公开(公告)号：US10116538B2

公开(公告)日：2018-10-30

申请号：US15694484

申请日：2017-09-01

申请人： Narus, Inc.

发明人： Mario Baldi ,  Yong Liao ,  Amedeo Sapio

IPC分类号： G06F15/173 ,  H04L12/26

摘要： A method for profiling network traffic. The method includes capturing, from the network traffic using a packet capturing device, a plurality of packets, identifying a first portion of the plurality of packets as a first flow based at least on a common Internet Protocol (IP) address assigned to each packet of the first flow by a network address translation (NAT) device, extracting, by a hardware processor separate from the NAT device and based on an NAT profile of the NAT device, a first data item from the first flow, wherein the first data item is inserted into the first flow by the NAT device for identifying a first host device coupled to the NAT device, and determining, by the hardware processor based on the first data item, that the first flow is generated by the first host device.

公开(公告)号：US09912680B2

公开(公告)日：2018-03-06

申请号：US15368349

申请日：2016-12-02

申请人： Narus, Inc.

发明人： Ruben Torres ,  Hesham Mekky ,  Zhi-Li Zhang ,  Sabyasachi Saha ,  Antonio Nucci

IPC分类号： H04L29/06 ,  G06F21/50 ,  H04L29/08

CPC分类号： H04L63/1416 ,  G06F21/50 ,  G06F21/552 ,  G06F2221/2119 ,  H04L63/14 ,  H04L63/1408 ,  H04L63/1441 ,  H04L63/168 ,  H04L67/02 ,  H04L67/10 ,  H04L67/42

摘要： A method for detecting malicious HTTP redirections. The method includes obtaining, based on a single client IP address, HTTP flows triggered by visiting a website, extracting a sequence of URLs where a downstream URL is extracted from a child HTTP request that is triggered by a parent HTTP request containing an immediate upstream URL, analyzing the URL sequence to generate a statistical feature, and classifying, based on the statistical feature, the HTTP flows as containing at least one malicious HTTP redirection triggered by visiting the website.

公开(公告)号：US20180013646A1

公开(公告)日：2018-01-11

申请号：US15694484

申请日：2017-09-01

申请人： Narus, Inc.

发明人： Mario Baldi ,  Yong Liao ,  Amedeo Sapio

IPC分类号： H04L12/26

CPC分类号： H04L43/08 ,  H04L43/026 ,  H04L43/12 ,  H04L61/2514 ,  H04L61/2517

摘要： A method for profiling network traffic. The method includes capturing, from the network traffic using a packet capturing device, a plurality of packets, identifying a first portion of the plurality of packets as a first flow based at least on a common Internet Protocol (IP) address assigned to each packet of the first flow by a network address translation (NAT) device, extracting, by a hardware processor separate from the NAT device and based on an NAT profile of the NAT device, a first data item from the first flow, wherein the first data item is inserted into the first flow by the NAT device for identifying a first host device coupled to the NAT device, and determining, by the hardware processor based on the first data item, that the first flow is generated by the first host device.

公开(公告)号：US20180013645A1

公开(公告)日：2018-01-11

申请号：US15694481

申请日：2017-09-01

申请人： Narus, Inc.

发明人： Mario Baldi ,  Yong Liao ,  Amedeo Sapio

IPC分类号： H04L12/26

CPC分类号： H04L43/08 ,  H04L43/026 ,  H04L43/12 ,  H04L61/2514 ,  H04L61/2517

摘要： A method for profiling network traffic. The method includes capturing, from the network traffic using a packet capturing device, a plurality of packets, identifying a first portion of the plurality of packets as a first flow based at least on a common Internet Protocol (IP) address assigned to each packet of the first flow by a network address translation (NAT) device, extracting, by a hardware processor separate from the NAT device and based on an NAT profile of the NAT device, a first data item from the first flow, wherein the first data item is inserted into the first flow by the NAT device for identifying a first host device coupled to the NAT device, and determining, by the hardware processor based on the first data item, that the first flow is generated by the first host device.

公开(公告)号：US09769038B1

公开(公告)日：2017-09-19

申请号：US14294946

申请日：2014-06-03

申请人： Narus, Inc.

