公开(公告)号：US20170230395A1

公开(公告)日：2017-08-10

申请号：US15496683

申请日：2017-04-25

Applicant: Cisco Technology, Inc.

Inventor： Tomás Komárek ,  Martin Grill ,  Tomás Pevny

IPC: H04L29/06 ,  G06N99/00

CPC classification number: H04L63/1425 ,  G06F17/30185 ,  G06F17/30979 ,  G06N99/005 ,  H04L41/142 ,  H04L41/16 ,  H04L43/00 ,  H04L43/04 ,  H04L61/2514 ,  H04L63/1408

Abstract: Actual traffic logs of network traffic to and from host devices in a network are collected over time. Artificial traffic logs for each of multiple artificial network address translation (NAT) devices are generated from the actual traffic logs. The actual traffic logs and the artificial traffic logs are labeled as being indicative of non-NAT devices and NAT devices, respectively, to produce labeled traffic logs. From the labeled traffic logs for each artificial NAT device and each non-NAT device, respective, correspondingly labeled, network traffic features indicative of whether the device behaves like a NAT device or a non-NAT device are extracted. A classifier device is trained using the network traffic features extracted for each artificial NAT device and each non-NAT device to classify between an actual NAT device and an actual non-NAT device based on further actual traffic logs.

公开(公告)号：US20160315952A1

公开(公告)日：2016-10-27

申请号：US14696947

申请日：2015-04-27

Applicant: Cisco Technology, Inc.

Inventor： Tomás Komárek ,  Martin Grill ,  Tomás Pevný

IPC: H04L29/06 ,  G06F17/30 ,  G06N99/00 ,  H04L29/12

CPC classification number: H04L63/1425 ,  G06F17/30185 ,  G06F17/30979 ,  G06N99/005 ,  H04L41/142 ,  H04L41/16 ,  H04L43/00 ,  H04L43/04 ,  H04L61/2514 ,  H04L63/1408

Abstract: Network traffic logs of network traffic to and from host devices connected to a network that were collected over time are accessed. For each host device identified in the logs, a set of network traffic features indicative of whether the host device behaves like a Network Address Translation (NAT) device or an end host device is extracted from the logs for the host device. Each feature has values that vary over time based on the logs. A trained host device behavior classifier classifies the host device as either a NAT device or an end host device based on one or more of the feature values.

Abstract translation: 访问连接到网络的主机设备的网络流量的网络流量日志，这些网络流量记录随时间被收集。 对于在日志中标识的每个主机设备，指示主机设备是否像主机设备的日志中提取主机设备的行为类似于网络地址转换（NAT）设备或终端主机设备的一组网络流量特征。 每个功能的值都会根据日志随时间而变化。 经过训练的主机设备行为分类器基于一个或多个特征值将主机设备分类为NAT设备或终端主机设备。