US2021160259A1PendingUtilityA1

System for automated signature generation and refinement

51
Assignee: PETABI INCPriority: Sep 15, 2017Filed: Feb 2, 2021Published: May 27, 2021
Est. expirySep 15, 2037(~11.2 yrs left)· nominal 20-yr term from priority
H04L 43/50H04L 63/1416G06F 21/64H04L 41/145G06F 16/90344H04L 63/1441G06F 21/554G06F 16/24578H04L 63/1425
51
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Systems and methods are provided for generating samples of network traffic and characterizing the samples to easily identify exploits. A first embodiment of the present disclosure can generate traffic between a sample generator and the target computing device based on a particular exploit. The traffic can be a plurality of samples of the exploit using an exploit script. The method can provide for collecting and storing the plurality of samples. These samples can then be used to characterize the exploit by identifying invariant portions and variable portions of the samples. The method can further provide for removing any artifacts from the samples. Regular expressions can be constructed based on the samples. Each regular expression can be tested and ranked according to metrics of efficiency and accuracy.

Claims

exact text as granted — not AI-modified
1 . A method for generating samples of network traffic attempting to gain unauthorized access to a target computing device, comprising:
 receiving an exploit script at a host device, wherein the exploit script configures a sample generator at the host device to attempt unauthorized access to the target computing device;   generating traffic, based on the exploit script, between the sample generator and the target computing device;   collecting a plurality of samples of the generated traffic; and   storing the plurality of samples in a storage device, wherein the storage device is accessible by the host device.   
     
     
         2 . The method of  claim 1 , wherein each sample in the plurality of samples further comprises at least one distinct portion from remaining samples in the plurality of samples. 
     
     
         3 . The method of  claim 1 , wherein each sample in the plurality of samples can further comprise invariant portions and variable portions, wherein the invariant portions have identical values for different generations of the exploit script and the variable portions have unique values for different generations of the exploit script. 
     
     
         4 . The method of  claim 1 , wherein the generated traffic occurs via a separate and private network between the host device and the target computing device. 
     
     
         5 . The method of  claim 1 , further comprising determining at least one characteristic of the exploit from the collected plurality of samples to detect the exploit. 
     
     
         6 . A system for generating samples of network traffic, comprising:
 a target computing device;   a storage device; and   a host device comprising a sample generator, wherein the host device is configured to:
 receive an exploit script, wherein the exploit script configures the sample generator to attempt unauthorized access to the target computing device; 
 generate traffic, based on the received exploit script, between the sample generator and the target computing device; 
 collect a plurality of samples of the generated traffic; and 
 store the plurality of samples on the storage device. 
   
     
     
         7 . A non-transitory machine-readable medium, having stored thereon instructions for performing a method of generating samples of network traffic, the non-transitory machine-readable medium comprising machine executable code, which, when executed by at least one machine, causes the machine to:
 receive an exploit script at a host device, wherein the exploit script configures a sample generator at the host device to attempt unauthorized access to a target computing device;   generate traffic, based on the exploit script, between a sample generator and the target computing device;   collect a plurality of samples of the generated traffic; and   store the plurality of samples in a storage device, wherein the storage device is accessible by the host device.   
     
     
         8 - 19 . (canceled) 
     
     
         20 . The system of  claim 6 , wherein each sample in the plurality of samples further comprises at least one distinct portion from remaining samples in the plurality of samples. 
     
     
         21 . The system of  claim 6 , wherein each sample in the plurality of samples can further comprise invariant portions and variable portions, wherein the invariant portions have identical values for different generations of the exploit script and the variable portions have unique values for different generations of the exploit script. 
     
     
         22 . The system of  claim 6 , wherein the generated traffic occurs via a separate and private network between the host device and the target computing device. 
     
     
         23 . The system of  claim 6 , wherein the exploit script configures the sample generator to determine at least one characteristic of the exploit from the collected plurality of samples to detect the exploit. 
     
     
         24 . The system of  claim 6 , wherein the storage device stores harvested samples from at least one of logs, direct observation or an anomaly detection system of a legacy computer system. 
     
     
         25 . The system of  claim 24 , wherein the harvested samples are labeled with a class of exploits. 
     
     
         26 . The system of  claim 1 , wherein the host device transfers the plurality of samples to a legacy computer security system. 
     
     
         27 . The method of  claim 1 , further comprising storing harvested samples from at least one of logs, direct observation or an anomaly detection system of a legacy computer system in the storage device. 
     
     
         28 . The method of  claim 27 , further comprising labeling the harvested samples with a class of exploits. 
     
     
         29 . The method of  claim 27 , further comprising transferring the plurality of samples to a legacy computer security system.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.