FRAMEWORK FOR EXPLAINING ANOMALIES IN ACCESSING WEB APPLICATIONS

US 20170126718A1
Filed: 10/30/2015
Published: 05/04/2017
Est. Priority Date: 10/30/2015
Status: Active Grant

First Claim

Patent Images

1. A method for characterizing anomalous network traffic, comprising:

receiving, by a device intermediary to a plurality of clients and a plurality of servers, network traffic, the network traffic including an anomaly;

determining, by the device, whether the network traffic satisfies at least one of the rules of a univariate policy based on a respective single independent network traffic feature;

determining, by the device, responsive to determining that the network traffic does not satisfy at least one of the rules of the univariate policy, that the network traffic satisfies a multivariate policy including a plurality of anomaly explanation tests;

selecting, by the device, responsive to determining that the network traffic satisfies the multivariate policy, an anomaly explanation; and

generating, by the device, an anomaly explanation output including the selected anomaly explanation.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure is directed towards systems and methods for characterizing anomalous network traffic. The system includes a device intermediary to clients and servers. The device includes a network traffic engine to receive network traffic including an anomaly. The device includes a univariate policy manager to determine whether the network traffic satisfies at least one of the rules of a univariate policy based on a respective single independent network traffic feature. The device includes a multivariate policy manager to determine, responsive to determining that the network traffic does not satisfy the rules of the univariate policy, that the network satisfies a multivariate policy including a plurality of anomaly explanation tests. The device includes an anomaly explanation selector to select, responsive to determining that the network traffic satisfies the multivariate policy, an anomaly explanation. The device includes a message generator to generate an anomaly explanation output including the selected anomaly explanation.

109 Citations

20 Claims

1. A method for characterizing anomalous network traffic, comprising:
- receiving, by a device intermediary to a plurality of clients and a plurality of servers, network traffic, the network traffic including an anomaly;
  
  determining, by the device, whether the network traffic satisfies at least one of the rules of a univariate policy based on a respective single independent network traffic feature;
  
  determining, by the device, responsive to determining that the network traffic does not satisfy at least one of the rules of the univariate policy, that the network traffic satisfies a multivariate policy including a plurality of anomaly explanation tests;
  
  selecting, by the device, responsive to determining that the network traffic satisfies the multivariate policy, an anomaly explanation; and
  
  generating, by the device, an anomaly explanation output including the selected anomaly explanation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein determining whether the network traffic satisfies at least one of the rules of the univariate policy comprises:
    - identifying, for at least one of the rules of the univariate policy, a network traffic feature and a predetermined threshold value of the respective network traffic feature;
      
      determining, via the network traffic, a feature value of the network traffic feature; and
      
      determining whether the network traffic satisfies the at least one rule of the univariate policy by determining that the feature value of the network traffic feature exceeds the threshold value of the network traffic feature.
  - 3. The method of claim 1, wherein determining whether the network traffic satisfies at least one of the rules of the univariate policy includes determining:
    - i) that the network traffic feature comprises a number of requests per session and that the predetermined threshold is three times a standard deviation of the number of requests per session for non-anomalous network traffic;
      
      orii) that the network traffic feature comprises a number of special characters in a request included in the network traffic and that the predetermined threshold is two times a maximum number of special characters of a request included in non-anomalous network traffic.
  - 4. The method of claim 1, wherein the plurality of anomaly explanation tests includes a plurality of multivariate rules and wherein determining that the network traffic satisfies the multivariate policy comprises:
    - identifying, for at least one of the plurality of multivariate rules, at least two network traffic features of the network traffic and a predetermined threshold value of each respective network traffic feature;
      
      determining, via the network traffic, a feature value of each respective network traffic feature; and
      
      determining that the network traffic satisfies the at least one multivariate rule by determining that the feature values of the network traffic features exceed the threshold values of the network traffic features,wherein selecting an anomaly explanation comprises selecting an anomaly explanation based on a determination that the network traffic satisfies the at least one multivariate rule.
  - 5. The method of claim 4, wherein the at least two network traffic features include:
    - at least two of a maximum inter-request arrival time, an average inter-request arrival time, and a minimum inter-request arrival time;
      
