RATING NETWORK SECURITY POSTURE AND COMPARING NETWORK MALICIOUSNESS

US 20160021141A1
Filed: 07/16/2015
Published: 01/21/2016
Est. Priority Date: 07/18/2014
Status: Active Grant

First Claim

Patent Images

1. A method for rating malicious network activity, the method comprising:

aggregating, by one or more processors, sets of internet protocol (IP) addresses from monitored network traffic over a sampling period;

measuring, by one or more processors, a number of malicious IP addresses within each of the aggregated sets of IP addresses over a plurality of time intervals within the sampling period;

generating, by one or more processors, a plurality of aggregate signals having a magnitude at each of the plurality of time intervals based on the number of malicious IP addresses within each of the plurality of time intervals,wherein a higher number of malicious IP addresses is associated with a higher magnitude, andwherein the malicious IP addresses are associated with one or more categories of malicious network behavior,categorizing, by one or more processors, each of the plurality of aggregate signals into one of a good, normal, or bad malicious value relative to an average magnitude of each respective aggregate signal over the corresponding sampling period;

assigning, by one or more processors, for each of the good, normal, and bad malicious values, one or more of an intensity, duration, and frequency feature to provide a feature set for each of the plurality of aggregate signals;

performing spectral analysis, by one or more processors, on each of the intensity, duration, and frequency feature set, respectively, for each of the plurality of aggregate signals; and

generating, by one or more processors, a plurality of maliciousness profiles based on the spectral analysis such that each of the respective intensity, duration, and frequency feature sets share dominant eigenvalues.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are disclosed for profiling network-level malicious activity. Profiling embodiments include observing malicious activity, representing such activity in accordance with a set of representative features, capturing temporal evolution of this malicious behavior and its dynamics, and using this temporal evolution to reveal key risk related properties of these networks. Embodiments are further disclosed addressing the connectedness of various networks and similarity in network-level maliciousness. Embodiments directed to similarity analyses include focusing on the notion of similarity—a quantitative measure of the extent to which the dynamic evolutions of malicious activities from two networks are alike, and mapping this behavioral similarity to their similarity in certain spatial features, which includes their relative proximity to each other and may be used to help predict the future maliciousness of a particular network. The embodiments described may be applicable to various network aggregation levels.

139 Citations

23 Claims

1. A method for rating malicious network activity, the method comprising:
- aggregating, by one or more processors, sets of internet protocol (IP) addresses from monitored network traffic over a sampling period;
  
  measuring, by one or more processors, a number of malicious IP addresses within each of the aggregated sets of IP addresses over a plurality of time intervals within the sampling period;
  
  generating, by one or more processors, a plurality of aggregate signals having a magnitude at each of the plurality of time intervals based on the number of malicious IP addresses within each of the plurality of time intervals,wherein a higher number of malicious IP addresses is associated with a higher magnitude, andwherein the malicious IP addresses are associated with one or more categories of malicious network behavior,categorizing, by one or more processors, each of the plurality of aggregate signals into one of a good, normal, or bad malicious value relative to an average magnitude of each respective aggregate signal over the corresponding sampling period;
  
  assigning, by one or more processors, for each of the good, normal, and bad malicious values, one or more of an intensity, duration, and frequency feature to provide a feature set for each of the plurality of aggregate signals;
  
  performing spectral analysis, by one or more processors, on each of the intensity, duration, and frequency feature set, respectively, for each of the plurality of aggregate signals; and
  
  generating, by one or more processors, a plurality of maliciousness profiles based on the spectral analysis such that each of the respective intensity, duration, and frequency feature sets share dominant eigenvalues.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14)
- - 2. The method of claim 1, wherein each of the plurality of maliciousness profiles includes a quantized value associated with the good, normal, and bad malicious values, respectively, for each of the intensity, duration, and frequency feature, and further comprising:
    - selecting, by one or more processors, one of the intensity, duration, and frequency features to analyze each of the plurality of aggregate signals for maliciousness;
      
      assigning, by one or more processors, weights to each of the intensity, duration, and frequency features, respectively, for each of the plurality of maliciousness profiles such that heaviest weight is associated with the selected one of the intensity, duration, and frequency features; and
      
      determining, by one or more processors, a plurality of maliciousness scores for each of the plurality of maliciousness profiles, respectively, based on a weighted combination of each of the intensity, duration, and frequency features.
  - 3. The method of claim 2, wherein:
    - the plurality of maliciousness scores are linearly distributed between a minimum maliciousness score and a maximum maliciousness score;
      
      the minimum maliciousness score is representative of a minimum amount of maliciousness based on the selected one of the intensity, duration, and frequency feature; and
      
