APPARATUS AND METHOD FOR DETECTING ABNORMAL CONNECTION BEHAVIOR BASED ON ANALYSIS OF NETWORK DATA

US 20170034195A1
Filed: 01/22/2016
Published: 02/02/2017
Est. Priority Date: 07/27/2015
Status: Abandoned Application

First Claim

Patent Images

1. An apparatus for detecting abnormal connection behavior, comprising:

a data extraction unit configured to collect network data transmitted and received over a network including a plurality of hosts, and to extract data required for detection of abnormal connection behavior from the network data;

a data storage unit configured to store the extracted data required for detection of abnormal connection behavior; and

a detection unit configured to detect abnormal connection behavior based on characteristic factors corresponding to the stored data required for detection of abnormal connection behavior and characteristic factors corresponding to malicious behavior.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method for detecting abnormal connection behavior are disclosed. The apparatus for detecting abnormal connection behavior includes a data extraction unit, a data storage unit, and a detection unit. The data extraction unit collects network data transmitted and received over a network including a plurality of hosts, and extracts data required for the detection of abnormal connection behavior from the network data. The data storage unit stores the extracted data required for the detection of abnormal connection behavior. The detection unit detects abnormal connection behavior based on characteristic factors corresponding to the stored data required for the detection of abnormal connection behavior and characteristic factors corresponding to malicious behavior.

19 Citations

View as Search Results

18 Claims

1. An apparatus for detecting abnormal connection behavior, comprising:
- a data extraction unit configured to collect network data transmitted and received over a network including a plurality of hosts, and to extract data required for detection of abnormal connection behavior from the network data;
  
  a data storage unit configured to store the extracted data required for detection of abnormal connection behavior; and
  
  a detection unit configured to detect abnormal connection behavior based on characteristic factors corresponding to the stored data required for detection of abnormal connection behavior and characteristic factors corresponding to malicious behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1, wherein the characteristic factors comprise any one or more of a used service count, an inbound flow, an outbound flow, connection duration, an In packet count, an Out packet count, and a connection count.
  - 3. The apparatus of claim 2, wherein the data extraction unit comprises:
    - a raw data extraction unit configured to extract network data, for which a specific or longer period of time has elapsed, from the collected network data;
      
      a connection information data extraction unit configured to extract data corresponding to connection information from the collected network data;
      
      a service information data extraction unit configured to extract data corresponding to service information from the collected network data; and
      
      a malicious behavior data extraction unit configured to extract network data that occurs due to malicious behavior.
  - 4. The apparatus of claim 3, wherein the detection unit comprises:
    - an external IP address extraction unit configured to extract an external IP address based on information about an IP address included in the data corresponding to the connection information;
      
      a suspicious abnormal data extraction unit configured to check whether the external IP address has been previously connected by comparing an external IP address stored in the data storage unit with the former external IP address, and to extract network data, related to an external IP address that has not been previously connected, as suspicious abnormal behavior data; and
      
      an abnormal connection detection unit configured to detect abnormal behavior based on characteristic factors corresponding to the suspicious abnormal behavior data and characteristic factors corresponding to the malicious behavior.
  - 5. The apparatus of claim 3, wherein the suspicious abnormal behavior extraction unit compares the inbound flow, the outbound flow, the In packet count and the Out packet count included inside the connection data with connection data stored in the data storage unit, and determines that behavior in question is normal behavior if a result value is equal to or lower than a threshold value.
  - 6. The apparatus of claim 3, wherein the detection unit comprises:
    - a service name extraction unit configured to extract a service name from the service information;
      
      a destination IP extraction unit configured to extract network data having a service name identical to the service name from network data stored in the data storage unit, and to extract a destination IP address corresponding to the network data;
      
      a suspicious abnormal behavior extraction unit configured to compare a destination IP address corresponding to the network data stored in the data storage unit with the destination IP address, and to extract the network data as suspicious abnormal connection data if the destination IP addresses do not match each other; and
      
      an abnormal connection detection unit configured to detect abnormal connection based on characteristic factors corresponding to the suspicious abnormal connection data and characteristic factors corresponding to the malicious behavior.
  - 7. The apparatus of claim 5, wherein the suspicious abnormal behavior extraction unit, in the case of network data from which the service name cannot be extracted, maps the destination IP address against an IP address stored in the data storage unit, determines whether the destination IP address is an IP address stored in the data storage unit, and extracts the network data as suspicious abnormal connection data if the destination IP address is not an IP address stored in the data storage unit.
  - 8. The apparatus of claim 4, wherein the abnormal connection detection unit detects abnormal connection based on similarity between values of the characteristic factors.
  - 9. The apparatus of claim 1, further comprising a graph output unit configured to output the network data represented by the characteristic factors and data corresponding to the malicious behavior in a graph form.

