Remediating computer security threats using distributed sensor computers

US 10,084,815 B2
Filed: 06/13/2017
Issued: 09/25/2018
Est. Priority Date: 11/07/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented data processing method, comprising:

detecting, by a processor, network messages that are emitted by a compromised computer,wherein the compromised computer comprises at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers;

queuing copies of the network messages in a queue;

forwarding the network messages to original destinations;

determining whether the number of network messages exceeds a specified threshold associated with an attack vector;

filtering, by the processor, the copies that do not include one of a set of port values associated with known computer attacks;

analyzing, by the processor, timing of the copies with respect to a predetermined schedule including active hours and inactive hours,the analyzing comprising including an indication of a security threat when a first number of the network messages emitted during the active hours in the predetermined schedule is below a first threshold and a second number of the network messages emitted curing the inactive hours in the predetermined schedule is above a second threshold;

detecting one or more security threats caused by the comprised computer based on the determining, filtering, and the analyzing;

sending a result of the detecting to a security control computer over a communication network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method, comprising: detecting network messages that are emitted by a compromised computer, wherein the compromised computer comprises at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers; queuing copies of the network messages in a queue; forwarding the network messages to original destinations; determining whether the number of network messages exceeds a specified threshold associated with an attack vector; filtering by the processor, the copies that do not include one of a set of port values associated with known computer attacks; analyzing, by the processor, timing of the copies with respect to a predetermined schedule including active hours and inactive hours, detecting one or more security threats caused by the comprised computer based on the determining, filtering, and the analyzing, sending a result of the detecting to a security control computer over a communication network.

26 Citations

19 Claims

1. A computer-implemented data processing method, comprising:
- detecting, by a processor, network messages that are emitted by a compromised computer,wherein the compromised computer comprises at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers;
  
  queuing copies of the network messages in a queue;
  
  forwarding the network messages to original destinations;
  
  determining whether the number of network messages exceeds a specified threshold associated with an attack vector;
  
  filtering, by the processor, the copies that do not include one of a set of port values associated with known computer attacks;
  
  analyzing, by the processor, timing of the copies with respect to a predetermined schedule including active hours and inactive hours,the analyzing comprising including an indication of a security threat when a first number of the network messages emitted during the active hours in the predetermined schedule is below a first threshold and a second number of the network messages emitted curing the inactive hours in the predetermined schedule is above a second threshold;
  
  detecting one or more security threats caused by the comprised computer based on the determining, filtering, and the analyzing;
  
  sending a result of the detecting to a security control computer over a communication network.

2. A computer-implemented data processing method, comprising:
- obtaining, by a processor, from a sensor computer detection data relating to network messages that a compromised computer emits, as the compromised computer emits the network messages,wherein the sensor computer that is coupled to and co-located with the compromised computer,wherein the compromised computer comprises at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers;
  
  building a first queue of identifiers from the detection data;
  
  determining whether a web server associated with one of the identifiers in the first queue hosts data describing a policy of handling automatic retrieval of web data;
  
  when the web server hosts data describing a policy of handling automatic retrieval of web data, adding a corresponding identifier of one of the network messages into a second queue;
  
  when the web server does not host data describing a policy of handling automatic retrieval of web data, requesting the one network message from the web server;
  
  identifying, by the processor, one or more security threats that are indicated by the network messages;
  
  determining a specified remediation measure to remediate at least one of the one or more security threats;
  
  providing the specified remediation measure to one or more of the compromised computer, the sensor computer, and the one enterprise computer or network.
- View Dependent Claims (3, 4, 5, 6)
- - 3. The computer-implemented data processing method of claim 2, the detection data indicating at least one web link, and further comprising determining whether traversing one of the at least one web link leads to an endless loop of redirection or retrieval operations.
  - 4. The computer-implemented data processing method of claim 3, further comprising excluding one of the at least one web link the traversal of which leads to an endless loop from future traversal.
  - 5. The computer-implemented data processing method of claim 2,wherein the compromised computer is coupled to a firewall that is configured to control ingress of packets to the compromised computer, andwherein the specified remediation measure is provided to one or more of the compromised computer, the sensor computer, the firewall, and the one enterprise computer or network.
  - 6. The computer-implemented data processing method of claim 5, further comprising requesting a network message identified by one of the identifiers in the second queue in accordance with the data describing a policy of handling automatic retrieval of web data hosted by the web server associated with the identified network message.

