Patent application number | Description | Published |
20150264061 | SYSTEM AND METHOD FOR DETECTING NETWORK INTRUSIONS USING LAYERED HOST SCORING - Approaches for detecting network intrusions, such as malware infection, Trojans, worms, or bot net mining activities includes: identifying one or more threat detections in session datasets, the session datasets corresponding to network traffic from a plurality of hosts; determining a layered detection score, the layered detection score corresponding to a certainty score and threat score; determining a layered host score, the layered host score corresponding to a certainty score and threat score; and generating alarm data comprising the layered detection score and the layered host score. In some embodiments, the network traffic may be received passively through a network switch; for example, by “tapping” the switch. Other additional objects, features, and advantages of the invention are described in the detailed description, figures and claims. | 09-17-2015 |
20150264068 | METHOD AND SYSTEM FOR DETECTING BOT BEHAVIOR - A bot detection engine to determine whether hosts in an organization's network are performing bot-related activities is disclosed. is A bot detection engine can receive network traffic between hosts in a network, and/or between hosts across several networks. The bot engine may parse the network traffic into session datasets and discard the session datasets that were not initiated by hosts in a given network. The session datasets may be analyzed and state data may be accumulated. The state data may correspond to actions performed by the hosts, such as requesting a website or clicking ads, or requesting content within the website (e.g. clicking on a image which forms a HTTP request/response transaction for the image file). | 09-17-2015 |
20150264069 | METHOD AND SYSTEM FOR DETECTING EXTERNAL CONTROL OF COMPROMISED HOSTS - A detection engine may be implemented by receiving network traffic and processing the traffic into one or more session datasets. Sessions not initiated by an internal host may be discarded. The frequency between the communication packets from the internal host to external host may be grouped or processed into rapid-exchange instances. The number of rapid-exchange instances, the time intervals between them, and/or the rhythm and directions of the initiation of the instances may be analyzed to determine that a human actor is manually controlling the external host. In some embodiments, when it is determined that only one human actor is involved, alarm data may be generated that indicates that a network intrusion involving manual remote control has occurred or is underway. | 09-17-2015 |
20150264078 | DETECTING NETWORK RECONNAISSANCE BY TRACKING INTRANET DARK-NET COMMUNICATIONS - A method and system for detecting network reconnaissance is disclosed wherein network traffic can be parsed into unidirectional flows that correspond to sessions. A learning module may categorize computing entities inside the network into assets and generate asset data to monitor the computing entities. If one or more computing entities address a flow to an address of a host that no longer exists, ghost asset data may be recorded and updated in the asset data. When a computing entity inside the network contacts an object in the dark-net, the computing entity may be recorded a potential mapper. When the computing entity tries to contact a number of objects in the dark-net, such that a computed threshold is exceeded, the computing entity is identified a malicious entity performing network reconnaissance. | 09-17-2015 |
20150264083 | MALICIOUS RELAY DETECTION ON NETWORKS - A system and method for detecting malicious relay communications is disclosed. Network communications can be received and analyzed using such network components as a network switch. The received traffic can be parsed into sessions. Relay metadata can be extracted from the sessions and further be used to categorize the sessions into one or more types of relay metadata behaviors. Once a significant amount of sessions are detected an alarm may be triggered and/or alarm data may be generated for analysis by network security administrators. | 09-17-2015 |