US 12,069,085 B2
Automatic generation of trojan signatures for intrusion detection
Srivathsan Srinivasagopalan, Bee Cave, TX (US); and Ganesh Subramaniam, Bridgewater, NJ (US)
Assigned to AT&T Intellectual Property I, L.P., Atlanta, GA (US)
Filed by AT&T Intellectual Property I, L.P., Atlanta, GA (US)
Filed on Jun. 1, 2022, as Appl. No. 17/805,025.
Prior Publication US 2023/0396645 A1, Dec. 7, 2023
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/145 (2013.01) [H04L 63/1416 (2013.01)]
20 Claims
 
1. A method comprising:
acquiring, by a processing system including at least one processor, a plurality of hypertext transfer protocol session packets associated with a plurality of known trojans, wherein all trojans in the plurality of known trojans are identified by a common signature identifier;
extracting, by the processing system, a plurality of request packets from the plurality of hypertext transfer protocol session packets;
identifying, by the processing system, a plurality of suspicious request packets within the plurality of request packets that is extracted from the hypertext transfer protocol session packets;
grouping, by the processing system, the plurality of suspicious request packets into a plurality of subsets;
computing, by the processing system, a centroid of one subset of the plurality of subsets;
identifying, by the processing system, a representative packet for the one subset, wherein the representative packet is identified based on the centroid; and
generating, by the processing system, a signature for the one subset, based on the representative packet, wherein the signature is deployable by an intrusion detection system to detect an instance of a trojan of the plurality of known trojans.
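The steps of claim 1, carried through on constructed data as an added example; this is not code from the patent or from the assignee. The claim does not specify how packets are judged suspicious, how they are grouped, which features define the centroid, or the signature format, so the missing-`Accept` heuristic, the (method, path) grouping key, the five-element feature vector, the Euclidean nearest-to-centroid choice, the dict-shaped signature and every function name here are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample HTTP requests (not from the patent); hosts are placeholders.
H = "HTTP/1.1\r\nHost: c2.example\r\nUser-Agent: "
SAMPLE = [
    "POST /gate.php " + H + "Mozilla/4.0\r\n\r\nid=1",
    "POST /gate.php " + H + "Mozilla/4.0\r\n\r\nid=22&os=win",
    "POST /gate.php " + H + "Mozilla/5.0\r\nX-Id: 9\r\n\r\nid=333&os=win&v=2.1.0-long",
    "GET /update.bin?v=1 " + H + "Mozilla/4.0\r\n\r\n",
    "GET /update.bin?v=10&k=abc " + H + "Mozilla/4.0\r\n\r\n",
    "GET /index.html " + H + "Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
]

def parse(raw):
    """Extract the request fields from raw HTTP request text."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _ = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return {"method": method, "uri": uri, "headers": headers, "body": body}

def is_suspicious(req):
    # Assumed heuristic: flag requests that lack an Accept header.
    return "Accept" not in req["headers"]

def features(req):
    # Assumed features: path length, query length, header count, body length, is-POST.
    path, _, query = req["uri"].partition("?")
    return [len(path), len(query), len(req["headers"]), len(req["body"]),
            float(req["method"] == "POST")]

def group(reqs):
    # Assumed grouping key: HTTP method plus URI path without the query string.
    subsets = defaultdict(list)
    for r in reqs:
        subsets[(r["method"], r["uri"].partition("?")[0])].append(r)
    return subsets

def representative(subset):
    """Return the packet whose feature vector is nearest the subset's centroid."""
    vectors = [features(r) for r in subset]
    centroid = [sum(col) / len(vectors) for col in zip(*vectors)]
    return min(subset, key=lambda r: math.dist(features(r), centroid))

def generate(raws, first_sid=1000001):
    """Run the whole pipeline: one signature (assumed dict format) per subset."""
    suspicious = [r for r in map(parse, raws) if is_suspicious(r)]
    return [{"sid": first_sid + i, "method": rep["method"],
             "uri_path": rep["uri"].partition("?")[0],
             "user_agent": rep["headers"].get("User-Agent", "")}
            for i, rep in enumerate(map(representative, group(suspicious).values()))]
```

Calling `generate(SAMPLE)` yields two signatures; the `/gate.php` signature is built from the middle-sized POST because it lies closest to that subset's centroid.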