Software network behavior analysis and identification system
First Claim
1. A method comprising:
detecting, at a detection module, an indicator corresponding to a suspicious software component, wherein the indicator is detected based on monitored network data of a network system and based on a plurality of network behavior profiles, wherein the plurality of network behavior profiles correspond to a plurality of suspicious software components, and wherein a first network behavior profile of the plurality of network behavior profiles includes a first ordered sequence of network actions associated with a first suspicious software component of the plurality of suspicious software components;
combining a first rating associated with the indicator and a second rating associated with a second indicator to generate a total rating for a particular internet protocol address associated with a device that corresponds to the monitored network data;
after determining to provide the indicator to an identification module based on a comparison of the total rating with a threshold value, determining, at the identification module, whether the indicator corresponds to any of the plurality of network behavior profiles; and
generating output data in response to a determination that the indicator corresponds to a particular network behavior profile of the plurality of network behavior profiles.
Abstract
A particular method includes detecting, at a detection module, an indicator corresponding to a suspicious software component, where the indicator is detected based on monitored network data of a network system and based on a plurality of network behavior profiles. At least one of the network behavior profiles includes an ordered sequence of network actions. The method further includes determining, at an identification module, whether the indicator corresponds to any of the plurality of network behavior profiles. The method further includes generating output data in response to a determination that the indicator corresponds to a particular network behavior profile of the plurality of network behavior profiles.
20 Claims
1. A method comprising:
detecting, at a detection module, an indicator corresponding to a suspicious software component, wherein the indicator is detected based on monitored network data of a network system and based on a plurality of network behavior profiles, wherein the plurality of network behavior profiles correspond to a plurality of suspicious software components, and wherein a first network behavior profile of the plurality of network behavior profiles includes a first ordered sequence of network actions associated with a first suspicious software component of the plurality of suspicious software components;
combining a first rating associated with the indicator and a second rating associated with a second indicator to generate a total rating for a particular internet protocol address associated with a device that corresponds to the monitored network data;
after determining to provide the indicator to an identification module based on a comparison of the total rating with a threshold value, determining, at the identification module, whether the indicator corresponds to any of the plurality of network behavior profiles; and
generating output data in response to a determination that the indicator corresponds to a particular network behavior profile of the plurality of network behavior profiles.
Dependent claims: 2 through 12.
13. A system comprising:
a processor; and
a memory coupled to the processor, the memory storing instructions that, when executed by the processor, cause the processor to perform operations comprising:
detecting an indicator corresponding to a suspicious software component, wherein the indicator is detected based on monitored network data of a network system and based on a plurality of network behavior profiles, wherein the plurality of network behavior profiles correspond to a plurality of suspicious software components, and wherein a first network behavior profile of the plurality of network behavior profiles includes a first ordered sequence of network actions associated with a first suspicious software component of the plurality of suspicious software components;
combining a first rating associated with the indicator and a second rating associated with a second indicator to generate a total rating for a particular internet protocol address associated with a device that corresponds to the monitored network data;
after determining that the total rating satisfies a threshold value, determining whether the indicator corresponds to any of the plurality of network behavior profiles; and
generating output data in response to a determination that the indicator corresponds to a particular network behavior profile of the plurality of network behavior profiles.
Dependent claims: 14 through 17.
18. A computer-readable storage device storing instructions that, when executed by a processor, cause the processor to perform operations comprising:
detecting an indicator corresponding to a suspicious software component based on monitored network data of a network system and based on a plurality of network behavior profiles, wherein the plurality of network behavior profiles correspond to a plurality of suspicious software components, and wherein a first network behavior profile of the plurality of network behavior profiles includes a first ordered sequence of network actions associated with a first suspicious software component of the plurality of suspicious software components;
combining a first rating associated with the indicator and a second rating associated with a second indicator to generate a total rating for a particular internet protocol address associated with a device that corresponds to the monitored network data;
determining whether the indicator corresponds to any of the plurality of network behavior profiles in response to the total rating meeting a threshold value; and
generating first output data in response to a determination that the indicator corresponds to a particular network behavior profile of the plurality of network behavior profiles.
Dependent claims: 19 and 20.
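The independent claims above all describe the same two-stage pipeline: a detection module matches monitored network data against behavior profiles that contain an ordered sequence of network actions, the ratings of all indicators for one IP address are combined into a total rating, and only when that total meets a threshold is the indicator handed to an identification module, which confirms the profile match and generates output data. The following is an added worked example of that flow and is not code from the patent or its assignee. It assumes its own data model: a profile carries an ordered tuple of action types for detection plus a parallel tuple of per-step target suffixes that the identification stage additionally requires (a design choice of this example, not something the claims specify), the rating is a plain integer weight, and the monitored events are constructed sample records rather than real traffic.

```python
"""Two-stage network behavior pipeline modelled on the claims above:
detection (ordered-sequence match per IP, rating, threshold gate) followed
by identification (stricter per-profile check) and output generation.
Added example, not the patent's code; data model and sample data are
assumptions of this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NetEvent:
    """One monitored network action from a device, in observation order."""
    src_ip: str
    action: str   # e.g. "dns_query", "tcp_connect", "http_post"
    target: str   # hostname or "ip:port"


@dataclass(frozen=True)
class BehaviorProfile:
    """Profile of a suspicious software component. `actions` is the ordered
    sequence of network actions used by detection; `targets` (an assumption
    of this example) gives a per-step target suffix that identification
    additionally requires, None meaning any target."""
    name: str
    actions: tuple
    targets: tuple
    rating: int


@dataclass(frozen=True)
class Indicator:
    src_ip: str
    profile: str
    rating: int
    events: tuple  # matched events, in order


def ordered_match(events, actions, targets=None):
    """Return the events matching `actions` as an ordered (not necessarily
    contiguous) subsequence of `events`, or None if there is no match.
    With `targets`, step i also requires the event target to end with
    targets[i] unless that entry is None."""
    i, matched = 0, []
    for e in events:
        if i == len(actions):
            break
        want = targets[i] if targets else None
        if e.action == actions[i] and (want is None or e.target.endswith(want)):
            matched.append(e)
            i += 1
    return tuple(matched) if i == len(actions) else None


def group_by_ip(events):
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    return by_ip


def detect(events, profiles):
    """Detection module: one indicator per (source IP, profile) whose ordered
    action sequence appears in that IP's monitored events."""
    indicators = []
    for ip, evs in group_by_ip(events).items():
        for p in profiles:
            hit = ordered_match(evs, p.actions)
            if hit is not None:
                indicators.append(Indicator(ip, p.name, p.rating, hit))
    return indicators


def total_ratings(indicators):
    """Combine the ratings of all indicators for an IP into a total rating."""
    totals = defaultdict(int)
    for ind in indicators:
        totals[ind.src_ip] += ind.rating
    return dict(totals)


def identify(events, indicators, profiles, threshold):
    """Identification module: only indicators whose IP total rating meets
    `threshold` are examined; each is re-checked against its profile with
    the target constraints over the IP's full event stream, and output data
    is generated for confirmed matches."""
    totals = total_ratings(indicators)
    by_ip = group_by_ip(events)
    by_name = {p.name: p for p in profiles}
    outputs = []
    for ind in indicators:
        if totals[ind.src_ip] < threshold:
            continue  # below threshold: not forwarded to identification
        p = by_name[ind.profile]
        confirmed = ordered_match(by_ip[ind.src_ip], p.actions, p.targets)
        if confirmed is not None:
            outputs.append({"ip": ind.src_ip, "component": p.name,
                            "total_rating": totals[ind.src_ip],
                            "sequence": [e.action for e in confirmed]})
    return outputs


PROFILES = (
    # Beacon-like component: resolve a name, connect to port 4444, post there.
    BehaviorProfile("beacon", ("dns_query", "tcp_connect", "http_post"),
                    (None, ":4444", ":4444"), rating=6),
    # Scanner-like component: three outbound connects to any target.
    BehaviorProfile("scanner", ("tcp_connect",) * 3, (None,) * 3, rating=3),
)

# Constructed sample of monitored network data (documentation IP ranges).
EVENTS = (
    NetEvent("10.0.0.5", "dns_query", "c2.example.net"),
    NetEvent("10.0.0.5", "tcp_connect", "203.0.113.7:4444"),
    NetEvent("10.0.0.5", "tcp_connect", "203.0.113.7:4444"),
    NetEvent("10.0.0.5", "tcp_connect", "203.0.113.7:4444"),
    NetEvent("10.0.0.5", "http_post", "203.0.113.7:4444"),
    NetEvent("10.0.0.9", "dns_query", "www.example.com"),
    NetEvent("10.0.0.9", "tcp_connect", "192.0.2.10:443"),
    NetEvent("10.0.0.9", "http_post", "192.0.2.10:443"),
    NetEvent("10.0.0.20", "dns_query", "www.example.org"),
    NetEvent("10.0.0.20", "tcp_connect", "198.51.100.2:443"),
    NetEvent("10.0.0.20", "tcp_connect", "198.51.100.3:443"),
    NetEvent("10.0.0.20", "tcp_connect", "198.51.100.4:443"),
    NetEvent("10.0.0.20", "http_post", "198.51.100.4:443"),
)


def run_pipeline(events=EVENTS, profiles=PROFILES, threshold=8):
    return identify(events, detect(events, profiles), profiles, threshold)


if __name__ == "__main__":
    for record in run_pipeline():
        print(record)
```

With the sample data and a threshold of 8, 10.0.0.9 triggers the beacon indicator on action order alone (rating 6) but never reaches identification, 10.0.0.5 passes the gate with both profiles confirmed, and 10.0.0.20 passes the gate on combined rating (6 + 3) yet has its beacon indicator rejected at identification because its connects go to port 443, leaving only the scanner output. That second-stage rejection is the point of the split: the cheap detection match can over-trigger, and the total-rating threshold limits how much traffic the more expensive identification check sees.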