Using a probability-based model to detect random content in a protocol field associated with network traffic
Abstract
A device may receive network traffic. The device may identify candidate text included in a protocol field associated with the network traffic. The device may identify a set of candidate strings included in the candidate text. The device may identify a set of characters that precedes or follows a candidate string, of the set of candidate strings, in the candidate text. The device may determine, using a data structure, a frequency with which the set of characters precedes or follows the candidate string. The device may determine whether the candidate text includes random text based on the frequency. The device may perform an action on the network traffic based on determining whether the candidate text includes random text.
20 Claims
1. A device, comprising:
one or more processors to:
receive network traffic;
identify candidate text included in a communication protocol field associated with the network traffic;
identify a set of candidate strings included in the candidate text;
determine whether a candidate string, of the set of candidate strings, matches a model string, the model string being included in a model text associated with the communication protocol field, the model text being stored in a data structure;
identify a set of characters that precedes or follows the candidate string in the candidate text;
determine, using the data structure, a frequency with which the set of characters precedes or follows the candidate string;
determine whether the candidate text includes random text based on determining whether the candidate string matches the model string or based on the frequency; and
execute a policy to perform an action on the network traffic based on determining whether the candidate text includes random text.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method, comprising:
receiving, by a device, network traffic;
identifying, by the device, candidate text included in a communication protocol field associated with the network traffic;
identifying, by the device, a set of candidate strings included in the candidate text;
determining, by the device, whether a candidate string, of the set of candidate strings, is included in a data structure, the data structure storing model text associated with the communication protocol field;
identifying, by the device, a set of characters that precedes or follows the candidate string in the candidate text;
determining, by the device and using the data structure, a frequency with which the set of characters precedes or follows the candidate string;
determining, by the device, whether the candidate text includes random text based on determining whether the candidate string is included in the data structure or based on the frequency; and
performing, by the device, an action on the network traffic based on determining whether the candidate text includes random text.
Dependent claims: 9, 10, 11, 12, 13.
14. A computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors, cause the one or more processors to:
receive network traffic;
identify candidate text included in a protocol field associated with the network traffic;
identify a set of candidate strings included in the candidate text;
identify a set of characters that precedes or follows a candidate string, of the set of candidate strings, in the candidate text;
determine, using a data structure, a frequency with which the set of characters precedes or follows the candidate string;
determine whether the candidate text includes random text based on the frequency; and
perform an action on the network traffic based on determining whether the candidate text includes random text.
Dependent claims: 15, 16, 17, 18, 19, 20.
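The abstract and the three independent claims above describe the same pipeline: build a data structure from model text for a protocol field, split candidate text into candidate strings, check whether each candidate string matches a model string, look up how often the characters around it precede or follow that model string, and decide from the match and the frequency whether the text is random, then act on the traffic. The following is an added illustration of that pipeline written for this page; it is not code from the patent or its assignee. It treats the HTTP Host header as the protocol field, uses character trigrams as the candidate and model strings, and every name (`FieldModel`, `random_score`, `decide_action`), the constructed `MODEL_TEXT` list, the sample Host values and the thresholds are assumptions chosen for the example.

```python
"""Added example: score a protocol field value (an HTTP Host header) as random
or not using a character n-gram data structure built from model text, then
apply a policy. All names and data here are hypothetical, not the patent's.
"""
from collections import Counter, defaultdict

# Constructed model text for the Host field: values a small site legitimately
# contacts. Invented sample data; a real deployment would learn this from
# observed field values.
MODEL_TEXT = [
    "www.example.com", "api.example.com", "cdn.example.com",
    "static.example.net", "mail.example.org", "login.example.com",
    "images.example.com", "update.example.net", "docs.example.org",
    "shop.example.com", "status.example.net", "support.example.org",
]

START, END = "^", "$"  # boundary markers so the first/last strings have a context


class FieldModel:
    """Data structure holding model strings (n-grams of the model text) and,
    for each, how often every character precedes or follows it."""

    def __init__(self, model_text, n=3):
        self.n = n
        self.strings = set()                  # model strings
        self.precedes = defaultdict(Counter)  # model string -> preceding char counts
        self.follows = defaultdict(Counter)   # model string -> following char counts
        for text in model_text:
            self.add_model_text(text)

    def windows(self, text):
        """Yield (preceding char, candidate string, following char) for text."""
        padded = START + text + END
        for i in range(1, len(padded) - self.n):
            yield padded[i - 1], padded[i:i + self.n], padded[i + self.n]

    def add_model_text(self, text):
        for prev, gram, nxt in self.windows(text):
            self.strings.add(gram)
            self.precedes[gram][prev] += 1
            self.follows[gram][nxt] += 1

    def frequency(self, table, gram, char):
        """Frequency with which `char` precedes/follows the model string `gram`."""
        counts = table[gram]
        total = sum(counts.values())
        return counts[char] / total if total else 0.0

    def random_score(self, text, min_frequency=0.05):
        """Fraction of candidate strings that are absent from the model or that
        sit in a context (preceding/following character) rarely seen for them.
        min_frequency is a tuning knob; it must sit below 1/(model size) for
        contexts seen once to count as expected."""
        triples = list(self.windows(text))
        if not triples:
            return 1.0  # nothing to compare against: treat as suspicious
        flagged = 0
        for prev, gram, nxt in triples:
            if gram not in self.strings:
                flagged += 1  # no matching model string
            elif (self.frequency(self.precedes, gram, prev) < min_frequency
                  or self.frequency(self.follows, gram, nxt) < min_frequency):
                flagged += 1  # model string known, but in an unusual context
        return flagged / len(triples)


def decide_action(model, field_value, threshold=0.5):
    """Policy: block traffic whose field value scores as random, else allow."""
    score = model.random_score(field_value)
    return ("block" if score >= threshold else "allow", round(score, 2))


if __name__ == "__main__":
    model = FieldModel(MODEL_TEXT)
    # Constructed Host header values from hypothetical HTTP requests.
    for host in ["www.example.com", "news.example.com",
                 "xk7qzp3wvbn4tq9.example.com"]:
        print(host, decide_action(model, host))
```

The unseen but well-formed host `news.example.com` is allowed because most of its trigrams match model strings in their usual contexts, while the label made of mixed letters and digits is blocked because most of its trigrams have no model string at all; the frequency check additionally catches a known model string appearing after a character never seen before it.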