Using a probability-based model to detect random content in a protocol field associated with network traffic

US 9,680,832 B1
Filed: 12/30/2014
Issued: 06/13/2017
Est. Priority Date: 12/30/2014
Status: Active Grant

First Claim

Patent Images

1. A device, comprising:

one or more processors to;

receive network traffic;

identify candidate text included in a communication protocol field associated with the network traffic;

identify a set of candidate strings included in the candidate text;

determine whether a candidate string, of the set of candidate strings, matches a model string,the model string being included in a model text associated with the communication protocol field,the model text being stored in a data structure;

identify a set of characters that precedes or follows the candidate string in the candidate text;

determine, using the data structure, a frequency with which the set of characters precedes or follows the candidate string;

determine whether the candidate text includes random text based on determining whether the candidate string matches the model string or based on the frequency; and

execute a policy to perform an action on the network traffic based on determining whether the candidate text includes random text.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device may receive network traffic. The device may identify candidate text included in a protocol field associated with the network traffic. The device may identify a set of candidate strings included in the candidate text. The device may identify a set of characters that precedes or follows a candidate string, of the set of candidate strings, in the candidate text. The device may determine, using a data structure, a frequency with which the set of characters precedes or follows the candidate string. The device may determine whether the candidate text includes random text based on the frequency. The device may perform an action on the network traffic based on determining whether the candidate text includes random text.

9 Citations

View as Search Results

20 Claims

1. A device, comprising:
- one or more processors to;
  
  receive network traffic;
  
  identify candidate text included in a communication protocol field associated with the network traffic;
  
  identify a set of candidate strings included in the candidate text;
  
  determine whether a candidate string, of the set of candidate strings, matches a model string,the model string being included in a model text associated with the communication protocol field,the model text being stored in a data structure;
  
  identify a set of characters that precedes or follows the candidate string in the candidate text;
  
  determine, using the data structure, a frequency with which the set of characters precedes or follows the candidate string;
  
  determine whether the candidate text includes random text based on determining whether the candidate string matches the model string or based on the frequency; and
  
  execute a policy to perform an action on the network traffic based on determining whether the candidate text includes random text.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The device of claim 1, where the set of characters is a first set of characters;
    - andwhere the one or more processors are further to;
      
      receive the model text;
      
      identify a set of model strings included in the model text;
      
      determine the frequency with which a second set of characters precedes or follows the set of model strings; and
      
      store, in the data structure, the set of model strings, and the frequency with which the second set of characters precedes or follows the set of model strings.
  - 3. The device of claim 1, where the one or more processors, when determining whether the candidate text includes random text, are further to:
    - determine whether the frequency satisfies a threshold; and
      
      determine whether the candidate text includes random text based on determining whether the frequency satisfies the threshold.
  - 4. The device of claim 1, where the one or more processors, when determining whether the candidate text includes random text, are further to:
    - determine a probability that the candidate text includes random text based on determining whether the candidate string matches the model string or based on the frequency;
      
      determine whether the probability satisfies a threshold; and
      
      determine whether the candidate text includes random text based on determining whether the probability satisfies the threshold.
  - 5. The device of claim 1, where the set of characters is a first set of characters;
    - andwhere the one or more processors are further to;
      
      identify the model text from live network traffic,the live network traffic being received from a live network deployment;
      
      identify a set of model strings included in the model text;
      
      determine a frequency with which a second set of characters precedes or follows the set of model strings; and
      
      store, in the data structure, the set of model strings and the frequency with which the second set of characters precedes or follows the set of model strings.
  - 6. The device of claim 1, where the set of characters is a first set of characters;
    - andwhere the one or more processors are further to;
      
      determine that the candidate text does not include random text;
      
      update the model text using the candidate text based on determining that the candidate text does not include random text;
      
      identify a set of model strings included in the model text;
      
      determine a frequency with which a second set of characters precedes or follows the set of model strings; and
      
      store, in the data structure, the set of model strings, and the frequency with which the second set of characters precedes or follows the set of model strings.
  - 7. The device of claim 1, where the one or more processors, when identifying the candidate text included in the communication protocol field, are further to:
    - receive a list of fields from which the candidate text is to be read; and
      
      read the candidate text based on the list of fields.

