Graph-based techniques for detecting coordinated network attacks
First Claim
1. A system, comprising:
a processor; and
a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when executed cause the processor to:
process one or more proxy logs in order to generate a graph of domains, wherein those domain pairs in the graph that are connected have low support in that the number of times the domain pairs are visited is lower than a predetermined support threshold and high confidence in that users accessing the domain pairs are redirected to another domain a greater number of times than a predetermined confidence threshold;
identify one or more domains within the graph that are highly connected to other domains in the graph in that the one or more domains have a degree of connectivity to said other domains higher than a connectivity threshold; and
flag the identified domains as suspicious domains, wherein processing the proxy logs includes:
deciding whether to normalize domain names;
in the event it is decided to normalize domain names, normalizing domain names so that all domain names are at a same level;
deciding whether to filter domain names using a whitelist;
in the event it is decided to filter domain names, filtering out whitelisted domains using the whitelist;
filtering out invalid domain names;
performing user-specific sessionization using a specified time window to create a plurality of buckets;
calculating a support value and a confidence value for each possible domain pair from the overall plurality of buckets in the full dataset; and
creating an edge in the graph between those domain pairs that have a support value that is less than a support threshold and a confidence value that is greater than a confidence threshold.
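The processing steps of the claim carried through end to end, as an added example that is not the patent's own implementation. It assumes the standard association-rule definitions (support of a pair is the number of sessionized buckets containing both domains; confidence of a->c is support(a,c)/support(a)), a last-two-labels heuristic for normalization, and a constructed proxy log, whitelist and thresholds.

```python
import re
from collections import Counter, defaultdict
from itertools import permutations

# Constructed sample proxy log (not real traffic): "epoch_seconds user domain".
SAMPLE_LOG = """\
1000 alice blog-one.example
1010 alice cdn.bad-redirect.example
2000 bob news-two.example
2005 bob cdn.bad-redirect.example
3000 carol shop-three.example
3030 carol cdn.bad-redirect.example
4000 dave portal.example
4005 dave mail.example
4010 dave ads.example
4011 dave bad_name
5000 erin portal.example
5020 erin mail.example
"""
WHITELIST = {"ads.example"}  # assumed allowlist of known-good domains
VALID_DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

def normalize(domain):
    """Collapse to the last two labels; a stand-in for public-suffix-aware logic."""
    return ".".join(domain.lower().split(".")[-2:])

def sessionize(log_text, window, whitelist=WHITELIST):
    """User-specific sessionization: one bucket of domains per (user, time window)."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        ts, user, dom = line.split()
        dom = normalize(dom)
        if not VALID_DOMAIN.match(dom) or dom in whitelist:
            continue  # drop invalid and whitelisted names before pairing
        buckets[(user, int(ts) // window)].add(dom)
    return list(buckets.values())

def build_graph(buckets, support_thr, conf_thr):
    """Directed edge a->c when support(a,c) < support_thr and support(a,c)/support(a) > conf_thr."""
    single, pair = defaultdict(int), defaultdict(int)
    for b in buckets:
        for d in b:
            single[d] += 1
        for a, c in permutations(b, 2):
            pair[(a, c)] += 1
    return {e for e, n in pair.items() if n < support_thr and n / single[e[0]] > conf_thr}

def suspicious_domains(edges, degree_thr):
    """Flag domains whose in-degree (distinct rare sources leading to them) exceeds degree_thr."""
    degree = Counter(c for _, c in edges)
    return {d for d, n in degree.items() if n > degree_thr}
```

With a support threshold of 2, confidence threshold of 0.5 and connectivity threshold of 2, the three rarely visited sites each get an edge into bad-redirect.example while the frequent portal/mail pair gets none, so only the shared redirect target is flagged.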
Abstract
One or more proxy logs are processed in order to generate a graph of domains, wherein those domain pairs in the graph that are connected have low support and high confidence. One or more domains within the graph that are highly connected to other domains in the graph are identified. The identified domains are flagged as suspicious domains.
14 Claims
6. A method, comprising:
using a processor to process one or more proxy logs in order to generate a graph of domains, wherein those domain pairs in the graph that are connected have low support in that the number of times the domain pairs are visited is lower than a predetermined support threshold and high confidence in that users accessing the domain pairs are redirected to another domain a greater number of times than a predetermined confidence threshold;
identifying one or more domains within the graph that are highly connected to other domains in the graph in that the one or more domains have a degree of connectivity to said other domains higher than a connectivity threshold; and
flagging the identified domains as suspicious domains, wherein processing the proxy logs includes:
deciding whether to normalize domain names;
in the event it is decided to normalize domain names, normalizing domain names so that all domain names are at a same level;
deciding whether to filter domain names using a whitelist;
in the event it is decided to filter domain names, filtering out whitelisted domains using the whitelist;
filtering out invalid domain names;
performing user-specific sessionization using a specified time window to create a plurality of buckets;
calculating a support value and a confidence value for each possible domain pair from the overall plurality of buckets in the full dataset; and
creating an edge in the graph between those domain pairs that have a support value that is less than a support threshold and a confidence value that is greater than a confidence threshold.
Dependent claims: 7, 8, 9, 10.
11. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
processing one or more proxy logs in order to generate a graph of domains, wherein those domain pairs in the graph that are connected have low support in that the number of times the domain pairs are visited is lower than a predetermined support threshold and high confidence in that users accessing the domain pairs are redirected to another domain a greater number of times than a predetermined confidence threshold;
identifying one or more domains within the graph that are highly connected to other domains in the graph in that the one or more domains have a degree of connectivity to said other domains higher than a connectivity threshold; and
flagging the identified domains as suspicious domains, wherein processing the proxy logs includes:
deciding whether to normalize domain names;
in the event it is decided to normalize domain names, normalizing domain names so that all domain names are at a same level;
deciding whether to filter domain names using a whitelist;
in the event it is decided to filter domain names, filtering out whitelisted domains using the whitelist;
filtering out invalid domain names;
performing user-specific sessionization using a specified time window to create a plurality of buckets;
calculating a support value and a confidence value for each possible domain pair from the overall plurality of buckets in the full dataset; and
creating an edge in the graph between those domain pairs that have a support value that is less than a support threshold and a confidence value that is greater than a confidence threshold.
Dependent claims: 12, 13, 14.
Specification