Abstract: A method for identifying malicious encrypted network traffic communicated via a network between a first and second computer system, the method including: monitoring network traffic over the network to detect a network connection as a new network connection; identifying characteristics of the network connection to determine a protocol of the network connection; retrieving a definition of a portion of network traffic for a network connection based on the determined protocol; evaluating Fourier transform coefficient values for each of a plurality of bytes in a portion of network traffic of the new network connection based on the retrieved definition; and comparing the evaluated coefficient values with a dictionary of one or more reference sets of coefficients, each of the one or more reference sets of coefficients being associated with a portion of network traffic of a malicious encrypted network connection, so as to determine if malicious encrypted network traffic is communicated over the network connection.

Abstract: A method for identifying malicious encrypted network traffic communicated via a computer network is disclosed. A malicious encrypted traffic detector is also disclosed.

Abstract: The disclosure relates to detection of malicious network communications. In one embodiment, a method for identifying malicious encrypted network traffic associated with a malware software component communicating via a network is disclosed. The method includes training a neural network based on images for extracted portions of network traffic such that subsequent network traffic can be classified by the neural network to identify malicious network traffic associated with malware based on an image generated to represent a defined portion of the subsequent network traffic.

Abstract: A malicious encrypted traffic detector connected to a computer network, the detector comprising: a Shannon entropy estimator; an entropy comparator; a store storing a reference measure of Shannon entropy of a portion of network traffic of a malicious encrypted network connection, wherein the estimator is adapted to estimate a measure of entropy for a corresponding portion of network traffic communicated over the computer network, and the entropy comparator is adapted to compare the estimated measure of entropy with the reference measure so as to determine if malicious encrypted network traffic is communicated over the network connection.

Abstract: A malicious encrypted traffic inhibitor connected to a computer network is disclosed. A method for inhibiting malicious encrypted network traffic communicated via a computer network also is disclosed. The malicious encrypted traffic inhibitor and method utilize an estimated measure of entropy for a portion of network traffic communicated over a network connection via the computer network. The estimated measure of entropy is calculated as a measure of a degree of indeterminacy of information communicated via the network connection, such as an estimated measure of Shannon entropy, and then compared with a reference measure of entropy for malicious encrypted network traffic. If the estimated measure of entropy for traffic communicated via the computer network is sufficiently similar to the reference measure of entropy, a positive identification of malicious traffic on the computer network can be output.

Abstract: A method for identifying malicious encrypted network traffic communicated via a network between a first and second computer system, the method including: monitoring network traffic over the network to detect a network connection as a new network connection; identifying characteristics of the network connection to determine a protocol of the network connection; retrieving a definition of a portion of network traffic for a network connection based on the determined protocol; evaluating Fourier transform coefficient values for each of a plurality of bytes in a portion of network traffic of the new network connection based on the retrieved definition; and comparing the evaluated coefficient values with a dictionary of one or more reference sets of coefficients, each of the one or more reference sets of coefficients being associated with a portion of network traffic of a malicious encrypted network connection, so as to determine if malicious encrypted network traffic is communicated over the network connection.

Abstract: A method for identifying malicious encrypted network traffic associated with a malware software component communicating via a network, the method including: defining, for the malware, a portion of network traffic including a plurality of contiguous bytes occurring at a predefined offset in a network communication of the malware; extracting the defined portion of network traffic for each of a plurality of disparate network connections for the malware; evaluating a metric for each byte in each extracted portion; representing each extracted portion in a matrix data structure as an image of pixels wherein each pixel corresponds to a byte of the extracted portion; training a neural network based on the images for the extracted portions such that subsequent network traffic can be classified by the neural network to identify malicious network traffic associated with the malware based on an image generated to represent the defined portion of the subsequent network traffic.

Abstract: A multi-stage event detector for monitoring a system to detect the occurrence of multistage events in the monitored system, the multi-stage event detector includes: one or more event detecting detector units (142, 144) for detecting observable events occurring on the monitored system; one or more parameter generating detector units (152, 154) for generating parameter values which vary over time dependent on the behavior of the monitored system; a hidden state determiner (120) for determining a likely sequence of states of interest of the system based on the outputs of the one or more event detecting detector units; and a transition determiner (130) for determining a likely transition occurrence based on a comparison of a set of values of a parameter or set of parameters generated by one or more of the one or more parameter generating detector units with a plurality of pre-specified functions or sets of values of a corresponding parameter or set of parameters associated with different transition occurrences.

Abstract: A malicious encrypted traffic inhibitor connected to a computer network is disclosed. A method for inhibiting malicious encrypted network traffic communicated via a computer network also is disclosed.

Abstract: A malicious encrypted traffic detector connected to a computer network method for identifying malicious encrypted network traffic communicated via a computer network, the method comprising: a storage storing a plurality of network traffic window definitions, each window defining a different subset of network traffic for a network connection; an analyzer adapted to identify characteristics of a network connection to determine a protocol of a network connection; a network traffic recorder adapted to record a subset of network traffic corresponding to a window of network traffic; an entropy estimator adapted to evaluate an estimated measure of entropy for a portion of network traffic of a network connection recorded by the network traffic recorder; and a window selector adapted to identify and store a window as a portion of a network connection for which an estimated measure of entropy is most similar for a plurality of network connections, the identified window being stored in association with an identifier of

Abstract: A malicious encrypted traffic detector connected to a computer network, the detector comprising: a Shannon entropy estimator; an entropy comparator; a store storing a reference measure of Shannon entropy of a portion of network traffic of a malicious encrypted network connection, wherein the estimator is adapted to estimate a measure of entropy for a corresponding portion of network traffic communicated over the computer network, and the entropy comparator is adapted to compare the estimated measure of entropy with the reference measure so as to determine if malicious encrypted network traffic is communicated over the network connection.

Abstract: A multi-stage event detector for monitoring a system to detect the occurrence of multistage events in the monitored system, the multi-stage event detector includes: one or more event detecting detector units (142, 144) for detecting observable events occurring on the monitored system; one or more parameter generating detector units (152, 154) for generating parameter values which vary over time dependent on the behaviour of the monitored system; a hidden state determiner (120) for determining a likely sequence of states of interest of the system based on the outputs of the one or more event detecting detector units; and a transition determiner (130) for determining a likely transition occurrence based on a comparison of a set of values of a parameter or set of parameters generated by one or more of the one or more parameter generating detector units with a plurality of pre-specified functions or sets of values of a corresponding parameter or set of parameters associated with different transition occurrences.