Visibility of Non-Benign Network Traffic

US 20180131705A1
Filed: 02/09/2017
Published: 05/10/2018
Est. Priority Date: 11/10/2016
Status: Abandoned Application

First Claim

Patent Images

1. A method of protecting computing devices from non-benign activity, comprising:

receiving, in a processor of a network device, a first network traffic flow of a monitoring computing device and a malicious activity tag identifying a non-benign behavior of the first network traffic flow;

determining, in the processor of the network device, one or more characteristics of the first network traffic flow associated with the non-benign behavior;

receiving, in the processor of the network device, a second network traffic flow from a non-monitoring computing device; and

determining, by the processor of the network device, whether the second network traffic flow represents non-benign activity by comparing the one or more characteristics of the first network traffic flow associated with the non-benign activity to the second network traffic flow.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments provide methods of protecting computing devices from malicious activity. A processor of a network device may receive a first network traffic flow of a monitoring computing device and a malicious activity tag identifying a malicious behavior of the first network traffic flow. The processor may determine a characteristic of the first network traffic flow based at least in part on information in the first network traffic flow and the malicious activity tag. The processor may receive a second network traffic flow from a non-monitoring computing device, and may associate the malicious activity tag and the second network traffic flow based on a characteristic of the second network traffic flow based at least in part on information in the second network traffic flow and the characteristic of the first network traffic flow.

15 Citations

View as Search Results

25 Claims

1. A method of protecting computing devices from non-benign activity, comprising:
- receiving, in a processor of a network device, a first network traffic flow of a monitoring computing device and a malicious activity tag identifying a non-benign behavior of the first network traffic flow;
  
  determining, in the processor of the network device, one or more characteristics of the first network traffic flow associated with the non-benign behavior;
  
  receiving, in the processor of the network device, a second network traffic flow from a non-monitoring computing device; and
  
  determining, by the processor of the network device, whether the second network traffic flow represents non-benign activity by comparing the one or more characteristics of the first network traffic flow associated with the non-benign activity to the second network traffic flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - clustering, by the processor of the network device, the first network traffic flow and the second network traffic flow based on characteristic of the second network traffic flow and the one or more characteristics of the first network traffic flow associated with the non-benign activity.
  - 3. The method of claim 1, wherein the one or more characteristics of the first network traffic flow associated with the non-benign activity include information in packet headers of the first network traffic flow.
  - 4. The method of claim 1, wherein the one or more characteristics of the first network traffic flow associated with the non-benign activity include one or more traffic features of the first network traffic flow.
  - 5. The method of claim 1, wherein determining one or more characteristics of the first network traffic flow associated with the non-benign activity comprises:
    - learning, by a semi-supervised application of the network device, associations of the malicious activity tag with one or more characteristics of the first network traffic flow.
  - 6. The method of claim 1, wherein determining whether the second network traffic flow represents non-benign activity by comparing the one or more characteristics of the first network traffic flow associated with the non-benign activity comprises:
    - comparing, by the processor of the network device, packet header information of the second network traffic flow with packet header information associated with the non-benign activity;
      
      determining, by the processor of the network device, whether the packet header information of the second network traffic flow matches the associated with the non-benign activity; and
      
      associating, by the processor of the network device, the malicious activity tag and the second network traffic flow in response to determining that the packet header information of the second network traffic flow matches packet header information associated with the non-benign activity.
  - 7. The method of claim 1, wherein determining whether the second network traffic flow represents non-benign activity by comparing the one or more characteristics of the first network traffic flow associated with the non-benign activity comprises:
    - comparing, by the processor of the network device, a traffic feature of the second network traffic flow with a traffic feature associated with the non-benign activity;
      
      determining, by the processor of the network device, whether the traffic feature of the second network traffic flow matches the traffic feature associated with the non-benign activity; and
      
      associating, by the processor of the network device, the malicious activity tag and the second network traffic flow in response to determining that the traffic feature of the second network traffic flow matches the traffic feature associated with the non-benign activity.
  - 8. The method of claim 1, wherein determining whether the second network traffic flow represents non-benign activity by comparing the one or more characteristics of the first network traffic flow associated with the non-benign activity comprises:
    - comparing, by the processor of the network device, packet header information of the second network traffic flow with packet header information associated with the non-benign activity;
      
      comparing, by the processor of the network device, one or more traffic features of the second network traffic flow with one or more traffic features associated with the non-benign activity;
      
      determining, by the processor of the network device, whether the packet header information and one or more traffic features of the second network traffic flow correlate to packet header information and the one or more traffic features associated with the non-benign activity within a threshold degree of correlation; and
      
      associating, by the processor of the network device, the malicious activity tag and the second network traffic flow in response to determining that the packet header information and one or more traffic features of the second network traffic flow correlate to packet header information and the one or more traffic features associated with the non-benign activity within a threshold degree of correlation.

