FLOW-BASED SYSTEM AND METHOD FOR DETECTING CYBER-ATTACKS UTILIZING CONTEXTUAL INFORMATION

US 20150326600A1
Filed: 12/17/2014
Published: 11/12/2015
Est. Priority Date: 12/17/2013
Status: Abandoned Application

First Claim

Patent Images

1. A method of monitoring a set of unidirectional network packets (“

IP Flow”

) to identify potential threats, comprising;

applying a set of classification rules to the IP Flow;

determining an initial threat prediction based on the application of the set of classification rules;

analyzing the initial threat prediction with a semantic link network, wherein the semantic link network comprises suspicious and benign nodes, and further comprises semantic links among the suspicious and benign nodes that are at least partially weighted based on contextual information; and

determining an expanded threat prediction based on the semantic link network analysis, wherein the expanded threat prediction comprises a suspicious activity prediction and/or a benign activity prediction.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A flow-based detection system and method for detection of cyber-attacks is provided that utilizes contextual information to provide improved detection accuracy over existing flow-based systems. Contextual information is utilized to semantically reveal cyber-attacks from IP flows. Time, location, and other contextual information mined from network flow data is utilized to create semantic links among alerts raised in response to suspicious IP flows. The semantic links are identified through an inference process on probabilistic semantic link networks. The resulting links are used at run-time to retrieve relevant suspicious activities that represent a possible attack or possible steps in multi-step attacks.

Citations

21 Claims

1. A method of monitoring a set of unidirectional network packets (“
- IP Flow”
  
  ) to identify potential threats, comprising;
  
  applying a set of classification rules to the IP Flow;
  
  determining an initial threat prediction based on the application of the set of classification rules;
  
  analyzing the initial threat prediction with a semantic link network, wherein the semantic link network comprises suspicious and benign nodes, and further comprises semantic links among the suspicious and benign nodes that are at least partially weighted based on contextual information; and
  
  determining an expanded threat prediction based on the semantic link network analysis, wherein the expanded threat prediction comprises a suspicious activity prediction and/or a benign activity prediction.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the expanded threat prediction comprises a suspicious activity prediction and a benign activity prediction.
  - 3. The method of claim 2, further comprising analyzing the expanded threat prediction with a prediction filter, wherein the prediction filter comprises a set of rule-based profiles that characterize a plurality of predetermined suspicious and benign activities.
  - 4. The method of claim 3, further comprising:
    - determining if a benign activity is triggered as a result of the analysis with the prediction filter;
      
      if a benign activity is triggered, determining if the triggered benign activity corresponds to the benign activity prediction determined by the semantic link network analysis; and
      
      disregarding the suspicious activity prediction determined by the semantic link network analysis if the triggered benign activity corresponds to the benign activity prediction determined by the semantic link network analysis.
  - 5. The method of claim 3, further comprising:
    - determining if a benign activity is triggered as a result of the analysis with the prediction filter; and
      
      disregarding the benign activity prediction determined by the semantic link network analysis if no benign activity is triggered.
  - 6. The method of claim 1, wherein the contextual information comprises time-based features and location-based features.
  - 7. The method of claim 6, wherein the contextual information further comprises numerical features and/or descriptive features.

8. A method of improving the accuracy of a threat prediction made on a set of unidirectional network packets, comprising:
- analyzing the threat prediction with a semantic link network, wherein the semantic link network comprises suspicious and benign nodes, and further comprises semantic links among the suspicious and benign nodes that are at least partially weighted based on contextual information; and
  
  determining an expanded threat prediction based on the semantic link network analysis, wherein the expanded threat prediction comprises a suspicious activity prediction and/or a benign activity prediction.
- View Dependent Claims (9)
- - 9. The method of claim 8, wherein the contextual information comprises time-based features and location-based features.

10. A system for monitoring a set of unidirectional network packets (“
- IP Flows”
  
  ) to identify potential threats, comprising;
  
  a classification module that applies a set of classification rules to the IP Flow and determines an initial threat prediction based on the application of the set of classification rules; and
  
  a semantic link network module that analyzes the initial threat prediction with a semantic link network and that determines an expanded threat prediction based on the semantic link network analysis, wherein the expanded threat prediction comprises a suspicious activity prediction and/or a benign activity prediction;
  
  wherein the semantic link network comprises suspicious and benign nodes, and further comprises semantic links among the suspicious and benign nodes that are at least partially weighted based on contextual information.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the expanded threat prediction comprises a suspicious activity prediction and a benign activity prediction.
  - 12. The system of claim 11, further comprising a prediction filter module that analyzes the expanded threat prediction with a prediction filter, wherein the prediction filter comprises a set of rule-based profiles that characterize a plurality of predetermined suspicious and benign activities.
  - 13. The system of claim 12, wherein the prediction filter module determines if a benign activity is triggered as a result of the analysis with the prediction filter, and disregards the suspicious activity prediction determined by the semantic link network module if the triggered benign activity corresponds to the benign activity prediction determined by the semantic link network module.
  - 14. The system of claim 12, wherein the prediction filter module determines if a benign activity is triggered as a result of the analysis with the prediction filter, and disregards the benign activity prediction determined by the semantic link network module if no benign activity is triggered.
  - 15. The system of claim 10, wherein the contextual information comprises time-based features and location-based features.

16. A system for monitoring a set of unidirectional network packets (“
- IP Flows”
  
  ) to identify potential threats, comprising a set of computer readable instructions stored in a tangible medium that are executable by a processor to;
  
  apply a set of classification rules to the IP Flow;
  
  determine an initial threat prediction based on the application of the set of classification rules;
  
  analyze the initial threat prediction with a semantic link network, wherein the semantic link network comprises suspicious and benign nodes, and further comprises semantic links among the suspicious and benign nodes that are at least partially weighted based on contextual information; and
  
  determine an expanded threat prediction based on the semantic link network analysis, wherein the expanded threat prediction comprises a suspicious activity prediction and/or a benign activity prediction.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The system of claim 16, wherein the expanded threat prediction comprises a suspicious activity prediction and a benign activity prediction.
  - 18. The system of claim 16, wherein the set of computer readable instructions stored in a tangible medium are executable by a processor to analyze the expanded threat prediction with a prediction filter, wherein the prediction filter comprises a set of rule-based profiles that characterize a plurality of predetermined suspicious and benign activities.
  - 19. The system of claim 18, wherein the set of computer readable instructions stored in a tangible medium are executable by a processor to determine if a benign activity is triggered as a result of the analysis with the prediction filter, and to disregard the suspicious activity prediction determined by the semantic link network module if the triggered benign activity corresponds to the benign activity prediction determined by the semantic link network module.
  - 20. The system of claim 18, wherein the set of computer readable instructions stored in a tangible medium are executable by a processor to determine if a benign activity is triggered as a result of the analysis with the prediction filter, and to disregard the benign activity prediction determined by the semantic link network module if no benign activity is triggered.
  - 21. The system of claim 16, wherein the contextual information comprises time-based features and location-based features.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
University of Maryland Baltimore County (University of Maryland)
Original Assignee
University of Maryland Baltimore County (University of Maryland)
Inventors
KARABATIS, George, ALEROUD, Ahmed

Application Number

US14/573,796
Publication Number

US 20150326600A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

FLOW-BASED SYSTEM AND METHOD FOR DETECTING CYBER-ATTACKS UTILIZING CONTEXTUAL INFORMATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

FLOW-BASED SYSTEM AND METHOD FOR DETECTING CYBER-ATTACKS UTILIZING CONTEXTUAL INFORMATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links