US 12,081,572 B2
Apparatus having engine using artificial intelligence for detecting bot anomalies in a computer network
Naveen S. Bisht, Sunnyvale, CA (US); Ravi Someshwar, Springfield, IL (US); and Kanna Rajan, Sunnyvale, CA (US)
Assigned to AKITRA, INC., Sunnyvale, CA (US)
Filed by AKITRA, INC., Sunnyvale, CA (US)
Filed on Aug. 9, 2022, as Appl. No. 17/884,180.
Application 17/884,180 is a continuation of application No. 16/367,055, filed on Mar. 27, 2019, granted, now 11,457,031.
Prior Publication US 2023/0171276 A1, Jun. 1, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); G06F 16/901 (2019.01); G06F 16/906 (2019.01); G06N 20/00 (2019.01)
CPC H04L 63/1425 (2013.01) [G06F 16/9024 (2019.01); G06F 16/906 (2019.01); G06N 20/00 (2019.01); H04L 63/1441 (2013.01); H04L 2463/144 (2013.01)] 15 Claims
OG exemplary drawing
 
1. A method of using a bot detection engine, the method comprising:
providing an apparatus, the apparatus comprising:
a message broker module coupled to a data source, the message broker module being configured to direct data in a netflow format to one or more processing engines for analysis of a bot in the data, the netflow format comprising: a source IP address; a destination IP address; an IP protocol; a source port for UDP or TCP; a destination port for UDP or TCP; and an IP type of service;
a graph based learning processor engine coupled to the message broker module, the graph based learning processor engine comprising:
a data feeder;
an extraction engine coupled to the data feeder to process the data to extract a plurality of netflow data comprising the source IP address, the destination IP address, the IP protocol, the source port for UDP or TCP, the destination port for UDP or TCP and the IP type of service;
a graph engine configured to associate the plurality of netflow data that has been extracted to one or more predetermined graph based models and identify a plurality of features in the plurality of netflow data to output a plurality of objects, each of the objects including a node list, a mac address, and a plurality of graph features; and using the node list, the mac address, and the plurality of graph features to retrain the graph based models including the plurality of objects;
a clustering engine coupled to the graph engine, the clustering engine being configured using a clustering process to self-organize the plurality of objects including the node list, the mac address, and the plurality of graph features into a plurality of clusters; and
a bot detection engine coupled to the clustering engine, the bot detection engine being configured to identify a malicious bot from the plurality of clusters; and
identifying a malicious bot from the plurality of clusters using the bot detection engine coupled to the clustering engine, and storing result information associated with the malicious bot in the data.
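The claim describes a pipeline in words only: extract the six netflow fields, build graph objects (node list, MAC address, graph features), self-organize them into clusters, then pick a malicious cluster. The following is an added illustration of that pipeline, not code from the patent or from AKITRA. The netflow records and the IP-to-MAC table are constructed sample data; plain k-means stands in for the unspecified "clustering process", and a fan-out ratio heuristic stands in for the unspecified rule by which the bot detection engine singles out a cluster. Function names are the example's own.

```python
"""Netflow -> graph objects -> clusters -> flagged hosts, mirroring the stages of claim 1.
Added example; the data, the MAC table and the heuristics are constructed for illustration."""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Constructed netflow records in the claim's field order:
# (source IP, destination IP, IP protocol, source port, destination port, IP type of service)
NETFLOW = [
    ("10.0.0.5", "10.0.0.20", "tcp", 51000, 443, 0),
    ("10.0.0.5", "10.0.0.21", "tcp", 51001, 443, 0),
    ("10.0.0.6", "10.0.0.20", "tcp", 52000, 443, 0),
    ("10.0.0.6", "10.0.0.22", "udp", 52001, 53, 0),
    ("10.0.0.7", "10.0.0.20", "tcp", 53000, 80, 0),
    # 10.0.0.9 fans out to many peers and services: the constructed "bot-like" host
    ("10.0.0.9", "10.0.0.30", "tcp", 40000, 6667, 0),
    ("10.0.0.9", "10.0.0.31", "tcp", 40001, 6667, 0),
    ("10.0.0.9", "10.0.0.32", "tcp", 40002, 22, 0),
    ("10.0.0.9", "10.0.0.33", "tcp", 40003, 445, 0),
    ("10.0.0.9", "10.0.0.34", "udp", 40004, 53, 0),
    ("10.0.0.9", "10.0.0.35", "tcp", 40005, 3389, 0),
]
# Constructed IP -> MAC table, standing in for the asset inventory the data feeder would consult
MAC_TABLE: Dict[str, str] = {ip: f"00:11:22:00:00:{ip.split('.')[-1]:0>2}"
                             for ip in ("10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.9")}


@dataclass
class GraphObject:
    """One object per node, as in the claim: node list, MAC address, graph features."""
    node: str
    node_list: List[str]      # peers this node contacted or was contacted by
    mac: str
    features: List[float]     # [distinct destinations, distinct (proto, dst port), in-degree, outbound flows]


def extract(records: Sequence[tuple]) -> List[dict]:
    """Extraction engine: pull the six netflow fields into dicts, dropping malformed rows."""
    keys = ("src_ip", "dst_ip", "proto", "src_port", "dst_port", "tos")
    return [dict(zip(keys, r)) for r in records if len(r) == 6]


def build_objects(flows: List[dict]) -> List[GraphObject]:
    """Graph engine: build a directed host graph and derive per-node graph features."""
    out_peers, in_peers = defaultdict(set), defaultdict(set)
    dst_ports, out_flows = defaultdict(set), defaultdict(int)
    for f in flows:
        out_peers[f["src_ip"]].add(f["dst_ip"])
        in_peers[f["dst_ip"]].add(f["src_ip"])
        dst_ports[f["src_ip"]].add((f["proto"], f["dst_port"]))
        out_flows[f["src_ip"]] += 1
    nodes = sorted(set(out_peers) | set(in_peers))
    return [GraphObject(n, sorted(out_peers[n] | in_peers[n]), MAC_TABLE.get(n, "unknown"),
                        [float(len(out_peers[n])), float(len(dst_ports[n])),
                         float(len(in_peers[n])), float(out_flows[n])]) for n in nodes]


def _dist(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _mean(vectors: List[List[float]]) -> List[float]:
    return [sum(v[d] for v in vectors) / len(vectors) for d in range(len(vectors[0]))]


def cluster(objs: List[GraphObject], k: int = 2, iters: int = 25) -> List[List[GraphObject]]:
    """Clustering engine: plain k-means, seeded deterministically (objects spread across the
    feature-sum ranking) so that runs are reproducible."""
    ranked = sorted(objs, key=lambda o: sum(o.features))
    step = max(1, (len(ranked) - 1) // max(1, k - 1))
    centroids = [ranked[min(i * step, len(ranked) - 1)].features[:] for i in range(k)]
    groups: List[List[GraphObject]] = [[] for _ in range(k)]
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for o in objs:
            groups[min(range(k), key=lambda i: _dist(o.features, centroids[i]))].append(o)
        new = [_mean([o.features for o in g]) if g else centroids[i] for i, g in enumerate(groups)]
        if new == centroids:
            break
        centroids = new
    return groups


def detect_bots(groups: List[List[GraphObject]], ratio: float = 3.0) -> List[str]:
    """Bot detection engine: flag the cluster whose mean fan-out (distinct destinations) exceeds
    every other cluster's by `ratio`; a single cluster or a flat population yields nothing."""
    nonempty = [g for g in groups if g]
    if len(nonempty) < 2:
        return []
    mean_out = lambda g: sum(o.features[0] for o in g) / len(g)
    top, *rest = sorted(nonempty, key=mean_out, reverse=True)
    baseline = max(mean_out(g) for g in rest)
    if mean_out(top) < ratio * max(baseline, 1.0):
        return []
    return sorted(o.node for o in top)


def run_pipeline(records: Sequence[tuple]) -> List[dict]:
    """Whole pipeline; returns one result record per flagged host (the stored result information)."""
    objs = build_objects(extract(records))
    flagged = set(detect_bots(cluster(objs)))
    return [{"ip": o.node, "mac": o.mac, "peers": o.node_list, "features": o.features}
            for o in objs if o.node in flagged]


if __name__ == "__main__":
    for result in run_pipeline(NETFLOW):
        print(result)
```

On the constructed data the fan-out host ends up alone in its own cluster and is the only record returned; the `ratio` guard keeps a population with no outlier from producing a false positive when k-means has to split it anyway. Retraining the graph models with the emitted objects, as the claim recites, would amount to feeding the returned records back as labelled training data and is not shown here.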