Detecting anomalous network application behavior

US 8,185,953 B2
Filed: 03/08/2007
Issued: 05/22/2012
Est. Priority Date: 03/08/2007
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-accessible storage medium comprising program instructions for detecting anomalous network application behavior, wherein the program instructions are executable to:

monitor a first plurality of communications between at least one client and a first one or more servers, wherein the at least one client and the first one or more servers communicate using one or more application protocols, wherein said monitoring the first plurality of communications is performed without participating in the communication between the at least one client and the first one or more servers;

determine a plurality of identifiers based on said monitoring the first plurality of communications, wherein at least a subset of the plurality of identifiers are comprised in content of the first plurality of communications, wherein said determining is performed without participating in the communication between the at least one client and the one or more servers, and wherein the plurality of identifiers comprise one or more of a contact, an IP address, a uniform resource identifier (URI), an extensible resource identifier (XRI), an email address, a service name, a device name, a telephone number, an SIP address, a domain name, an online screen name, an online handle, or a user name;

monitor a second plurality of communications between the at least one client and a second one or more servers, wherein the at least one client and the second one or more servers communicate using one or more application protocols, wherein said monitoring the second plurality of communications is performed without participating in the communication between the at least one client and the second one or more servers;

for one or more communications of the second plurality of communications, determine if the one or more communications are anomalous based at least in part on the at least a subset of the determined plurality of identifiers, wherein said determining is performed at the application-protocol level, wherein if the one or more communications do not correspond to one of the plurality of identifiers, the one or more communications of the at least one client are determined to be anomalous, wherein said determining comprises;

analyzing the second plurality of communications to determine non-anomalous network application behavior between the at least one client and the one or more servers using the at least a subset of the determined plurality of identifiers; and

determining the anomalous network application behavior by eliminating the determined non-anomalous network application behavior from the second plurality of communications; and

store information regarding the determined anomalous network application behavior.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and Method for detecting anomalous network application behavior. Network traffic between at least one client and one or more servers may be monitored. The client and the one or more servers may communicate using one or more application protocols. The network traffic may be analyzed at the application-protocol level to determine anomalous network application behavior. Analyzing the network traffic may include determining, for one or more communications involving the client, if the client has previously stored or received an identifier corresponding to the one or more communications. If no such identifier has been observed in a previous communication, then the one or more communications involving the client may be determined to be anomalous. A network monitoring device may perform one or more of the network monitoring, the information extraction, or the information analysis.

219 Citations

23 Claims

1. A non-transitory computer-accessible storage medium comprising program instructions for detecting anomalous network application behavior, wherein the program instructions are executable to:
- monitor a first plurality of communications between at least one client and a first one or more servers, wherein the at least one client and the first one or more servers communicate using one or more application protocols, wherein said monitoring the first plurality of communications is performed without participating in the communication between the at least one client and the first one or more servers;
  
  determine a plurality of identifiers based on said monitoring the first plurality of communications, wherein at least a subset of the plurality of identifiers are comprised in content of the first plurality of communications, wherein said determining is performed without participating in the communication between the at least one client and the one or more servers, and wherein the plurality of identifiers comprise one or more of a contact, an IP address, a uniform resource identifier (URI), an extensible resource identifier (XRI), an email address, a service name, a device name, a telephone number, an SIP address, a domain name, an online screen name, an online handle, or a user name;
  
  monitor a second plurality of communications between the at least one client and a second one or more servers, wherein the at least one client and the second one or more servers communicate using one or more application protocols, wherein said monitoring the second plurality of communications is performed without participating in the communication between the at least one client and the second one or more servers;
  
  for one or more communications of the second plurality of communications, determine if the one or more communications are anomalous based at least in part on the at least a subset of the determined plurality of identifiers, wherein said determining is performed at the application-protocol level, wherein if the one or more communications do not correspond to one of the plurality of identifiers, the one or more communications of the at least one client are determined to be anomalous, wherein said determining comprises;
  
  analyzing the second plurality of communications to determine non-anomalous network application behavior between the at least one client and the one or more servers using the at least a subset of the determined plurality of identifiers; and
  
  determining the anomalous network application behavior by eliminating the determined non-anomalous network application behavior from the second plurality of communications; and
  
