Automated discovery, attribution, analysis, and risk assessment of security threats

US 9,094,288 B1
Filed: 10/26/2011
Issued: 07/28/2015
Est. Priority Date: 10/26/2011
Status: Active Grant

First Claim

Patent Images

1. A method for profiling network traffic of a network, comprising:

obtaining a signature library comprising a plurality of first network data layer signatures each representing first data characteristics associated with a corresponding application executing in the network, wherein the plurality of first network data layer signatures are generated by analyzing a first network data layer using a payload based signature generation algorithm;

generating, by a processor of a computer system using a statistical feature based signature generation algorithm, a second network data layer group behavioral model associated with the signature library, wherein the second network data layer group behavioral model represents a common behavior in a second network data layer of a plurality of historical flows identified from the network traffic, wherein the first network data layer and the second network data layer are identified by a hierarchical network data model of the network traffic, wherein each of the plurality of first network data layer signatures correlates to a subset of the plurality of historical flows;

generating a target flow set based on the second network data layer group behavioral model applied to the second network data layer, comprising;

selecting, by the processor, a flow in the network traffic for including in a target flow set, wherein the second network data layer of the flow matches the second network data layer group behavioral model, wherein the first network data layer of the flow is not correlated to any of the plurality of first network data layer signatures; and

expanding, in response to generating the target flow set based on the second network data layer group behavioral model applied to the second network data layer, the signature library based on the payload based signature generation algorithm applied to the first network data layer, comprising;

analyzing, by the processor using the payload based signature generation algorithm, the target flow set to generate a new first network data layer signature; and

adding the new first network data layer signature to the signature library.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for profiling network traffic of a network. The method includes obtaining a signature library comprising a plurality of signatures each representing first data characteristics associated with a corresponding application executing in the network, generating, based on a first pre-determined criterion, a group behavioral model associated with the signature library, wherein the group behavioral model represents a common behavior of a plurality of historical flows identified from the network traffic, wherein each of the plurality of signatures correlates to a subset of the plurality of historical flows, selecting a flow in the network traffic for including in a target flow set, wherein the flow matches the group behavioral model without being correlated to any corresponding application of the plurality of signatures, analyzing the target flow set to generate a new signature, and adding the new signature to the signature library.

Citations

30 Claims

1. A method for profiling network traffic of a network, comprising:
- obtaining a signature library comprising a plurality of first network data layer signatures each representing first data characteristics associated with a corresponding application executing in the network, wherein the plurality of first network data layer signatures are generated by analyzing a first network data layer using a payload based signature generation algorithm;
  
  generating, by a processor of a computer system using a statistical feature based signature generation algorithm, a second network data layer group behavioral model associated with the signature library, wherein the second network data layer group behavioral model represents a common behavior in a second network data layer of a plurality of historical flows identified from the network traffic, wherein the first network data layer and the second network data layer are identified by a hierarchical network data model of the network traffic, wherein each of the plurality of first network data layer signatures correlates to a subset of the plurality of historical flows;
  
  generating a target flow set based on the second network data layer group behavioral model applied to the second network data layer, comprising;
  
  selecting, by the processor, a flow in the network traffic for including in a target flow set, wherein the second network data layer of the flow matches the second network data layer group behavioral model, wherein the first network data layer of the flow is not correlated to any of the plurality of first network data layer signatures; and
  
  expanding, in response to generating the target flow set based on the second network data layer group behavioral model applied to the second network data layer, the signature library based on the payload based signature generation algorithm applied to the first network data layer, comprising;
  
  analyzing, by the processor using the payload based signature generation algorithm, the target flow set to generate a new first network data layer signature; and
  
  adding the new first network data layer signature to the signature library.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 28, 29)
- - 2. The method of claim 1,wherein selecting the flow in the network traffic for including in the target flow set comprises:
    - analyzing the flow based on a second pre-determined criterion to identify the flow as matching the second network data layer group behavioral model;
      
      determining a correlation between the flow and any corresponding application of the plurality of first network data layer signatures as not meeting a pre-determined threshold; and
      
