Identifying threats based on hierarchical classification
US-2015334125-A1 · Nov 19, 2015 · US
US9800597B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9800597-B2 |
| Application number | US-201615284403-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 3, 2016 |
| Priority date | May 16, 2014 |
| Publication date | Oct 24, 2017 |
| Grant date | Oct 24, 2017 |
Official abstract text for this publication.
A system and a method are disclosed for identifying network threats based on hierarchical classification. The system receives packet flows from a data network and determines flow features for the received packet flows based on data from the packet flows. The system also classifies each packet flow into a flow class based on flow features of the packet flow. Based on a criterion, the system selects packet flows from the received packet flows and places the selected packet flows into an event set that represents an event on the network. The system determines event set features for the event set based on the flow features of the selected packet flows. The system then classifies the event set into a set class based on the determined event set features. Based on the set class, the computer system may report a threat incident on an internetworking device that originated the selected packet flows.
Opening claim text (preview).
What is claimed is:

1. A method comprising: receiving, through a data network from an originating computing device, a plurality of packet flows that includes a set of packet flows associated with an event on the originating device; determining a plurality of set features for the set of packet flows by aggregating, into a particular set feature of the plurality of set features, a respective flow feature associated with each of two or more packet flows from the set of packet flows; classifying the set of packet flows into a set class based on the plurality of set features that include the particular set feature; wherein the set class corresponds to a threat level of the event on the originating computing device; based on the set class, reporting the threat level of the event on the originating computing device; and wherein the method is executed by one or more computing devices.

2. The method of claim 1, wherein the respective flow feature is a particular native flow feature representing a respective intrinsic property of each of the two or more packet flows.

3. The method of claim 1, wherein the respective flow feature is at least based on any one or more of: respective URL data from each of the two or more packet flows, a respective flow duration of each of the two or more packet flows, a respective number of bytes transferred in each of the two or more packet flows, a respective type of each of the two or more packet flows, a respective status of each of the two or more packet flows, a respective referrer of each of the two or more packet flows, a respective timestamp associated with each of the two or more packet flows, an internet address of a respective computing device originating each of the two or more packet flows, a type of a respective computing device originating each of the two or more packet flows, or a status of a respective computing device originating each of the two or more packet flows.

4. The method of claim 1, wherein the respective flow feature is a particular complex flow feature and the method further comprises determining the particular complex flow feature by calculating statistical properties of one or more respective native flow features of each of the two or more packet flows.

5. The method of claim 1, wherein the respective flow feature is a particular complex flow feature and the method further comprises determining the particular complex flow feature based on at least a portion of a respective URL string associated with each of the two or more packet flows.

6. The method of claim 5, wherein the determining the particular complex flow feature is based on a frequency of changes between consonants and vowels in at least the portion of the respective URL string.

7. The method of claim 5, wherein the determining the particular complex flow feature is based on whether at least the portion of the respective URL string contains any character that is in the UTF-8 character set but not in the ASCII character set.

8. The method of claim 5, wherein the determining the particular complex flow feature is based on a maximum number of a recurrence of a particular character or a particular type of character in at least the portion of the respective URL string as compared to a length of at least the portion of the respective URL string.

9. The method of claim 8, wherein the particular type of character is a special type of URL character.

10. The method of claim 5, wherein the determining the particular complex flow feature further comprises: selecting one or more trigrams from at least the portion of the respective URL string; and comparing the one or more trigrams with a plurality of trigrams from an existing repository of well-known domains.

11. The method of claim 1, further comprising: determining that the set of packet flows of the plurality of packet flows is associated with the event on the originating device by comparing one or more timestamps of one or more packet flows of the plurality of packet flows with one or more timestamps of one or more different packet flows of the plurality of packet flows.

12. The method of claim 1, further comprising: determining that the set of packet flows of the plurality of packet flows is associated with the event on the originating device by comparing one or more referrer flow features of one or more packet flows of the plurality of packet flows with one or more referrer flow features of one or more different packet flows of the plurality of packet flows.

13. A computer system comprising: one or more network interfaces that are configured to couple to a data network and to receive a plurality of packet flows therefrom; one or more hardware processors coupled to the one or more network interfaces and memory storing one or more instructions which, when executed by the one or more hardware processors, cause: receiving, through the data network from an originating computing device, the plurality of packet flows that includes a set of packet flows associated with an event on the originating device; determining a plurality of set features for the set of packet flows by aggregating, into a particular set feature of the plurality of set features, a respective flow feature associated with each of two or more packet flows from the set of packet flows; classifying the set of packet flows into a set class based on the plurality of set features that include the particular set feature; wherein the set class corresponds to a threat level of the event on the originating computing device; based on the set class, reporting the threat level of the event on the originating computing device.

14. The system of claim 13, wherein the respective flow feature is a particular native flow feature representing a respective intrinsic property of each of the two or more packet flows.

15. The system of claim 13, wherein the respective flow feature is at least based on any one or more of: respective URL data from each of the two or more packet flows, a respective flow duration of each of the two or more packet flows, a respective number of bytes transferred in each of the two or more packet flows, a respective type of each of the two or more packet flows, a respective status of each of the two or more packet flows, a respective referrer of each of the two or more packet flows, a respective timestamp associated with each of the two or more packet flows, an internet address of a respective computing device originating each of the two or more packet flows, a type of a respective computing device originating each of the two or more packet flows, or a status of a respective computing device originating each of the two or more packet flows.

16. The system of claim 13, wherein the respective flow feature is a particular complex flow feature and the one or more instructions comprise one or more instructions which, when executed by the one or more hardware processors, further cause determining the particular complex flow feature by calculating statistical properties of one or more respective native flow features of each of the two or more packet flows.

17. The system of claim 13, wherein the respective flow feature is a particular complex flow feature and the one or more instructions comprise one or more instructions which, when executed by the one or more hardware processors, further cause determining the particular complex flow feature based on at least a portion of a respective URL string associated with each of the two or more packet flows.

18. The system of claim 17, wherein the determining the particular complex flow
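The hierarchy the claims describe, as an added example that is not part of the patent: per-flow "complex flow features" computed on a URL host string (claims 6 to 10), aggregated into "set features" over the flows of one event (claim 1), then mapped to a threat level. The well-known-domain repository, the sample flows, the thresholds and the indicator-count rule are all constructed assumptions; the patent does not specify a classifier.

```python
from statistics import mean

# Constructed stand-in for the "existing repository of well-known domains" (claim 10).
WELL_KNOWN = ["example.com", "wikipedia.org", "github.com"]
VOWELS = set("aeiou")


def trigrams(s):
    return {s[i:i + 3] for i in range(len(s) - 2)}


KNOWN_TRIGRAMS = set().union(*(trigrams(d) for d in WELL_KNOWN))


def flow_features(host):
    """Complex flow features of claims 6-10, computed on the URL host part."""
    h = host.lower()
    letters = [c for c in h if c.isalpha()]
    changes = sum((a in VOWELS) != (b in VOWELS) for a, b in zip(letters, letters[1:]))
    tg = trigrams(h)
    return {
        "vc_rate": changes / max(len(letters) - 1, 1),                      # claim 6
        "non_ascii": any(ord(c) > 127 for c in h),                          # claim 7
        "max_repeat": max((h.count(c) for c in set(h)), default=0) / max(len(h), 1),  # claim 8
        "known_trigrams": len(tg & KNOWN_TRIGRAMS) / max(len(tg), 1),       # claim 10
    }


def set_features(flows):
    """Aggregate the per-flow features of an event set into set features (claim 1)."""
    feats = [flow_features(f["host"]) for f in flows]
    return {
        "flows": len(flows),
        "bytes": sum(f["bytes"] for f in flows),
        "mean_vc_rate": mean([x["vc_rate"] for x in feats]),
        "any_non_ascii": any(x["non_ascii"] for x in feats),
        "max_repeat": max(x["max_repeat"] for x in feats),
        "mean_known_trigrams": mean([x["known_trigrams"] for x in feats]),
    }


def classify_set(sf):
    """Constructed rule in place of the patent's unspecified set classifier."""
    indicators = (sf["mean_vc_rate"] < 0.35, sf["any_non_ascii"],
                  sf["max_repeat"] > 0.3, sf["mean_known_trigrams"] < 0.2)
    n = sum(indicators)
    return "high" if n >= 2 else "medium" if n == 1 else "low"


# Constructed event sets: flows from one originating device grouped into an event.
BENIGN = [{"host": "github.com", "bytes": 5120}, {"host": "wikipedia.org", "bytes": 2048}]
SUSPECT = [{"host": "xq7zkfp9vwm.biz", "bytes": 300}, {"host": "xq7zkfp9vwm.biz", "bytes": 280}]
```

Run `classify_set(set_features(SUSPECT))` to see the set-level verdict; the per-flow dictionaries show which of the claimed features contributed.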
CPC classifications: Vulnerability analysis · Denial of service attacks against network infrastructure · Event detection, e.g. attack signature detection · Retrieval from the web · involving long-term monitoring or reporting