7. A data processing method performed by a security control computer, comprising:
- the security control computer being coupled to a sensor computer,the sensor computer being coupled to, co-located with, and on a same LAN segment as a compromised computer,the compromised computer comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers,the compromised computer being coupled to a firewall that is configured to control ingress of packets to the compromised computer and the sensor computer from a network,the one or more enterprise networks or enterprise computers being coupled to the network through an enterprise firewall,the compromised computer being logically between one or more attacker computers and the one or more enterprise networks or enterprise computers,causing selecting of one or more of network messages emitted from the compromised computer and directed toward the one enterprise computer,the selection comprising filtering the one or more network messages emitted from the compromised computer based upon one or more ports of interest;
  
  causing queuing of the selected one or more network messages in queues at the sensor computer;
  
  obtaining, from the sensor computer, detection data relating to the network messages that the compromised computer emits, as the compromised computer emits the network messages;
  
  using the detection data, identifying one or more security threats that are indicated by the network messages;
  
  determining a specified remediation measure to remediate the one or more the security threats;
  
  providing the specified remediation measure to one or more of the compromised computer, the sensor computer, the firewall, and an enterprise computer;
  
  causing inspecting and modifying of the queued one or more of network messages to remove one or more security threats before forwarding the queued one or more of network messages to the enterprise computer.
- View Dependent Claims (8, 9, 10, 11, 13, 14)
- - 8. The data processing method of claim 7, further comprisingproviding the specified remediation measure only to the sensor computer,the sensor computer being configured, in response to receiving the specified remediation measure, to reconfigure the firewall to which the compromised computer is coupled using firewall instructions that are based upon the specified remediation measure.
  - 9. The data processing method of claim 7, further comprisingproviding the specified remediation measure only to the sensor computer,the sensor computer being configured, in response to receiving the specified remediation measure, to reconfigure one or more of:
    - the firewall to which the compromised computer is coupled using firewall instructions;
      
      or the compromised computer,the reconfiguration causing the firewall or compromised computer to drop packets, disrupt establishment of a TCP connection or UDP connection that is partway through handshake negotiation, or disrupt or tear down an existing connection session in one or more of TCP/IP or an application layer protocol.
  - 10. The data processing method of claim 7, the providing comprising one or more of:
    - causing dropping packets associated with the compromised computer;
      
      causing disrupting establishment of a TCP connection or UDP connection that is partway through handshake negotiation using the compromised computer;
      
      causing disrupting an existing connection session in one or more of TCP/IP or an application layer protocol.
  - 11. The data processing method of claim 7, further comprising:
    - receiving, from one or more advertising exchange networks, advertising presentation data indicating presentations of advertisements to particular browsers that have browsed to particular websites;
      
      determining, based upon the detection data, whether the particular websites are associated with network attacks and/or malware;
      
      in response to the determining, storing transit data specifying computers that have visited the particular websites and using the transit data to determine a plurality of particular web pages to inspect for threats.
  - 13. The data processing method of claim 7, further comprising:
    - selecting, from a queue identifying a plurality of web pages, a particular web page to retrieve from one of a plurality of internet sources;
      
      causing retrieving a copy of the particular web page from a particular internet source;
      
      determining a hierarchical structure of the particular web page;
      
      based upon a hierarchical structure of the particular web page and without consideration of content of the particular web page, identifying one or more features, of links in the particular web page or files referenced in the particular web page, that indicate one or more security threats;
      
      determining a reputation score for the particular web page;
      
      determining a specified remediation measure, based upon the reputation score, to remediate a security threat that is identified in the particular web page;
      
      providing the specified remediation measure to one or more of the compromised computer, the sensor computer, the firewall, and the enterprise computer.
  - 14. The data processing method of claim 13, further comprising:
    - reviewing each link in the particular web page;
      
      computing a link score for each redirection path associated with that link;
      
      determining the reputation score at least in part based upon the link score.

12. A data processing method performed by a security control computer, comprising:
- the security control computer being coupled to a sensor computer,a sensor computer being coupled to, co-located with, and on a same LAN segment as a compromised computer,the compromised computer comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers,the compromised computer being coupled to a firewall that is configured to control ingress of packets to the compromised computer and the sensor computer from a network,the one or more enterprise networks or enterprise computers being coupled to the network through an enterprise firewall,the compromised computer being logically between one or more attacker computers and the one or more enterprise networks or enterprise computers,causing selecting of one or more of network messages emitted from the compromised computer and directed toward the one enterprise computer,the selection comprising selecting all network messages when a total message output or packet output of the compromised computer exceeds one or more specified thresholds;
  
  causing queuing of the selected one or more network messages in queues at the sensor computer;
  
  obtaining, from the sensor computer, detection data relating to the network messages that the compromised computer emits, as the compromised computer emits the network messages;
  
  using the detection data, identifying one or more security threats that are indicated by the network messages;
  
  determining a specified remediation measure to remediate the one or more the security threats;
  
  providing the specified remediation measure to the compromised computer, the sensor computer, the firewall, and an enterprise computer;
  
  causing inspecting and modification of the queued one or more of network messages to remove the one or more security threats before forwarding the queued one or more network messages to the enterprise computer.

