Title: System and method for detecting network activity of interest
Abstract: A network activity detection system is trained to detect network activities of interest, such as threats posed by malicious computer data. The training involves distilling the characteristics of known network activities of interest (e.g., intrusion by computer viruses, exploits, worms, or the like) into a minimal set of meta-expressions. At run-time, the network activity detection system combines the minimal set of meta-expressions with efficient computer algorithms for evaluating meta-expressions in order to detect known network activities of interest, as well as their unknown variants, among an unknown set of network activity. The network activity detection system may produce appropriate responses upon the detection of network activities of interest.
Publication number: US9621578 (B2)    Publication date: 2017.04.11
Application number: US201213710322    Filing date: 2012.12.10
Applicant: TrustPipe LLC    Inventor: Flowers John S.
Classification: H04L29/06    Main classification: H04L29/06
Agent firm: Morrison & Foerster LLP    Agent: Morrison & Foerster LLP
Independent claim 1. A computer-implemented method for detecting a network activity of interest, the method comprising:
(a) obtaining, by one or more processors, a plurality of network packets from a network, wherein the obtained plurality of network packets comprises network packets categorized as Transmission Control Protocol (TCP) packets and Internet Protocol (IP) packets, and wherein the obtained plurality of network packets include the network activity of interest;
(b) creating, by the one or more processors, a combined packet from at least two network packets of the plurality of network packets obtained in (a), wherein creating the combined packet comprises converting, bitwise, content from a portion of a first network packet and a portion of a second network packet into a plurality of integers, wherein the first network packet represents a communication from a first node to a second node, wherein the second network packet represents a communication from the second node to the first node, and wherein the combined packet comprises the plurality of integers;
(c) obtaining a stored meta-expression that comprises a plurality of integers in an order, and that corresponds to presence of the network activity of interest in network traffic;
(d) determining whether the meta-expression obtained in (c) appears in the combined packet created in (b);
(e) in response to determining that the meta-expression obtained in (c) appears in the combined packet created in (b), initiating an operation.
Address: Healdsburg CA US
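The following is an added example, not TrustPipe code and not taken from the patent, that models steps (a) through (e) of claim 1 on two constructed packets: a request from node A to node B and the reply from B to A are parsed, their TCP payloads are converted bytewise into integers and concatenated into the "combined packet", and stored meta-expressions (ordered lists of integers) are checked against it. The claim does not fix what "a portion" of a packet is, what "converting, bitwise" yields, or what "appears in" means; the example assumes the TCP payload, one unsigned integer per byte, and shows both a contiguous-substring reading and an order-preserving (gapped) subsequence reading of step (d). The sample packets, meta-expressions and alert names are all constructed for illustration.

```python
import struct
from typing import Dict, List, Sequence


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a raw IPv4+TCP packet (checksums left zero; sufficient for parsing).
    Used only to construct sample input for this example."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, 6, 0,
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def tcp_payload(pkt: bytes) -> bytes:
    """Step (a): take the TCP payload of a raw IPv4 packet, honouring IHL and data offset."""
    if pkt[0] >> 4 != 4:
        raise ValueError("only IPv4 is handled in this example")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    data_off = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + data_off:total_len]


def combined_packet(first: bytes, second: bytes) -> List[int]:
    """Step (b): payload bytes of the A->B packet followed by the B->A packet, as ints.
    Assumption: "converting, bitwise" is taken to mean one integer per byte."""
    return list(tcp_payload(first)) + list(tcp_payload(second))


def appears_contiguous(seq: Sequence[int], meta: Sequence[int]) -> bool:
    """Stricter reading of step (d): the meta-expression occurs as a contiguous run."""
    n = len(meta)
    meta = list(meta)
    return any(list(seq[i:i + n]) == meta for i in range(len(seq) - n + 1))


def appears_in_order(seq: Sequence[int], meta: Sequence[int]) -> bool:
    """Looser reading of step (d): the integers occur in order, gaps allowed.
    `m in it` consumes the iterator, so each element is searched for after the previous one."""
    it = iter(seq)
    return all(m in it for m in meta)


def detect(first: bytes, second: bytes, meta_expressions: Dict[str, List[int]],
           gapped: bool = True) -> List[str]:
    """Steps (b)-(e): build the combined packet, evaluate every stored meta-expression,
    and return the operations initiated (here, alert names) for those that appear."""
    combined = combined_packet(first, second)
    match = appears_in_order if gapped else appears_contiguous
    return [f"alert:{name}" for name, meta in meta_expressions.items() if match(combined, meta)]


# Constructed sample exchange: a request from node A and the reply from node B.
REQUEST = build_packet("10.0.0.5", "10.0.0.9", 40000, 80,
                       b"GET /cgi-bin/status HTTP/1.0\r\n\r\n")
REPLY = build_packet("10.0.0.9", "10.0.0.5", 80, 40000,
                     b"HTTP/1.0 200 OK\r\n\r\nuid=0(root) gid=0(root)\n")

# Constructed meta-expressions (integers are byte values), not from the patent.
# The first spans both directions, so it exists only in the combined packet.
META_EXPRESSIONS = {
    "cgi-request-then-id-output": list(b"cgi-bin") + list(b"uid=0("),
    "id-output-in-reply": list(b"uid=0("),
}

if __name__ == "__main__":
    print("gapped match:    ", detect(REQUEST, REPLY, META_EXPRESSIONS))
    print("contiguous match:", detect(REQUEST, REPLY, META_EXPRESSIONS, gapped=False))
```

The cross-direction meta-expression is the point of step (b): checked against either packet alone it never matches, and under the contiguous reading it never matches at all because the two halves sit in different packets. Which reading of "appears in" is intended governs both the false-positive rate and the cost of evaluation, so a practitioner implementing this should pin it down before building a meta-expression set.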