for the second plurality of network flows resemble the one or more connection features for the stored unclassified peer to peer application communication, performing processing associated with clustering, with an unclassified peer to peer clustering module, the second plurality of network flows with the stored unclassified peer to peer application communication; and
performing processing associated with labeling, with the peer to peer classification module, the second plurality of network flows with a second label based on its cluster;
performing processing associated with determining, with the peer to peer classification module, whether the first plurality of network flows are malicious based on the category;
performing processing associated with determining, with the peer to peer classification module, whether the second plurality of network flows are malicious based on one or more characteristics of the stored unclassified peer to peer application communication; and
in response to determining that one or more of the first plurality of network flows and the second plurality of network flows are malicious, performing processing associated with generating, with an alert module in communication with the computer, an alert and blocking at least one of the first plurality of network flows or at least one of the second plurality of network flows.
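The decision procedure of claim 1, written out as an added example (it is not code from the patent or its assignee): a communication is matched against known peer to peer application signatures first; on a miss it is compared by connection features against stored unclassified clusters and joins one or starts a new one; the malicious verdict then comes from the known category or from the stored cluster's characteristics, and a malicious verdict yields an alert-and-block action. The feature vector, the distance threshold, the signatures, the malicious-category list and all flow records are constructed assumptions for illustration.

```python
import math

MALICIOUS_CATEGORIES = {"p2p-botnet"}   # categories deemed malicious (assumed)
THRESHOLD = 0.25                         # max feature distance that counts as a match (assumed)

def connection_features(flows):
    """Feature vector for one P2P communication; each flow is (src, dst, dport, bytes)."""
    peers = {dst for _, dst, _, _ in flows}
    high = sum(1 for f in flows if f[2] >= 1024)
    mean_bytes = sum(f[3] for f in flows) / len(flows)
    return (len(peers) / len(flows), high / len(flows), math.log10(mean_bytes) / 6)

def nearest(feats, table):
    """Name of the closest entry in table within THRESHOLD, else None."""
    best = min(table, key=lambda n: math.dist(feats, table[n]["features"]), default=None)
    return best if best and math.dist(feats, table[best]["features"]) <= THRESHOLD else None

def classify(flows, known, unclassified):
    """Returns (label, is_malicious, action) for one plurality of flows."""
    feats = connection_features(flows)
    name = nearest(feats, known)
    if name:                                        # matches a known P2P application
        label = known[name]["category"]
        malicious = label in MALICIOUS_CATEGORIES   # verdict based on the category
    else:                                           # no match: cluster with stored unclassified
        name = nearest(feats, unclassified)
        if name is None:                            # resembles nothing stored: new cluster
            name = f"unclassified-{len(unclassified) + 1}"
            unclassified[name] = {"features": feats, "members": 0, "malicious": False}
        unclassified[name]["members"] += 1
        label, malicious = name, unclassified[name]["malicious"]  # cluster characteristic
    return label, malicious, "alert+block" if malicious else "allow"

def run_demo():
    """Constructed sample data: two signatures, one stored cluster, four communications."""
    known = {"swarm-app": {"category": "file-sharing", "features": (1.0, 1.0, 0.83)},
             "bot-app":   {"category": "p2p-botnet",   "features": (1.0, 1.0, 0.38)}}
    unclassified = {"unclassified-1": {"features": (0.5, 0.5, 0.6), "members": 3, "malicious": True}}
    comms = {
        "host-a": [("10.0.0.5", f"198.51.100.{i}", 50000 + i, 100_000) for i in range(4)],
        "host-b": [("10.0.0.6", f"203.0.113.{i}", 40000 + i, 200) for i in range(4)],
        "host-c": [("10.0.0.7", "192.0.2.1", 443, 5000), ("10.0.0.7", "192.0.2.1", 8080, 5000),
                   ("10.0.0.7", "192.0.2.2", 80, 5000), ("10.0.0.7", "192.0.2.2", 9000, 5000)],
        "host-d": [("10.0.0.8", "192.0.2.9", 22, 1_000_000), ("10.0.0.8", "192.0.2.9", 80, 1_000_000)],
    }
    return {host: classify(flows, known, unclassified) for host, flows in comms.items()}

if __name__ == "__main__":
    for host, result in run_demo().items():
        print(host, result)
```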
Abstract
A system and method comprising: receiving network flow data; identifying a peer to peer network flow within the network flow data; comparing the peer to peer network flow to a known peer to peer application flow; labeling the peer to peer network flow as the known peer to peer application flow when the peer to peer network flow matches the known peer to peer application flow; and creating a data set to be associated with the labeled peer to peer flow.
22 Claims