Detecting malicious endpoints using network connectivity and flow information
First Claim
1. A method for detecting a malicious endpoint in a network, comprising:
obtaining, from the network, flows among a plurality of endpoints of the network, wherein the plurality of endpoints comprise servers and clients;
assigning, to each of the plurality of endpoints, a pre-identified endpoint threat level specific to each of the plurality of endpoints;
assigning, to each of the flows, a pre-identified flow threat level specific to each of the flows;
calculating, by a computer processor, for a server and a client in the plurality of endpoints, and based on the pre-identified flow threat level assigned to a flow between the server and the client, a server-to-client (SC) score propagation parameter and a client-to-server (CS) propagation parameter;
performing, by the computer processor, iterative score propagation based on a sequence of iterations, comprising:
initializing, prior to the sequence of iterations, a client score of the client and a server score of the server according to the pre-identified endpoint threat levels assigned to the client and the server, respectively;
updating, in a first iteration in the sequence of iterations, the client score of the client by a SC adjustment amount determined at least based on the server score of the server and the SC score propagation parameter;
updating, in a second iteration adjacent to the first iteration in the sequence of iterations, the server score of the server by a CS adjustment amount determined at least based on the client score of the client and the CS score propagation parameter; and
generating, in response to at least updating the client score and the server score in the first iteration and the second iteration, respectively, the final scores of the plurality of endpoints based on at least the client score and the server score; and
detecting an endpoint of the plurality of endpoints as malicious in response to a corresponding one of the final scores exceeding a pre-determined threshold, wherein the endpoint is not identified as malicious based on the pre-identified endpoint threat level assigned to the endpoint.
Abstract
A method for detecting hidden malicious network nodes. Starting from a pool of seed nodes that have previously been identified as malicious, a two-phase score propagation algorithm is employed to propagate threat scores from the seeded nodes to other nodes in an IP-address connectivity graph. Nodes with high threat score after propagation are declared to be malicious.
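The following is an added worked example of the scheme the claim and abstract describe; it is not code from the patent or its assignee. It builds the bipartite client/server graph from flow records, derives the SC and CS propagation parameters from the flow threat levels, initialises endpoint scores from the seed threat levels, alternates server-to-client (odd) and client-to-server (even) iterations, and thresholds the final scores, reporting only endpoints whose seed level did not already mark them malicious. The damped-average update rule, the normalisation that turns a flow threat level into a propagation parameter, the iteration count, the threshold, and the sample IP addresses and threat levels are all assumptions made for this example; the patent text on this page fixes none of them.

```python
"""Two-phase threat-score propagation over a client/server flow graph.

Added worked example of the scheme described in the claim and abstract;
it is not code from the patent. The damped-average update rule, the way
flow threat levels are normalised into SC/CS propagation parameters, the
iteration count, the threshold and the sample flows are all assumptions
made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    client: str
    server: str
    threat: float  # pre-identified flow threat level, assumed in [0, 1]


# Constructed sample input (not from the patent). One server is the only
# seed: its pre-identified endpoint threat level is 1.0, all others 0.0.
SAMPLE_FLOWS = [
    Flow("10.0.0.11", "203.0.113.5", 0.9),   # c1 -> s1 (known-bad seed)
    Flow("10.0.0.11", "198.51.100.7", 0.2),  # c1 -> s2
    Flow("10.0.0.12", "203.0.113.5", 0.8),   # c2 -> s1
    Flow("10.0.0.12", "198.51.100.9", 0.1),  # c2 -> s3
    Flow("10.0.0.13", "198.51.100.9", 0.1),  # c3 -> s3
    Flow("10.0.0.13", "198.51.100.7", 0.1),  # c3 -> s2
]
SAMPLE_SEEDS = {"203.0.113.5": 1.0}


def propagation_params(flows):
    """Derive per-edge SC and CS propagation parameters from flow threat levels.

    Assumption: the aggregated threat weight of an edge is divided by the
    total weight of all edges touching the *receiving* endpoint, so every
    update is a convex combination of neighbour scores and stays in [0, 1].
    Returns (servers_of, clients_of): client -> [(server, p_sc)] and
    server -> [(client, p_cs)].
    """
    edge_w = defaultdict(float)
    for f in flows:
        edge_w[(f.server, f.client)] += f.threat
    into_client = defaultdict(float)
    into_server = defaultdict(float)
    for (s, c), w in edge_w.items():
        into_client[c] += w
        into_server[s] += w
    servers_of = defaultdict(list)
    clients_of = defaultdict(list)
    for (s, c), w in edge_w.items():
        p_sc = w / into_client[c] if into_client[c] > 0 else 0.0
        p_cs = w / into_server[s] if into_server[s] > 0 else 0.0
        servers_of[c].append((s, p_sc))
        clients_of[s].append((c, p_cs))
    return servers_of, clients_of


def propagate(flows, seeds, iterations=4, damping=0.85):
    """Alternate SC (odd) and CS (even) iterations; return the final scores."""
    servers_of, clients_of = propagation_params(flows)
    # Initialise every endpoint score from its pre-identified threat level.
    score = {e: seeds.get(e, 0.0) for e in list(servers_of) + list(clients_of)}
    for it in range(1, iterations + 1):
        if it % 2 == 1:
            # Server-to-client phase: clients read only server scores, so
            # in-place updates within the phase do not interfere.
            for c, edges in servers_of.items():
                propagated = sum(p_sc * score[s] for s, p_sc in edges)
                target = (1 - damping) * seeds.get(c, 0.0) + damping * propagated
                score[c] += target - score[c]   # the SC adjustment amount
        else:
            # Client-to-server phase, symmetric to the above.
            for s, edges in clients_of.items():
                propagated = sum(p_cs * score[c] for c, p_cs in edges)
                target = (1 - damping) * seeds.get(s, 0.0) + damping * propagated
                score[s] += target - score[s]   # the CS adjustment amount
    return score


def detect(flows, seeds, threshold=0.5, **kwargs):
    """Return (scores, endpoints over threshold, newly detected endpoints).

    'Newly detected' excludes endpoints whose pre-identified threat level
    already exceeded the threshold: the claim targets endpoints that were
    not identified as malicious by their seed level.
    """
    score = propagate(flows, seeds, **kwargs)
    flagged = {e for e, v in score.items() if v > threshold}
    already_known = {e for e, t in seeds.items() if t > threshold}
    return score, flagged, flagged - already_known


if __name__ == "__main__":
    scores, flagged, hidden = detect(SAMPLE_FLOWS, SAMPLE_SEEDS)
    for endpoint, value in sorted(scores.items(), key=lambda kv: -kv[1]):
        tag = "  <-- hidden malicious" if endpoint in hidden else ""
        print(f"{endpoint:15} {value:.3f}{tag}")
```

On the constructed input the two clients whose heavy-weight flows go to the seeded server cross the threshold after two rounds of SC/CS propagation, the client that only touches unseeded servers stays well below it, and the seed itself is excluded from the newly detected set. In practice the damping factor, iteration count and threshold have to be tuned on labelled traffic, and heavily shared benign infrastructure connected to many flagged clients will accumulate score through the CS phase, so a whitelist or per-endpoint cap on propagated mass is a sensible addition before alerting.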
20 Claims
1. A method for detecting a malicious endpoint in a network (independent claim; full text given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7
8. A system for detecting a malicious endpoint in a network, comprising:
a computer processor;
a flow parser configured to obtain, from the network, flows among a plurality of endpoints of the network, wherein each of the plurality of endpoints is assigned a pre-identified endpoint threat level specific to each of the plurality of endpoints, wherein each of the flows is assigned a pre-identified flow threat level specific to each of the flows, wherein the plurality of endpoints comprise servers and clients;
a connectivity analyzer executing on the computer processor and configured to calculate, for a server and a client in the plurality of endpoints, and based on the pre-identified flow threat level assigned to a flow between the server and the client, a server-to-client (SC) score propagation parameter and a client-to-server (CS) propagation parameter;
an iterative score calculator executing on the computer processor and configured to perform iterative score propagation based on a sequence of iterations, comprising:
initializing, prior to the sequence of iterations, a client score of the client and a server score of the server according to the pre-identified endpoint threat levels assigned to the client and the server, respectively;
updating, in a first iteration in the sequence of iterations, the client score of the client by a SC adjustment amount determined at least based on the server score of the server and the SC score propagation parameter;
updating, in a second iteration adjacent to the first iteration in the sequence of iterations, the server score of the server by a CS adjustment amount determined at least based on the client score of the client and the CS score propagation parameter; and
generating, in response to at least updating the client score and the server score in the first iteration and the second iteration, respectively, the final scores of the plurality of endpoints based on at least the client score and the server score; and
a malicious endpoint detector executing on the computer processor and configured to detect an endpoint of the plurality of endpoints as malicious in response to a corresponding one of the final scores exceeding a pre-determined threshold, wherein the endpoint is not identified as malicious based on the pre-identified endpoint threat level assigned to the endpoint; and
a repository configured to store the pre-identified endpoint threat level, the pre-identified flow threat level, the SC score propagation parameter, the CS score propagation parameter, the server score, the client score, and the final scores.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A non-transitory computer readable medium embodying instructions for profiling network traffic of a network, the instructions when executed by a processor comprising functionality for:
obtaining, from the network, flows among a plurality of endpoints of the network, wherein the plurality of endpoints comprise servers and clients;
assigning, to each of the plurality of endpoints, a pre-identified endpoint threat level specific to each of the plurality of endpoints;
assigning, to each of the flows, a pre-identified flow threat level specific to each of the flows;
calculating, by a computer processor, for a server and a client in the plurality of endpoints, and based on the pre-identified flow threat level assigned to a flow between the server and the client, a server-to-client (SC) score propagation parameter and a client-to-server (CS) propagation parameter;
performing, by the computer processor, iterative score propagation based on a sequence of iterations to generate final scores of the plurality of endpoints, wherein the iterative score propagation comprises:
initializing, prior to the sequence of iterations, a client score of the client and a server score of the server according to the pre-identified endpoint threat levels assigned to the client and the server, respectively;
updating, in a first iteration in the sequence of iterations, the client score of the client by a SC adjustment amount determined at least based on the server score of the server and the SC score propagation parameter;
updating, in a second iteration adjacent to the first iteration in the sequence of iterations, the server score of the server by a CS adjustment amount determined at least based on the client score of the client and the CS score propagation parameter; and
generating, in response to at least updating the client score and the server score in the first iteration and the second iteration, respectively, the final scores of the plurality of endpoints based on at least the client score and the server score; and
detecting an endpoint of the plurality of endpoints as malicious in response to a corresponding one of the final scores exceeding a pre-determined threshold, wherein the endpoint is not identified as malicious based on the pre-identified endpoint threat level assigned to the endpoint.
Dependent claims: 16, 17, 18, 19, 20
Specification