发明人： Mario Baldi ,  Yong Liao ,  Amedeo Sapio

IPC分类号： H04L12/26

CPC分类号： H04L43/08 ,  H04L43/026 ,  H04L43/12 ,  H04L61/2514 ,  H04L61/2517

摘要： A method for profiling network traffic. The method includes capturing, from the network traffic using a packet capturing device, a plurality of packets, identifying a first portion of the plurality of packets as a first flow based at least on a common Internet Protocol (IP) address assigned to each packet of the first flow by a network address translation (NAT) device, extracting, by a hardware processor separate from the NAT device and based on an NAT profile of the NAT device, a first data item from the first flow, wherein the first data item is inserted into the first flow by the NAT device for identifying a first host device coupled to the NAT device, and determining, by the hardware processor based on the first data item, that the first flow is generated by the first host device.

公开(公告)号：US20170012853A1

公开(公告)日：2017-01-12

申请号：US15271920

申请日：2016-09-21

申请人： Narus, Inc.

发明人： Ignacio Bermudez ,  Marios Iliofotou ,  Marco Mellia ,  Ram Keralapura ,  Maurizio Matteo Munafo

IPC分类号： H04L12/26 ,  H04L12/58

CPC分类号： H04L43/18 ,  G06F8/53 ,  G06F17/30861 ,  G06F17/30867 ,  G06F17/30908 ,  G06K9/6256 ,  G06N99/005 ,  H04L41/142 ,  H04L51/34 ,  H04L69/00

摘要： A method for analyzing a binary-based application protocol of a network. The method includes obtaining conversations from the network, extracting content of a candidate field from a message in each conversation, calculating a randomness measure of the content to represent a level of randomness of the content across all conversation, calculating a correlation measure of the content to represent a level of correlation, across all of conversations, between the content and an attribute of a corresponding conversation where the message containing the candidate field is located, and selecting, based on the randomness measure and the correlation measure, and using a pre-determined field selection criterion, the candidate offset from a set of candidate offsets as the offset defined by the protocol.

摘要翻译： 一种用于分析网络的基于二进制的应用协议的方法。 该方法包括从网络获取对话，从每个对话中的消息中提取候选字段的内容，计算内容的随机性度量，以表示所有对话内容的随机性水平，计算内容的相关性度量 表示在包含候选字段的消息所在的对应对话的内容和属性之间的所有会话中的相关级别，并且基于随机性度量和相关性度量来选择并使用预定的 场选择标准，作为由协议定义的偏移的候选偏移集合的候选偏移量。

公开(公告)号：US09531736B1

公开(公告)日：2016-12-27

申请号：US13726475

申请日：2012-12-24

申请人： Narus, Inc.

发明人： Ruben Torres ,  Hesham Mekky ,  Zhi-Li Zhang ,  Sabyasachi Saha ,  Antonio Nucci

IPC分类号： G06F21/50 ,  H04L29/06

CPC分类号： H04L63/1416 ,  G06F21/50 ,  G06F21/552 ,  G06F2221/2119 ,  H04L63/14 ,  H04L63/1408 ,  H04L63/1441 ,  H04L63/168 ,  H04L67/02 ,  H04L67/10 ,  H04L67/42

摘要： A method for detecting malicious HTTP redirections. The method includes obtaining, based on a single client IP address, HTTP flows triggered by visiting a website, extracting a sequence of URLs where a downstream URL is extracted from a child HTTP request that is triggered by a parent HTTP request containing an immediate upstream URL, analyzing the URL sequence to generate a statistical feature, and classifying, based on the statistical feature, the HTTP flows as containing at least one malicious HTTP redirection triggered by visiting the website.

摘要翻译： 一种用于检测恶意HTTP重定向的方法。 该方法包括基于单个客户端IP地址获取通过访问网站触发的HTTP流，从由包含直接上游URL的父HTTP请求触发的小HTTP请求中提取下游URL提取的URL序列 ，分析URL序列以生成统计特征，并根据统计特征将HTTP流分类为包含访问网站触发的至少一个恶意HTTP重定向。

公开(公告)号：US09521162B1

公开(公告)日：2016-12-13

申请号：US14550422

申请日：2014-11-21

申请人： Narus, Inc.

