Detecting anomalous network application behavior
First Claim
1. A non-transitory computer-accessible storage medium comprising program instructions for detecting anomalous network application behavior, wherein the program instructions are executable to:
- monitor a first plurality of communications between at least one client and a first one or more servers, wherein the at least one client and the first one or more servers communicate using one or more application protocols, wherein said monitoring the first plurality of communications is performed without participating in the communication between the at least one client and the first one or more servers;
determine a plurality of identifiers based on said monitoring the first plurality of communications, wherein at least a subset of the plurality of identifiers are comprised in content of the first plurality of communications, wherein said determining is performed without participating in the communication between the at least one client and the one or more servers, and wherein the plurality of identifiers comprise one or more of a contact, an IP address, a uniform resource identifier (URI), an extensible resource identifier (XRI), an email address, a service name, a device name, a telephone number, an SIP address, a domain name, an online screen name, an online handle, or a user name;
monitor a second plurality of communications between the at least one client and a second one or more servers, wherein the at least one client and the second one or more servers communicate using one or more application protocols, wherein said monitoring the second plurality of communications is performed without participating in the communication between the at least one client and the second one or more servers;
for one or more communications of the second plurality of communications, determine if the one or more communications are anomalous based at least in part on the at least a subset of the determined plurality of identifiers, wherein said determining is performed at the application-protocol level, wherein if the one or more communications do not correspond to one of the plurality of identifiers, the one or more communications of the at least one client are determined to be anomalous, wherein said determining comprises;
analyzing the second plurality of communications to determine non-anomalous network application behavior between the at least one client and the one or more servers using the at least a subset of the determined plurality of identifiers; and
determining the anomalous network application behavior by eliminating the determined non-anomalous network application behavior from the second plurality of communications; and
store information regarding the determined anomalous network application behavior.
6 Assignments
0 Petitions
Accused Products
Abstract
System and Method for detecting anomalous network application behavior. Network traffic between at least one client and one or more servers may be monitored. The client and the one or more servers may communicate using one or more application protocols. The network traffic may be analyzed at the application-protocol level to determine anomalous network application behavior. Analyzing the network traffic may include determining, for one or more communications involving the client, if the client has previously stored or received an identifier corresponding to the one or more communications. If no such identifier has been observed in a previous communication, then the one or more communications involving the client may be determined to be anomalous. A network monitoring device may perform one or more of the network monitoring, the information extraction, or the information analysis.
-
Citations
23 Claims
-
1. A non-transitory computer-accessible storage medium comprising program instructions for detecting anomalous network application behavior, wherein the program instructions are executable to:
-
monitor a first plurality of communications between at least one client and a first one or more servers, wherein the at least one client and the first one or more servers communicate using one or more application protocols, wherein said monitoring the first plurality of communications is performed without participating in the communication between the at least one client and the first one or more servers; determine a plurality of identifiers based on said monitoring the first plurality of communications, wherein at least a subset of the plurality of identifiers are comprised in content of the first plurality of communications, wherein said determining is performed without participating in the communication between the at least one client and the one or more servers, and wherein the plurality of identifiers comprise one or more of a contact, an IP address, a uniform resource identifier (URI), an extensible resource identifier (XRI), an email address, a service name, a device name, a telephone number, an SIP address, a domain name, an online screen name, an online handle, or a user name; monitor a second plurality of communications between the at least one client and a second one or more servers, wherein the at least one client and the second one or more servers communicate using one or more application protocols, wherein said monitoring the second plurality of communications is performed without participating in the communication between the at least one client and the second one or more servers; for one or more communications of the second plurality of communications, determine if the one or more communications are anomalous based at least in part on the at least a subset of the determined plurality of identifiers, wherein said determining is performed at the application-protocol level, wherein if the one or more communications do not correspond to one of the plurality of identifiers, the one or more communications of the at least one client are determined to be anomalous, wherein said determining comprises; analyzing the second plurality of communications to determine non-anomalous network application behavior between the at least one client and the one or more servers using the at least a subset of the determined plurality of identifiers; and determining the anomalous network application behavior by eliminating the determined non-anomalous network application behavior from the second plurality of communications; and store information regarding the determined anomalous network application behavior. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
-
-
21. A method for detecting anomalous network application behavior, comprising:
-
monitoring a first plurality of communications between at least one client and a first one or more servers, wherein the at least one client and the first one or more servers communicate using one or more application protocols, wherein said monitoring the first plurality of communications is performed without participating in the communication between the at least one client and the first one or more servers; determining a plurality of uniform resource identifiers (URIs) based on said monitoring, wherein at least a subset of the plurality of URIs are comprised in content of the first plurality of communications, wherein said determining is performed without participating in the communication between the at least one client and the one or more servers; monitoring a second plurality of communications between the at least one client and a second one or more servers, wherein the at least one client and the second one or more servers communicate using one or more application protocols, wherein said monitoring the second plurality of communications is performed without participating in the communication between the at least one client and the second one or more servers; for one or more communications of the second plurality of communications, determining if the one or more communications are anomalous based at least in part on the at least a subset of the determined plurality of URIs, wherein said determining is performed at the application-protocol level, wherein if the one or more communications do not correspond to the plurality of URIs, the one or more communications of the at least one client are determined to be anomalous, wherein said determining comprises; analyzing the second plurality of communications to determine non-anomalous network application behavior between the at least one client and the one or more servers using the at least a subset of the determined plurality of identifiers; and determining the anomalous network application behavior by eliminating the determined non-anomalous network application behavior from the second plurality of communications; and storing information regarding the determined anomalous network application behavior. - View Dependent Claims (22)
-
-
23. A system for detecting anomalous network application behavior, comprising:
-
a processor; and a memory medium coupled to the processor, comprising program instructions executable by the processor to; monitor network traffic between at least one client and one or more servers, wherein the at least one client and the one or more servers communicate using one or more application protocols, wherein said monitoring is performed without participating in the communication between the at least one client and the one or more servers, and wherein the network traffic comprises a first plurality of communications and a second plurality of communications; analyze the network traffic to determine anomalous network application behavior between the at least one client and the one or more servers, wherein said analyzing the network traffic to determine anomalous network application behavior comprises; determining a plurality of identifiers based on said monitoring, wherein at least a subset of the plurality of identifiers are comprised in content of the first plurality of communications, wherein said determining is performed without participating in the communication between the at least one client and the one or more servers, and wherein the plurality of identifiers comprise one or more of a contact, an IP address, a uniform resource identifier (URI), an extensible resource identifier (XRI), an email address, a service name, a device name, a telephone number, an SIP address, a domain name, an online screen name, an online handle, or a user name; for one or more communications of the second plurality of communications, determining if the one or more communications are anomalous based at least in part on the at least a subset of the determined plurality of identifiers, wherein said determining is performed at the application-protocol level, wherein if the one or more communications do not correspond to one of the plurality of identifiers, the one or more communications of the at least one client are determined to be anomalous, wherein said determining comprises; analyzing the second plurality of communications to determine non-anomalous network application behavior between the at least one client and the one or more servers using the at least a subset of the determined plurality of identifiers; and determining the anomalous network application behavior by eliminating the determined non-anomalous network application behavior from the second plurality of communications.
-
Specification