Network security system that detects a common attacker who attacks from different source addresses
US11770394B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Date | Value |
|---|---|
| Filing date | Jun 2, 2021 |
| Grant date | Sep 26, 2023 |
| Priority date | — |
| Expiry date | Nov 10, 2041 |
Classification
- Technology area (CPC H): Electricity
- CPC primary: H04L63/1458
- WIPO field: Digital communication
- WIPO sector: Electrical engineering
Abstract
A network security system that analyzes data from network attacks to determine which attacks came from the same attacker, even if the attacker tries to disguise its identity by spreading attacks out over time and attacking from multiple IP addresses. Intrusion detection systems or firewalls may log data for each attack, such as the time of the attack, the type of attack, and the source and target addresses. Embodiments may augment this data with derived attributes that may profile the attacker's behavior. For example, some attackers may spread out attacks over time, but always attack on the same day of the week; some attackers may spread out attacks over different IP addresses, but these addresses may all be in the same country. The original and augmented data may be clustered using an algorithm such as DBSCAN, and each attacker may be identified with one of the resulting clusters.
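As an added illustration (not code from the patent or its assignee), the Python sketch below runs the pipeline the abstract describes over a constructed log sample: each record is augmented with the weekday of the attack and a source-country code from an assumed GeoIP stand-in, then clustered with a minimal DBSCAN over a categorical distance, so attacks from different source addresses that share a behavioural profile land in one cluster. `LOGS`, `GEO`, the distance keys and the `eps`/`min_pts` values are all assumptions chosen for the example.

```python
from datetime import datetime
# Constructed IDS log sample (not from the patent): time, attack type, source and target address.
LOGS = [
    {"ts": "2021-06-07T02:10:00", "type": "ssh-brute", "src": "203.0.113.7",   "dst": "10.0.0.5"},
    {"ts": "2021-06-14T02:45:00", "type": "ssh-brute", "src": "203.0.113.99",  "dst": "10.0.0.5"},
    {"ts": "2021-06-21T03:05:00", "type": "ssh-brute", "src": "203.0.113.42",  "dst": "10.0.0.6"},
    {"ts": "2021-06-09T14:00:00", "type": "sqli",      "src": "198.51.100.3",  "dst": "10.0.0.8"},
    {"ts": "2021-06-16T15:20:00", "type": "sqli",      "src": "198.51.100.77", "dst": "10.0.0.8"},
    {"ts": "2021-06-11T23:59:00", "type": "port-scan", "src": "192.0.2.1",     "dst": "10.0.0.9"},
]
# Assumed stand-in for a GeoIP lookup: /24 documentation prefixes mapped to made-up country codes.
GEO = {"203.0.113": "AA", "198.51.100": "BB", "192.0.2": "CC"}
def augment(rec):
    """Derived profile attributes named in the abstract: weekday of the attack and source country."""
    weekday = datetime.fromisoformat(rec["ts"]).strftime("%a")
    return {**rec, "weekday": weekday, "country": GEO.get(rec["src"].rsplit(".", 1)[0], "??")}
def distance(a, b, keys=("type", "weekday", "country", "dst")):
    """Hamming distance over categorical attributes: how many profile fields differ."""
    return sum(a[k] != b[k] for k in keys)
def dbscan(points, eps, min_pts):
    """Minimal DBSCAN using the categorical distance above; label -1 marks noise."""
    labels, cluster = [None] * len(points), 0
    neighbours = lambda i: [j for j in range(len(points)) if distance(points[i], points[j]) <= eps]
    for i in range(len(points)):
        if labels[i] is not None:
            continue
        seeds = neighbours(i)
        if len(seeds) < min_pts:       # not a core point: noise unless a cluster later reaches it
            labels[i] = -1
            continue
        labels[i] = cluster
        while seeds:
            j = seeds.pop()
            if labels[j] is None:      # unvisited: join the cluster, and expand through j if core
                labels[j] = cluster
                nj = neighbours(j)
                if len(nj) >= min_pts:
                    seeds.extend(nj)
            elif labels[j] == -1:      # former noise reached from a core point becomes a border point
                labels[j] = cluster
        cluster += 1
    return labels
def attacker_groups(logs, eps=1, min_pts=2):
    """Map each cluster label to its source IPs: one cluster per inferred attacker."""
    rows = [augment(r) for r in logs]
    groups = {}
    for row, label in zip(rows, dbscan(rows, eps, min_pts)):
        groups.setdefault(label, []).append(row["src"])
    return groups
```

With `eps=1` the third SSH attack, which hits a different target but keeps the same type, weekday and country, still joins the first cluster; the lone port scan is left as noise rather than being forced into a group.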
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.