US 11,057,403 B2
Suspicious packet detection device and suspicious packet detection method thereof
Chi-Kuan Chiu, Taoyuan (TW); Hsiao-Hsien Chang, Taipei (TW); and Te-En Wei, Taipei (TW)
Assigned to Institute For Information Industry, Taipei (TW)
Filed by Institute For Information Industry, Taipei (TW)
Filed on Nov. 27, 2018, as Appl. No. 16/202,084.
Claims priority of application No. 107138823 (TW), filed on Nov. 1, 2018.
Prior Publication US 2020/0145435 A1, May 7, 2020
Int. Cl. H04L 29/06 (2006.01); G06F 16/955 (2019.01); G06K 9/62 (2006.01); G06N 20/00 (2019.01); G06F 16/906 (2019.01)
CPC H04L 63/1416 (2013.01) [G06F 16/906 (2019.01); G06F 16/955 (2019.01); G06K 9/6218 (2013.01); G06N 20/00 (2019.01); H04L 63/14 (2013.01); H04L 63/1441 (2013.01); H04L 69/22 (2013.01)] 16 Claims
 
1. A suspicious packet detection device, comprising:
a storage, being configured to store a reference file and an emulated fingerprint file, the reference file recording a HyperText Transfer Protocol (HTTP) reference header, and the emulated fingerprint file recording relevance information;
a network interface; and
a processor electrically connected to the storage and the network interface, being configured to perform the following operations:
capturing an HTTP packet transmitted from an internal network to an external network via the network interface; and
comparing an HTTP header of the HTTP packet with the HTTP reference header to determine that the HTTP packet belongs to one of a browser category and an application category and identify the HTTP packet as one of a normal packet and a suspicious packet;
wherein when the HTTP packet is identified as the normal packet and belongs to the browser category, the processor further performs the following operations:
determining whether destination domain information and referer information of the HTTP header are included in the relevance information; and
determining whether the HTTP packet causes a count value associated with the destination domain information within a time window to exceed a first threshold when the destination domain information and the referer information are not included in the relevance information, and re-identifying the HTTP packet as the suspicious packet if the count value exceeds the first threshold, wherein the count value is the total number of a plurality of received HTTP packets within the time window, and another destination domain information and another referer information of another HTTP header of each of the received HTTP packets are not included in the relevance information.
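The decision flow of claim 1, written out as an added Python example that is not the patent's or the assignee's code: the browser header set, the relevance pairs and the User-Agent test are constructed stand-ins for the reference file and the emulated fingerprint file, and the time window and threshold are arbitrary.

```python
from collections import defaultdict, deque

# Constructed stand-in for the "reference file": header fields a browser request carries.
BROWSER_REFERENCE_HEADERS = {"host", "user-agent", "accept", "accept-language"}
# Constructed stand-in for the "emulated fingerprint file": allowed (destination, referer) pairs.
RELEVANCE = {("cdn.example.com", "www.example.com"), ("www.example.com", "www.example.com")}

def categorize(headers):
    """Compare the header with the reference header: (category, verdict)."""
    keys = {k.lower() for k in headers}
    if "Mozilla/" in headers.get("User-Agent", ""):       # assumption: browser UA marker
        # A browser that omits fields the reference header requires is suspicious.
        verdict = "normal" if BROWSER_REFERENCE_HEADERS <= keys else "suspicious"
        return "browser", verdict
    return "application", "normal"

def referer_domain(headers):
    """Extract the host part of the Referer header, or None when absent."""
    ref = headers.get("Referer")
    if not ref:
        return None
    return ref.split("//", 1)[-1].split("/", 1)[0].lower()

class SuspiciousPacketDetector:
    def __init__(self, window, threshold):
        self.window = window          # seconds
        self.threshold = threshold    # the claim's "first threshold"
        # destination domain -> timestamps of packets whose pair was not in RELEVANCE
        self.counts = defaultdict(deque)

    def inspect(self, headers, ts):
        """Return the final verdict for one captured outbound HTTP packet."""
        category, verdict = categorize(headers)
        if verdict != "normal" or category != "browser":
            return verdict            # only normal browser packets get the second stage
        pair = (headers.get("Host", "").lower(), referer_domain(headers))
        if pair in RELEVANCE:
            return "normal"
        q = self.counts[pair[0]]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop packets outside the time window
            q.popleft()
        # Re-identify as suspicious once unmatched packets to this domain exceed the threshold.
        return "suspicious" if len(q) > self.threshold else "normal"
```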