SOFTWARE NETWORK BEHAVIOR ANALYSIS AND IDENTIFICATION SYSTEM

US 20150096019A1
Filed: 09/30/2013
Published: 04/02/2015
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting, at a detection module, an indicator corresponding to a suspicious software component, wherein the indicator is detected based on monitored network data of a network system and based on a plurality of network behavior profiles, at least one of the network behavior profiles including an ordered sequence of network actions;

determining, at an identification module, whether the indicator corresponds to any of the plurality of network behavior profiles; and

generating output data in response to a determination that the indicator corresponds to a particular network behavior profile of the plurality of network behavior profiles.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A particular method includes detecting, at a detection module, an indicator corresponding to a suspicious software component, where the indicator is detected based on monitored network data of a network system and based on a plurality of network behavior profiles. At least one of the network behavior profiles includes an ordered sequence of network actions. The method further includes determining, at an identification module, whether the indicator corresponds to any of the plurality of network behavior profiles. The method further includes generating output data in response to a determination that the indicator corresponds to a particular network behavior profile of the plurality of network behavior profiles.

Citations

20 Claims

1. A method comprising:
- detecting, at a detection module, an indicator corresponding to a suspicious software component, wherein the indicator is detected based on monitored network data of a network system and based on a plurality of network behavior profiles, at least one of the network behavior profiles including an ordered sequence of network actions;
  
  determining, at an identification module, whether the indicator corresponds to any of the plurality of network behavior profiles; and
  
  generating output data in response to a determination that the indicator corresponds to a particular network behavior profile of the plurality of network behavior profiles.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the monitored network data is generated from network data generated when the suspicious software component is active on a device coupled to a network of the network system.
  - 3. The method of claim 1, wherein the suspicious software component includes at least one of malware, spyware, virus software, trojan software, advanced persistent threat software, or a particular software component targeted for removal.
  - 4. The method of claim 1, wherein the indicator corresponds to at least one of a timed sequence of network actions and pauses, an ordered sequence of network actions, a sequence of network actions within a time period, or a characteristic of a particular network action.
  - 5. The method of claim 4, wherein the characteristic includes at least one of an internet protocol address accessed during the particular network action, a duration of the particular network action, a communication protocol associated with the particular network action, or an amount of bandwidth associated with the particular network action.
  - 6. The method of claim 4, wherein the ordered sequence of network actions includes port accesses.
  - 7. The method of claim 1, wherein the monitored network data corresponds to activity of the suspicious software component.
  - 8. The method of claim 1, further comprising:
    - detecting, at the detection module, a second indicator corresponding to the suspicious software component, wherein the second indicator is detected based on the monitored network data of the network system and based on the plurality of network behavior profiles;
      
      determining, at the identification module, whether the second indicator corresponds to any of the plurality of network behavior profiles; and
      
      generating second output data in response to a determination that the indicator and the second indicator together do not correspond to any network behavior profile of the plurality of network behavior profiles.
  - 9. The method of claim 8, further comprising sending the second output data to a computing system configured to generate another network behavior profile based on the indicator and the second indicator.
  - 10. The method of claim 1, wherein the particular network behavior profile includes at least one of a detection setting, or weighting information.
  - 11. The method of claim 1, further comprising:
    - generating a first rating associated with the indicator based on weighting information;
      
      generating a second rating associated with another indicator based on the weighting information; and
      
      combining the first rating and the second rating to generate a total rating for a particular internet protocol address associated with a device that corresponds to the monitored network data.
  - 12. The method of claim 1, further comprising:
    - generating, for a particular internet protocol address associated with a device that corresponds to the monitored network data, a total rating based on the indicator;
      
      comparing the total rating to a rating threshold; and
      
      determining whether the indicator corresponds to at least one network behavior profile in response to a determination that the total rating satisfies the rating threshold.

