Vulnerability detection based on aggregated primitives
Abstract
Methods, systems, and computer-readable media are disclosed for detecting vulnerabilities based on aggregated primitives. A particular method includes receiving a plurality of data transmissions. At least one of the data transmissions includes a protocol anomaly that is not indicative of a security threat. The method includes identifying a plurality of primitives associated with the data transmissions. The primitives are aggregated, and an attack condition is identified based on the aggregated primitives. A security alert is generated based on the identified attack condition.
20 Claims
1. A computer based vulnerability detection system comprising:
an interface of a computer configured to receive a plurality of network messages, each of the plurality of network messages including a network message payload;
a translation module of the computer executable by the computer to translate each of the network message payloads into one or more primitives;
an aggregation module of the computer configured to aggregate each of the network message payloads, including aggregating primitives of a first primitive data type and primitives of a second primitive data type, wherein the first primitive data type and the second primitive data type are different primitive data types, to produce aggregated primitives;
an analysis module of the computer configured to generate an analysis output upon identifying a match between the aggregated primitives and a policy, wherein a difference between a first value in the aggregated primitives and a second value in the aggregated primitives is identified by the policy as an indication of a threat, wherein the first value is associated with a first primitive corresponding to a first network message payload and wherein the second value is associated with a second primitive corresponding to a second network message payload; and
an enforcement module configured to generate a security alert based on the analysis output.
Dependent claims: 2, 3, 4, 5, 6, 7, 20.
8. A method comprising:
receiving a plurality of network messages including a first network message including a first payload and a second network message including a second payload, wherein the first payload includes a first protocol anomaly and the second payload includes a second protocol anomaly, wherein the first protocol anomaly and the second protocol anomaly are not individually indicative of a security threat;
identifying a plurality of primitives by translating the first payload and the second payload into primitives, wherein the primitives include primitives of a first primitive data type and primitives of a second primitive data type, wherein the first primitive data type and the second primitive data type are different primitive data types;
aggregating the identified plurality of primitives to produce aggregated primitives, the aggregated primitives including a first primitive translated from the first protocol anomaly and a second primitive translated from the second protocol anomaly, wherein the first primitive corresponds to a first value and the second primitive corresponds to a second value, and wherein the second value being different than the first value indicates an attack condition; and
generating a security alert based on the indicated attack condition.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer-readable storage device comprising instructions, that when executed by a computer, cause the computer to:
receive a plurality of network message payloads, the network message payloads from anomalous data transmissions, wherein each of the anomalous data transmissions does not individually trigger a security response;
translate the plurality of network message payloads into a plurality of primitives including primitives of a first primitive data type and primitives of a second primitive data type, wherein the first primitive data type and the second primitive data type are different primitive data types;
aggregate the plurality of primitives;
identify an attack condition based on the aggregated plurality of primitives; and
trigger an action based on the identified attack condition, wherein the aggregated plurality of primitives includes a first primitive translated from a first network message payload and a second primitive translated from a second network message payload, wherein the first primitive corresponds to a first value, wherein the second primitive corresponds to a second value, and wherein the second value differing from the first value indicates malicious activity.
Dependent claims: 16, 17, 18, 19.
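The pipeline claimed in claims 1, 8 and 15 (translate each payload into typed primitives, aggregate primitives of different data types across payloads, and match the aggregate against a policy in which a second value differing from the first value is the threat indication), as an added Python sketch that is not code from the patent or its assignee. The key=value payload format, the grouping of payloads by session id and the contents of the POLICY table are assumptions made for the illustration.

```python
from collections import defaultdict, namedtuple

# name: source field, value: an int or str (the primitive data type), msg_id: payload index
Primitive = namedtuple("Primitive", "name value msg_id")

def translate(msg_id, payload):
    """Translate one 'key=value;...' payload into typed primitives (int or str)."""
    prims = []
    for field in filter(None, payload.split(";")):
        key, _, raw = field.partition("=")
        raw = raw.strip()
        prims.append(Primitive(key.strip(), int(raw) if raw.isdigit() else raw, msg_id))
    return prims

def aggregate(messages):
    """Aggregate the primitives of every payload, grouped by session id."""
    agg = defaultdict(list)
    for msg_id, (session, payload) in enumerate(messages):
        agg[session].extend(translate(msg_id, payload))
    return agg

# Policy: for these primitives a second value differing from the first value
# seen in the same aggregation is an indication of a threat.
POLICY = {
    "session_user": "authenticated user changed within one session",
    "content_length": "declared body length changed between payloads",
}

def analyze(agg):
    """Return (session, primitive, first value, second value, reason) per policy match."""
    alerts = []
    for session, prims in agg.items():
        first_seen = {}
        for p in prims:
            if p.name not in POLICY:
                continue
            first = first_seen.setdefault(p.name, p)
            if p.value != first.value:
                alerts.append((session, p.name, first.value, p.value, POLICY[p.name]))
    return alerts

# Constructed sample: each payload is well-formed on its own; only the change of
# session_user between the two payloads of session s1 matches the policy.
SAMPLE_MESSAGES = [
    ("s1", "session_user=alice;content_length=120;ua=curl/8"),
    ("s1", "session_user=bob;content_length=120;ua=curl/8"),
    ("s2", "session_user=carol;content_length=512;ua=wget"),
    ("s2", "session_user=carol;content_length=512;ua=wget"),
]
```

Running `analyze(aggregate(SAMPLE_MESSAGES))` yields a single alert for session s1, where the str primitive session_user changes from alice to bob while the int primitive content_length stays equal.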