System and methods for computer network security involving user confirmation of network connections
Abstract
Systems and methods for detecting anomalies in network traffic and providing notification to the users of the computers that generated the network traffic for confirmation of the activities that resulted in the network traffic are described herein. According to particular embodiments, the system is configured to collect data regarding network activity (e.g., via sensors), generate inquiries to users regarding that activity, receive the user's response to those inquiries, and provide the user's response along with the network activity to a security analyst.
27 Claims

1. A computer system for monitoring a data communication network comprising:
at least one processor configured for:
receiving security event data from a sensor, the sensor operatively coupled to the data communication network and operative for determining the existence of a client/server connection on the data communication network;
transmitting a notification to a particular user of a machine on the data communication network associated with the client of the client/server connection, the notification comprising the indication of the nature of a security event represented in the security event data and a query as to the nature of the particular user's network activity relating to a server of the client/server connection, wherein the security event comprises a determination that the server involved in the client/server connection possesses a security indication characteristic, and wherein the security indication characteristic includes data indicating:
(a) that the server presents a known security risk to the network, (b) that the server has not been seen in previous communications on the network, (c) that characteristics of the communication between the client and the server exhibits characteristics indicative of possible security risk;
receiving the particular user's response to the query;
based upon the particular user's response to the query, generating a security alert based on the response to the query and the security event data;
communicating the security alert to a security analyst computer system associated with the data communication network; and
employing user responses in connection with pre-stored data obtained by logging of information derived from one or more prior communications with a particular server, to enable the security analyst computer system to analyze historical traffic data with the particular server and use that historical traffic data to assess a security risk for the particular server.
Dependent claims: 2 to 17.
18. A method for monitoring a data communication network, comprising:
receiving security event data from a sensor, the sensor operatively coupled to the data communication network and operative for determining the existence of a client/server connection on the data communication network;
transmitting a notification to a particular user of a machine on the data communication network associated with the client of the client/server connection, the notification comprising the indication of the nature of a security event represented in the security event data and a query as to the nature of the particular user's network activity relating to a server of the client/server connection, wherein the security event comprises a determination that the server involved in the client/server connection possesses a security indication characteristic, and wherein the security indication characteristic includes data indicating:
(a) that the server presents a known security risk to the network, (b) that the server has not been seen in previous communications on the network, (c) that characteristics of the communication between the client and the server exhibits characteristics indicative of possible security risk;
receiving the particular user's response to the query;
based upon the particular user's response to the query, generating a security alert based on the response to the query and the security event data;
communicating the security alert to a security analyst computer system associated with the data communication network; and
employing user responses in connection with pre-stored data obtained by logging of information derived from one or more prior communications with a particular server, to enable the security analyst computer system to analyze historical traffic data with the particular server and use that historical traffic data to assess a security risk for the particular server.
Dependent claims: 19 to 22.
23. A non-transitory computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to perform operations including:
receiving security event data from a sensor, the sensor operatively coupled to a data communication network and operative for determining the existence of a client/server connection on the data communication network;
transmitting a notification to a particular user of a machine on the data communication network associated with the client of the client/server connection, the notification comprising the indication of the nature of a security event represented in the security event data and a query as to the nature of the particular user's network activity relating to a server of the client/server connection, wherein the security event comprises a determination that the server involved in the client/server connection possesses a security indication characteristic, and wherein the security indication characteristic includes data indicating:
(a) that the server presents a known security risk to the network, (b) that the server has not been seen in previous communications on the network, (c) that characteristics of the communication between the client and the server exhibits characteristics indicative of possible security risk;
receiving the particular user's response to the query;
based upon the particular user's response to the query, generating a security alert based on the response to the query and the security event data;
communicating the security alert to a security analyst computer system associated with the data communication network; and
employing user responses in connection with pre-stored data obtained by logging of information derived from one or more prior communications with a particular server, to enable the security analyst computer system to analyze historical traffic data with the particular server and use that historical traffic data to assess a security risk for the particular server.
Dependent claims: 24 to 27.
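The pipeline that the three independent claims describe (sensor event, classification against the indication characteristics (a) to (c), user notification and query, alert built from the user's response plus the event data, and historical traffic logged for the analyst) can be simulated end to end. The Python below is an added example written for this page; it is not code from the patent or from any product covered by it. The known-risk server list, the seeded history, the port and volume thresholds used for characteristic (c), the sensor events and the users' scripted answers are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample data (assumptions, not from the patent): servers flagged
# as a known risk, and the outbound byte counts of previously logged sessions.
KNOWN_RISK_SERVERS = {"203.0.113.7"}
SEED_HISTORY: Dict[str, List[int]] = {"198.51.100.20": [1200, 1500, 900]}


@dataclass
class SecurityEvent:
    """One client/server connection as reported by the sensor."""
    client: str
    user: str
    server: str
    dst_port: int
    bytes_out: int
    indications: List[str] = field(default_factory=list)


def classify(event: SecurityEvent, history: Dict[str, List[int]]) -> SecurityEvent:
    """Attach the security indication characteristics (a), (b), (c) named in claim 1."""
    if event.server in KNOWN_RISK_SERVERS:
        event.indications.append("a: server is a known security risk")
    if event.server not in history:
        event.indications.append("b: server not seen in previous communications")
    # (c) traits of the communication itself; the port/volume thresholds are assumptions.
    if event.dst_port not in (80, 443) or event.bytes_out > 50_000_000:
        event.indications.append("c: unusual port or large outbound volume")
    return event


def build_query(event: SecurityEvent) -> str:
    """The notification sent to the user: what was seen, plus a question about it."""
    reasons = "; ".join(event.indications)
    return (f"Your machine {event.client} connected to {event.server}:{event.dst_port} "
            f"({reasons}). Did you initiate this activity? [yes/no]")


def process_event(event: SecurityEvent, history: Dict[str, List[int]],
                  ask_user: Callable[[SecurityEvent, str], str]) -> Optional[dict]:
    """Classify, query the user when something was flagged, and return the analyst alert."""
    classify(event, history)
    prior = history.get(event.server, [])
    alert = None
    if event.indications:
        response = ask_user(event, build_query(event))
        # Severity combines the user's answer with the event data itself.
        known_risk = any(i.startswith("a:") for i in event.indications)
        alert = {
            "user": event.user,
            "client": event.client,
            "server": event.server,
            "indications": list(event.indications),
            "user_response": response,
            # Historical traffic with this server, for the analyst's risk assessment.
            "history": {"prior_sessions": len(prior),
                        "avg_bytes_out": sum(prior) // len(prior) if prior else 0},
            "severity": "high" if response == "no" or known_risk else "review",
        }
    # Log this session so the server counts as "seen" next time.
    history.setdefault(event.server, []).append(event.bytes_out)
    return alert


def run_simulation() -> List[dict]:
    """Feed constructed sensor events through the pipeline; returns the analyst queue."""
    history = {k: list(v) for k, v in SEED_HISTORY.items()}
    scripted = {"203.0.113.7": "yes", "192.0.2.9": "no"}  # constructed user answers

    def ask(ev: SecurityEvent, _query: str) -> str:
        return scripted.get(ev.server, "yes")

    events = [
        SecurityEvent("10.0.0.5", "alice", "198.51.100.20", 443, 2000),  # routine
        SecurityEvent("10.0.0.5", "alice", "203.0.113.7", 443, 1000),    # known risk
        SecurityEvent("10.0.0.9", "bob", "192.0.2.9", 8443, 100),        # new + odd port
        SecurityEvent("10.0.0.9", "bob", "192.0.2.9", 443, 500),         # now seen before
    ]
    return [a for a in (process_event(e, history, ask) for e in events) if a]


if __name__ == "__main__":
    for alert in run_simulation():
        print(alert)
```

Two points the simulation makes visible: a server stops triggering characteristic (b) as soon as one session with it has been logged, so the history store is what turns a one-off "never seen" signal into a baseline, and a user saying "yes" does not clear a known-risk server, since the alert still reaches the analyst with the user's answer attached rather than being suppressed by it.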
Specification