Title Application-level DDoS detection using service profiling
Abstract A method for detecting a malicious network activity. The method includes extracting, based on a pre-determined criterion, a plurality of protection phase feature sequences extracted from a first plurality of network traffic sessions exchanged during a protection phase between a server device and a first plurality of client devices of a network, comparing the plurality of protection phase feature sequences and a plurality of profiling phase feature sequences to generate a comparison result, where the plurality of profiling phase feature sequences were extracted from a second plurality of network traffic sessions exchanged during a profiling phase prior to the protection phase between the server device and a second plurality of client devices of the network, and generating, in response to detecting a statistical measure of the comparison result exceeding a pre-determined threshold, an alert indicating the malicious network activity.
Publication number US9521162(B1) Publication date 2016.12.13
Application number US201414550422 Filing date 2014.11.21
Applicant Narus, Inc. Inventors Zand Ali;Modelo-Howard Gaspar;Tongaonkar Alok;Lee Sung-Ju;Kruegel Christopher;Vigna Giovanni
Classification G06F11/00;H04L29/06 Main classification G06F11/00
Agency Kwan & Olynick LLP Agent Kwan & Olynick LLP
Main claim 1. A method for detecting a malicious network activity, comprising: extracting, based on a first pre-determined criterion and from a network traffic session exchanged during a protection phase between a server device and a client device of a network, a plurality of consecutive segments, wherein each of the plurality of consecutive segments comprises a sequence of consecutive packets exchanged between the server device and the client device; extracting, based on a second pre-determined criterion, a feature sequence from each of the plurality of consecutive segments, wherein the feature sequence comprises a sequence of feature vectors corresponding to and representing the sequence of consecutive packets, each feature vector corresponding to a packet in the sequence of consecutive packets and including: a packet direction, a packet payload length of a server transmitted packet, a packet payload length range of a client transmitted packet, packet flags, and a packet inter-arrival time; including the feature sequence in a plurality of protection phase feature sequences extracted from a first plurality of network traffic sessions exchanged during the protection phase between the server device and a first plurality of client devices of the network, wherein the plurality of protection phase feature sequences are extracted from the plurality of network traffic sessions based on the first pre-determined criterion and the second pre-determined criterion; comparing the plurality of protection phase feature sequences and a plurality of profiling phase feature sequences to generate a comparison result, wherein the plurality of profiling phase feature sequences were extracted from a second plurality of network traffic sessions exchanged during a profiling phase prior to the protection phase between the server device and a second plurality of client devices of the network, wherein generating a comparison result includes extracting, from the plurality of protection phase feature sequences, a set of suspicious feature sequences by excluding any feature sequence not found in the plurality of profiling phase feature sequences; and generating, in response to detecting a statistical measure of the comparison result exceeding a pre-determined threshold, an alert indicating the malicious network activity.
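As an added illustration of the profiling/protection scheme in claim 1 (example code written here, not code from the patent or from Narus), the following Python sketch builds a per-packet feature vector with the five fields the claim lists, groups packets into fixed-length segments, collects profiling-phase feature sequences into a set, and in the protection phase measures the fraction of feature sequences absent from that set against a threshold. The segment length, the client payload-length ranges, the inter-arrival-time binning and the traffic samples are constructed assumptions; the claim fixes none of them.

```python
"""Toy profiling-then-protection detector modelled on claim 1 (constructed example)."""
from typing import List, Set, Tuple

# A packet is (direction, payload_len, tcp_flags, inter_arrival_ms); direction is 'C' or 'S'.
Packet = Tuple[str, int, str, float]
FeatureVec = Tuple[str, object, str, int]
FeatureSeq = Tuple[FeatureVec, ...]

SEGMENT_LEN = 3  # first pre-determined criterion (assumption): fixed window of consecutive packets

def bucket_len(n: int) -> str:
    """Client payload lengths are coarsened into ranges so minor request variation still matches."""
    return "0" if n == 0 else "1-100" if n <= 100 else "101-1000" if n <= 1000 else ">1000"

def bucket_iat(ms: float) -> int:
    """Inter-arrival time binned on a log2 scale (assumption: the claim does not fix the binning)."""
    return 0 if ms < 1 else int(ms).bit_length()

def feature_vector(p: Packet) -> FeatureVec:
    """Second pre-determined criterion: direction, exact server length or client length range, flags, IAT bin."""
    d, n, flags, iat = p
    length = n if d == "S" else bucket_len(n)
    return (d, length, flags, bucket_iat(iat))

def feature_sequences(session: List[Packet]) -> List[FeatureSeq]:
    """Split a session into consecutive segments and map each segment to a feature sequence."""
    return [tuple(feature_vector(p) for p in session[i:i + SEGMENT_LEN])
            for i in range(0, len(session) - SEGMENT_LEN + 1, SEGMENT_LEN)]

def build_profile(sessions: List[List[Packet]]) -> Set[FeatureSeq]:
    """Profiling phase: every feature sequence seen on benign sessions becomes part of the profile."""
    return {fs for s in sessions for fs in feature_sequences(s)}

def detect(profile: Set[FeatureSeq], sessions: List[List[Packet]], threshold: float = 0.5) -> Tuple[float, bool]:
    """Protection phase: suspicious = sequences not in the profile; alert when their share exceeds threshold."""
    seqs = [fs for s in sessions for fs in feature_sequences(s)]
    suspicious = [fs for fs in seqs if fs not in profile]
    ratio = len(suspicious) / len(seqs) if seqs else 0.0
    return ratio, ratio > threshold

# Constructed traffic: small GET, large response, ACK (benign) versus repeated oversized client bodies.
BENIGN: List[List[Packet]] = [
    [("C", 80, "PA", 0.0), ("S", 1200, "PA", 5.0), ("C", 0, "A", 1.0)] * 2,
    [("C", 95, "PA", 0.0), ("S", 1500, "PA", 6.0), ("C", 0, "A", 1.0)] * 2,
]
ATTACK: List[List[Packet]] = [
    [("C", 5000, "PA", 0.0), ("S", 300, "PA", 2.0), ("C", 5000, "PA", 0.5)] * 2,
]

if __name__ == "__main__":
    prof = build_profile(BENIGN)
    print("benign:", detect(prof, BENIGN), "attack:", detect(prof, ATTACK))
```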
Address Sunnyvale CA US