DETECTING MALICIOUS NETWORK SOFTWARE AGENTS
Abstract
This disclosure describes techniques for determining whether a network session originates from an automated software agent. In one example, a network device, such as a router, includes a network interface to receive packets of a network session, a bot detection module to calculate a plurality of scores for network session data based on a plurality of metrics, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, to produce an aggregate score from an aggregate of the plurality of scores, and to determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold, and an attack detection module to perform a programmed response when the network session is determined to be originated by an automated software agent. Each score represents a likelihood that the network session is originated by an automated software agent.
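The score, aggregate, threshold and response pipeline described in the abstract, as an added example that is not taken from the patent. The three metrics, their weights, the threshold value and the response names are assumptions chosen for illustration; the page does not name specific metrics.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Session:
    requests: list        # application-layer data: (timestamp_s, headers) per request
    flow_duration: float  # packet flow data: seconds between first and last packet

# Each metric returns a score in [0, 1], the likelihood that the session is automated.
# The three metrics, weights and threshold are assumptions made for this example.
def timing_regularity(s):
    gaps = [b[0] - a[0] for a, b in zip(s.requests, s.requests[1:])]
    if len(gaps) < 2 or mean(gaps) <= 0:
        return 0.0
    return max(0.0, 1.0 - pstdev(gaps) / mean(gaps))  # constant gaps score 1.0

def request_rate(s, ceiling=5.0):
    if s.flow_duration <= 0:
        return 0.0
    return min(1.0, len(s.requests) / s.flow_duration / ceiling)

def missing_headers(s, expected=("user-agent", "accept", "accept-language")):
    if not s.requests:
        return 0.0
    return mean(sum(h not in hdrs for h in expected) / len(expected)
                for _, hdrs in s.requests)

METRICS = [(timing_regularity, 0.4), (request_rate, 0.3), (missing_headers, 0.3)]
THRESHOLD = 0.6

def classify(s):
    scores = {m.__name__: m(s) for m, _ in METRICS}
    aggregate = sum(w * scores[m.__name__] for m, w in METRICS)
    # Programmed response (hypothetical action names) once the threshold is exceeded.
    response = "drop_and_alert" if aggregate > THRESHOLD else "forward"
    return scores, aggregate, response

# Constructed sample sessions.
BROWSER = {"user-agent": "x", "accept": "*/*", "accept-language": "en"}
BOT = Session([(t * 0.5, {"host": "example.test"}) for t in range(20)], 9.5)
HUMAN = Session([(t, BROWSER) for t in (0.0, 3.1, 4.0, 19.5, 21.0)], 30.0)

if __name__ == "__main__":
    for name, sess in (("bot", BOT), ("human", HUMAN)):
        print(name, classify(sess))
```

No single metric decides the outcome here: the constructed bot session has only a moderate request-rate score, and it crosses the threshold because the timing and header scores add to it.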
19 Claims
1. A method comprising:
- receiving, with a network device, packets of a network session;
- assembling network session data for the network session from the packets, the network session data comprising application-layer data and packet flow data for the network session;
- calculating a plurality of scores for the network session based on a plurality of metrics applied to the network session data, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, and wherein each of the scores represents a likelihood that the network session is originated by an automated software agent;
- aggregating the plurality of scores to produce an aggregate score;
- determining that the network session is originated by an automated software agent when the aggregate score exceeds a threshold; and
- executing a programmed response when the network session is determined to be originated by an automated software agent.

Dependent claims: 2, 3, 4, 5, 6
7. A network device comprising:
- a network interface to receive packets of a network session;
- a control unit having one or more processors;
- a reassembly module executing within the control unit to re-assemble application-layer data for the network session;
- a flow table to store packet flow information for the network session;
- a bot detection module executing within the control unit to calculate a plurality of scores for the network session based on a plurality of metrics each applied to at least one of the reassembled application-layer data and the packet flow information, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, wherein the bot detection module is configured to produce an aggregate score from an aggregate of the plurality of scores, and to determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold, wherein each of the scores represents a likelihood that the network session is originated by an automated software agent; and
- an attack detection module executing within the control unit to perform a programmed response when the network session is determined to be originated by an automated software agent.

Dependent claims: 8, 9, 10, 11, 12, 13
14. A computer-readable medium comprising instructions for causing a programmable processor of a network device to:
- receive packets of a network session;
- assemble network session data for the network session from the packets, the network session data comprising application-layer data and packet flow data for the network session;
- calculate a plurality of scores for the network session based on a plurality of metrics applied to the network session data, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, and wherein each of the scores represents a likelihood that the network session is originated by an automated software agent;
- aggregate the plurality of scores to produce an aggregate score;
- determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold; and
- execute a programmed response when the network session is determined to be originated by an automated software agent.

Dependent claims: 15, 16, 17, 18, 19
Specification