PREDICTIVE BLACKLISTING USING IMPLICIT RECOMMENDATION

US 20110179492A1
Filed: 01/21/2010
Published: 07/21/2011
Est. Priority Date: 01/21/2010
Status: Active Grant

First Claim

Patent Images

1. A method for determining a rating of a likelihood of a victim system receiving malicious traffic from an attacker system at a point in time, comprising:

generating a first forecast from a time series model based on past history of attacks by the attacker system;

generating a second forecast from a victim neighborhood model based on similarity between the victim system and peer victim systems;

generating a third forecast from a joint attacker-victim neighborhood model based on correlation between a group of attacker systems including the attacker system and a group of victim systems including the victim system; and

determining the rating of the likelihood of the victim system receiving malicious traffic from the attacker system at the point in time based on the first forecast, the second forecast, and the third forecast.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for determining a rating of a likelihood of a victim system receiving malicious traffic from an attacker system at a point in time. The method comprises: generating a first forecast from a time series model based on past history of attacks by the attacker system; generating a second forecast from a victim neighborhood model based on similarity between the victim system and peer victim systems; generating a third forecast from a joint attacker-victim neighborhood model based on correlation between a group of attacker systems including the attacker system and a group of victim systems including the victim system; and determining the rating of the likelihood of the victim system receiving malicious traffic from the attacker system at the point in time based on the first forecast, the second forecast, and the third forecast.

49 Citations

View as Search Results

20 Claims

1. A method for determining a rating of a likelihood of a victim system receiving malicious traffic from an attacker system at a point in time, comprising:
- generating a first forecast from a time series model based on past history of attacks by the attacker system;
  
  generating a second forecast from a victim neighborhood model based on similarity between the victim system and peer victim systems;
  
  generating a third forecast from a joint attacker-victim neighborhood model based on correlation between a group of attacker systems including the attacker system and a group of victim systems including the victim system; and
  
  determining the rating of the likelihood of the victim system receiving malicious traffic from the attacker system at the point in time based on the first forecast, the second forecast, and the third forecast.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising:
    - generating for the victim system a blacklist of potential attacker systems based on the determined rating.
  - 3. The method of claim 1 wherein the time series model is based on an Exponential Weighted Moving Average model.
  - 4. The method of claim 3 wherein the Exponential Weighted Moving Average model determines a rating of a likelihood of future attacks by the attacking system on the victim system based on past likelihoods of attacks of the victim system by the attacking system that are weighed with exponentially decreasing weights towards older values.
  - 5. The method of claim 1 wherein the past history of attacks the attacker system includes any level of aggregation of an attacker system internet protocol address of a past attack, any level of aggregation of a victim system internet protocol address of a past attack, and a time of a past attack.
  - 6. The method of claim 1, wherein the second forecast from the victim neighborhood model is generated based on the first forecast generated from the time series model.
  - 7. The method of claim 1 wherein:
    - the second forecast r_a,v^kNN(t) of the attacker system a attacking the victim system v at the point in time t is generated based on a formula;
  - 8. The method of claim 7, wherein:
    - the similarity between the victim system and peer victim systems is based on past history of attacks by the attacking system towards the victim system and the peer victim systems, including a closeness in time of the past history of attacks by the attacking system towards the victim system and the peer victim system.
  - 9. The method of claim 1 wherein:
    - the third forecast r_a,v^CA(t+1) of the attacker system a attacking the victim system v at the point in time t+1 is generated based on a formula;
  - 10. The method of claim 1 wherein:
    - the probability {circumflex over (b)}_a,v(t) of the victim system v receiving malicious traffic from the attacker system a at the point in time t based on the first forecast r_a,v^TS(t), the second forecast r_a,v^kNN(t), and the third forecast r_a,v^CA(t) is generated based on a formula;
      
      {circumflex over (b)}_a,v(t)=r_a,v^TS(t)+ω
      
      _a,v^kNNr_a,v^kNN(t)+ω
      
      _a,v^CAr_a,v^CA(t);
      
      where ω
      
      _a,v^kNNis a kNN weight for weighing the second forecast; and
      
      where ω
      
      _a,v^CAis a CA weight for weighing the third forecast.

11. A system comprising:
- a processor; and
  
  a computer program that executes on the processor to;
  
  generate a first forecast from a victim neighborhood model based on similarity between a victim system and peer victim systems;
  
  associate a first weight with the first forecast that correlates with the similarity between the victim system and peer victim systems;
  
  generate a second forecast from a joint attacker-victim neighborhood model based on correlation between a group of attacker systems including the attacker system and a group of victim systems including the victim system;
  
  associate a second weight with the second forecast that correlates with a density of the group of attacker systems including the attacker system and the group of victim systems including the victim system; and
  
  determine a rating of a likelihood of the victim system receiving malicious traffic from the attacker system at a point in time based on the first forecast weighed with the first weight and the second forecast weighed with the second weight.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, wherein the similarity between the victim system and peer victim systems is based on past history of attacks by the attacking system towards the victim system and the peer victim systems including a closeness in time of the past history of attacks by the attacking system towards the victim system and the peer victim system.
  - 13. The system of claim 11, wherein the correlation between the group of attacker systems including the attacker system and the group of victim systems including the victim system is based on the density of the group of attacker systems including the attacker system and the group of victim systems including the victim system at a previous point in time.
  - 14. The system of claim 13, wherein the joint attacker-victim neighborhood model applies an Exponential Weighted Moving Average model on a time series of the density.
  - 15. The system of claim 14, wherein the Exponential Weighted Moving Average model determines a rating of a likelihood of attacks from the attacker system based on past density values of the group of attacker systems including the attacker system and the group of victim systems including the victim system weighed with exponentially decreasing weights towards older density values.

16. A computer readable storage medium having instructions stored thereon that when executed by a processor cause a system to:
- generate a first forecast from an Exponential Weighted Moving Average model that determines a likelihood of future attacks by an attacking system on a victim system based on past likelihoods of attacks of the victim system by the attacking system that are weighed with exponentially decreasing weights towards older values;
  
  generate a second forecast from a neighborhood model based on correlation between the victim system, attacker systems, and peer victim systems; and
  
  determine a rating of a likelihood of the victim system receiving malicious traffic from the attacker system at a point in time based on the first forecast and the second forecast.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer readable storage medium of claim 16 wherein:
    - the point in time is a testing window; and
      
      the rating of the likelihood is determined based on a training window previous in time to the testing window.
  - 18. The computer readable storage medium of claim 16, wherein:
    - the neighborhood model further comprises a victim neighborhood model and a joint attacker-victim neighborhood model.
  - 19. The computer readable storage medium of claim 18, wherein:
    - the joint attacker-victim neighborhood model generates a forecast based on a density of a group of attacker systems including the attacker system and a group of victim systems including the victim system at a previous point in time.
  - 20. The computer readable storage medium of claim 16, wherein:
    - the past likelihoods of attacks of the victim system by the attacking system indicates for each time slot in a period of time previous to the point in time whether the victim system was attacked by the attacking system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Regents of the University of California (University of California)
Original Assignee
Regents of the University of California (University of California)
Inventors
Le, Anh, MARKOPOULOU, ATHINA, Soldo, Fabio

Granted Patent

US 8,572,746 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/0263   Rule management

H04L 63/1441   Countermeasures against mal...

PREDICTIVE BLACKLISTING USING IMPLICIT RECOMMENDATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PREDICTIVE BLACKLISTING USING IMPLICIT RECOMMENDATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links