IDENTIFYING THREATS BASED ON HIERARCHICAL CLASSIFICATION

US 20150334125A1
Filed: 10/21/2014
Published: 11/19/2015
Est. Priority Date: 05/16/2014
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

one or more network interfaces that are configured to couple to a data network and to receive a plurality of packet flows therefrom;

one or more processors coupled to the one or more network interfaces;

an aggregator that is configured to select, based on a criterion, one or more selected packet flows from the plurality of packet flows and placing the selected packet flows into a set;

a feature analyzer that is configured to determine, for each packet flow in the set, a flow feature associated with that packet flow based on data from that packet flow, and classifying each packet flow into a flow class based on the flow feature;

the feature analyzer that is further configured to determine a set feature for the set based on one or more of the flow features that are associated with the selected packet flows of the set;

a classifier that is configured to classify the set into a set class based on the set feature; and

a threat reporter that is configured to report, based on the set class, a threat incident on a computing device originating the selected one or more one or more packet flows.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and a method are disclosed for identifying network threats based on hierarchical classification. The system receives packet flows from a data network and determines flow features for the received packet flows based on data from the packet flows. The system also classifies each packet flow into a flow class based on flow features of the packet flow. Based on a criterion, the system selects packet flows from the received packet flows and places the selected packet flows into an event set that represents an event on the network. The system determines event set features for the event set based on the flow features of the selected packet flows. The system then classifies the event set into a set class based on the determined event set features. Based on the set class, the computer system may report a threat incident on an internetworking device that originated the selected packet flows.

Citations

22 Claims

1. A computer system comprising:
- one or more network interfaces that are configured to couple to a data network and to receive a plurality of packet flows therefrom;
  
  one or more processors coupled to the one or more network interfaces;
  
  an aggregator that is configured to select, based on a criterion, one or more selected packet flows from the plurality of packet flows and placing the selected packet flows into a set;
  
  a feature analyzer that is configured to determine, for each packet flow in the set, a flow feature associated with that packet flow based on data from that packet flow, and classifying each packet flow into a flow class based on the flow feature;
  
  the feature analyzer that is further configured to determine a set feature for the set based on one or more of the flow features that are associated with the selected packet flows of the set;
  
  a classifier that is configured to classify the set into a set class based on the set feature; and
  
  a threat reporter that is configured to report, based on the set class, a threat incident on a computing device originating the selected one or more one or more packet flows.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the feature analyzer is further configured to determine the flow feature based on any combination of one or more of:
    - URL data from said each packet flow, flow duration of said each packet flow, number of bytes transferred in said each packet flow, type of said each packet flow, status of said each packet flow, referrer of said each packet flow, timestamps associated with said each packet flow, internet address of the computing device originating said each packet flow, type of the computing device originating said each packet flow, or status of the computing device originating said each packet flow.
  - 3. The system of claim 1, wherein the feature analyzer is further configured to determine the set feature by calculating an aggregate function of the one or more of the flow features.
  - 4. The system of claim 1, wherein the classifier is further configured to determine the set class based on the one or more of the flow features or flow classes that the selected packet flows of the set are classified into.
  - 5. The system of claim 1, wherein the criterion is based on the selected packet flows that are associated with a particular event on the computing device.
  - 6. The system of claim 5, wherein the particular event is an action performed on the computing device.
  - 7. The system of claim 1, wherein:
    - the aggregator is further configured to select, into a group, one or more sets of packet flows that include the set, based on temporal attributes or native features of particular packet flows of the one or more sets of packet flows that originated at the computing device;
      
      the feature analyzer is further configured to determine a group feature for the group based on one or more set features corresponding to the one or more sets; and
      
      the classifier is further configured to classify the group into a group class based on the group feature.
  - 8. The system of claim 7, wherein the feature analyzer is further configured to determine the group feature by calculating an aggregate function of the one or more set features.
  - 9. The system of claim 7, wherein the classifier is further configured to determine the group class based on any combination of one or more of:
    - the one or more set features,particular one or more flow features corresponding to the particular packet flows of the one or more sets,set classes that the one or more sets are classified into, orparticular flow classes that the particular packet flows are classified into.
  - 10. The system of claim 7, wherein the temporal attributes are timestamps of the particular packet flows.
  - 11. The system of claim 10, wherein the timestamps of the particular packet flows are within a particular time duration.

12. A method comprising:
- receiving a plurality of packet flows from a data network;
  
  selecting, based on a criterion, one or more selected packet flows from the plurality of packet flows and placing the selected packet flows into a set;
  
  determining, for each packet flow in the set, a flow feature associated with that packet flow based on data from that packet flow, and classifying each packet flow into a flow class based on the flow feature;
  
  determining a set feature for the set based on one or more of the flow features that are associated with the selected packet flows of the set;
  
  classifying the set into a set class based on the set feature;
  
  based on the set class, reporting a threat incident on a computing device originating the selected one or more one or more packet flows; and
  
  wherein the method is executed by one or more computing devices.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, further comprising determining the flow feature based on any combination of one or more of:
    - URL data from said each packet flow, flow duration of said each packet flow, number of bytes transferred in said each packet flow, type of said each packet flow, status of said each packet flow, referrer of said each packet flow, timestamps associated with said each packet flow, internet address of the computing device originating said each packet flow, type of the computing device originating said each packet flow, or status of the computing device originating said each packet flow.
  - 14. The method of claim 12, further comprising determining the set feature by calculating an aggregate function of the one or more of the flow features.
  - 15. The method of claim 12, further comprising determining the set class based on the one or more of the flow features or flow classes that the selected packet flows of the set are classified into.
  - 16. The method of claim 12, wherein the criterion is based on the selected packet flows that are associated with a particular event on the computing device.
  - 17. The method of claim 16, wherein the particular event is an action performed on the computing device.
  - 18. The method of claim 12, further comprising:
    - selecting, into a group, one or more sets of packet flows that include the set, based on temporal attributes or native features of particular packet flows of the one or more sets of packet flows that originated at the computing device;
      
      determining a group feature for the group based on one or more set features corresponding to the one or more sets; and
      
      classifying the group into a group class based on the group feature.
  - 19. The method of claim 18, further comprising determining the group feature by calculating an aggregate function of the one or more set features.
  - 20. The method of claim 18, further comprising determining the group class based on any combination of one or more of:
    - the one or more set features,particular one or more flow features corresponding to the particular packet flows of the one or more sets,set classes that the one or more sets are classified into, orparticular flow classes that the particular packet flows are classified into.
  - 21. The method of claim 18, wherein the temporal attributes are timestamps of the particular packet flows.
  - 22. The method of claim 21, wherein the timestamps of the particular packet flows are within a particular time duration.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
BARTOS, KAREL, SOFKA, MICHAL

Granted Patent

US 9,462,008 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/95   Retrieval from the web

G06F 21/552   involving long-term monitor...

H04L 2463/121   Timestamp

H04L 2463/142   Denial of service attacks a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

IDENTIFYING THREATS BASED ON HIERARCHICAL CLASSIFICATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTIFYING THREATS BASED ON HIERARCHICAL CLASSIFICATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links