International Business Machines Corporation
Fast identification of offense and attack execution in network traffic patterns

Abstract:

A method, apparatus and computer system to identify threats on a TCP/IP-based network. The approach leverages a set of reference patterns (or "network spectrals") associated with one or more defined Indicators of Compromise (IoCs). At least one reference pattern is time-bounded and profiles a network traffic pattern using a set of session data (e.g., volume, direction, traffic metadata) that is payload-neutral and may be derived in part by time-series compression of at least one non-varying encoding interval. Network traffic data associated with a traffic pattern under test is received and encoded to generate a test spectral. A stream-based real-time comparison is performed to determine whether the test spectral matches against any of the reference spectrals. Responsive to identifying a match, a given remediation or mitigation action is then taken. A reference spectral may represent a bi- or multi-directional flow, and the multi-directional flow may involve multiple entities.