公开(公告)号：US09769190B2

公开(公告)日：2017-09-19

申请号：US15354214

申请日：2016-11-17

Applicant: AT&T Intellectual Property I, L.P.

Inventor： Baris Coskun

IPC: G06F21/50 ,  H04L29/06 ,  G06F17/30 ,  H04L12/26

CPC classification number: H04L63/1425 ,  G06F17/30864 ,  H04L43/04 ,  H04L63/0254 ,  H04L63/1416

Abstract: Example network monitoring methods disclosed herein include iteratively adjusting respective weights assigned to respective types of network activity features for devices monitored in a network, the iterative adjusting to determine an output set of weights corresponding to ones of the types of network activity features indicative of malicious network activity. For example, the iterative adjusting is to (1) reduce a first distance calculated between a first pair of reference devices previously classified as being associated with malicious network activity, and (2) increase a second distance calculated between a first one of the pair of the reference devices and a first unclassified device. Disclosed example network monitoring methods also include determining whether a second unclassified device is associated with malicious network activity based on the output set of weights.

公开(公告)号：US09641545B2

公开(公告)日：2017-05-02

申请号：US14922744

申请日：2015-10-26

Applicant: AT&T INTELLECTUAL PROPERTY I, L.P.

Inventor： Nathaniel Boggs ,  Wei Wang ,  Baris Coskun ,  Suhas Mathur

IPC: G06F15/173 ,  H04L29/06 ,  H04L12/24 ,  H04W12/12

CPC classification number: H04L63/1425 ,  H04L41/14 ,  H04L63/1416 ,  H04W12/12

Abstract: Anomalies are detected in a network by detecting communication between a plurality of entities and a set of users in the network, determining an overlap between subsets of the set of users that the entities comprising the plurality of entities communicated with, respectively, and determining whether the communication between the plurality of entities and the set of users is anomalous based on the overlap.

公开(公告)号：US20150312186A1

公开(公告)日：2015-10-29

申请号：US14264159

申请日：2014-04-29

Applicant: AT&T Intellectual Property I, L.P.

Inventor： Paul Giura ,  Baris Coskun

IPC: H04L12/58 ,  H04L29/08

CPC classification number: H04L51/12

Abstract: A method of generating a signature for a group of electronic messages that each include a plurality of characters comprises extracting a plurality of blocks of characters from each of the electronic messages, mathematically processing each of the blocks of characters from each electronic message, and generating a signature for the group of electronic messages based at least in part on the mathematically processed blocks of characters. In some embodiments a counting Bloom filter may be used to generate the signature. The signatures generated by these methods may be used to identify spam.

Abstract translation: 一种生成每个包括多个字符的一组电子消息的签名的方法包括从每个电子消息中提取多个字符块，从每个电子消息中数学地处理每个字符块，并且生成 至少部分地基于数学处理的字符块，对于该组电子消息的签名。 在一些实施例中，可以使用计数布隆过滤器来生成签名。 由这些方法生成的签名可用于识别垃圾邮件。

公开(公告)号：US09083730B2

公开(公告)日：2015-07-14

申请号：US14099600

申请日：2013-12-06

Applicant: AT&T Intellectual Property I, L.P.

Inventor： Baris Coskun ,  Suhrid Balakrishnan ,  Suhas Mathur

IPC: G06F11/00 ,  G06F12/14 ,  G06F12/16 ,  G08B23/00 ,  H04L29/06

CPC classification number: H04L63/1416 ,  H04L63/14 ,  H04L63/1408 ,  H04L63/1425 ,  H04L2463/146

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to identify an Internet protocol address blacklist boundary. An example method includes identifying a netblock associated with a malicious Internet protocol address, the netblock having a lower boundary and an upper boundary, collecting netflow data associated with a plurality of Internet protocol addresses in the netblock, establishing a first window associated with a lower portion of Internet protocol addresses numerically lower than a candidate Internet protocol address, establishing a second window associated with an upper portion of Internet protocol addresses numerically higher than a candidate Internet protocol address, calculating a breakpoint score based on a comparison between a behavioral profile of the first window and a behavioral profile of the second window, and identifying a first sub-netblock when the breakpoint score exceeds a threshold value.

Abstract translation: 公开了方法，装置，系统和制品以识别因特网协议地址黑名单边界。 示例性方法包括识别与恶意因特网协议地址相关联的网络块，网络块具有下边界和上边界，收集与网络块中的多个因特网协议地址相关联的网络流数据，建立与下部相关联的第一窗口 互联网协议地址数字地低于候选互联网协议地址，建立与互联网协议地址的上部相关联的第二窗口，数字地高于候选互联网协议地址，计算断点得分，基于第一 窗口和第二窗口的行为简档，以及当断点得分超过阈值时识别第一子网块。

公开(公告)号：US20150135320A1

公开(公告)日：2015-05-14

申请号：US14080532

申请日：2013-11-14

Applicant: AT&T Intellectual Property I, L.P.

Inventor： Baris Coskun

IPC: H04L29/06

CPC classification number: H04L63/1425 ,  G06F17/30864 ,  H04L43/04 ,  H04L63/0254 ,  H04L63/1416

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to learn malicious activity. An example method includes assigning weights of a distance function to respective statistical features; iteratively calculating, with a processor, the distance function to adjust the weights (1) to cause a reduction in a first distance calculated according to the distance function for a first pair of entities in a reference group associated with malicious activity and (2) to cause an increase in a second distance calculated according to the distance function for a first one of the entities included in the reference group and a second entity not included in the reference group; and determining whether a first statistical feature is indicative of malicious activity based on a respective adjusted weight of the first statistical feature determined after calculating the distance function for a number of iterations.

Abstract translation: 公开了方法，装置，系统和制品来学习恶意活动。 一种示例性方法包括将距离函数的权重分配给相应的统计特征; 使用处理器迭代地计算所述距离函数以调整所述权重（1）以导致根据与恶意活动相关联的参考组中的第一对实体的距离函数计算的第一距离的减小;以及（2）至 导致对于包括在参考组中的第一个实体和不包括在参考组中的第二实体的根据距离函数计算的第二距离的增加; 以及基于在计算多个迭代的距离函数之后确定的所述第一统计特征的相应调整的权重来确定第一统计特征是否指示恶意活动。