15. A data processing method performed by a security control computer, comprising:
- the security control computer being coupled to a sensor computer,the sensor computer coupled to, co-located with, and on a same LAN segment as a compromised computer,the compromised computer comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers,the compromised computer being logically between one or more attacker computers and the one or more enterprise networks or enterprise computers,the compromised computer being coupled to a firewall that is configured to control ingress of packets to the compromised computer and the sensor computer from a network,the one or more enterprise networks or enterprise computers being coupled to the network through an enterprise firewall,causing selection of one or more of network messages emitted from the compromised computers and directed toward the one enterprise computer,the selection comprising filtering the one or more network messages emitted from the compromised computers based upon one or more ports of interest;
  
  causing queuing of the selected one or more network messages in queues at the sensor computer;
  
  obtaining, from the sensor computer, detection data relating to the selected one or more network messages that the compromised computers emit, as the compromised computers emit the network messages;
  
  using the detection data, identifying one or more security threats that are indicated by the network messages;
  
  determining a specified remediation measure to remediate the one or more security threats,the specified remediation measure comprising one or more of;
  
  causing dropping packets associated with the compromised computer;
  
  causing disrupting establishment of a TCP connection or UDP connection that is partway through handshake negotiation using the compromised computer;
  
  causing disrupting an existing connection session in one or more of TCP/IP or an application layer protocol;
  
  configuring one or more of the compromised computer, the sensor computer, the firewall, and an enterprise computer to perform the specified remediation measure;
  
  causing inspecting and modifying of the queued one or more of network messages to remove one or more security threats before forwarding the queued one or more of network messages to the enterprise computer.
- View Dependent Claims (16, 17)
- - 16. The data processing method of claim 15, further comprising:
    - selecting, from a queue identifying a plurality of web pages, a particular web page to retrieve from one of a plurality of internet sources;
      
      causing retrieving a copy of the particular web page from a particular internet source;
      
      determining a hierarchical structure of the particular web page;
      
      based upon a hierarchical structure of the particular web page and without consideration of content of the particular web page, identifying one or more features, of links in the particular web page or files referenced in the particular web page, that indicate one or more security threats;
      
      determining a reputation score for the particular web page;
      
      determining a specified remediation measure, based upon the reputation score, to remediate a security threat that is identified in the particular web page;
      
      providing the specified remediation measure to one or more of the compromised computer, the sensor computer, the firewall, and the enterprise computer.
  - 17. The data processing method of claim 16, further comprising selecting based upon one or more of advertising exchange network bid data and feedback from analysis of previous web pages.

18. A data processing method performed by a sensor computer, comprising:
- the sensor computer being coupled to, co-located with, and on a same LAN segment as a compromised computer,the compromised computer comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers,the compromised computer being coupled to a firewall that is configured to control ingress of packets to the compromised computer and the sensor computer from a network,the one or more enterprise networks or enterprise computers being coupled to the network through an enterprise firewall,the compromised computer being logically between one or more attacker computers and the one or more enterprise networks or enterprise computers,selecting one or more of network messages emitted from the compromised computer and directed toward the one enterprise computer,the selecting comprising filtering the one or more network messages emitted from the compromised computer based upon one or more ports of interest;
  
  queuing the selected one or more network messages in queues at the sensor computer;
  
  sending to a security control computer that is coupled to the sensor computer via a network, detection data relating to network messages that the compromised computer emits, as the compromised computer emits the network messages;
  
  receiving a specified remediation measure from the security control computer which remediation measure has been determined using the detection data to identify one or more security threats that are indicated by the network messages;
  
  causing inspection and modification of the queued one or more network messages to remove the one or more security threats before forwarding the queued one or more network messages to the one enterprise computer.

19. A data processing method performed by a sensor computer, comprising:
- the sensor computer being coupled to, co-located with, and on a same LAN segment as a compromised computerthe compromised computer comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers,the compromised computer being coupled to a firewall that is configured to control ingress of packets to the compromised computer and the sensor computer from a network,the one or more enterprise networks or enterprise computers being coupled to the network through an enterprise firewall,the compromised computer being logically between one or more attacker computers and the one or more enterprise networks or enterprise computers,selecting one or more of network messages emitted from the compromised computer and directed toward the one enterprise computer,the selection comprising selecting all network messages when a total message output or packet output of the compromised computer exceeds one or more specified thresholds;
  
  queuing the selected one or more network messages in queues at the sensor computer;
  
  sending to a security control computer that is coupled to the sensor computer via a network, detection data relating to network messages that the compromised computer emits, as the compromised computer emits the network messages;
  
  receiving a specified remediation measure from the security control computer which remediation measure has been determined using the detection data to identify one or more security threats that are indicated by the network messages;
  
  causing inspecting and modifying of the queued one or more network messages to remove the one or more security threats before forwarding the queued one or more of network messages to the one enterprise computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CloudFlare Incorporated
Original Assignee
Area 1 Security, Inc.
Inventors
Falkowitz, Oren, Syme, Philip, Darche, Blake
Primary Examiner(s)
Waliullah, Mohammed

Application Number

US15/621,975
Publication Number

US 20170279816A1
Time in Patent Office

469 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Remediating computer security threats using distributed sensor computers

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Remediating computer security threats using distributed sensor computers

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links