Systems and methods for traffic classification

US 10,050,986 B2
Filed: 02/08/2017
Issued: 08/14/2018
Est. Priority Date: 06/14/2013
Status: Active Grant

First Claim

Patent Images

1. A method of classifying network traffic comprising:

performing processing associated with monitoring, with a domain identification module in communication with a processor circuit and a network, network traffic;

performing processing associated with comparing, with a traffic classification module in communication with the processor circuit and the domain identification module, the network traffic with a control protocol template (CPT) stored in a database in communication with the domain identification module and the processor circuit;

when a similarity between the monitored traffic and the CPT exceeds a match threshold, performing processing associated with associating, with the domain identification module, the monitored traffic with the CPT;

when the similarity between the monitored traffic and the CPT does not exceed the match threshold, performing processing associated with identifying, with the traffic classification module, the monitored traffic as having an unknown classification;

performing processing associated with monitoring, with a CPT generation module in communication with the processor circuit and the network, traffic on the network to identify malicious traffic;

performing processing associated with clustering, with the CPT generation module, identified associated traffic into a cluster including one or more similar network requests;

performing processing associated with generating, with the CPT generation module, a CPT associated with the cluster, the CPT including information allowing a network request similar to the one or more network requests of the cluster to be identified based on the CPT; and

performing processing associated with combining, with the CPT generation module, the CPT with a second CPT associated with a second cluster of one or more network requests similar to the network requests associated with the CPT.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods of classifying network traffic may monitor network traffic. Monitored traffic may be compared with a control protocol template (CPT). When a similarity between the monitored traffic and the CPT exceeds a match threshold, the monitored traffic may be associated with the CPT.

278 Citations

18 Claims

1. A method of classifying network traffic comprising:
- performing processing associated with monitoring, with a domain identification module in communication with a processor circuit and a network, network traffic;
  
  performing processing associated with comparing, with a traffic classification module in communication with the processor circuit and the domain identification module, the network traffic with a control protocol template (CPT) stored in a database in communication with the domain identification module and the processor circuit;
  
  when a similarity between the monitored traffic and the CPT exceeds a match threshold, performing processing associated with associating, with the domain identification module, the monitored traffic with the CPT;
  
  when the similarity between the monitored traffic and the CPT does not exceed the match threshold, performing processing associated with identifying, with the traffic classification module, the monitored traffic as having an unknown classification;
  
  performing processing associated with monitoring, with a CPT generation module in communication with the processor circuit and the network, traffic on the network to identify malicious traffic;
  
  performing processing associated with clustering, with the CPT generation module, identified associated traffic into a cluster including one or more similar network requests;
  
  performing processing associated with generating, with the CPT generation module, a CPT associated with the cluster, the CPT including information allowing a network request similar to the one or more network requests of the cluster to be identified based on the CPT; and
  
  performing processing associated with combining, with the CPT generation module, the CPT with a second CPT associated with a second cluster of one or more network requests similar to the network requests associated with the CPT.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein:
    - performing processing associated with associating, with the traffic classification module, the monitored traffic with the CPT comprises identifying the monitored traffic as malicious and attributing the monitored traffic to a malware family associated with the CPT; and
      
      the CPT comprises malicious traffic data associated with the malware family and previously observed network traffic data.
  - 3. The method of claim 2, wherein:
    - performing processing associated with comparing, with the traffic classification module, the network traffic with the CPT comprises comparing the network traffic with a plurality of CPTs, wherein each of the plurality of CPTs comprises a different set of malicious traffic data; and
      
      performing processing associated with attributing, with the traffic classification module, the network traffic to a malware family associated with the CPT comprises attributing the network traffic to at least one malware family associated with at least one of the CPTs.
  - 4. The method of claim 2, further comprising:
    - performing processing associated with executing, with a binary classification module in communication with the processor circuit, the network, and the traffic classification module, a binary in a controlled environment and monitoring network traffic associated with the binary;
      
      performing processing associated with comparing, with the binary classification module, the network traffic associated with the binary to the CPT;
      
      when a similarity between the network traffic associated with the binary and the CPT exceeds a match threshold, performing processing associated with classifying, with the binary classification module, the binary as malicious and attributing the binary to a malware family associated with the CPT; and
      
      when the similarity between the network traffic associated with the binary and CPT does not exceed the match threshold, performing processing associated with classifying, with the binary classification module, the binary as having an unknown maliciousness.
  - 5. The method of claim 1, further comprising:
    - performing processing associated with adding, with the CPT generation module, the CPT to the database.
  - 6. The method of claim 1, further comprising:
    - performing processing associated with distributing, with the CPT generation module, the CPT to a remote computer in communication with the CPT generation module and the processor circuit via the network.
  - 7. The method of claim 2, further comprising:
    - performing processing associated with identifying, with an infected host identification module in communication with the processor circuit, a host which transmitted the monitored traffic and labeling the host as infected and/or attributing the host infection to a malware family.
  - 8. The method of claim 2, wherein:
    - performing processing associated with identifying, with the domain identification module in communication with the processor circuit, a domain associated with the monitored traffic and labeling the domain as malicious and/or attributing the domain to a malware family.

