Automated discovery, attribution, analysis, and risk assessment of security threats

Abstract

A method for profiling network traffic of a network. The method includes obtaining a signature library comprising a plurality of signatures each representing first data characteristics associated with a corresponding application executing in the network, generating, based on a first pre-determined criterion, a group behavioral model associated with the signature library, wherein the group behavioral model represents a common behavior of a plurality of historical flows identified from the network traffic, wherein each of the plurality of signatures correlates to a subset of the plurality of historical flows, selecting a flow in the network traffic for including in a target flow set, wherein the flow matches the group behavioral model without being correlated to any corresponding application of the plurality of signatures, analyzing the target flow set to generate a new signature, and adding the new signature to the signature library.

Bibliographic details

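  • Publication number: US9094288B1
  • Patent type:
  • Publication date: 2015-07-28
  • Original format: PDF
  • Applicant/patentee: ANTONIO NUCCI; SABYASACHI SAHA
  • Application number: US201113282010
  • Inventors: ANTONIO NUCCI; SABYASACHI SAHA
  • Filing date: 2011-10-26
  • Classification: H04L29/06; H04L12/26; H04L12/24
  • Country: US
  • Date added to database: 2022-08-21 15:18:39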
