Software network behavior analysis and identification system

US 9,479,521 B2
Filed: 09/30/2013
Issued: 10/25/2016
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting, at a detection module, an indicator corresponding to a suspicious software component, wherein the indicator is detected based on monitored network data of a network system and based on a plurality of network behavior profiles, wherein the plurality of network behavior profiles correspond to a plurality of suspicious software components, and wherein a first network behavior profile of the plurality of network behavior profiles includes a first ordered sequence of network actions associated with a first suspicious software component of the plurality of suspicious software components;

combining a first rating associated with the indicator and a second rating associated with a second indicator to generate a total rating for a particular internet protocol address associated with a device that corresponds to the monitored network data;

after determining to provide the indicator to an identification module based on a comparison of the total rating with a threshold value, determining, at the identification module, whether the indicator corresponds to any of the plurality of network behavior profiles; and

generating output data in response to a determination that the indicator corresponds to a particular network behavior profile of the plurality of network behavior profiles.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A particular method includes detecting, at a detection module, an indicator corresponding to a suspicious software component, where the indicator is detected based on monitored network data of a network system and based on a plurality of network behavior profiles. At least one of the network behavior profiles includes an ordered sequence of network actions. The method further includes determining, at an identification module, whether the indicator corresponds to any of the plurality of network behavior profiles. The method further includes generating output data in response to a determination that the indicator corresponds to a particular network behavior profile of the plurality of network behavior profiles.

115 Citations

20 Claims

1. A method comprising:
- detecting, at a detection module, an indicator corresponding to a suspicious software component, wherein the indicator is detected based on monitored network data of a network system and based on a plurality of network behavior profiles, wherein the plurality of network behavior profiles correspond to a plurality of suspicious software components, and wherein a first network behavior profile of the plurality of network behavior profiles includes a first ordered sequence of network actions associated with a first suspicious software component of the plurality of suspicious software components;
  
  combining a first rating associated with the indicator and a second rating associated with a second indicator to generate a total rating for a particular internet protocol address associated with a device that corresponds to the monitored network data;
  
  after determining to provide the indicator to an identification module based on a comparison of the total rating with a threshold value, determining, at the identification module, whether the indicator corresponds to any of the plurality of network behavior profiles; and
  
  generating output data in response to a determination that the indicator corresponds to a particular network behavior profile of the plurality of network behavior profiles.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein a second network behavior profile of the plurality of network behavior profiles includes a second ordered sequence of network actions associated with a second suspicious software component of the plurality of suspicious software components, wherein the second ordered sequence of network actions is distinct from the first ordered sequence of network actions, and wherein the second suspicious software component is distinct from the first suspicious software component.
  - 3. The method of claim 1, wherein the output data indicates the particular network behavior profile corresponding to the indicator, and wherein the threshold value indicates whether the total rating corresponds to a particular network behavior profile of the plurality of network behavior profiles.
  - 4. The method of claim 1, wherein the indicator corresponds to at least one of a timed sequence of network actions and pauses, an ordered sequence of network actions, a sequence of network actions within a time period, or a characteristic of a particular network action.
  - 5. The method of claim 4, wherein the characteristic includes at least one of an internet protocol address accessed during the particular network action, a duration of the particular network action, a communication protocol associated with the particular network action, or an amount of bandwidth associated with the particular network action.
  - 6. The method of claim 1, wherein the first ordered sequence of network actions includes at least one of a network port access, a secure shell communication, a domain name system server query, an attempt to access a particular internet protocol port, an internet control message protocol request, a ping, or an attempt to access a particular service.
  - 7. The method of claim 1, wherein the first ordered sequence of network actions comprises a first network port access, a particular secure shell communication after the first network port access, and a second network port access after the particular secure shell communication.
  - 8. The method of claim 1, further comprising:
    - detecting, at the detection module, the second indicator corresponding to the suspicious software component, wherein the second indicator is detected based on the monitored network data of the network system and based on the plurality of network behavior profiles;
      
      determining, at the identification module, whether the second indicator corresponds to any of the plurality of network behavior profiles; and
      
      generating second output data in response to a determination that the indicator and the second indicator together do not correspond to any network behavior profile of the plurality of network behavior profiles.
  - 9. The method of claim 8, further comprising sending the second output data to a computing system.
  - 10. The method of claim 1, further comprising, prior to combining the first rating and the second rating:
    - generating the first rating based on information derived from the first network behavior profile; and
      
      generating the second rating based on information derived from a second network behavior profile.
  - 11. The method of claim 1, further comprising:
    - comparing the total rating to the threshold value; and
      
      determining whether the indicator corresponds to at least one network behavior profile in response to a determination that the total rating satisfies the threshold value.
  - 12. The method of claim 1, further comprising:
    - prior to detecting the indicator and the second indicator, filtering the monitored network data to generate a portion of the monitored network data;
      
      detecting the indicator and the second indicator in the portion of the monitored network data;
      
      generating the first rating and the second rating based on information derived from the first network behavior profile and a second network behavior profile;
      
      receiving the threshold value, the threshold value indicative of a correspondence between the total rating and the particular network behavior profile; and
      
      comparing the total rating and the threshold value.