  store information regarding the determined anomalous network application behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The non-transitory computer-accessible storage medium of claim 1, wherein said determining if the one or more communications are anomalous comprises:
    - for the one or more communications of the second plurality of communications, determining if the one or more communications are anomalous based on a list of known anomalous identifiers, wherein if the one or more communications correspond to a known anomalous identifier, the one or more communications between the at least one client and the server are determined to be anomalous.
  - 3. The non-transitory computer-accessible storage medium of claim 1, wherein said determining the plurality of identifiers comprises determining an identifier from one or more emails received by the at least one client.
  - 4. The non-transitory computer-accessible storage medium of claim 1, wherein said analyzing the second plurality of communications uses a Universal Resource Identifier (URI) comprised in the first plurality of communications.
  - 5. The non-transitory computer-accessible storage medium of claim 1, wherein said analyzing the second plurality of communications uses an identifier comprised in one or more recent searches comprised in the first plurality of communications.
  - 6. The non-transitory computer-accessible storage medium of claim 1, wherein said analyzing the second plurality of communications uses an identifier comprised in one or more online chat or instant messages received by the at least one client comprised in the first plurality of communications.
  - 7. The non-transitory computer-accessible storage medium of claim 1, wherein said analyzing the second plurality of communications uses an identifier associated with contacts with whom the at least one client has already communicated in the first plurality of communications.
  - 8. The non-transitory computer-accessible storage medium of claim 1, wherein said determining the plurality of identifiers comprises one or more of:
    - determining requested resources;
      
      determining resources that are referenced in response to requests;
      
      determining resources that are referenced in communications;
      
      determining contacts with whom a user of the client communicates;
      
      ordetermining contacts that are embedded in resources and/or communications.
  - 9. The non-transitory computer-accessible storage medium of claim 1, wherein said determining the plurality of identifiers comprises one or more of:
    - using a threshold value;
      
      comparing contacts to known ratings or reputation;
      
      determining geographic location of the contact;
      
      comparing an access time of the contact with the current time;
      
      comparing a communication with nearby communications to determine context of the communication;
      
      ordetermining at least one client communication patterns, wherein said determining anomalous network application behavior is based on the determined at least one client communication patterns.
  - 10. The non-transitory computer-accessible storage medium of claim 1, wherein said monitoring the first plurality of communications, said determining the plurality of identifiers, said monitoring the second plurality of communications, and said determining if the one or more communications are anomalous is performed by a network monitor device (NMD).
  - 11. The non-transitory computer-accessible storage medium of claim 1, wherein the program instructions are further executable to:
    - display the information regarding the determined anomalous network application behavior;
      
      receive user input regarding one or more of the anomalous communications specifying the one or more communications as anomalous or non-anomalous.
  - 12. The non-transitory computer-accessible storage medium of claim 1, wherein the program instructions are further executable to:
    - receive input specifying that a communication between a client and a server which was determined to be anomalous is non-anomalous; and
      
      store the identifier corresponding to the communication for future determinations, wherein future communications involving the identifier and the at least one client are not determined to be anomalous.
  - 13. The non-transitory computer-accessible storage medium of claim 1, wherein the program instructions are further executable to:
    - block communications determined to be anomalous;
      
      orreport communications determined to be anomalous.
  - 14. The non-transitory computer-accessible storage medium of claim 1, wherein the first plurality of communications between the at least one client and the first one or more servers or the second plurality of communications between the at least one client and the second one or more server comprises one or more of:
    - a request from an HTTP client to an HTTP server;
      
      a transaction to send or receive an email;
      
      ora message using an online chat or instant messaging service.
  - 15. The non-transitory computer-accessible storage medium of claim 1, wherein said determining the plurality of identifiers and determining if the one or more communications are anomalous comprises:
    - mapping the identifier to one or more other identifiers; and
      
      using the one or more other identifiers to determine if the one or more communications of the at least one client are anomalous.
  - 16. The non-transitory computer-accessible storage medium of claim 1, wherein the at least a subset of the plurality of identifiers comprise one or more email addresses comprised in a body of an email.
  - 17. The non-transitory computer-accessible storage medium of claim 16, wherein said determining if the one or more communications are anomalous comprises:
    - determining that a first communication of the one or more communications specifies an email address of the one or more email addresses as a destination email address; and
      
      determining that the first communication is not anomalous based on determining that the first communication specifies the email address as a destination email address.
  - 18. The non-transitory computer-accessible storage medium of claim 1, wherein the at least a subset of the plurality of identifiers comprise one or more URIs comprised in a body of a web page.
  - 19. The non-transitory computer-accessible storage medium of claim 18, wherein the web page comprises a search results web page of a search engine, wherein the one or more URIs correspond to search results of an initial query provided to the search engine.
  - 20. The non-transitory computer-accessible storage medium of claim 18, wherein said determining if the one or more communications are anomalous comprises:
    - determining that a first communication of the one or more communications specifies a first URI of the one or more URIs as a destination URI; and
      
      determining that the first communication is not anomalous based on determining that the first communication specifies the first URI as the destination URI.