9. A method of comparing network traffic comprising:
- performing processing associated with comparing, with a malicious traffic comparison module in communication with a processor circuit and a network, malicious traffic of interest with historical malicious traffic data;
  
  performing processing associated with generating, with the malicious traffic comparison module, a report comprising the results of the comparison;
  
  performing processing associated with identifying, with the malicious traffic comparison module, a binary associated with the historical malicious traffic data;
  
  performing processing associated with monitoring, with a control protocol template (CPT) generation module in communication with the processor circuit and the network, traffic on the network to identify malicious traffic;
  
  performing processing associated with clustering, with the CPT generation module, identified malicious traffic into a cluster including one or more similar network requests;
  
  performing processing associated with generating, with the CPT generation module, a CPT associated with the cluster, the CPT including information allowing a network request similar to the one or more network requests of the cluster to be identified based on the CPT; and
  
  performing processing associated with combining, with the CPT generation module, the CPT with a second CPT associated with a second cluster of one or more network requests similar to the network requests associated with the CPT.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The method of claim 9, wherein the report comprises a visual comparison of the known malicious traffic and a portion of the historical malicious traffic data with a highest similarity to the malicious traffic of interest.
  - 11. The method of claim 9, wherein the identified binary is associated with a portion of the historical malicious traffic data with a highest similarity to the malicious traffic of interest.
  - 12. The method of claim 9, further comprising:
    - performing processing associated with identifying, with the malicious traffic comparison module, a system trace and/or a network trace associated with the binary.
  - 13. The method of claim 9, further comprising:
    - performing processing associated with monitoring, with a traffic classification module in communication with the processor circuit, the network, and the malicious traffic comparison module, network traffic;
      
      performing processing associated with comparing, with the traffic classification module, the network traffic with a CPT stored in a database in communication with the binary classification module and the processor circuit;
      
      when a similarity between the monitored traffic and the CPT exceeds a match threshold, performing processing associated with identifying, with the traffic classification module, the monitored traffic as malicious and attributing the monitored traffic to a malware family associated with the CPT; and
      
      when the similarity between the monitored traffic and the CPT does not exceed the match threshold, performing processing associated with identifying, with the traffic classification module, the monitored traffic as having an unknown maliciousness,wherein the CPT comprises malicious traffic data associated with the malware family and previously observed network traffic data.
  - 14. The method of claim 13, wherein:
    - performing processing associated with comparing, with the traffic classification module, the network traffic with the CPT comprises comparing the network traffic with a plurality of CPTs, wherein each of the plurality of CPTs comprises a different set of malicious traffic data; and
      
      performing processing associated with attributing, with the traffic classification module, the network traffic to a malware family associated with the CPT comprises attributing the network traffic to at least one malware family associated with at least one of the CPTs.
  - 15. The method of claim 9, further comprising:
    - performing processing associated with executing, with a binary classification module in communication with the processor circuit, the network, and the malicious traffic comparison module, a binary in a controlled environment and monitoring network traffic associated with the binary;
      
      performing processing associated with comparing, with the binary classification module, the network traffic associated with the binary to the CPT;
      
      when a similarity between the network traffic associated with the binary and the CPT exceeds a match threshold, performing processing associated with classifying, with the binary classification module, the binary as malicious and attributing the binary to a malware family associated with the CPT; and
      
      when the similarity between the network traffic associated with the binary and CPT does not exceed the match threshold, performing processing associated with classifying, with the binary classification module, the binary as having an unknown maliciousness.
  - 16. The method of claim 9, further comprising:
    - performing processing associated with adding, with the CPT generation module, the CPT to the database.
  - 17. The method of claim 9, further comprising:
    - performing processing associated with distributing, with the CPT generation module, the CPT to a remote computer in communication with the CPT generation module and the processor circuit via the network.
  - 18. The method of claim 9, wherein:
    - the previously observed network traffic data comprises data indicating a frequency for each of a plurality of network traffic types; and
      
      the match threshold is based on the frequencies, wherein a match threshold associated with one of the plurality of network traffic types having a relatively high frequency is higher than a match threshold associated with one of the plurality of network traffic types having a relatively low frequency.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc.
Original Assignee
Damballa Incorporated
Inventors
Nelms, Terry Lee, Hobson, Andrew, Ward, Joseph
Primary Examiner(s)
Cribbs, Malcolm

Application Number

US15/427,150
Publication Number

US 20170230393A1
Time in Patent Office

552 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Systems and methods for traffic classification

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

278 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for traffic classification

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

278 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links