Methods and apparatus to identify malicious activity in a network
First Claim
1. A method comprising:
generating, with a processor, a set of statistical features based on communications between a plurality of network devices including a set of suspect devices classified as being associated with malicious activity and a set of unclassified devices;
iteratively adjusting, with the processor and for a first number of iterations, a set of weights of a distance function representing differences between vectors of statistical features for different devices, the weights corresponding to the statistical features, the set of weights to be adjusted at each iteration based on a calculated gradient and step size to (1) reduce a first distance calculated between a first suspect device of the set of suspect devices and a second suspect device of the set of suspect devices and (2) increase a second distance calculated between the first suspect device and a first unclassified device of the set of unclassified devices; and
in response to determining a first statistical feature of the set of statistical features is indicative of malicious activity based on a corresponding first weight, sending information identifying the first statistical feature of the set of statistical features to a network monitor that is to determine whether any of the unclassified devices are associated with malicious activity.
Abstract
Methods, apparatus, systems and articles of manufacture are disclosed to learn malicious activity. An example method includes assigning weights of a distance function to respective statistical features; iteratively calculating, with a processor, the distance function to adjust the weights (1) to cause a reduction in a first distance calculated according to the distance function for a first pair of entities in a reference group associated with malicious activity and (2) to cause an increase in a second distance calculated according to the distance function for a first one of the entities included in the reference group and a second entity not included in the reference group; and determining whether a first statistical feature is indicative of malicious activity based on a respective adjusted weight of the first statistical feature determined after calculating the distance function for a number of iterations.
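As an added illustration (not code from the patent), the weight-learning loop described in the abstract and claim 1 carried through on constructed data: a weighted distance, gradient steps that pull the suspect devices together and push them away from the unclassified devices, the report of the features that end up carrying the weight, and the monitor's check of the unclassified devices. The feature names, device vectors, the normalization of the weights and the monitor's flagging rule are assumptions.

```python
from itertools import combinations, product

# Constructed sample data (not from the patent): four per-device statistics scaled to [0, 1].
FEATURES = ["beacon_regularity", "mean_bytes_out", "distinct_dst_ports", "conn_fail_rate"]
SUSPECTS = {  # devices already classified as associated with malicious activity
    "s1": [0.90, 0.10, 0.50, 0.60],
    "s2": [0.85, 0.15, 0.40, 0.40],
    "s3": [0.95, 0.12, 0.60, 0.75],
}
UNCLASSIFIED = {
    "u1": [0.10, 0.70, 0.45, 0.30],
    "u2": [0.20, 0.85, 0.55, 0.35],
    "u3": [0.15, 0.90, 0.50, 0.20],
    "u4": [0.88, 0.12, 0.50, 0.65],  # constructed to behave like the suspects
}

def distance(w, x, y):
    """Weighted squared Euclidean distance: sum_k w_k * (x_k - y_k)^2."""
    return sum(wk * (xk - yk) ** 2 for wk, xk, yk in zip(w, x, y))

def learn_weights(suspects, unclassified, iterations=20, step=0.5):
    """Gradient steps on L(w) = mean suspect/suspect distance - mean suspect/unclassified
    distance. dL/dw_k = mean squared gap of feature k within suspect pairs minus the mean gap
    across suspect/unclassified pairs, so weight flows to features on which suspects agree
    with each other but differ from the unclassified population."""
    n = len(FEATURES)
    same = list(combinations(suspects.values(), 2))
    cross = list(product(suspects.values(), unclassified.values()))
    w = [1.0 / n] * n
    for _ in range(iterations):
        grad = [sum((x[k] - y[k]) ** 2 for x, y in same) / len(same)
                - sum((x[k] - y[k]) ** 2 for x, y in cross) / len(cross) for k in range(n)]
        w = [max(0.0, wk - step * gk) for wk, gk in zip(w, grad)]  # no negative weights
        total = sum(w)
        w = [wk / total for wk in w]  # assumption: keep the weights summing to 1
    return dict(zip(FEATURES, w))

def indicative_features(weights):
    """Report the features whose learned weight ended above the uniform starting weight."""
    cutoff = 1.0 / len(weights)
    return [f for f, wk in sorted(weights.items(), key=lambda kv: -kv[1]) if wk > cutoff]

def monitor_flags(weights, suspects, unclassified):
    """Network-monitor step (assumed rule): flag an unclassified device that lies closer to
    some suspect than the two most dissimilar suspects lie to each other."""
    w = [weights[f] for f in FEATURES]
    cutoff = max(distance(w, x, y) for x, y in combinations(suspects.values(), 2))
    return sorted(name for name, u in unclassified.items()
                  if min(distance(w, s, u) for s in suspects.values()) < cutoff)
```

On this data the weight on distinct_dst_ports is driven to zero because the suspects disagree on it as much as they differ from everyone else, while beacon_regularity and mean_bytes_out are reported and only u4 is flagged.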
18 Claims
1. (Independent claim 1 is reproduced in full above under "First Claim"; dependent claims 2-6 are not reproduced on this page.)
7. An apparatus comprising:
a memory to store machine readable instructions; and
a processor to execute the instructions to perform operations including:
generating a set of statistical features based on communications between a plurality of network devices including a set of suspect devices classified as being associated with malicious activity and a set of unclassified devices;
iteratively adjusting, for a first number of iterations, a set of weights of a distance function representing differences between vectors of statistical features for different devices, the weights corresponding to the statistical features, the set of weights to be adjusted at each iteration based on a calculated gradient and step size to (1) reduce a first distance calculated between a first suspect device of the set of suspect devices and a second suspect device of the set of suspect devices and (2) increase a second distance calculated between the first suspect device and a first unclassified device of the set of unclassified devices; and
in response to determining a first statistical feature of the set of statistical features is indicative of malicious activity based on a corresponding first weight, sending information identifying a first statistical feature of the set of statistical features to a network monitor that is to determine whether any of the unclassified devices are associated with malicious activity.
(Dependent claims 8-12 are not reproduced on this page.)
13. A tangible machine readable storage medium including instructions which, when executed, cause a machine to perform operations comprising:
generating a set of statistical features based on communications between a plurality of network devices including a set of suspect devices classified as being associated with malicious activity and a set of unclassified devices;
iteratively adjusting, for a first number of iterations, a set of weights of a distance function representing differences between vectors of statistical features for different devices, the weights corresponding to the statistical features, the set of weights to be adjusted at each iteration based on a calculated gradient and step size to (1) reduce a first distance calculated between a first suspect device of the set of suspect devices and a second suspect device of the set of suspect devices and (2) increase a second distance calculated between the first suspect device and a first unclassified device of the set of unclassified devices; and
in response to determining a first statistical feature of the set of statistical features is indicative of malicious activity based on a corresponding first weight, sending information identifying a first statistical feature of a set of statistical features to a network monitor that is to determine whether any of the unclassified devices are associated with malicious activity.
(Dependent claims 14-18 are not reproduced on this page.)