IDENTIFYING THREATS BASED ON HIERARCHICAL CLASSIFICATION
First Claim
1. A computer system comprising:
- one or more network interfaces that are configured to couple to a data network and to receive a plurality of packet flows therefrom;
- one or more processors coupled to the one or more network interfaces;
- an aggregator that is configured to select, based on a criterion, one or more selected packet flows from the plurality of packet flows and to place the selected packet flows into a set;
- a feature analyzer that is configured to determine, for each packet flow in the set, a flow feature associated with that packet flow based on data from that packet flow, and to classify each packet flow into a flow class based on the flow feature;
- the feature analyzer being further configured to determine a set feature for the set based on one or more of the flow features that are associated with the selected packet flows of the set;
- a classifier that is configured to classify the set into a set class based on the set feature; and
- a threat reporter that is configured to report, based on the set class, a threat incident on a computing device originating the selected one or more packet flows.
Abstract
A system and a method are disclosed for identifying network threats based on hierarchical classification. The system receives packet flows from a data network and determines flow features for the received packet flows based on data from the packet flows. The system also classifies each packet flow into a flow class based on flow features of the packet flow. Based on a criterion, the system selects packet flows from the received packet flows and places the selected packet flows into an event set that represents an event on the network. The system determines event set features for the event set based on the flow features of the selected packet flows. The system then classifies the event set into a set class based on the determined event set features. Based on the set class, the computer system may report a threat incident on an internetworking device that originated the selected packet flows.
22 Claims
1. A computer system comprising the elements set out under First Claim above (independent claim). Dependent claims: 2 through 11.
12. A method comprising:
- receiving a plurality of packet flows from a data network;
- selecting, based on a criterion, one or more selected packet flows from the plurality of packet flows and placing the selected packet flows into a set;
- determining, for each packet flow in the set, a flow feature associated with that packet flow based on data from that packet flow, and classifying each packet flow into a flow class based on the flow feature;
- determining a set feature for the set based on one or more of the flow features that are associated with the selected packet flows of the set;
- classifying the set into a set class based on the set feature;
- based on the set class, reporting a threat incident on a computing device originating the selected one or more packet flows; and
- wherein the method is executed by one or more computing devices.
Dependent claims: 13 through 22.
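The two-level pipeline that the abstract and claims 1 and 12 describe (per-flow features and flow classes first, then an aggregator that groups selected flows into an event set, then set features and a set class, then a report naming the originating device) is easier to reason about in code. The following Python is an added example written for this page; it is not the patent's implementation and the patent text discloses no particular features, thresholds or class names. The selection criterion (group flows by originating host), the flow and set features, the class labels ("probe", "port-scan", "host-sweep", "benign") and the numeric thresholds are all assumptions chosen for illustration, and the flow records are constructed sample data.

```python
# Added example: minimal hierarchical flow -> event-set classifier.
# All features, thresholds and class names below are assumptions for
# illustration; they are not taken from the patent.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    src: str          # originating host (the device a report would name)
    dst: str
    dst_port: int
    packets: int
    bytes: int
    duration_s: float
    syn_only: bool    # TCP handshake never completed


FlowFeature = Dict[str, float]


def flow_feature(f: Flow) -> FlowFeature:
    """Stage 1a: per-flow features derived only from that flow's own data."""
    return {
        "bytes_per_pkt": f.bytes / max(f.packets, 1),
        "pkt_rate": f.packets / max(f.duration_s, 1e-3),
        "syn_only": 1.0 if f.syn_only else 0.0,
    }


def classify_flow(feat: FlowFeature) -> str:
    """Stage 1b: flow class from the flow feature (assumed thresholds)."""
    if feat["syn_only"]:
        return "probe"        # connection attempt that carried no payload
    if feat["bytes_per_pkt"] < 80 and feat["pkt_rate"] > 50:
        return "chatty"       # many tiny packets in a short time
    return "normal"


def aggregate_by_source(flows: List[Flow]) -> Dict[str, List[Flow]]:
    """Stage 2: the aggregator's selection criterion (assumed: same source host)."""
    sets: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        sets[f.src].append(f)
    return dict(sets)


def set_feature(event_set: List[Flow]) -> Dict[str, float]:
    """Stage 3: set features computed from the member flows' features and classes."""
    classes = [classify_flow(flow_feature(f)) for f in event_set]
    n = len(event_set)
    return {
        "n_flows": float(n),
        "distinct_ports": float(len({f.dst_port for f in event_set})),
        "distinct_hosts": float(len({f.dst for f in event_set})),
        "probe_ratio": classes.count("probe") / n,
    }


def classify_set(sf: Dict[str, float]) -> str:
    """Stage 4: set class from the set feature (assumed thresholds)."""
    if sf["probe_ratio"] >= 0.8 and sf["distinct_ports"] >= 10:
        return "port-scan"    # one source, many ports, almost all probes
    if sf["probe_ratio"] >= 0.8 and sf["distinct_hosts"] >= 10:
        return "host-sweep"   # one source, many targets, almost all probes
    return "benign"


def report_threats(flows: List[Flow]) -> List[Dict[str, str]]:
    """Stage 5: threat reporter; one incident per non-benign set, naming its origin."""
    incidents = []
    for src, event_set in aggregate_by_source(flows).items():
        set_class = classify_set(set_feature(event_set))
        if set_class != "benign":
            incidents.append({"origin": src, "set_class": set_class})
    return incidents


# Constructed sample input: one host probing 12 ports on a single target,
# one host doing ordinary web traffic.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.9", port, 1, 60, 0.01, True) for port in range(20, 32)
] + [
    Flow("10.0.0.7", "93.184.216.34", 443, 40, 31000, 2.5, False),
    Flow("10.0.0.7", "93.184.216.34", 80, 12, 9000, 0.8, False),
]

if __name__ == "__main__":
    for incident in report_threats(SAMPLE_FLOWS):
        print(incident)
```

The point of the second level is visible in the sample: no single SYN-only flow is conclusive on its own (each is classed only as a "probe"), but twelve of them from one source across twelve ports form a set whose feature vector is unambiguous. The selection criterion is the part a practitioner should scrutinise: grouping strictly by source host, as here, will not assemble a scan that is distributed across many sources, so a deployment would typically run several aggregators with different criteria (per source, per destination, per time window) over the same flow stream.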