13. A system comprising:
- a processor; and
  
  a memory coupled to the processor, the memory storing instructions that, when executed by the processor, cause the processor to perform operations comprising;
  
  detecting, at a detection module, an indicator corresponding to a suspicious software component, wherein the indicator is detected based on monitored network data of a network system and based on a plurality of network behavior profiles, at least one of the network behavior profiles including an ordered sequence of network actions;
  
  determining, at an identification module, whether the indicator corresponds to any of the plurality of network behavior profiles; and
  
  generating output data in response to a determination that the indicator corresponds to a particular network behavior profile of the plurality of network behavior profiles.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The system of claim 13, wherein the operations further include:
    - receiving the plurality of network behavior profiles, wherein the plurality of network behavior profiles includes a plurality of detection settings associated with a plurality of software components;
      
      storing the plurality of network behavior profiles; and
      
      selecting a subset of the plurality of detection settings to generate a set of detectable detection settings, wherein each detection setting of the set of detectable detection settings is unique within the set of detectable detection settings.
  - 15. The system of claim 14, wherein the operations further include:
    - comparing each detection setting of the set of detectable detection settings to the monitored network data in parallel; and
      
      detecting the indicator when the monitored network data includes characteristics that match a particular detection setting of the set of detectable detection settings.
  - 16. The system of claim 13, wherein the operations further include:
    - generating a first identification rating based on a first correspondence between the indicator and a first network behavior profile of the plurality of network behavior profiles;
      
      generating a second identification rating based on a second correspondence between the indicator and a second network behavior profile of the plurality of network behavior profiles;
      
      wherein the suspicious software component is determined to correspond to the first network behavior profile based on a determination that the first identification rating is greater than a greatest identification rating associated with other network behavior profiles of the plurality of network behavior profiles and that the first identification rating satisfies an identification threshold; and
      
      wherein the suspicious software component is determined to not correspond to the first network behavior profile based on a determination that the first identification rating does not satisfy the identification threshold.
  - 17. The system of claim 13, wherein the operations further include:
    - generating a detection tree based on the plurality of network behavior profiles, wherein the detection tree indicates that a first detection setting of a plurality of detection settings depends on a second detection setting of the plurality of detection settings; and
      
      comparing the second detection setting to the monitored network data to detect a second indicator; and
      
      comparing the first detection setting to the monitored network data to detect a first indicator in response to a determination that the monitored network data includes the second indicator.

18. A computer-readable storage device storing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- detecting, at a detection module, an indicator corresponding to a suspicious software component based on monitored network data of a network system and based on a plurality of network behavior profiles, at least one of the network behavior profiles including an ordered sequence of network actions;
  
  determining, at an identification module, whether the indicator corresponds to any of the plurality of network behavior profiles; and
  
  generating first output data in response to a determination that the indicator correspond to a particular network behavior profile of the plurality of network behavior profiles.
- View Dependent Claims (19, 20)
- - 19. The computer-readable storage device of claim 18, wherein the operations further include:
    - receiving information identifying a plurality of Internet protocol (IP) addresses at the processor;
      
      generating a filtered subset of the plurality of IP addresses; and
      
      detecting the indicator from the monitored network data corresponding to IP addresses of the filtered subset of the plurality of IP addresses.
  - 20. The computer-readable storage device of claim 18, wherein the operations further include, in response to the determination that the indicator corresponds to a particular network behavior profile, prohibiting a device associated with a particular internet protocol (IP) address from accessing a network of the network system, wherein the indicator corresponds to the particular IP address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Davis, Aaron R., Aldrich, Timothy M., Bialek, Matthew S., Lemm, Timothy M., Kospiah, Shaun

Granted Patent

US 9,479,521 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/145 the attack involving the pr...

SOFTWARE NETWORK BEHAVIOR ANALYSIS AND IDENTIFICATION SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SOFTWARE NETWORK BEHAVIOR ANALYSIS AND IDENTIFICATION SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links