System and method for extracting signatures from seeded flow groups to classify network traffic
    Status: granted invention, in force

    Publication number: US08843627B1

    Publication date: 2014-09-23

    Application number: US13694025

    Application date: 2012-10-19

    Applicant: Narus, Inc.

    IPC classification: G06F15/173 H04L12/26

    Abstract: Embodiments of the invention provide a method, system, and computer readable medium for classifying network traffic based on application signatures generated during a training phase. The application signatures are generated using (a) seeding flows obtained from a network trace based on a pre-determined selection criterion, and (b) for each seeding flow, a seeded flow group that is obtained from the network trace based on a pre-determined seeding criterion associated with the seeding flow. Specifically, persistent data patterns frequently occurring across multiple seeded flow groups are analyzed to generate the signatures.

    System and method for extracting signatures from controlled execution of applications and application codes retrieved from an application source

    Publication number: US10419351B1

    Publication date: 2019-09-17

    Application number: US13857092

    Application date: 2013-04-04

    Applicant: Narus, Inc.

    IPC classification: G06F15/173 H04L12/851

    Abstract: A method for classifying network traffic in a network. The method includes obtaining, from an application distribution source, an application distribution data set comprising information associated with distributing an application from the pre-determined application distribution source, extracting, based on a pre-determined extraction criterion, a token from the application distribution data set of the application, obtaining, from the network traffic, a plurality of flows generated by the application, extracting, in response to detecting the token in a flow of the plurality of flows, context information associated with the token in the flow, and generating an identification rule of the application based on the token and the context information, wherein the identification rule describes one or more rule steps to locate the token in the flow, wherein the network traffic is classified using at least the identification rule.

    User-specific policy enforcement based on network traffic fingerprinting

    Publication number: US10263868B1

    Publication date: 2019-04-16

    Application number: US14334141

    Application date: 2014-07-17

    Applicant: Narus, Inc.

    IPC classification: H04L12/26

    Abstract: A method for applying a user-specific policy in a network. The method includes identifying a historical portion of network traffic of the network as associated with a user, analyzing, by a computer processor, the historical portion of network traffic to generate a fingerprint of the user, wherein the fingerprint represents characteristics of user activity in the network, identifying, by the computer processor, an ongoing portion of network traffic of the network as associated with the user, analyzing, by the computer processor and based on the fingerprint, the ongoing portion of network traffic to determine a match, wherein the match is determined at a time point within the ongoing portion of network traffic, and applying, in response to determining the match, the user-specific policy to the ongoing portion of network traffic subsequent to the time point.

    Detecting malware infestations in large-scale networks
    Status: granted invention, in force

    Publication number: US08959643B1

    Publication date: 2015-02-17

    Application number: US13963958

    Application date: 2013-08-09

    Applicant: Narus, Inc.

    IPC classification: G06F11/00 H04L29/06 G06F21/56

    Abstract: A method for detecting a malicious activity in a network. The method includes obtaining file download flows from the network, analyzing the file download flows to generate malicious indications using a pre-determined malicious behavior detection algorithm, extracting a file download attribute from a suspicious file download flow of a malicious indication, wherein the file download attribute represents one or more of the URL, the FQDN, the top-level domain name, the URL path, the URL file name, and the payload of the suspicious file download flow, determining the file download attribute as being shared by at least two suspicious file download flows, identifying related suspicious file download flows and determining a level of association between them based at least on the file download attribute, computing a malicious score of the suspicious file download flow based on the level of association, and presenting the malicious score to an analyst user of the network.