      ora number of unique uniform resource locator (URL) accesses and an inter-request arrival time.
  - 6. The method of claim 4, wherein the plurality of anomaly explanation tests includes a plurality of statistical model tests, and wherein determining that the network traffic satisfies the multivariate policy comprises:
    - responsive to determining that the network traffic does not satisfy the at least one multivariate rule, identifying at least two network traffic features;
      
      comparing, by the device, the network traffic to a threshold value derived from at least one statistical model representing non-anomalous network traffic; and
      
      determining, by the device, whether the network traffic deviates from the at least one statistical model based on the at least two network traffic features,wherein selecting an anomaly explanation comprises selecting an anomaly explanation based on a determination that the network traffic deviates from the at least one statistical model.
  - 7. The method of claim 6, wherein the at least two network traffic features include:
    - a user group and a number of accesses to sensitive files;
      
      ora number of sessions, a number of requests per session, and a number of errors received from the server.
  - 8. The method of claim 6, wherein the plurality of anomaly explanation tests includes a historical data test and the received network traffic further comprises a first set of network traffic and a second set of network traffic received prior to the first set of network traffic, and wherein determining that the network traffic satisfies the multivariate policy comprises:
    - responsive to determining that the network traffic does not deviate from the at least one statistical model, determining, by the device, that the second set of network traffic received prior to the first set of network traffic corresponds to an anomaly explanation; and
      
      determining whether a network traffic feature corresponding to the first set of network traffic matches a network traffic feature corresponding to the second set of network traffic,wherein selecting the anomaly explanation comprises selecting the anomaly explanation to match the anomaly explanation associated with the second set of network traffic, responsive to determining that the network traffic feature corresponding to the first set of network traffic matches the network traffic feature corresponding to the second set of network traffic.
  - 9. The method of claim 8, wherein the network traffic feature of the first set of network traffic and the network traffic feature of the second set of network traffic includes at least one of a source address and a destination address.
  - 10. The method of claim 8, further comprising:
    - responsive to determining that the network traffic feature corresponding to the first set of network traffic does not match the network traffic feature corresponding to the second set of network traffic, receiving, by the device, an input identifying an explanation for the anomaly;
      
      selecting the anomaly explanation for the network traffic based on the received input; and
      
      updating at least one of the rules of the univariate policy or at least one of the plurality of multivariate rules based on the received input.
  - 11. The method of claim 8, further comprising:
    - responsive to determining that the network traffic feature corresponding to the first set of network traffic does not match the network traffic feature corresponding to the second set of network traffic, receiving, by the device, an input indicating that an explanation for the anomaly is unknown; and
      
      selecting the anomaly explanation for the network traffic indicating that the anomaly explanation is unknown.

12. A system for characterizing anomalous network traffic, comprising:
- a device intermediary to a plurality of clients and a plurality of servers, the device including;
  
  a network traffic engine configured to receive network traffic, the network traffic including an anomaly;
  
  a univariate policy manager configured to determine whether the network traffic satisfies at least one of the rules of a univariate policy based on a respective single independent network traffic feature;
  
  a multivariate policy manager configured to determine, responsive to determining that the network traffic does not satisfy at least one of the rules of the univariate policy, that the network satisfies a multivariate policy including a plurality of anomaly explanation tests;
  
  an anomaly explanation selector configured to select, responsive to determining that the network traffic satisfies the multivariate policy, an anomaly explanation; and
  
  a message generator configured to generate an anomaly explanation output including the selected anomaly explanation.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, wherein the univariate policy manager is further configured to:
    - identify, for at least one of the rules of the univariate policy, a network traffic feature and a predetermined threshold value of the respective network traffic feature;
      
      determine, via the network traffic, a feature value of the network traffic feature; and
      