8. A method, comprising:
- receiving, by a device, network traffic;
  
  identifying, by the device, candidate text included in a communication protocol field associated with the network traffic;
  
  identifying, by the device, a set of candidate strings included in the candidate text;
  
  determining, by the device, whether a candidate string, of the set of candidate strings, is included in a data structure,the data structure storing model text associated with the communication protocol field;
  
  identifying, by the device, a set of characters that precedes or follows the candidate string in the candidate text;
  
  determining, by the device and using the data structure, a frequency with which the set of characters precedes or follows the candidate string;
  
  determining, by the device, whether the candidate text includes random text based on determining whether the candidate string is included in the data structure or based on the frequency; and
  
  performing, by the device, an action on the network traffic based on determining whether the candidate text includes random text.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, where the set of characters is a first set of characters;
    - andwhere the method further comprises;
      
      receiving the model text associated with the communication protocol field;
      
      identifying a set of model strings included in the model text;
      
      determining a frequency with which a second set of characters precedes or follows the set of model strings; and
      
      storing, in the data structure, the set of model strings and the frequency with which the second set of characters precedes or follows the set of model strings.
  - 10. The method of claim 8, where the candidate string, of the set of candidate strings, is n characters in length and is included in an n-gram sequence of the candidate text,n being an integer greater than or equal to one;
    - andwhere a model string, included in the model text, is n characters in length and is included in an n-gram sequence of the model text.
  - 11. The method of claim 8, where determining whether the candidate text includes random text further comprises:
    - determining whether a threshold quantity or proportion of candidate strings are absent from the model text; and
      
      determining whether the candidate text includes random text based on determining whether the threshold quantity or proportion of candidate strings are absent from the model text.
  - 12. The method of claim 8, where determining whether the candidate text includes random text further comprises:
    - calculating a score by applying weights to frequencies with which the set of characters precedes or follows one or more candidate strings, of the set of candidate strings;
      
      determining whether the score satisfies a threshold; and
      
      determining whether the candidate text includes random text based on determining whether the score satisfies the threshold.
  - 13. The method of claim 8, where determining whether the candidate text includes random text further comprises:
    - determining whether the candidate string, of the set of candidate strings, is included in the data structure; and
      
      determining whether the candidate text includes random text based on determining whether the candidate string is included in the data structure.

14. A computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to;
  
  receive network traffic;
  
  identify candidate text included in a protocol field associated with the network traffic;
  
  identify a set of candidate strings included in the candidate text;
  
  identify a set of characters that precedes or follows a candidate string, of the set of candidate strings, in the candidate text;
  
  determine, using a data structure, a frequency with which the set of characters precedes or follows the candidate string;
  
  determine whether the candidate text includes random text based on the frequency; and
  
  perform an action on the network traffic based on determining whether the candidate text includes random text.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer-readable medium of claim 14, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - determine whether the candidate string matches a model string,the model string being included in a model text associated with the protocol field,the model text being stored in the data structure; and
      
      determine whether the candidate text includes random text based on determining whether the candidate string matches the model string.
  - 16. The computer-readable medium of claim 14, where the set of characters is a first set of characters;
    - andwhere the one or more instructions, when executed by the one or more processors, further cause the one or more processors to;
      
      receive model text;
      
      identify a set of model strings included in the model text;
      
      determine a frequency with which a second set of characters precedes or follows the set of model strings; and
      
      store, in the data structure, the set of model strings and the frequency with which the second set of characters precedes or follows the set of model strings.
  - 17. The computer-readable medium of claim 14, where the candidate string, of the set of candidate strings, is n characters in length and is included in an n-gram sequence of the candidate text,n being an integer greater than or equal to one;
    - andwhere a model string is n characters in length and is included in an n-gram sequence of model text.
  - 18. The computer-readable medium of claim 14, where the set of characters is a first set of characters;
    - andwhere the one or more instructions, when executed by the one or more processors, further cause the one or more processors to;
      
      determine that the candidate text does not include random text;
      
      update model text using the candidate text based on determining that the candidate text does not include random text;
      
      identify a set of model strings included in the model text;
      
      determine a frequency with which a second set of characters precedes or follows the set of model strings; and
      
      store, in the data structure, the set of model strings and the frequency with which the second set of characters precedes or follows the set of model strings.
  - 19. The computer-readable medium of claim 14, where the set of characters is a first set of characters;
    - andwhere the one or more instructions, when executed by the one or more processors, further cause the one or more processors to;
      
      identify model text from live network traffic,the live network traffic being received from a live network deployment;
      
      identify a set of model strings included in the model text;
      
      determine a frequency with which a second set of characters precedes or follows the set of model strings; and
      
      store, in the data structure, the set of model strings and the frequency with which the second set of characters precedes or follows the set of model strings.
  - 20. The computer-readable medium of claim 14, where the one or more instructions, that cause the one or more processors to determine whether the candidate text includes random text, further cause the one or more processors to:
    - determine whether the frequency satisfies a threshold; and
      
      determine whether the candidate text includes random text based on determining whether the frequency satisfies the threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Tyagi, Ankur
Primary Examiner(s)
Brown, Anthony
Assistant Examiner(s)
Anderson, Michael D

Application Number

US14/586,144
Time in Patent Office

896 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/562   Static detection

H04L 63/0227   Filtering policies mail mes...

H04L 63/10   for controlling access to d...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

Using a probability-based model to detect random content in a protocol field associated with network traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

9 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Using a probability-based model to detect random content in a protocol field associated with network traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links