      including, in response to identifying the flow as matching the second network data layer group behavioral model and the correlation not meeting the pre-determined threshold, the flow in the target flow set;
      
      wherein analyzing the target flow set to generate the new first network data layer signature comprises;
      
      analyzing, in response to a size of the target flow set exceeding a pre-determined size, the target flow set to identify a plurality of clusters in the target flow set; and
      
      analyzing at least one cluster of the plurality of clusters to generate the new first network data layer signature representing second data characteristics associated with the at least one cluster,the method further comprising updating the second network data layer group behavioral model and the target flow set in response to adding the new first network data layer signature to the signature library.
  - 3. The method of claim 1, further comprising:
    - identifying each subset of the plurality of historical flows from the network traffic based on a matched first network data layer signature in the plurality of first network data layer signatures; and
      
      analyzing the flow based on the plurality of first network data layer signatures to determine the correlation between the flow and any corresponding application of the plurality of first network data layer signatures.
  - 4. The method of claim 1, further comprising:
    - analyzing, for each of the plurality of first network data layer signatures, a matched subset of the plurality of historical flows to generate a corresponding behavioral model; and
      
      analyzing, based on the corresponding behavioral model for each of the plurality of first network data layer signatures and without using the plurality of first network data layer signatures, the flow to determine the correlation between the flow and any corresponding application of the plurality of first network data layer signatures.
  - 5. The method of claim 1,wherein each first data characteristics of the plurality of first network data layer signatures is associated with a malicious activity generated by the corresponding application, andwherein the second network data layer group behavioral model comprises a threat model.
  - 6. The method of claim 5, further comprising:
    - identifying a plurality of suspicious hosts in the network based on the malicious activity,wherein analyzing the target flow set to generate the new first network data layer signature further comprises analyzing the flow based on association with the plurality of suspicious hosts.
  - 7. The method of claim 1,wherein each of the plurality of first network data layer signatures comprises a layer 7 signature.
  - 8. The method of claim 1,wherein analyzing the at least one cluster of the plurality of clusters to generate the new first network data layer signature comprises analyzing layer 7 contents of the at least one cluster of the plurality of clusters.
  - 9. The method of claim 1,wherein generating the second network data layer group behavioral model comprises analyzing layer 3 and layer 4 contents of the plurality of historical flows based on a supervised machine learning algorithm, andwherein generating the corresponding behavioral model comprises analyzing layer 3 and layer 4 contents of the matched subset of the plurality of historical flows based on the supervised machine learning algorithm.
  - 10. The method of claim 1,wherein analyzing the target flow set to identify the plurality of clusters is based on an unsupervised machine learning algorithm.
  - 28. The method of claim 1,wherein the target flow set is analyzed, to generate the new first network data layer signature, separate from any flow correlating to any corresponding application of the plurality of first network data layer signatures, andwherein the method further comprises updating the second network data layer group behavioral model in response to adding the new first network data layer signature to the signature library.
  - 29. The system of claim 1,wherein the target flow set is analyzed, to generate the new first network data layer signature, separate from any flow correlating to any corresponding application of the plurality of first network data layer signatures, andwherein the statistical model generator is further configured to update the second network data layer group behavioral model in response to adding the new first network data layer signature to the signature library.

11. A system for profiling network traffic of a network, comprising:
- a signature library comprising a plurality of first network data layer signatures each representing first data characteristics associated with a corresponding application executing in the network, wherein the plurality of first network data layer signatures are generated using a payload based signature generation algorithm;
  
  a processor of a computer system; and
  
  memory storing instructions executable by the processor, the instructions comprising;
  
  a statistical model generator configured to generate, using a statistical feature based signature generation algorithm, a second network data layer group behavioral model associated with the signature library, wherein the second network data layer group behavioral model represents a common behavior of a plurality of historical flows identified from the network traffic, wherein each of the plurality of first network data layer signatures correlates to a subset of the plurality of historical flows;
  
  a statistical classifier configured to generate a target flow set based on the second network data layer group behavioral model applied to the second network data layer, wherein generating the target flow set comprises;
  
