Training a classifier used to detect network anomalies with supervised learning
US-2019138938-A1 · May 9, 2019 · US
Non-protocol specific system and method for classifying suspect IP addresses as sources of non-targeted attacks on cloud based machines
US10511615B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10511615-B2 |
| Application number | US-201715587588-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 5, 2017 |
| Priority date | May 5, 2017 |
| Publication date | Dec 17, 2019 |
| Grant date | Dec 17, 2019 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
A system for detecting a non-targeted attack by a first machine on a second machine is provided. The system includes an application that includes instructions configured to: extract network data corresponding to traffic flow between the first and second machines, where the second machine is implemented in a cloud-based network; identify a first suspect external IP address based on the network data; calculate features for the first suspect external IP address, where the features include exploration type features and exploitation type features; train a classifier based on predetermined examples and the features to generate and update a model; classify the first suspect external IP address based on the model and at least some of the features; and perform a countermeasure if a classification provided from classifying the first suspect external IP address indicates that the first suspect external IP address is associated with a malicious attack on the second machine.
First claim
Opening claim text (preview).
What is claimed is: 1. A system for detecting a non-targeted attack by a first machine on a second machine, wherein the second machine is implemented in a server computer of a service provider, the system comprising: a processor; a memory; and an application stored in the memory and including instructions, which are executable by the processor and that are configured to extract network data corresponding to traffic flow between the first machine and the second machine, wherein the second machine is implemented in a cloud-based network, identify a first suspect external Internet protocol address based on the network data, calculate a plurality of features for the first suspect external Internet protocol address, wherein the plurality of features include exploration type features and exploitation type features, train a classifier based on predetermined examples and the plurality of features to generate and update a model, classify the first suspect external Internet protocol address based on the model and at least some of the plurality of features, and perform a countermeasure if a classification provided from classifying the first suspect external Internet protocol address indicates that the first suspect external Internet protocol address is associated with a malicious attack on the second machine. 2. The system of claim 1 , wherein: the network data includes Internet protocol flow information export data; and the instructions are configured to determine the first suspect external Internet protocol address based on the Internet protocol flow information export data. 3. The system of claim 1 , wherein the instructions are further configured to: identify a plurality of external Internet protocol addresses based on the network data; and pre-filter the plurality of external Internet protocol addresses to provide at least the first suspect external Internet protocol address. 4. The system of claim 1 , wherein the instructions are further configured to: identify whether a plurality of interactions between the first suspect external Internet protocol address and one or more internal Internet protocol addresses are short interactions or long interactions, wherein the one or more internal Internet protocol addresses are of one or more machines in the cloud-based network, and wherein the one or more machines includes the second machine; and identify the first suspect external Internet protocol address as an address to classify based on the identification of the plurality of interactions as short interactions or long interactions. 5. The system of claim 4 , wherein the instructions are further configured to: identify a plurality of external Internet protocol addresses based on the network data; pre-filter the plurality of external Internet protocol addresses to provide a plurality of suspect external Internet protocol addresses including the first suspect external Internet protocol address; filter the plurality of suspect external Internet protocol addresses to provide a subset based on the identifying of the plurality of interactions as short interactions or long interactions; and classify the suspect external Internet protocol addresses in the subset based on the identifying of the plurality of interactions as short interactions or long interactions. 6. The system of claim 1 , wherein: a first portion of the plurality of features are associated with exploration interactions; a second portion of the plurality of features are associated with exploitation interactions; and the classifying of the first suspect external Internet protocol address is based on the first portion and the second portion. 7. The system of claim 1 , wherein the instructions are further configured to: identify a plurality of suspect external Internet protocol addresses including the first suspect external Internet protocol address; filter out external Internet protocol addresses with less than a first predetermined number of short interactions or less than a second predetermined number of long interactions to provide a first subset; filter out each external Internet protocol address of the first subset for which a predetermined number or percentage of interactions between the corresponding external Internet protocol address and one or more internal Internet protocol addresses were not via a single port of the first machine to provide a second subset; and classify the suspect external Internet protocol addresses in the second subset. 8. The system of claim 1 , wherein the instructions are further configured to: determine at least one of a first number of interactions between (i) the first suspect external Internet protocol address and (ii) internal Internet protocol addresses of machines in the cloud-based network associated with subscriptions of a service provider of the cloud-based network, a second number of interactions between (i) the first suspect external Internet protocol address and (ii) machines in the cloud-based network associated with subscriptions of a service provider of the cloud-based network, or a number of different subscriptions associated with internal Internet protocol addresses interacted with by the first suspect external Internet protocol address; and generate the countermeasure if at least one of the first number of interactions, the second number of interactions or the number of subscriptions is less than a predetermined value. 9. The system of claim 1 , wherein the instructions are further configured to: determine whether an interaction between the first suspect external Internet protocol address and an internal Internet protocol addresses is a long interaction, wherein the internal Internet protocol address is an address of the second machine; and perform the countermeasure including alerting the second machine of the malicious attack. 10. A system for detecting an attack by a first machine on a second machine, wherein the second machine is implemented in a server computer of a service provider, the system comprising: a processor; a memory; and an application stored in the memory and including instructions, which are executable by the processor and that are configured to extract network data corresponding to traffic flow between the first machine and the second machine, wherein the second machine is implemented in a cloud-based network, determine a first suspect external Internet protocol address based on the network data, calculate a plurality of features for the first suspect external Internet protocol address, wherein the plurality of features include exploration type features and exploitation type features, classify the first suspect external Internet protocol address based on a model and at least some of the plurality of features, wherein the model is based on predetermined examples, and wherein each of the predetermined examples has a respective set of features, and perform a countermeasure if classification of the suspect Internet protocol address indicates that the suspect Internet protocol address is associated with a malicious attack on the second machine. 11. The system of claim 10 , wherein: the network data includes Internet protocol flow information export data; and the instructions are configured to determine the suspect Internet protocol address based on the Internet protocol flow information export data. 12. The system of claim 10 , wherein the instructions are further configured to: identify a plurality of external Internet protocol addresses based on the network data; and pre-filter the plurality of external Internet protocol addresses to provide at least the first suspect external Internet protocol a
Assignees
Inventors
Classifications
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
Traffic logging, e.g. anomaly detection · CPC title
Machine learning · CPC title
in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46) · CPC title
- H04L63/1416Primary
Event detection, e.g. attack signature detection · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10511615B2 cover?
- A system for detecting a non-targeted attack by a first machine on a second machine is provided. The system includes an application that includes instructions configured to: extract network data corresponding to traffic flow between the first and second machines, where the second machine is implemented in a cloud-based network; identify a first suspect external IP address based on the network d…
- Who is the assignee on this patent?
- Microsoft Technology Licensing Llc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Dec 17 2019 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 7 related publications on this page (citations in our corpus or others sharing the same primary CPC).