US 12,445,465 B2
Unknown exploit detection using attack traffic analysis and real-time attack event streaming
Weihan Jiang, San Jose, CA (US); Zhibin Zhang, Santa Clara, CA (US); Kenneth Hsu, Campbell, CA (US); Xuya Jiang, San Jose, CA (US); and Hui Gao, Sunnyvale, CA (US)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Jun. 9, 2023, as Appl. No. 18/208,198.
Prior Publication US 2024/0414175 A1, Dec. 12, 2024
Int. Cl. H04L 9/40 (2022.01); H04L 41/16 (2022.01)
CPC H04L 63/1416 (2013.01) [H04L 41/16 (2013.01); H04L 63/1408 (2013.01)] 19 Claims
 
1. A system, comprising:
a processor configured to:
receive a stream that includes a plurality of attack events from a security platform at a cloud security service;
generate a cluster of attack events included in a moving window from the stream;
in response to a determination that an attack event that is not included in the moving window is associated with the cluster of attack events, include the attack event in the cluster of attack events included in the moving window;
chronologically order the cluster of attack events included in the moving window using information from a different log source; and
tag the cluster with an unknown attack pattern for further automated security analysis at the cloud security service, wherein the tagged unknown attack pattern cluster does not match a preexisting signature for a known attack pattern; and
a memory coupled to the processor and configured to provide the processor with instructions.
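The claim above describes a processing pipeline: take a stream of attack events, cluster the ones inside a moving window, pull in out-of-window events that are associated with an existing cluster, order each cluster chronologically using timestamps from a separate log source, and tag a cluster as an unknown attack pattern when none of its events matches a preexisting signature. The following is an added example of that pipeline in Python; it is not code from the patent or from Palo Alto Networks. It assumes a number of things the claim leaves open: the association key is the source IP, the moving window is measured in seconds back from the newest event, the "different log source" is a mapping from event id to a timestamp, and the known-signature set, event stream and second log are all constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AttackEvent:
    event_id: str
    platform_ts: float          # timestamp as reported by the security platform
    src_ip: str                 # assumed association key for clustering
    signature: Optional[str]    # known-pattern signature that fired, if any


@dataclass
class Cluster:
    key: str
    events: List[AttackEvent] = field(default_factory=list)
    tag: str = "untagged"


# Constructed stand-in for a preexisting signature set of known attack patterns.
KNOWN_SIGNATURES = {"SIG-KNOWN-1", "SIG-KNOWN-2"}


def cluster_attack_stream(stream: List[AttackEvent],
                          window_seconds: float,
                          other_log_ts: Dict[str, float]) -> List[Cluster]:
    """Cluster a stream of attack events following the steps in the claim.

    1. Events inside the moving window (newest event minus window_seconds)
       are grouped by src_ip.
    2. Events outside the window are included only if they are associated
       with an existing cluster (same src_ip); unassociated ones are dropped.
    3. Each cluster is ordered by the timestamp from a different log source,
       falling back to the platform timestamp when that source has no entry.
    4. A cluster is tagged "known" if any event matched a known signature,
       otherwise "unknown" for further analysis.
    """
    if not stream:
        return []
    newest = max(e.platform_ts for e in stream)
    window_start = newest - window_seconds

    clusters: Dict[str, Cluster] = {}
    for e in stream:
        if e.platform_ts >= window_start:
            clusters.setdefault(e.src_ip, Cluster(key=e.src_ip)).events.append(e)

    # Out-of-window events are merged only into a cluster they are associated with.
    for e in stream:
        if e.platform_ts < window_start and e.src_ip in clusters:
            clusters[e.src_ip].events.append(e)

    for c in clusters.values():
        c.events.sort(key=lambda e: other_log_ts.get(e.event_id, e.platform_ts))
        matched = any(e.signature in KNOWN_SIGNATURES for e in c.events)
        c.tag = "known" if matched else "unknown"
    return list(clusters.values())


def run_demo() -> List[Cluster]:
    """Run the pipeline over a constructed sample stream and second log."""
    stream = [
        AttackEvent("e1", 100.0, "10.0.0.5", None),
        AttackEvent("e2", 130.0, "10.0.0.5", None),
        AttackEvent("e3", 140.0, "10.0.0.9", "SIG-KNOWN-1"),
        AttackEvent("e0", 40.0, "10.0.0.5", None),   # outside window, same source
        AttackEvent("e4", 30.0, "10.0.0.7", None),   # outside window, no cluster
    ]
    # Constructed timestamps from a different log source; note e2 precedes e1 here.
    other_log_ts = {"e1": 101.0, "e2": 95.0, "e0": 41.0, "e3": 141.0}
    return cluster_attack_stream(stream, window_seconds=60.0, other_log_ts=other_log_ts)


if __name__ == "__main__":
    for c in run_demo():
        print(c.key, c.tag, [e.event_id for e in c.events])
```

With the constructed data, the 10.0.0.5 cluster absorbs the older event e0, is reordered as e0, e2, e1 by the second log source, and is tagged unknown because none of its events fired a known signature; the 10.0.0.9 cluster is tagged known, and the lone out-of-window event from 10.0.0.7 is not clustered at all.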