公开(公告)号：US20170063892A1

公开(公告)日：2017-03-02

申请号：US14946156

申请日：2015-11-19

Applicant: Cisco Technology, Inc.

Inventor： Karel Bartos ,  Michal Sofka

IPC: H04L29/06

CPC classification number: H04L63/1425

Abstract: Techniques are presented that identify malware network communications between a computing device and a server based on a cumulative feature vector generated from a group of network traffic records associated with communications between computing devices and servers. Feature vectors are generated, each vector including features extracted from the network traffic records in the group. A self-similarity matrix is computed for each feature which is a representation of the feature that is invariant to an increase or a decrease of feature values across all feature vectors in the group. Each self-similarity matrix is transformed into corresponding histograms to be invariant to a number of network traffic records in the group. The cumulative feature vector is a cumulative representation of the predefined set of features of all network traffic records included in the at least one group of network traffic records and is generated based on the corresponding histograms.

Abstract translation: 提供了基于从与计算设备和服务器之间的通信相关联的一组网络业务记录生成的累积特征向量来识别计算设备和服务器之间的恶意软件网络通信的技术。 生成特征向量，每个矢量包括从组中的网络流量记录中提取的特征。 对于每个特征计算自相似矩阵，该特征是对于组中的所有特征向量的特征值的增加或减小而不变的特征的表示。 每个自相似矩阵被转换成相应的直方图，以便对组中的多个网络流量记录是不变的。 累积特征向量是包括在至少一组网络业务记录中的所有网络流量记录的预定义特征集合的累积表示，并且基于相应的直方图生成。