DETECTING MALICIOUS NETWORK SOFTWARE AGENTS

US 20150106935A1
Filed: 12/15/2014
Published: 04/16/2015
Est. Priority Date: 04/29/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, with a network device, packets of a network session;

assembling network session data for the network session from the packets, the network session data comprising application-layer data and packet flow data for the network session;

calculating a plurality of scores for the network session based on a plurality of metrics applied to the network session data, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, and wherein each of the scores represents a likelihood that the network session is originated by an automated software agent;

aggregating the plurality of scores to produce an aggregate score;

determining that the network session is originated by an automated software agent when the aggregate score exceeds a threshold; and

executing a programmed response when the network session is determined to be originated by an automated software agent.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure describes techniques for determining whether a network session originates from an automated software agent. In one example, a network device, such as a router, includes a network interface to receive packets of a network session, a bot detection module to calculate a plurality of scores for network session data based on a plurality of metrics, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, to produce an aggregate score from an aggregate of the plurality of scores, and to determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold, and an attack detection module to perform a programmed response when the network session is determined to be originated by an automated software agent. Each score represents a likelihood that the network session is originated by an automated software agent.

11 Citations

View as Search Results

19 Claims

1. A method comprising:
- receiving, with a network device, packets of a network session;
  
  assembling network session data for the network session from the packets, the network session data comprising application-layer data and packet flow data for the network session;
  
  calculating a plurality of scores for the network session based on a plurality of metrics applied to the network session data, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, and wherein each of the scores represents a likelihood that the network session is originated by an automated software agent;
  
  aggregating the plurality of scores to produce an aggregate score;
  
  determining that the network session is originated by an automated software agent when the aggregate score exceeds a threshold; and
  
  executing a programmed response when the network session is determined to be originated by an automated software agent.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising applying each of a plurality of weighting values to a respective one of the plurality of scores, wherein aggregating the plurality of scores comprises aggregating the plurality of scores having the respective weighting values applied.
  - 3. The method of claim 2, further comprising receiving the plurality of weighting values via a user interface.
  - 4. The method of claim 1, further comprising receiving a definition of at least one of the metrics via a user interface.
  - 5. The method of claim 1, wherein a first one of the metrics corresponds to a number of open connections for the network session, a second one of the metrics corresponds to an average number of transactions per open connection, a third one of the metrics corresponds to a time distribution between requests during the network session, a fourth one of the metrics corresponds to an average server response time to the requests, a fifth one of the metrics corresponds to a percent of data objects of a web page that are requested for the network session, a sixth one of the metrics corresponds to link-following behavior during the network session, a seventh one of the metrics corresponds to changes to a user agent during the network session, an eighth one of the metrics corresponds to web page cookie handling behavior, and a ninth one of the metrics corresponds to an operating system used by a client device of the network session.
  - 6. The method of claim 1, wherein executing a programmed response comprises at least one of sending an alert, dropping the packets of the network session, sending a close-session message to a client of the network session, blocking connection requests from a network device of the network session, sending a close-session message to a server of the network session, rate-limiting the network session, sending an identifier of the client to a network device with instructions to block other network sessions of the client, and sending an identifier of the server to the network device with instructions to block network sessions of the server.

7. A network device comprising:
- a network interface to receive packets of a network session;
  
  a control unit having one or more processors;
  
  a reassembly module executing within the control unit to re-assemble application-layer data for the network session;
  
  a flow table to store packet flow information for the network session;
  
  a bot detection module executing within the control unit to calculate a plurality of scores for the network session based on a plurality of metrics each applied to at least one of the reassembled application-layer data and the packet flow information, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, wherein the bot detection module is configured to produce an aggregate score from an aggregate of the plurality of scores, and to determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold, wherein each of the scores represents a likelihood that the network session is originated by an automated software agent; and
  