13. A system comprising:
- a processor; and
  
  a memory coupled to the processor, the memory storing instructions that, when executed by the processor, cause the processor to perform operations comprising;
  
  detecting an indicator corresponding to a suspicious software component, wherein the indicator is detected based on monitored network data of a network system and based on a plurality of network behavior profiles, wherein the plurality of network behavior profiles correspond to a plurality of suspicious software components, and wherein a first network behavior profile of the plurality of network behavior profiles includes a first ordered sequence of network actions associated with a first suspicious software component of the plurality of suspicious software components;
  
  combining a first rating associated with the indicator and a second rating associated with a second indicator to generate a total rating for a particular internet protocol address associated with a device that corresponds to the monitored network data;
  
  after determining that the total rating satisfies a threshold value, determining whether the indicator corresponds to any of the plurality of network behavior profiles; and
  
  generating output data in response to a determination that the indicator corresponds to a particular network behavior profile of the plurality of network behavior profiles.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The system of claim 13, wherein the operations further include:
    - receiving the plurality of network behavior profiles, wherein the plurality of network behavior profiles includes a plurality of detection settings associated with a plurality of software components;
      
      storing the plurality of network behavior profiles; and
      
      selecting a subset of the plurality of detection settings to generate a set of detectable detection settings, wherein each detection setting of the set of detectable detection settings is unique within the set of detectable detection settings.
  - 15. The system of claim 14, wherein the operations further include:
    - comparing each detection setting of the set of detectable detection settings to the monitored network data in parallel; and
      
      detecting the indicator when the monitored network data includes characteristics that match a particular detection setting of the set of detectable detection settings.
  - 16. The system of claim 13, wherein the operations further include:
    - generating the first rating based on a first correspondence between the indicator and the first network behavior profile of the plurality of network behavior profiles;
      
      generating the second rating based on a second correspondence between the indicator and a second network behavior profile of the plurality of network behavior profiles;
      
      wherein the suspicious software component is determined to correspond to the first network behavior profile based on a determination that the first rating is greater than a greatest identification rating associated with other network behavior profiles of the plurality of network behavior profiles and that the first rating satisfies an identification threshold; and
      
      wherein the suspicious software component is determined to not correspond to the first network behavior profile based on a determination that the first identification rating does not satisfy the identification threshold.
  - 17. The system of claim 13, wherein the operations further include:
    - generating a detection tree based on the plurality of network behavior profiles, wherein the detection tree indicates that a first detection setting of a plurality of detection settings depends on a second detection setting of the plurality of detection settings;
      
      comparing the second detection setting to the monitored network data to detect the second indicator; and
      
      comparing the first detection setting to the monitored network data to detect a first indicator in response to a determination that the monitored network data includes the second indicator.

18. A computer-readable storage device storing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- detecting an indicator corresponding to a suspicious software component based on monitored network data of a network system and based on a plurality of network behavior profiles, wherein the plurality of network behavior profiles correspond to a plurality of suspicious software components, and wherein a first network behavior profile of the plurality of network behavior profiles includes a first ordered sequence of network actions associated with a first suspicious software component of the plurality of suspicious software components;
  
  combining a first rating associated with the indicator and a second rating associated with a second indicator to generate a total rating for a particular internet protocol address associated with a device that corresponds to the monitored network data;
  
  determining whether the indicator corresponds to any of the plurality of network behavior profiles in response to the total rating meeting a threshold value; and
  
  generating first output data in response to a determination that the indicator correspond to a particular network behavior profile of the plurality of network behavior profiles.
- View Dependent Claims (19, 20)
- - 19. The computer-readable storage device of claim 18, wherein the operations further include:
    - receiving information identifying a plurality of internet protocol addresses at the processor;
      
      generating a filtered subset of the plurality of internet protocol addresses; and
      
      detecting that the indicator corresponds to at least one internet protocol address of the filtered subset of the plurality of internet protocol addresses.
  - 20. The computer-readable storage device of claim 18, wherein the operations further include, in response to the determination that the indicator corresponds to the particular network behavior profile, prohibiting a device associated with the particular internet protocol address from accessing a network of the network system, wherein the indicator corresponds to the particular internet protocol address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Davis, Aaron R., Aldrich, Timothy M., Bialek, Matthew S., Lemm, Timothy M., Kospiah, Shaun
Primary Examiner(s)
GOODCHILD, WILLIAM J

Application Number

US14/042,153
Publication Number

US 20150096019A1
Time in Patent Office

1,121 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/145 the attack involving the pr...

Software network behavior analysis and identification system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

115 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Software network behavior analysis and identification system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links