Title: Detection of malicious network connections
Abstract: In one embodiment, a method, system and apparatus are described for detecting a malicious network connection, the method, system and apparatus including: determining, for each connection over a network, whether that connection is a persistent connection; if, as a result of the determining, a first connection is determined to be a persistent connection, collecting connection statistics for the first connection; creating a feature vector for the first connection based on the collected statistics; performing outlier detection over the feature vectors of all connections over the network which have been determined to be persistent connections; and reporting detected outliers. Related methods, systems and apparatus are also described.
Publication number: US9344441 (B2)   Publication date: 2016.05.17
Application number: US201414485731   Filing date: 2014.09.14
Applicant: Cisco Technology, Inc.   Inventors: Kohout Jan; Jusko Jan; Pevny Tomas; Rehak Martin
Classification: H04L29/06   Main classification: H04L29/06
Agency: none listed   Agent: Atlow Stuart C.
Main claim: 1. A method for detecting a malicious network connection, the method comprising: determining, for each connection over a network, if each connection is a persistent connection, wherein the persistence, p, of a connection is defined as:

$$p(c,W)=\frac{1}{n}\sum_{i=1}^{n} 1_{c_i b_i}$$

where: c is the connection in question; $W=[b_1, \ldots, b_n]$ is the observation window composed of n measurement windows; and $1_{c_i b_i}$ is a function which is equal to 1 if the connection was active at least once during the measurement window $b_i$, and is otherwise equal to 0; if, as a result of the determining, a first connection is determined to be a persistent connection, collecting connection statistics for the first connection; creating a feature vector for the first connection based on the collected statistics, wherein the feature vectors comprise more than one of the following features: logarithm of the total amount of bytes sent or received within the persistent connection; autocorrelation of the time series generated by sent bytes of packets within the persistent connection; and ratio of bytes sent and received by the persistent connection; performing outlier detection for all of the feature vectors for all connections over a network which have been determined to be persistent connections, wherein the outlier detection is based on detecting deviation from an anticipated value of a curve of at least one feature of the feature vectors showing feature values versus probability; and reporting detected outliers.
Address: San Jose CA US
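The following is an added illustration of the claimed pipeline, not code from the patent or from Cisco: it computes the persistence p(c,W) over n measurement windows from constructed flow records, builds the three-feature vector (log of total bytes, lag-1 autocorrelation of sent bytes, sent/received ratio) for each persistent connection, and flags outliers. The z-score rule, the 0.75 persistence threshold and all flow values are assumptions chosen for the example; the patent's own outlier test (deviation from a feature-value-versus-probability curve) is not reproduced.

```python
import math

N_WINDOWS = 4  # observation window W = [b_1 .. b_4]

# Constructed flow records: (connection id, measurement window index, bytes sent,
# bytes received). Six ordinary clients active in every window, one constant
# high-volume "beacon", and one "sporadic" connection seen in only 2 of 4 windows.
FLOWS = []
for k in range(6):
    s = 400 + 40 * k
    for w, sent in enumerate([s, s + 20, s - 20, s]):
        FLOWS.append((f"client{k}", w, sent, 4000))
FLOWS += [("beacon", w, 9000, 50) for w in range(N_WINDOWS)]
FLOWS += [("sporadic", 0, 100, 100), ("sporadic", 3, 120, 90)]

def persistence(conn, flows, n):
    """p(c, W) = (1/n) * sum_i 1[c was active at least once in window b_i]."""
    active = {w for c, w, _, _ in flows if c == conn}
    return sum(1 for i in range(n) if i in active) / n

def autocorr_lag1(series):
    """Lag-1 autocorrelation of the sent-bytes time series (0.0 if constant)."""
    mean = sum(series) / len(series)
    num = sum((series[i] - mean) * (series[i - 1] - mean) for i in range(1, len(series)))
    den = sum((x - mean) ** 2 for x in series)
    return num / den if den else 0.0

def feature_vector(conn, flows):
    """(log total bytes, lag-1 autocorrelation of sent bytes, sent/received ratio)."""
    recs = sorted((w, s, r) for c, w, s, r in flows if c == conn)
    sent = [s for _, s, _ in recs]
    recv = [r for _, _, r in recs]
    return (math.log(sum(sent) + sum(recv)),
            autocorr_lag1(sent),
            sum(sent) / max(sum(recv), 1))

def detect(flows, n, min_persistence=0.75, z_threshold=2.0):
    """Return (persistent connections, outliers). Assumed outlier rule: any feature
    more than z_threshold population standard deviations from the mean."""
    conns = sorted({c for c, *_ in flows})
    persistent = [c for c in conns if persistence(c, flows, n) >= min_persistence]
    vecs = {c: feature_vector(c, flows) for c in persistent}
    outliers = set()
    for j in range(3):  # test each feature of the vector separately
        vals = [v[j] for v in vecs.values()]
        mu = sum(vals) / len(vals)
        sd = math.sqrt(sum((x - mu) ** 2 for x in vals) / len(vals))
        outliers.update(c for c, v in vecs.items() if sd and abs(v[j] - mu) / sd > z_threshold)
    return persistent, sorted(outliers)
```

Running `detect(FLOWS, N_WINDOWS)` drops the sporadic connection before feature extraction and reports only the beacon, which deviates on all three features.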