9. A network device, comprising:
- a processor configured with processor-executable instructions to;
  
  receive a first network traffic flow of a monitoring computing device and a malicious activity tag identifying a non-benign behavior of the first network traffic flow;
  
  determine one or more characteristics of the first network traffic flow associated with the non-benign behavior;
  
  receive a second network traffic flow from a non-monitoring computing device; and
  
  determine whether the second network traffic flow represents non-benign activity by comparing the one or more characteristics of the first network traffic flow associated with the non-benign activity to the second network traffic flow.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The network device of claim 9, wherein the processor is further configured to cluster the first network traffic flow and the second network traffic flow based on characteristic of the second network traffic flow and the one or more characteristics of the first network traffic flow associated with the non-benign activity.
  - 11. The network device of claim 9, wherein the processor is further configured such that the one or more characteristics of the first network traffic flow associated with the non-benign activity include information in packet headers of the first network traffic flow.
  - 12. The network device of claim 9, wherein the processor is further configured such that the one or more characteristics of the first network traffic flow associated with the non-benign activity include one or more traffic features of the first network traffic flow.
  - 13. The network device of claim 9, wherein the processor is further configured to learn associations of the malicious activity tag with one or more characteristics of the first network traffic flow.
  - 14. The network device of claim 9, wherein the processor is further configured to:
    - compare packet header information of the second network traffic flow with packet header information associated with the non-benign activity;
      
      determine whether the packet header information of the second network traffic flow matches the associated with the non-benign activity; and
      
      associate the malicious activity tag and the second network traffic flow in response to determining that the packet header information of the second network traffic flow matches packet header information associated with the non-benign activity.
  - 15. The network device of claim 9, wherein the processor is further configured to:
    - compare a traffic feature of the second network traffic flow with a traffic feature associated with the non-benign activity;
      
      determine whether the traffic feature of the second network traffic flow matches the traffic feature associated with the non-benign activity; and
      
      associate the malicious activity tag and the second network traffic flow in response to determining that the traffic feature of the second network traffic flow matches the traffic feature associated with the non-benign activity.
  - 16. The network device of claim 9, wherein the processor is further configured to:
    - compare packet header information of the second network traffic flow with packet header information associated with the non-benign activity;
      
      compare one or more traffic features of the second network traffic flow with one or more traffic features associated with the non-benign activity;
      
      determine whether the packet header information and one or more traffic features of the second network traffic flow correlate to packet header information and the one or more traffic features associated with the non-benign activity within a threshold degree of correlation; and
      
      associate the malicious activity tag and the second network traffic flow in response to determining that the packet header information and one or more traffic features of the second network traffic flow correlate to packet header information and the one or more traffic features associated with the non-benign activity within a threshold degree of correlation.

17. A network device, comprising:
- means for receiving a first network traffic flow of a monitoring computing device and a malicious activity tag identifying a non-benign behavior of the first network traffic flow;
  
  means for determining one or more characteristics of the first network traffic flow associated with the non-benign behavior;
  
  means for receiving a second network traffic flow from a non-monitoring computing device; and
  
  means for determining whether the second network traffic flow represents non-benign activity by comparing the one or more characteristics of the first network traffic flow associated with the non-benign activity to the second network traffic flow.

