Automated discovery, attribution, analysis, and risk assessment of security threats
First Claim
1. A method for profiling network traffic of a network, comprising:
obtaining a signature library comprising a plurality of first network data layer signatures each representing first data characteristics associated with a corresponding application executing in the network, wherein the plurality of first network data layer signatures are generated by analyzing a first network data layer using a payload based signature generation algorithm;
generating, by a processor of a computer system using a statistical feature based signature generation algorithm, a second network data layer group behavioral model associated with the signature library, wherein the second network data layer group behavioral model represents a common behavior in a second network data layer of a plurality of historical flows identified from the network traffic, wherein the first network data layer and the second network data layer are identified by a hierarchical network data model of the network traffic, wherein each of the plurality of first network data layer signatures correlates to a subset of the plurality of historical flows;
generating a target flow set based on the second network data layer group behavioral model applied to the second network data layer, comprising:
selecting, by the processor, a flow in the network traffic for including in a target flow set, wherein the second network data layer of the flow matches the second network data layer group behavioral model, wherein the first network data layer of the flow is not correlated to any of the plurality of first network data layer signatures; and
expanding, in response to generating the target flow set based on the second network data layer group behavioral model applied to the second network data layer, the signature library based on the payload based signature generation algorithm applied to the first network data layer, comprising:
analyzing, by the processor using the payload based signature generation algorithm, the target flow set to generate a new first network data layer signature; and
adding the new first network data layer signature to the signature library.
Abstract
A method for profiling network traffic of a network. The method includes obtaining a signature library comprising a plurality of signatures each representing first data characteristics associated with a corresponding application executing in the network, generating, based on a first pre-determined criterion, a group behavioral model associated with the signature library, wherein the group behavioral model represents a common behavior of a plurality of historical flows identified from the network traffic, wherein each of the plurality of signatures correlates to a subset of the plurality of historical flows, selecting a flow in the network traffic for including in a target flow set, wherein the flow matches the group behavioral model without being correlated to any corresponding application of the plurality of signatures, analyzing the target flow set to generate a new signature, and adding the new signature to the signature library.
30 Claims
11. A system for profiling network traffic of a network, comprising:
a signature library comprising a plurality of first network data layer signatures each representing first data characteristics associated with a corresponding application executing in the network, wherein the plurality of first network data layer signatures are generated using a payload based signature generation algorithm;
a processor of a computer system; and
memory storing instructions executable by the processor, the instructions comprising:
a statistical model generator configured to generate, using a statistical feature based signature generation algorithm, a second network data layer group behavioral model associated with the signature library, wherein the second network data layer group behavioral model represents a common behavior of a plurality of historical flows identified from the network traffic, wherein each of the plurality of first network data layer signatures correlates to a subset of the plurality of historical flows;
a statistical classifier configured to generate a target flow set based on the second network data layer group behavioral model applied to the second network data layer, wherein generating the target flow set comprises:
select a flow in the network traffic for including in a target flow set, wherein the second network data layer of the flow matches the second network data layer group behavioral model, wherein the first network data layer of the flow is not correlated to any of the plurality of first network data layer signatures; and
a signature generator configured to expand, in response to generating the target flow set based on the second network data layer group behavioral model applied to the second network data layer, the signature library based on the payload based signature generation algorithm applied to the first network data layer, wherein expanding the signature library comprises:
analyze, using the payload based signature generation algorithm, the target flow set to generate a new first network data layer signature; and
add the new first network data layer signature to the signature library.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21.
22. A non-transitory computer readable medium, embodying instructions to profile network traffic of a network, the instructions when executed by the computer comprising functionality for:
obtaining a signature library comprising a plurality of first network data layer signatures each representing first data characteristics associated with a corresponding application executing in the network, wherein the plurality of first network data layer signatures are generated using a payload based signature generation algorithm;
generating, using a statistical feature based signature generation algorithm, a second network data layer group behavioral model associated with the signature library, wherein the second network data layer group behavioral model represents a common behavior of a plurality of historical flows identified from the network traffic, wherein each of the plurality of first network data layer signatures correlates to a subset of the plurality of historical flows; and
profiling the network traffic, based on a combination of the payload based signature generation algorithm and the statistical feature based signature generation algorithm, by at least:
selecting a flow in the network traffic for including in a target flow set, comprising:
analyzing the flow based on a second pre-determined criterion to identify the second network data layer of the flow as matching the second network data layer group behavioral model;
determining a correlation between the first network data layer of the flow and any of the plurality of first network data layer signatures as not meeting a pre-determined threshold; and
including, in response to identifying the flow as matching the second network data layer group behavioral model and the correlation not meeting the pre-determined threshold, the flow in the target flow set;
analyzing, using the payload based signature generation algorithm, the target flow set to generate a new first network data layer signature, comprising:
analyzing, in response to a size of the target flow set exceeding a pre-determined size, the target flow set to identify a plurality of clusters in the target flow set; and
analyzing at least one cluster of the plurality of clusters to generate the new first network data layer signature representing second data characteristics associated with the at least one cluster; and
adding the new first network data layer signature to the signature library, wherein the network traffic is profiled based at least on the new first network data layer signature.
Dependent claims: 23, 24, 25, 26, 27, 30.
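As an added illustration (not the patent's own code, and not from any implementation the page cites), the Python below carries the loop of claims 1 and 22 end to end on constructed flow records: a payload based signature library for the first network data layer, a statistical group behavioral model over the second network data layer, a target flow set of flows that match the model but no signature, and a size check followed by clustering that yields a new payload signature. The application names, signatures, features and thresholds are all assumptions made for the example, and the clustering is a deliberately simple grouping on leading bytes.

```python
from statistics import mean, pstdev
# Constructed sample data (not from the patent). First network data layer = payload bytes;
# second network data layer = per-flow statistics (mean packet size, duration in seconds).
def flow(payload, sizes, duration):
    return {"payload": payload, "sizes": sizes, "duration": duration}
HISTORICAL = [flow(b"GET /a HTTP/1.1", [100, 1400, 1400, 60], 0.4),
              flow(b"GET /b HTTP/1.1", [120, 1400, 1200, 60], 0.6),
              flow(b"SSH-2.0-x", [80, 1300, 1400, 70], 0.5),
              flow(b"SSH-2.0-y", [90, 1400, 1400, 60], 0.5)]
LIVE = [flow(b"GET /c HTTP/1.1", [110, 1400, 1400, 60], 0.5),    # known app
        flow(b"NPX1 hello alice", [100, 1400, 1400, 60], 0.45),  # unknown app, same behaviour
        flow(b"NPX1 hello bob", [90, 1400, 1300, 70], 0.55),
        flow(b"NPX1 hello carol", [100, 1400, 1400, 50], 0.5),
        flow(b"\x00\x01blob", [1400] * 20, 30.0)]                # bulk transfer, other behaviour
LIBRARY = {"http": b"GET /", "ssh": b"SSH-2.0"}  # hypothetical payload based signatures
def correlate(payload, library):
    # First layer: the application whose payload signature the flow correlates to, if any.
    return next((app for app, sig in library.items() if payload.startswith(sig)), None)
def features(f):  # second layer statistical features
    return (mean(f["sizes"]), f["duration"])
def group_model(history, library):
    # Per-feature mean and spread over the historical flows the library already labels
    # (spread floored at 10% of the mean so a constant feature does not reject everything).
    cols = zip(*(features(f) for f in history if correlate(f["payload"], library)))
    return [(mean(c), max(pstdev(c), 0.1 * abs(mean(c)))) for c in cols]
def matches(f, model, z=2.0):
    return all(abs(v - m) <= z * s for v, (m, s) in zip(features(f), model))
def target_flow_set(traffic, model, library):
    # Flows that behave like the modelled group but that no payload signature explains.
    return [f for f in traffic if matches(f, model) and correlate(f["payload"], library) is None]
def common_prefix(payloads):
    first = min(payloads, key=len)
    n = next((i for i in range(len(first)) if any(p[i] != first[i] for p in payloads)), len(first))
    return first[:n]

def expand_library(traffic, history, library, min_target=2, min_cluster=2, min_sig=4):
    # Once the target set exceeds min_target, cluster it by leading bytes and add the common
    # prefix of each sizeable cluster to the library as a new payload signature.
    model = group_model(history, library)
    target = target_flow_set(traffic, model, library)
    if len(target) <= min_target:
        return library
    clusters = {}
    for f in target:
        clusters.setdefault(f["payload"][:min_sig], []).append(f["payload"])
    for key, payloads in clusters.items():
        sig = common_prefix(payloads)
        if len(payloads) >= min_cluster and len(sig) >= min_sig and sig not in library.values():
            library["auto-" + key.hex()] = sig
    return library
```

Running `expand_library(LIVE, HISTORICAL, dict(LIBRARY))` adds the signature `b"NPX1 hello "` under a generated name, after which the next flow with that prefix is correlated on the first layer alone.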