Bind Shell Attack Detection
First Claim
1. A method, comprising:
- collecting data packets transmitted between multiple entities over a network;
grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong;
identifying pairs of the connections having identical source and destination entities and times that are together within a specified time window;
generating sets of features for the identified pairs of the connections;
evaluating, by a processor, the features in the pairs in order to detect a given pair of connections indicating malicious activity; and
generating an alert for the malicious activity.
1 Assignment
0 Petitions
Accused Products
Abstract
Methods, apparatus and computer program products implement embodiments of the present invention that include collecting data packets transmitted between multiple entities over a network, and grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong. Pairs of the connections are identified having identical source and destination entities and times that are together within a specified time window, and sets of features are generated for the identified pairs of the connections. The features in the pairs are evaluated in order to detect a given pair of connections indicating malicious activity, and an alert is generated for the malicious activity.
-
Citations
43 Claims
-
1. A method, comprising:
-
collecting data packets transmitted between multiple entities over a network; grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong; identifying pairs of the connections having identical source and destination entities and times that are together within a specified time window; generating sets of features for the identified pairs of the connections; evaluating, by a processor, the features in the pairs in order to detect a given pair of connections indicating malicious activity; and generating an alert for the malicious activity. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
-
-
22. An apparatus, comprising:
-
a probe configured to collect data packets transmitted between multiple entities over a network; and at least one processor configured; to group the collected packets at least according to their source and destination entities and their times, into connections to which the packets belong, to identify pairs of the connections having identical source and destination entities and times that are together within a specified time window, to generate sets of features for the identified pairs of the connections, to evaluate the features of the pairs in order to detect a given pair of connections indicating malicious activity, and to generate an alert for the malicious activity. - View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
-
-
43. A computer software product, the product comprising a non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer:
-
to collect data packets transmitted between multiple entities over a network; to group the packets at least according to their source and destination entities and their times, into connections to which the packets belong; to identify pairs of the connections having identical source and destination entities and times that are together within a specified time window; to generate sets of features for the identified pairs of the connections; to evaluate, by a processor, the features in the pairs in order to detect a given pair of connections indicating malicious activity; and to generate an alert for the malicious activity.
-
Specification