发明人： Ali Zand ,  Gaspar Modelo-Howard ,  Alok Tongaonkar ,  Sung-Ju Lee ,  Christopher Kruegel ,  Giovanni Vigna

IPC分类号： G06F11/00 ,  H04L29/06

CPC分类号： H04L63/1441 ,  H04L63/1408 ,  H04L63/1416 ,  H04L63/145 ,  H04L63/1458

摘要： A method for detecting a malicious network activity. The method includes extracting, based on a pre-determined criterion, a plurality of protection phase feature sequences extracted from a first plurality of network traffic sessions exchanged during a protection phase between a server device and a first plurality of client devices of a network, comparing the plurality of protection phase feature sequences and a plurality of profiling phase feature sequences to generate a comparison result, where the plurality of profiling phase feature sequences were extracted from a second plurality of network traffic sessions exchanged during a profiling phase prior to the protection phase between the server device and a second plurality of client devices of the network, and generating, in response to detecting a statistical measure of the comparison result exceeding a pre-determined threshold, an alert indicating the malicious network activity.

摘要翻译： 一种检测恶意网络活动的方法。 该方法包括基于预定标准提取从在网络的服务器设备和第一多个客户端设备之间的保护阶段期间交换的第一多个网络业务会话中提取的多个保护相位特征序列，比较 多个保护阶段特征序列和多个分析阶段特征序列以生成比较结果，其中从在第二多个网络流量会话之间交换的多个分析阶段特征序列提取在分析阶段之前的保护阶段之间， 所述服务器设备和所述网络的第二多个客户端设备，并且响应于检测到超过预定阈值的比较结果的统计测量，生成指示所述恶意网络活动的警报。

公开(公告)号：US09210090B1

公开(公告)日：2015-12-08

申请号：US14161517

申请日：2014-01-22

申请人： Narus, Inc.

发明人： Mario Baldi ,  Syed M. Hussain ,  Yong Liao ,  Alok Tongaonkar ,  Antonio Nucci

IPC分类号： H04L12/26 ,  H04L12/833

CPC分类号： H04L47/31 ,  H04L47/2441

摘要： A method for accessing (e.g., processing, storing, retrieving, etc.) network traffic data of a network. The method includes using separate data analysis device and data access device for capturing and analyzing network traffic data blocks concurrently and cooperatively to store and retrieve large amount of high speed network traffic data. In particular, the data analysis device and the data access device are synchronized using a linked set containing unique data block identifier and associated packet identifiers. The synchronization allows the data analysis device to focus on the full packet analysis task and the data access device to focus on the full packet storing and retrieving task without analyzing full packet content.

摘要翻译： 一种用于访问（例如，处理，存储，检索等）网络的网络业务数据的方法。 该方法包括使用单独的数据分析设备和数据访问设备，并行并协同地捕获和分析网络流量数据块，以存储和检索大量的高速网络流量数据。 特别地，使用包含唯一数据块标识符和相关联的分组标识符的链接集来同步数据分析设备和数据访问设备。 同步允许数据分析设备专注于全分组分析任务和数据访问设备，以集中在完整的分组存储和检索任务，而不分析全分组内容。

公开(公告)号：US08843493B1

公开(公告)日：2014-09-23

申请号：US13622316

申请日：2012-09-18

申请人： Narus, Inc.

发明人： Yong Liao ,  Antonio Nucci

IPC分类号： G06F17/30 ,  G06F17/27

CPC分类号： G06F17/30985 ,  G06F17/2211 ,  G06F17/274 ,  G06F17/30622 ,  G06F21/6209

摘要： A method for comparing documents, including extracting, by a computer processor, a plurality of extracted elements from a first image of a first formatted document, wherein each of the plurality of extracted elements corresponds to a text element of the first formatted document, extracting, by the computer processor, a first plurality of text fingerprints from a sequence of the plurality of extracted elements to form a first text feature of the first image, comparing, by the computer processor, the first text feature and a second formatted document to generate a comparison result, and determining, in response to the comparison result meeting a pre-determined criterion, that each of the first formatted document and the second formatted document contains common text content.

摘要翻译： 一种用于比较文档的方法，包括由计算机处理器从第一格式化文档的第一图像提取多个提取的元素，其中所述多个提取元素中的每一个对应于所述第一格式化文档的文本元素， 由所述计算机处理器从所述多个提取元素的序列中获取第一多个文本指纹，以形成所述第一图像的第一文本特征，由所述计算机处理器比较所述第一文本特征和第二格式化文档以生成 比较结果，并且响应于满足预定标准的比较结果，确定每个第一格式化文档和第二格式化文档包含公共文本内容。