FLOW-BASED SYSTEM AND METHOD FOR DETECTING CYBER-ATTACKS UTILIZING CONTEXTUAL INFORMATION
First Claim
1. A method of monitoring a set of unidirectional network packets (“IP Flow”) to identify potential threats, comprising:
applying a set of classification rules to the IP Flow;
determining an initial threat prediction based on the application of the set of classification rules;
analyzing the initial threat prediction with a semantic link network, wherein the semantic link network comprises suspicious and benign nodes, and further comprises semantic links among the suspicious and benign nodes that are at least partially weighted based on contextual information; and
determining an expanded threat prediction based on the semantic link network analysis, wherein the expanded threat prediction comprises a suspicious activity prediction and/or a benign activity prediction.
1 Assignment
0 Petitions
Abstract
A flow-based detection system and method for detection of cyber-attacks is provided that utilizes contextual information to provide improved detection accuracy over existing flow-based systems. Contextual information is utilized to semantically reveal cyber-attacks from IP flows. Time, location, and other contextual information mined from network flow data is utilized to create semantic links among alerts raised in response to suspicious IP flows. The semantic links are identified through an inference process on probabilistic semantic link networks. The resulting links are used at run-time to retrieve relevant suspicious activities that represent a possible attack or possible steps in multi-step attacks.
21 Claims
1. A method of monitoring a set of unidirectional network packets (“IP Flow”) to identify potential threats, comprising: applying a set of classification rules to the IP Flow; determining an initial threat prediction based on the application of the set of classification rules; analyzing the initial threat prediction with a semantic link network, wherein the semantic link network comprises suspicious and benign nodes, and further comprises semantic links among the suspicious and benign nodes that are at least partially weighted based on contextual information; and determining an expanded threat prediction based on the semantic link network analysis, wherein the expanded threat prediction comprises a suspicious activity prediction and/or a benign activity prediction. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method of improving the accuracy of a threat prediction made on a set of unidirectional network packets, comprising: analyzing the threat prediction with a semantic link network, wherein the semantic link network comprises suspicious and benign nodes, and further comprises semantic links among the suspicious and benign nodes that are at least partially weighted based on contextual information; and determining an expanded threat prediction based on the semantic link network analysis, wherein the expanded threat prediction comprises a suspicious activity prediction and/or a benign activity prediction. Dependent claims: 9.
10. A system for monitoring a set of unidirectional network packets (“IP Flows”) to identify potential threats, comprising: a classification module that applies a set of classification rules to the IP Flow and determines an initial threat prediction based on the application of the set of classification rules; and a semantic link network module that analyzes the initial threat prediction with a semantic link network and that determines an expanded threat prediction based on the semantic link network analysis, wherein the expanded threat prediction comprises a suspicious activity prediction and/or a benign activity prediction; wherein the semantic link network comprises suspicious and benign nodes, and further comprises semantic links among the suspicious and benign nodes that are at least partially weighted based on contextual information. Dependent claims: 11, 12, 13, 14, 15.
16. A system for monitoring a set of unidirectional network packets (“IP Flows”) to identify potential threats, comprising a set of computer readable instructions stored in a tangible medium that are executable by a processor to: apply a set of classification rules to the IP Flow; determine an initial threat prediction based on the application of the set of classification rules; analyze the initial threat prediction with a semantic link network, wherein the semantic link network comprises suspicious and benign nodes, and further comprises semantic links among the suspicious and benign nodes that are at least partially weighted based on contextual information; and determine an expanded threat prediction based on the semantic link network analysis, wherein the expanded threat prediction comprises a suspicious activity prediction and/or a benign activity prediction. Dependent claims: 17, 18, 19, 20, 21.
Specification