      the maximum maliciousness score is representative of a maximum amount of maliciousness based on the selected one of the intensity, duration, and frequency feature.
  - 4. The method of claim 1, wherein the act of aggregating sets of IP addresses comprises one or more of:
    - aggregating sets of IP addresses according to network prefixes; and
      
      aggregating sets of IP addresses according to autonomous systems (ASes).
  - 5. The method of claim 1, wherein the categories of malicious network behavior are selected from the group consisting of:
    - spam attacks;
      
      phishing attacks;
      
      malware attacks; and
      
      active attacks.
  - 6. The method of claim 1, wherein the act of categorizing each of the plurality of aggregate signals comprises:
    - categorizing each of the plurality of aggregate signals into one of a good, normal, or bad malicious value by determining the average magnitude of each respective aggregate signal by evaluating the equation
  - 7. The method of claim 1, wherein:
    - the intensity feature is based on an average magnitude of each respective aggregate signal from among the plurality of aggregate signals over the sampling period;
      
      the duration feature is based on an average amount of time each respective aggregate signal remained at the good, bad, or normal malicious region value over the sampling period; and
      
      the frequency feature is based on a number of times each respective aggregate signal enter the good, bad, or normal malicious region value over the sampling period.
  - 8. The method of claim 1, wherein the act of measuring the number of malicious IP addresses comprises:
    - measuring the number of malicious IP addresses by determining IP addresses, within each of the aggregated sets of IP addresses over the sampling period, that are identified on an IP-address reputation blacklist or on a malicious activity incident report list.
  - 9. The method of claim 1, further comprising:
    - routing, by one or more processors, IP addresses associated with sets of aggregated IP addresses having a first malicious profile from among the plurality of maliciousness profiles to a first router; and
      
      routing, by one or more processors, IP addresses associated with sets of aggregated IP addresses having a second malicious profile from among the plurality of maliciousness profiles to a second router,wherein the first malicious profile is indicative of a higher maliciousness than the second malicious profile, andwherein the first router provides a lower quality of service (QoS) than the second router.
  - 10. The method of claim 1, further comprising:
    - routing, by one or more processors, IP addresses associated with sets of aggregated IP addresses having a first malicious profile from among the plurality of maliciousness profiles to a first network; and
      
      routing, by one or more processors, IP addresses associated with sets of aggregated IP addresses having a second malicious profile from among the plurality of maliciousness profiles to a second network,wherein the first malicious profile is indicative of a higher maliciousness than the second malicious profile, andwherein the first network operates at a lower cost than the second network.
  - 11. The method of claim 1, further comprising:
    - routing, by one or more processors, IP addresses in accordance with a best path selection (BGP) procedure such that the IP addresses are preferentially routed to sets of aggregated IP addresses having a first malicious profile from among the plurality of maliciousness profiles while avoiding routing of the IP addresses to sets of aggregated IP addresses having a second malicious profile from among the plurality of maliciousness profiles, andwherein the second malicious profile is indicative of a higher maliciousness than the first malicious profile.
  - 12. The method of claim 1, further comprising:
    - performing, by one or more processors, deep packet inspection (DPI) on IP addresses associated with sets of aggregated IP addresses having a first malicious profile from among the plurality of maliciousness profiles; and
      
      not performing DPI on IP addresses associated with sets of aggregated IP addresses having a second malicious profile from among the plurality of maliciousness profiles,wherein the first malicious network profile is indicative of a higher maliciousness than the second malicious network profile.
  - 14. The network analyzer of claim 1, wherein the processor is further configured to:
    - assess a risk level of a network handling the network traffic based on the plurality of maliciousness profiles; and
      
      calculate an insurance premium quote for insuring the network based on the assessed risk level.

13. A network analyzer for rating malicious network activity, the network analyzer comprising:
- a network interface configured to monitor network traffic; and
  
  a processor configured to;
  
  aggregate sets of internet protocol (IP) addresses within the monitored network traffic over a sampling period;
  
  measure a number of malicious IP addresses within each of the aggregated sets of IP addresses at a plurality of time intervals within the sampling period;
  
  generate a plurality of aggregate signals having a magnitude at each of the plurality of time intervals based on the number of malicious IP addresses within each of the plurality of time intervals,wherein a higher number of malicious IP addresses is associated with a higher magnitude, andwherein the malicious IP addresses are associated with one or more categories of malicious network behavior,categorize each of the plurality of aggregate signals into one of a good, normal, or bad malicious value relative to an average magnitude of each respective aggregate signal over the corresponding sampling period;
  
  generate a feature set for each of the plurality of aggregate signals by assigning, for each of the good, normal, and bad malicious values, one or more of an intensity, duration, and frequency feature;
  
  perform a spectral analysis on each of the respective intensity, duration, and frequency feature set from each of the plurality of aggregate signals; and
  
  generate a plurality of maliciousness profiles based on the spectral analysis such that each of the respective intensity, duration, and frequency feature set shares dominant eigenvalues.

