INTRUSION DETECTION USING MDL CLUSTERING
First Claim
1. A network intrusion detection system comprising:
a processor coupled to a nontransitory computer readable medium bearing software instructions that, when executed by the processor, cause the processor to perform operations including:
clustering network traffic files into a plurality of clusters based on minimum description length (MDL) similarity;
building an MDL model for each cluster;
calculating distances from each traffic file to each MDL model to obtain a distance vector for each traffic file, each distance vector having a distance from a corresponding traffic file to each MDL model;
building a decision model based on the distance vectors;
analyzing network traffic using the decision model;
generating an output based on the analyzing, the output indicating potential matches between network traffic and an MDL model corresponding to malicious activity; and
displaying on a display, a visualization plot based on the output, the plot showing a graphical representation of network traffic distance from the clusters.
Abstract
An intrusion detection method, system and computer-readable media are disclosed. The system can include a processor programmed to perform computer network intrusion detection. The intrusion detection can include an identification module and a detection module. The identification module can be adapted to perform semi-supervised machine learning to identify key components of a network attack and develop MDL models representing those attack components. The detection module can cluster the MDL models and use the clustered MDL models to classify network activity and detect polymorphic or zero-day attacks.
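The claims and the abstract describe a pipeline (cluster traffic files by MDL similarity, build one MDL model per cluster, compute per-file distance vectors against every model, train a decision model on those vectors, then classify new traffic with a few seed labels). The following is an added, self-contained sketch of that pipeline, not code from the patent or its assignee. It assumes that description length can be estimated with a general-purpose compressor (zlib), that an "MDL model" for a cluster is simply the cluster's concatenated files, that the distance of a file to a model is its conditional compressed length, and that the decision model is a nearest-mean classifier over distance vectors. All traffic records are constructed sample data.

```python
"""Toy MDL-style clustering for intrusion detection (added example).

Assumption: zlib compressed size stands in for description length, so the
"distance" from a file x to a model m is len(C(m + x)) - len(C(m)), the extra
bytes needed to describe x once m is known. None of this is the patent's own
method; it only illustrates the shape of the claimed pipeline.
"""
import zlib
from itertools import combinations


def clen(data: bytes) -> int:
    """Approximate description length: compressed size in bytes."""
    return len(zlib.compress(data, 9))


def ncd(x: bytes, y: bytes) -> float:
    """Normalized compression distance: ~0 for near-identical, ~1 for unrelated."""
    cx, cy = clen(x), clen(y)
    return (clen(x + y) - min(cx, cy)) / max(cx, cy)


def cluster_files(files, k):
    """Average-linkage agglomerative clustering on pairwise NCD until k clusters remain.
    Returns a list of clusters, each a list of indices into `files`."""
    n = len(files)
    d = [[0.0] * n for _ in range(n)]
    for i, j in combinations(range(n), 2):
        d[i][j] = d[j][i] = ncd(files[i], files[j])
    clusters = [[i] for i in range(n)]
    while len(clusters) > k:
        best = None
        for a, b in combinations(range(len(clusters)), 2):
            pairs = [(i, j) for i in clusters[a] for j in clusters[b]]
            avg = sum(d[i][j] for i, j in pairs) / len(pairs)
            if best is None or avg < best[0]:
                best = (avg, a, b)
        _, a, b = best
        clusters[a].extend(clusters.pop(b))  # b > a, so index a stays valid
    return clusters


def build_models(files, clusters):
    """One 'MDL model' per cluster: here, the cluster's concatenated files (assumption)."""
    return [b"".join(files[i] for i in c) for c in clusters]


def distance_vector(x, models):
    """Conditional description length of x given each cluster model."""
    return [clen(m + x) - clen(m) for m in models]


class DecisionModel:
    """Nearest-mean classifier over distance vectors; each cluster inherits the
    majority label of the few seed files it contains (semi-supervised)."""

    def __init__(self, files, clusters, models, seed_labels):
        self.models = models
        self.means, self.labels = [], []
        for c in clusters:
            vecs = [distance_vector(files[i], models) for i in c]
            self.means.append([sum(col) / len(vecs) for col in zip(*vecs)])
            seeds = [seed_labels[i] for i in c if i in seed_labels]
            self.labels.append(max(set(seeds), key=seeds.count) if seeds else "unknown")

    def classify(self, x):
        v = distance_vector(x, self.models)
        sq = [sum((a - b) ** 2 for a, b in zip(v, m)) for m in self.means]
        best = min(range(len(sq)), key=sq.__getitem__)
        return {"cluster": best, "label": self.labels[best], "distances": v}


# --- constructed sample "traffic files" (not real captures) ---------------------
def http_sample(i):
    """A benign-looking web request record, varied by i."""
    lines = [f"GET /portal/page{i}.html HTTP/1.1",
             f"Host: intranet{i % 3}.corp.example",
             "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
             "Accept: text/html,application/xhtml+xml",
             "Accept-Language: en-US,en;q=0.5",
             f"Cookie: session={(i * 7919) % 100000:05d}",
             "Connection: keep-alive", ""]
    return "\r\n".join(lines).encode()


def scan_sample(i):
    """A record of a port-sweep-like burst: one probe line per port."""
    ports = [21, 22, 23, 25, 80, 110, 143, 443]
    lines = [f"SYN 10.{i % 200}.{k}.7:{p} flags=S win=1024 ttl=48" for k, p in enumerate(ports)]
    return "\n".join(lines).encode() + b"\n"


FILES = [http_sample(i) for i in range(4)] + [scan_sample(i) for i in range(4)]
SEED_LABELS = {0: "benign", 4: "malicious"}  # the only labelled training files
CLUSTERS = cluster_files(FILES, k=2)
MODELS = build_models(FILES, CLUSTERS)
DECISION = DecisionModel(FILES, CLUSTERS, MODELS, SEED_LABELS)

if __name__ == "__main__":
    print("clusters:", CLUSTERS)
    for name, x in [("held-out web request", http_sample(50)),
                    ("held-out sweep burst", scan_sample(50))]:
        print(name, "->", DECISION.classify(x))
```

The distance vectors returned by `classify` are what a visualization plot would draw: a held-out file that sits far from every model is the interesting case for zero-day style detection, since it fits none of the learned descriptions well and deserves analyst attention rather than a confident label.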
24 Claims
1. Independent claim; text as set out above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A computerized method for computer network intrusion detection, the method comprising:
clustering, with a processor programmed to perform network intrusion detection, network traffic files into a plurality of clusters based on minimum description length (MDL) similarity;
building, with the processor, an MDL model for each cluster;
calculating, with the processor, distances from each traffic file to each MDL model to obtain a distance vector for each traffic file, each distance vector having a distance from a corresponding traffic file to each MDL model; and
building, with the processor, a decision model based on the distance vectors.
Dependent claims: 10, 11, 12, 13, 14, 22.
15. A nontransitory computer-readable medium having software instructions stored thereon that, when executed by a processor, cause the processor to perform operations comprising:
clustering network traffic files into a plurality of clusters based on minimum description length (MDL) similarity;
building an MDL model for each cluster;
calculating distances from each traffic file to each MDL model to obtain a distance vector for each traffic file, each distance vector having a distance from a corresponding traffic file to each MDL model; and
building a decision model based on the distance vectors.
Dependent claims: 16, 17, 18, 19, 20, 23.
21. A computerized method for computer network intrusion detection, the method comprising:
analyzing, with a processor programmed to perform network intrusion detection, network traffic using a decision model, the decision model having been built by:
clustering network traffic files into a plurality of clusters based on minimum description length (MDL) similarity;
building an MDL model for each cluster;
calculating distances from each traffic file to each MDL model to obtain a distance vector for each traffic file, each distance vector having a distance from a corresponding traffic file to each MDL model; and
building a decision model based on the distance vectors; and
generating, with the processor, an output based on the analyzing, the output indicating potential matches between network traffic and an MDL model corresponding to malicious activity.
Dependent claims: 24.