  select a flow in the network traffic for including in a target flow set, wherein the second network data layer of the flow matches the second network data layer group behavioral model, wherein the first network data layer of the flow is not correlated to any of the plurality of first network data layer signatures; and
  
  a signature generator configured to expand, in response to generating the target flow set based on the second network data layer group behavioral model applied to the second network data layer, the signature library based on the payload based signature generation algorithm applied to the first network data layer, wherein expanding the signature library comprises;
  
  analyze, using the payload based signature generation algorithm, the target flow set to generate a new first network data layer signature; and
  
  add the new first network data layer signature to the signature library.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The system of claim 11,wherein the statistical classifier is further configured to:
    - analyze the flow based on a second pre-determined criterion to identify the flow as matching the second network data layer group behavioral model;
      
      determine a correlation between the flow and any corresponding application of the plurality of first network data layer signatures as not meeting a pre-determined threshold; and
      
      include, in response to identifying the flow as matching the second network data layer group behavioral model and the correlation not meeting the pre-determined threshold, the flow in the target flow set,wherein the system further comprises a cluster analyzer executing on the processor and configured to analyze, in response to a size of the target flow set exceeding a pre-determined size, the target flow set to identify a plurality of clusters in the target flow set, andwherein the signature generator is further configured to analyze at least one cluster of the plurality of clusters to generate the new first network data layer signature representing second data characteristics associated with the at least one cluster.
  - 13. The system of claim 11,wherein the statistical model generator is further configured to update the second network data layer group behavioral model in response to adding the new first network data layer signature to the signature library, andwherein the statistical classifier is further configured to update the target flow set in response to adding the new first network data layer signature to the signature library.
  - 14. The system of claim 11, further comprising a pattern matching engine configured to:
    - identify each subset of the plurality of historical flows from the network traffic based on a matched first network data layer signature in the plurality of first network data layer signatures; and
      
      analyze the flow based on the plurality of first network data layer signatures to determine the correlation between the flow and any corresponding application of the plurality of first network data layer signatures.
  - 15. The system of claim 11,wherein the statistical model generator is further configured to analyze, for each of the plurality of first network data layer signatures, a matched subset of the plurality of historical flows to generate a corresponding behavioral model, andwherein the statistical classifier is further configured to analyze, based on the corresponding behavioral model for each of the plurality of first network data layer signatures and without using the plurality of first network data layer signatures, the flow to determine the correlation between the flow and any corresponding application of the plurality of first network data layer signatures.
  - 16. The system of claim 11,wherein each first data characteristics of the plurality of first network data layer signatures is associated with a malicious activity generated by the corresponding application, andwherein the second network data layer group behavioral model comprises a threat model.
  - 17. The system of claim 16, further comprises a situation awareness module configured to:
    - identify a plurality of suspicious hosts in the network based on the malicious activity,wherein analyzing the target flow set and generating the new first network data layer signature comprise analyzing the flow based on association with the plurality of suspicious hosts.
  - 18. The system of claim 11,wherein each of the plurality of first network data layer signatures comprises a layer 7 signature.
  - 19. The system of claim 11,wherein analyzing the at least one cluster of the plurality of clusters to generate the new first network data layer signature comprises analyzing layer 7 contents of the at least one cluster of the plurality of clusters.
  - 20. The system of claim 11,wherein generating the second network data layer group behavioral model comprises analyzing layer 3 and layer 4 contents of the plurality of historical flows based on a supervised machine learning algorithm, andwherein generating the corresponding behavioral model comprises analyzing layer 3 and layer 4 contents of the matched subset of the plurality of historical flows based on the supervised machine learning algorithm.
  - 21. The system of claim 11,wherein analyzing the target flow set to identify the plurality of clusters is based on an unsupervised machine learning algorithm.