      determine whether the network traffic satisfies the at least one rule of the univariate policy by determining whether the feature value of the network traffic feature exceeds the threshold value of the network traffic feature.
  - 14. The system of claim 12, wherein the univariate policy manager is further configured to determine:
    - i) that the network traffic feature comprises a number of requests per session and that the predetermined threshold is three times a standard deviation of the number of requests per session for non-anomalous network traffic;
      
      orii) that the network traffic feature comprises a number of special characters in a request included in the network traffic and that the predetermined threshold is two times a maximum number of special characters of a request included in non-anomalous network traffic.
  - 15. The system of claim 12, wherein the plurality of anomaly explanation tests includes a plurality of multivariate rules and wherein the multivariate policy manager is further configured to:
    - identify, for at least one of the plurality of multivariate rules, at least two network traffic features of the network traffic and a predetermined threshold value of each respective network traffic feature;
      
      determine, via the network traffic, a feature value of each respective network traffic feature; and
      
      determine whether the network traffic satisfies the at least one multivariate rule by determining whether the feature values of the network traffic features exceed the threshold values of the network traffic features,wherein the anomaly explanation selector is further configured to select an anomaly explanation based on a determination that the network traffic satisfies the at least one multivariate rule.
  - 16. The system of claim 15, wherein the at least two network traffic features include:
    - at least two of a maximum inter-request arrival time, an average inter-request arrival time, and a minimum inter-request arrival time;
      
      ora number of unique uniform resource locator (URL) accesses and an inter-request arrival time.
  - 17. The system of claim 15, wherein the plurality of anomaly explanation tests includes a plurality of statistical model tests, and wherein the multivariate policy manager is further configured to:
    - responsive to determining that the network traffic does not satisfy the at least one multivariate rule, identify at least two network traffic features;
      
      compare the network traffic to a threshold value derived from at least one statistical model representing non-anomalous network traffic; and
      
      determine whether the network traffic deviates from the at least one statistical model based on the at least two network traffic features,wherein the anomaly explanation selector is further configured to select an anomaly explanation based on a determination that the network traffic deviates from the at least one statistical model.
  - 18. The system of claim 17, wherein the at least two network traffic features include:
    - a user group and a number of accesses to sensitive files;
      
      ora number of sessions, a number of requests per session, and a number of errors received from the server.
  - 19. The system of claim 17, wherein the plurality of anomaly explanation tests includes a historical data test and the received network traffic further comprises a first set of network traffic and a second set of network traffic received prior to the first set of network traffic, and wherein the multivariate policy manager is further configured to:
    - responsive to determining that the network traffic does not deviate from the at least one statistical model, determine that the second set of network traffic received prior to the first set of network traffic corresponds to an anomaly explanation; and
      
      determine whether a network traffic feature corresponding to the first set of network traffic matches a network traffic feature corresponding to the second set of network traffic,wherein the anomaly explanation selector is further configured to select the anomaly explanation to match the anomaly explanation associated with the second set of network traffic, responsive to a determination by the multivariate policy manager that the network traffic feature corresponding to the first set of network traffic matches the network traffic feature corresponding to the second set of network traffic.
  - 20. The system of claim 19, wherein:
    - the multivariate policy manager is further configured to, responsive to determining that the network traffic feature corresponding to the first set of network traffic does not match the network traffic feature corresponding to the second set of network traffic, receive an input indicating that an explanation for the anomaly is known;
      
      the anomaly explanation selector is further configured to select the anomaly explanation for the network traffic based on the received input; and
      
      the univariate policy manager is further configured to update at least one of the plurality of univariate rules or the multivariate manager is configured to update at least one of the plurality of multivariate rules, based on the received input.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Baradaran, Nastaran, Reddy, Anoop, Thakur, Ratnesh Singh

Granted Patent

US 10,116,674 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

FRAMEWORK FOR EXPLAINING ANOMALIES IN ACCESSING WEB APPLICATIONS

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

109 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

FRAMEWORK FOR EXPLAINING ANOMALIES IN ACCESSING WEB APPLICATIONS

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links