US 12,381,910 B2
Network attack detection with targeted feature extraction from exploit tools
Zhibin Zhang, Santa Clara, CA (US); Jin Chen, San Jose, CA (US); Yu Fu, Campbell, CA (US); Stefan Achleitner, Arlington, VA (US); Bo Qu, Saratoga, CA (US); and Lei Xu, Santa Clara, CA (US)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Jul. 12, 2022, as Appl. No. 17/862,869.
Prior Publication US 2024/0022600 A1, Jan. 18, 2024
Int. Cl. H04L 9/40 (2022.01); G06N 20/10 (2019.01)
CPC H04L 63/1466 (2013.01) [G06N 20/10 (2019.01); H04L 63/1416 (2013.01); H04L 63/20 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A system, comprising: one or more processors configured to:
obtain an SQL or command injection string;
extract a set of features for the SQL or command injection string, the set of features comprising a first subset of features corresponding to a set of defined regex patterns, and a second subset of features corresponding to a term frequency-inverse document frequency (TF-IDF) analysis;
determine whether the SQL or command injection string is malicious based at least in part on a machine learning model and the set of features for the SQL or command injection string;
in response to determining that the SQL or command injection string is malicious, update a blacklist of SQL or command injection strings that are deemed to be malicious, the blacklist of SQL or command injection strings being updated to include an identifier corresponding to the obtained SQL or command injection string;
and a memory coupled to the one or more processors and configured to provide the one or more processors with instructions.
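The claimed pipeline (regex-pattern features plus TF-IDF features, a machine learning classifier, and a blacklist keyed by an identifier of the string) as an added Python example; this is not Palo Alto Networks' code and is not taken from the patent specification. The regex set, the tokenizer, the SHA-256 identifier and the small logistic-regression model are all assumptions, and the labelled training strings are constructed for the example.

```python
import hashlib
import math
import re
from collections import Counter
# Constructed, labelled strings (1 = injection, 0 = benign) standing in for a
# real training corpus; the values are made up for this example.
TRAIN = [
    ("' OR 1=1 --", 1), ("admin' --", 1), ("1 UNION SELECT user, pass FROM t", 1),
    ("; cat /etc/passwd", 1), ("| id", 1), ("1' AND 1=1 #", 1),
    ("alice", 0), ("search term", 0), ("2022-07-12", 0), ("hello world", 0),
    ("order 12345", 0), ("user@example.com", 0),
]
# First feature subset: a defined set of regex patterns (an assumed set; the
# claim does not enumerate the patterns the product uses).
PATTERNS = [re.compile(p, re.I) for p in (
    r"\bor\b\s*\S+\s*=", r"(--|#|/\*)", r"\bunion\b.*\bselect\b",
    r"(^|[;|&])\s*(cat|id|ls|whoami)\b", r"'\s*(or|and|--|#|;)")]
def tokens(s):  # tokenizer for the TF-IDF subset: words or single symbols
    return re.findall(r"[a-z_]+|[^\sa-z_]", s.lower())
VOCAB = sorted({t for s, _ in TRAIN for t in tokens(s)})
DF = Counter(t for s, _ in TRAIN for t in set(tokens(s)))
IDF = {t: math.log((len(TRAIN) + 1) / (DF[t] + 1)) + 1 for t in VOCAB}  # smoothed
def features(s):
    """Regex-hit flags followed by the TF-IDF vector over the training vocabulary."""
    regex_part = [1.0 if p.search(s) else 0.0 for p in PATTERNS]
    tf = Counter(tokens(s)); n = max(sum(tf.values()), 1)
    return regex_part + [tf[t] / n * IDF[t] for t in VOCAB]  # unseen tokens dropped
def sigmoid(z):
    return 1 / (1 + math.exp(-max(min(z, 30.0), -30.0)))
def train(rows, epochs=300, lr=0.5):
    """Logistic regression by SGD: a stand-in for the claim's machine learning model."""
    w = [0.0] * (len(PATTERNS) + len(VOCAB)); b = 0.0
    for _ in range(epochs):
        for s, y in rows:
            x = features(s)
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            w = [wi - lr * err * xi for wi, xi in zip(w, x)]; b -= lr * err
    return w, b
MODEL = train(TRAIN)
BLACKLIST = {}  # identifier (assumed: SHA-256 of the string) -> string judged malicious
def classify(s, threshold=0.5):
    """Score one string; on a malicious verdict record its identifier in the blacklist."""
    score = sigmoid(sum(wi * xi for wi, xi in zip(MODEL[0], features(s))) + MODEL[1])
    if score >= threshold:
        BLACKLIST[hashlib.sha256(s.encode()).hexdigest()] = s
    return score >= threshold, round(score, 3)
```

Because unseen tokens fall outside the training vocabulary, a string the corpus never saw is judged mostly by the regex subset, which is why the two subsets complement each other.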