22. A non-transitory computer readable medium, embodying instructions to profile network traffic of a network, the instructions when executed by the computer comprising functionality for:
- obtaining a signature library comprising a plurality of first network data layer signatures each representing first data characteristics associated with a corresponding application executing in the network, wherein the plurality of first network data layer signatures are generated using a payload based signature generation algorithm;
  
  generating, using a statistical feature based signature generation algorithm, a second network data layer group behavioral model associated with the signature library, wherein the second network data layer group behavioral model represents a common behavior of a plurality of historical flows identified from the network traffic, wherein each of the plurality of first network data layer signatures correlates to a subset of the plurality of historical flows; and
  
  profiling the network traffic, based on a combination of the payload based signature generation algorithm and the statistical feature based signature generation algorithm, by at least;
  
  selecting a flow in the network traffic for including in a target flow set, comprising;
  
  analyzing the flow based on a second pre-determined criterion to identify the second network data layer of the flow as matching the second network data layer group behavioral model;
  
  determining a correlation between the first network data layer the flow and any of the plurality of first network data layer signatures as not meeting a pre-determined threshold; and
  
  including, in response to identifying the flow as matching the second network data layer group behavioral model and the correlation not meeting the pre-determined threshold, the flow in the target flow set;
  
  analyzing, using the payload based signature generation algorithm, the target flow set to generate a new first network data layer signature, comprising;
  
  analyzing, in response to a size of the target flow set exceeding a pre-determined size, the target flow set to identify a plurality of clusters in the target flow set; and
  
  analyzing at least one cluster of the plurality of clusters to generate the new first network data layer signature representing second data characteristics associated with the at least one cluster; and
  
  adding the new first network data layer signature to the signature library,wherein the network traffic is profiled based at least on the new first network data layer signature.
- View Dependent Claims (23, 24, 25, 26, 27, 30)
- - 23. The non-transitory computer readable medium of claim 22, the instructions when executed by the computer further comprising functionality for:
    - updating the second network data layer group behavioral model and the target flow set in response to adding the new first network data layer signature to the signature library.
  - 24. The non-transitory computer readable medium of claim 22, the instructions when executed by the computer further comprising functionality for:
    - identifying each subset of the plurality of historical flows from the network traffic based on a matched first network data layer signature in the plurality of first network data layer signatures; and
      
      analyzing the flow based on the plurality of first network data layer signatures to determine the correlation between the flow and any corresponding application of the plurality of first network data layer signatures.
  - 25. The non-transitory computer readable medium of claim 22, the instructions when executed by the computer further comprising functionality for:
    - analyzing, for each of the plurality of first network data layer signatures, a matched subset of the plurality of historical flows to generate a corresponding behavioral model; and
      
      analyzing, based on the corresponding behavioral model for at least one of the plurality of first network data layer signatures and without using the plurality of first network data layer signatures, the flow to determine the correlation between the flow and any corresponding application of the plurality of first network data layer signatures.
  - 26. The non-transitory computer readable medium of claim 22,wherein each first data characteristics of the plurality of first network data layer signatures is associated with a malicious activity generated by the corresponding application, andwherein the second network data layer group behavioral model comprises a threat model.
  - 27. The non-transitory computer readable medium of claim 26, the instructions when executed by the computer further comprising functionality for:
    - identifying a plurality of suspicious hosts in the network based on the malicious activity,wherein analyzing the target flow set to generate the new first network data layer signature further comprises analyzing the flow based on association with the plurality of suspicious hosts.
  - 30. The non-transitory computer readable medium of claim 22,wherein the target flow set is analyzed, to generate the new first network data layer signature, separate from any flow correlating to any corresponding application of the plurality of first network data layer signatures, andwherein the instructions when executed by the computer further comprising functionality for updating the second network data layer group behavioral model in response to adding the new first network data layer signature to the signature library.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
Narus, Inc. (Gen Digital Inc.)
Inventors
Nucci, Antonio, Saha, Sabyasachi
Primary Examiner(s)
Wang, Harris

Application Number

US13/282,010
Time in Patent Office

1,371 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 43/026   using flow identification

Y02D 30/50   in wire-line communication ...

Automated discovery, attribution, analysis, and risk assessment of security threats

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Automated discovery, attribution, analysis, and risk assessment of security threats

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links