  an attack detection module executing within the control unit to perform a programmed response when the network session is determined to be originated by an automated software agent.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The device of claim 7, wherein the bot detection module applies each of a plurality of weighting values to a respective one of the plurality of scores and produces the aggregate score after having applied the weighting values to the plurality of scores for the aggregate of the plurality of scores.
  - 9. The device of claim 8, further comprising a user interface to receive the plurality of weighting values.
  - 10. The device of claim 7, further comprising a user interface to receive a definition of at least one of the metrics.
  - 11. The device of claim 7, wherein a first one of the metrics corresponds to a number of open connections for the network session, a second one of the metrics corresponds to an average number of transactions per open connection, a third one of the metrics corresponds to a time distribution between requests during the network session, a fourth one of the metrics corresponds to an average server response time to the requests, a fifth one of the metrics corresponds to a percent of data objects of a web page that are requested for the network session, a sixth one of the metrics corresponds to link-following behavior during the network session, a seventh one of the metrics corresponds to changes to a user agent during the network session, an eighth one of the metrics corresponds to web page cookie handling behavior, and a ninth one of the metrics corresponds to an operating system used by a client device of the network session.
  - 12. The device of claim 7, wherein the a programmed response executed by the attack detection module comprises at least one of sending an alert, dropping the packets of the network session, sending a close-session message to a client of the network session, sending a close-session message to a server of the network session, blocking connection requests from a network device of the network session, rate-limiting the network session, sending an identifier of the client to a network device with instructions to block other network sessions of the client, and sending an identifier of the server to the network device with instructions to block network sessions of the server.
  - 13. The device of claim 7, further comprising a router, wherein a service plane of the router comprises an intrusion detection and prevention card that comprises the reassembly module, the bot detection module, and the attack detection module.

14. A computer-readable medium comprising instructions for causing a programmable processor of a network device to:
- receive packets of a network session;
  
  assemble network session data for the network session from the packets, the network session data comprising application-layer data and packet flow data for the network session;
  
  calculate a plurality of scores for the network session based on a plurality of metrics applied to the network session data, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, and wherein each of the scores represents a likelihood that the network session is originated by an automated software agent;
  
  aggregate the plurality of scores to produce an aggregate score;
  
  determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold; and
  
  execute a programmed response when the network session is determined to be originated by an automated software agent.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer-readable medium of claim 14, further comprising instructions to apply each of a plurality of weighting values to a respective one of the plurality of scores, wherein the instructions to aggregate the plurality of scores comprise instructions to aggregate the plurality of scores having the respective weighting values applied.
  - 16. The computer-readable medium of claim 15, further comprising instructions to present a user interface and to receive the plurality of weighting values via the user interface.
  - 17. The computer-readable medium of claim 14, further comprising instructions to present a user interface and to receive a definition of at least one of the metrics via the user interface.
  - 18. The computer-readable medium of claim 14, wherein a first one of the metrics corresponds to a number of open connections for the network session, a second one of the metrics corresponds to an average number of transactions per open connection, a third one of the metrics corresponds to a time distribution between requests during the network session, a fourth one of the metrics corresponds to an average server response time to the requests, a fifth one of the metrics corresponds to a percent of data objects of a web page that are requested for the network session, a sixth one of the metrics corresponds to link-following behavior during the network session, a seventh one of the metrics corresponds to changes to a user agent during the network session, an eighth one of the metrics corresponds to web page cookie handling behavior, and a ninth one of the metrics corresponds to an operating system used by a client device of the network session.
  - 19. The computer-readable medium of claim 14, wherein the instructions to execute a programmed response comprise at least one of instructions to send an alert, instructions to drop the packets of the network session, instructions to send a close-session message to a client of the network session, instructions to block connection requests from a network device of the network session, instructions to send a close-session message to a server of the network session, rate-limiting the network session, instructions to send an identifier of the client to a network device with instructions to block other network sessions of the client, and instructions to send an identifier of the server to the network device with instructions to block network sessions of the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Burns, Bryan, Narayanaswamy, Krishna

Granted Patent

US 9,344,445 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

DETECTING MALICIOUS NETWORK SOFTWARE AGENTS

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTING MALICIOUS NETWORK SOFTWARE AGENTS

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links