21. A method for detecting anomalous network application behavior, comprising:
- monitoring a first plurality of communications between at least one client and a first one or more servers, wherein the at least one client and the first one or more servers communicate using one or more application protocols, wherein said monitoring the first plurality of communications is performed without participating in the communication between the at least one client and the first one or more servers;
  
  determining a plurality of uniform resource identifiers (URIs) based on said monitoring, wherein at least a subset of the plurality of URIs are comprised in content of the first plurality of communications, wherein said determining is performed without participating in the communication between the at least one client and the one or more servers;
  
  monitoring a second plurality of communications between the at least one client and a second one or more servers, wherein the at least one client and the second one or more servers communicate using one or more application protocols, wherein said monitoring the second plurality of communications is performed without participating in the communication between the at least one client and the second one or more servers;
  
  for one or more communications of the second plurality of communications, determining if the one or more communications are anomalous based at least in part on the at least a subset of the determined plurality of URIs, wherein said determining is performed at the application-protocol level, wherein if the one or more communications do not correspond to the plurality of URIs, the one or more communications of the at least one client are determined to be anomalous, wherein said determining comprises;
  
  analyzing the second plurality of communications to determine non-anomalous network application behavior between the at least one client and the one or more servers using the at least a subset of the determined plurality of identifiers; and
  
  determining the anomalous network application behavior by eliminating the determined non-anomalous network application behavior from the second plurality of communications; and
  
  storing information regarding the determined anomalous network application behavior.
- View Dependent Claims (22)
- - 22. The method of claim 21, further comprising:
    - flagging the one or more communications involving the at least one client for further analysis if they are determined to be anomalous; and
      
      performing one or more security actions based on said flagging.

23. A system for detecting anomalous network application behavior, comprising:
- a processor; and
  
  a memory medium coupled to the processor, comprising program instructions executable by the processor to;
  
  monitor network traffic between at least one client and one or more servers, wherein the at least one client and the one or more servers communicate using one or more application protocols, wherein said monitoring is performed without participating in the communication between the at least one client and the one or more servers, and wherein the network traffic comprises a first plurality of communications and a second plurality of communications;
  
  analyze the network traffic to determine anomalous network application behavior between the at least one client and the one or more servers, wherein said analyzing the network traffic to determine anomalous network application behavior comprises;
  
  determining a plurality of identifiers based on said monitoring, wherein at least a subset of the plurality of identifiers are comprised in content of the first plurality of communications, wherein said determining is performed without participating in the communication between the at least one client and the one or more servers, and wherein the plurality of identifiers comprise one or more of a contact, an IP address, a uniform resource identifier (URI), an extensible resource identifier (XRI), an email address, a service name, a device name, a telephone number, an SIP address, a domain name, an online screen name, an online handle, or a user name;
  
  for one or more communications of the second plurality of communications, determining if the one or more communications are anomalous based at least in part on the at least a subset of the determined plurality of identifiers, wherein said determining is performed at the application-protocol level, wherein if the one or more communications do not correspond to one of the plurality of identifiers, the one or more communications of the at least one client are determined to be anomalous, wherein said determining comprises;
  
  analyzing the second plurality of communications to determine non-anomalous network application behavior between the at least one client and the one or more servers using the at least a subset of the determined plurality of identifiers; and
  
  determining the anomalous network application behavior by eliminating the determined non-anomalous network application behavior from the second plurality of communications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Rothstein, Jesse Abraham, Mukerji, Arindum
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
HOLDER, BRADLEY W

Application Number

US11/683,643
Publication Number

US 20080222717A1
Time in Patent Office

1,902 Days
Field of Search

726/14, 726/22, 726/23, 726/24, 726/25
US Class Current

726/22
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1416 Event detection, e.g. attac...

Detecting anomalous network application behavior

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

219 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting anomalous network application behavior

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

219 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links