10. A method of detecting abnormal connection behavior, comprising:
- collecting network data transmitted and received over a network including a plurality of hosts, and extracting data required for detection of abnormal connection behavior from the network data;
  
  storing the extracted data required for detection of abnormal connection behavior; and
  
  detecting abnormal connection behavior based on characteristic factors corresponding to the stored data required for detection of abnormal connection behavior and characteristic factors corresponding to malicious behavior.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, wherein the characteristic factors comprise any one or more of a used service count, an inbound flow, an outbound flow, connection duration, an In packet count, an Out packet count, and a connection count.
  - 12. The method of claim 11, wherein detecting the data comprises:
    - extracting network data, for which a specific or longer period of time has elapsed, from the collected network data;
      
      extracting data corresponding to connection information from the collected network data;
      
      extracting data corresponding to service information from the collected network data; and
      
      extracting network data that occurs due to malicious behavior.
  - 13. The method of claim 12, wherein detecting the abnormal connection behavior comprises:
    - extracting an external IP address based on information about an IP address included in the data corresponding to the connection information;
      
      checking whether the external IP address has been previously connected by comparing an external IP address stored in the data storage unit with the former external IP address, determining network data, related to an external IP address that has not been previously connected, to be suspicious abnormal behavior data, and extracting the suspicious abnormal behavior data; and
      
      detecting abnormal behavior based on characteristic factors corresponding to the suspicious abnormal behavior data and characteristic factors corresponding to the malicious behavior.
  - 14. The method of claim 12, wherein determining network data to be suspicious abnormal behavior data and extracting the suspicious abnormal behavior data comprises comparing the inbound flow, the outbound flow, the In packet count and the Out packet count included inside the connection data with connection data stored in the data storage unit, and determining that behavior in question is normal behavior if a result value is equal to or lower than a threshold value.
  - 15. The method of claim 12, wherein detecting the abnormal connection behavior comprises:
    - extracting a service name from the service information;
      
      extracting network data having a service name identical to the service name from network data stored in a data storage unit, and extracting a destination IP address corresponding to the network data;
      
      comparing a destination IP address corresponding to the network data stored in the data storage unit with the destination IP address, and extracting the network data as suspicious abnormal connection data if the destination IP addresses do not match each other; and
      
      detecting abnormal connection based on characteristic factors corresponding to the suspicious abnormal connection data and characteristic factors corresponding to the malicious behavior.
  - 16. The method of claim 14, wherein determining network data to be suspicious abnormal behavior data and extracting the suspicious abnormal behavior data comprises, in the case of network data from which the service name cannot be extracted, mapping the destination IP address against an IP address stored in the data storage unit, determining whether the destination IP address is an IP address stored in the data storage unit, and extracting the network data as suspicious abnormal connection data if the destination IP address is not an IP address stored in the data storage unit.
  - 17. The method of claim 13, wherein detecting the abnormal connection behavior comprises detecting abnormal connection based on similarity between values of the characteristic factors.
  - 18. The method of claim 10, further comprising outputting the network data represented by the characteristic factors and data corresponding to the malicious behavior in a graph form.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
LEE, Jong-Hoon, KIM, Ik-Kyun

Application Number

US15/004,412
Publication Number

US 20170034195A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

APPARATUS AND METHOD FOR DETECTING ABNORMAL CONNECTION BEHAVIOR BASED ON ANALYSIS OF NETWORK DATA

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

19 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS AND METHOD FOR DETECTING ABNORMAL CONNECTION BEHAVIOR BASED ON ANALYSIS OF NETWORK DATA

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links