15. A method for comparing malicious network activity among networks, the method comprising:
- monitoring, by one or more processors, malicious activity associated with malicious IP addresses from network traffic over a sampling period, the malicious internet protocol (IP) addresses being associated with one or more categories of malicious network behavior;
  
  aggregating, by one or more processors, sets of IP addresses to provide a first and a second set of IP addresses;
  
  generating, by one or more processors, a first and second aggregate signal from the first and the second set of IP addresses, respectively, the first and second aggregate signal each having a magnitude at each of a plurality of respective time intervals based on the number of malicious IP addresses within each of the plurality of time intervals,wherein a higher number of malicious IP addresses is associated with a higher magnitude,calculating, by one or more processors, a first and a second aggregate signal vector from the first and second aggregate signal, respectively;
  
  calculating, by one or more processors, a temporal similarity matrix including temporal similarity matrix values, the temporal similarity matrix being based upon vector multiplication between a transpose of the first aggregate signal vector and the second aggregate signal vector such that the temporal similarity matrix values are indicative of a correlation between shapes of the first and second aggregate signals; and
  
  determining, by one or more processors, a mathematical similarity of malicious network behavior between networks including IP addresses within the first and second aggregate group, respectively, based on the temporal similarity matrix values.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The method of claim 15, further comprising:
    - determining, by one or more processors, the number of malicious IP addresses within the first and second set of IP addresses by identifying the malicious IP addresses on an IP-address reputation blacklist or on a malicious activity incident report list.
  - 17. The method of claim 15, wherein the act of calculating the temporal similarity matrix comprises:
    - evaluating the equation;
  - 18. The method of claim 15, further comprising:
    - categorizing, by one or more processors, each of the first and second aggregate signals into one of a good, normal, or bad malicious value based on an average magnitude of the first and second aggregate signal, respectively, over the sampling period, andwherein the act of determining mathematical similarity of malicious network behavior comprises;
      
      evaluating the equation;
  - 19. The method of claim 15, further comprising:
    - generating, by one or more processors, a plurality of reference signals from sets of IP addresses having common spatial features, the plurality of reference signals having respective magnitudes at each of a plurality of respective time intervals based on a number of malicious IP addresses measured at each of the plurality of time intervals within the sampling period; and
      
      calculating, by one or more processors, a plurality of reference similarity matrices based on a multiplication between vector forms of the plurality of reference signals having common spatial features,wherein each of the plurality of reference similarity matrices has a respective set of similarity matrix values.
  - 20. The method of claim 19, further comprising:
    - identifying, by one or more processors, which reference similarity matrix from among the plurality of reference similarity matrices has similarity matrix values that correlate closest with those of the temporal similarity matrix.
  - 21. The method of claim 20, wherein the act of aggregating further comprises:
    - aggregating, by one or more processors, sets of IP addresses to provide a third and a fourth set of IP addresses;
      
      generating, by one or more processors, a third and fourth aggregate signal from the third and fourth set of IP addresses, respectively, the third and fourth aggregate signal having a magnitude at each of a plurality of respective time intervals based on a number of malicious IP addresses measured at each of the plurality of time intervals;
      
      generating, by one or more processors, a second temporal similarity matrix based on a multiplication between vector forms of the third and fourth aggregate signals; and
      
      determining, by one or more processors, a similarity of malicious behavior between the first and second set of IP addresses and the third and fourth set of IP addresses by correlating similarity matrix values in the second similarity matrix with the reference similarity matrix.
  - 22. The method of claim 15, wherein the common spatial network features are selected from the group consisting of:
    - common autonomous systems (ASes);
      
      common AS types;
      
      common AS distance;
      
      common hop count; and
      
      common country designation.
  - 23. The method of claim 17, further comprising:
    - estimating, by one or more processors, an aggregate signal value of the first aggregate signal during a discrete time interval within the sampling period using an aggregate signal value of the second aggregate signal at an identical discrete time interval in conjunction with the plurality of similarity matrix values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Board of Regents of the University of Michigan (University of Michigan)
Original Assignee
Board of Regents of the University of Michigan (University of Michigan)
Inventors
Karir, Manish, Liu, Yang, Liu, Mingyan, Bailey, Michael, Zhang, Jing

Granted Patent

US 10,038,703 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1483   service impersonation, e.g....

RATING NETWORK SECURITY POSTURE AND COMPARING NETWORK MALICIOUSNESS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

139 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

RATING NETWORK SECURITY POSTURE AND COMPARING NETWORK MALICIOUSNESS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

139 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others