US 12,452,278 B1
Systems and methods for selective decryption of encrypted data packets
Steinthor Bjarnason, Fjerdingby (NO); and Brian St. Pierre, Acworth, NH (US)
Assigned to NetScout Systems, Inc., Westford, MA (US)
Filed by NetScout Systems, Inc., Westford, MA (US)
Filed on Apr. 3, 2024, as Appl. No. 18/626,304.
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1458 (2013.01)] 20 Claims
 
1. A system comprising:
a network monitoring device connected to a communications network, the network monitoring device configured to monitor network traffic transmitted to and from a server across the communications network, the network monitoring device comprising one or more processors coupled with memory, the memory storing executable instructions that, when executed by the one or more processors, cause the one or more processors to:
monitor a first plurality of encrypted data packet exchanges between the server and a plurality of network devices;
determine, based at least on the first plurality of encrypted data packet exchanges, one or more metric baselines corresponding to a plurality of metric types for communication between the server and the plurality of network devices;
monitor, subsequent to the determination of the one or more metric baselines, a second plurality of encrypted data packet exchanges between the server and a second plurality of network devices;
identify a set of encrypted data packet exchanges from the second plurality of encrypted data packet exchanges each having a duration exceeding a first threshold;
determine an exchange metric for each of the plurality of metric types for each of the set of encrypted data packet exchanges;
identify one or more encrypted data packet exchanges of the set of encrypted data packet exchanges having at least one exchange metric exceeding a metric baseline of the one or more metric baselines of the same metric type; and
apply a tag to one or more network devices of the second plurality of network devices associated with the identified one or more encrypted data packet exchanges identifying the one or more network devices as malicious.
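The claim above describes a detection procedure that never decrypts payloads: it learns per-metric baselines from a first batch of encrypted exchanges, then inspects later exchanges that last longer than a duration threshold and tags the client devices whose exchange metrics exceed the learned baselines. The following is an added example in Python, written to illustrate that procedure; it is not code from the patent or from NetScout. The metric types (bytes to and from the server, packet count), the baseline rule (mean plus three population standard deviations per metric type), the five-second duration threshold and all exchange records are constructed assumptions chosen for illustration.

```python
"""Decryption-free anomaly tagging over encrypted-exchange metadata (added example)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List

# Metric types observable without decrypting the session (assumed for this example).
METRIC_TYPES = ("bytes_to_server", "bytes_from_server", "packets")


@dataclass(frozen=True)
class Exchange:
    """Metadata of one encrypted exchange between a client device and the server."""
    device: str            # client identifier, e.g. its IP address
    duration_s: float      # seconds between first and last packet of the exchange
    bytes_to_server: int
    bytes_from_server: int
    packets: int

    def metric(self, name: str) -> float:
        return float(getattr(self, name))


def baselines(exchanges: List[Exchange], k: float = 3.0) -> Dict[str, float]:
    """Step 2: one baseline per metric type from the first plurality of exchanges.

    Baseline rule (an assumption): mean + k * population standard deviation.
    """
    out: Dict[str, float] = {}
    for m in METRIC_TYPES:
        values = [e.metric(m) for e in exchanges]
        out[m] = mean(values) + k * pstdev(values)
    return out


def long_exchanges(exchanges: List[Exchange], min_duration_s: float) -> List[Exchange]:
    """Step 4: keep only exchanges whose duration exceeds the first threshold."""
    return [e for e in exchanges if e.duration_s > min_duration_s]


def exceeding_metrics(e: Exchange, base: Dict[str, float]) -> Dict[str, float]:
    """Steps 5-6: exchange metrics that exceed the baseline of the same metric type."""
    return {m: e.metric(m) for m in METRIC_TYPES if e.metric(m) > base[m]}


def tag_malicious(baseline_exchanges: List[Exchange], observed: List[Exchange],
                  min_duration_s: float, k: float = 3.0) -> Dict[str, Dict[str, float]]:
    """Step 7: map each tagged device to the metrics that triggered the tag."""
    base = baselines(baseline_exchanges, k)
    tagged: Dict[str, Dict[str, float]] = {}
    for e in long_exchanges(observed, min_duration_s):
        over = exceeding_metrics(e, base)
        if over:
            tagged.setdefault(e.device, {}).update(over)
    return tagged


# Constructed sample data: 20 unremarkable baseline exchanges ...
BASELINE = [
    Exchange(f"10.0.0.{i}", 1.0 + (i % 3) * 0.5,
             1000 + (i % 5) * 50, 20000 + (i % 4) * 1000, 40 + (i % 4))
    for i in range(20)
]

# ... and four later exchanges: one long upload-heavy session, one short burst
# (excluded by the duration threshold), one normal session, one long download-heavy one.
OBSERVED = [
    Exchange("10.0.0.50", 120.0, 250_000, 21_000, 42),
    Exchange("10.0.0.51", 0.8, 900_000, 21_000, 41),
    Exchange("10.0.0.52", 30.0, 1_100, 22_000, 42),
    Exchange("10.0.0.53", 600.0, 1_200, 500_000, 900),
]

if __name__ == "__main__":
    for device, metrics in tag_malicious(BASELINE, OBSERVED, min_duration_s=5.0).items():
        print(f"{device}: tagged malicious, exceeded {metrics}")
```

The duration threshold does the "selective" part of the claim: short exchanges are never compared against the baselines, so one-off bursts such as the 0.8 s session above are not tagged even though their byte counts are far outside the norm. In a deployment the baseline rule would normally be replaced by something more robust than a global mean plus standard deviation (per-device or per-time-window percentiles, for example), but the shape of the procedure stays the same.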