18. A non-transitory processor readable storage medium having stored thereon processor-executable instructions configured to cause a processor of a network device to perform operations comprising:
- receiving a first network traffic flow of a monitoring computing device and a malicious activity tag identifying a non-benign behavior of the first network traffic flow;
  
  determining one or more characteristics of the first network traffic flow associated with the non-benign behavior;
  
  receiving a second network traffic flow from a non-monitoring computing device; and
  
  determining whether the second network traffic flow represents non-benign activity by comparing the one or more characteristics of the first network traffic flow associated with the non-benign activity to the second network traffic flow.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The non-transitory processor readable storage medium of claim 18, wherein the stored processor-executable instructions are configured to cause the processor of the network device to perform operations further comprising:
    - clustering the first network traffic flow and the second network traffic flow based on characteristic of the second network traffic flow and the one or more characteristics of the first network traffic flow associated with the non-benign activity.
  - 20. The non-transitory processor readable storage medium of claim 18, wherein the stored processor-executable instructions are configured to cause the processor of the network device to perform operations such that the one or more characteristics of the first network traffic flow associated with the non-benign activity include information in packet headers of the first network traffic flow.
  - 21. The non-transitory processor readable storage medium of claim 18, wherein the stored processor-executable instructions are configured to cause the processor of the network device to perform operations such that the one or more characteristics of the first network traffic flow associated with the non-benign activity include one or more traffic features of the first network traffic flow.
  - 22. The non-transitory processor readable storage medium of claim 18, wherein the stored processor-executable instructions are configured to cause the processor of the network device to perform operations such that determining one or more characteristics of the first network traffic flow associated with the non-benign activity comprises:
    - learning, by a semi-supervised application of the network device, associations of the malicious activity tag with one or more characteristics of the first network traffic flow.
  - 23. The non-transitory processor readable storage medium of claim 18, wherein the stored processor-executable instructions are configured to cause the processor of the network device to perform operations such that determining whether the second network traffic flow represents non-benign activity by comparing the one or more characteristics of the first network traffic flow associated with the non-benign activity comprises:
    - comparing, by the processor of the network device, packet header information of the second network traffic flow with packet header information associated with the non-benign activity;
      
      determining, by the processor of the network device, whether the packet header information of the second network traffic flow matches the associated with the non-benign activity; and
      
      associating, by the processor of the network device, the malicious activity tag and the second network traffic flow in response to determining that the packet header information of the second network traffic flow matches packet header information associated with the non-benign activity.
  - 24. The non-transitory processor readable storage medium of claim 18, wherein the stored processor-executable instructions are configured to cause the processor of the network device to perform operations such that determining whether the second network traffic flow represents non-benign activity by comparing the one or more characteristics of the first network traffic flow associated with the non-benign activity comprises:
    - comparing, by the processor of the network device, a traffic feature of the second network traffic flow with a traffic feature associated with the non-benign activity;
      
      determining, by the processor of the network device, whether the traffic feature of the second network traffic flow matches the traffic feature associated with the non-benign activity; and
      
      associating, by the processor of the network device, the malicious activity tag and the second network traffic flow in response to determining that the traffic feature of the second network traffic flow matches the traffic feature associated with the non-benign activity.
  - 25. The non-transitory processor readable storage medium of claim 18, wherein the stored processor-executable instructions are configured to cause the processor of the network device to perform operations such that determining whether the second network traffic flow represents non-benign activity by comparing the one or more characteristics of the first network traffic flow associated with the non-benign activity comprises:
    - comparing, by the processor of the network device, packet header information of the second network traffic flow with packet header information associated with the non-benign activity;
      
      comparing, by the processor of the network device, one or more traffic features of the second network traffic flow with one or more traffic features associated with the non-benign activity;
      
      determining, by the processor of the network device, whether the packet header information and one or more traffic features of the second network traffic flow correlate to packet header information and the one or more traffic features associated with the non-benign activity within a threshold degree of correlation; and
      
      associating, by the processor of the network device, the malicious activity tag and the second network traffic flow in response to determining that the packet header information and one or more traffic features of the second network traffic flow correlate to packet header information and the one or more traffic features associated with the non-benign activity within a threshold degree of correlation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Samadani, Ramin, Chen, Yin, Sung, Keen Yuun, Islam, Nayeem

Application Number

US15/428,944
Publication Number

US 20180131705A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 43/026   using flow identification

H04L 43/0876   Network utilisation, e.g. v...

H04L 47/2475   for supporting traffic char...

H04L 47/35   by embedding flow control i...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

Visibility of Non-Benign Network Traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Visibility of Non-Benign Network Traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others