Title of invention: DETECTING MALICIOUS NETWORK SOFTWARE AGENTS
Abstract: This disclosure describes techniques for determining whether a network session originates from an automated software agent. In one example, a network device, such as a router, includes a network interface to receive packets of a network session, a bot detection module to calculate a plurality of scores for network session data based on a plurality of metrics, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, to produce an aggregate score from an aggregate of the plurality of scores, and to determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold, and an attack detection module to perform a programmed response when the network session is determined to be originated by an automated software agent. Each score represents a likelihood that the network session is originated by an automated software agent.
Publication number: US2015106935(A1) Publication date: 2015.04.16
Application number: US201414571133 Filing date: 2014.12.15
Applicant: Juniper Networks, Inc. Inventors: Burns Bryan; Narayanaswamy Krishna
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Independent claim: 1. A method comprising: receiving, with a network device, packets of a network session; assembling network session data for the network session from the packets, the network session data comprising application-layer data and packet flow data for the network session; calculating a plurality of scores for the network session based on a plurality of metrics applied to the network session data, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, and wherein each of the scores represents a likelihood that the network session is originated by an automated software agent; aggregating the plurality of scores to produce an aggregate score; determining that the network session is originated by an automated software agent when the aggregate score exceeds a threshold; and executing a programmed response when the network session is determined to be originated by an automated software agent.
Address: Sunnyvale CA US