Detecting attacks using passive network monitoring

US 10,243,978 B2
Filed: 09/01/2017
Issued: 03/26/2019
Est. Priority Date: 11/18/2016
Status: Active Grant

First Claim

Patent Images

1. A method for detecting one or more attacks on one or more networks, wherein one or more processors of one or more network monitoring computers (NMCs) execute instructions to perform actions, comprising:

instantiating one or more network monitoring engines to passively monitor one or more network flows; and

responsive to the one or more network monitoring engines detecting one or more file write operations based on information included in one or more packets of the one or more network flows, performing further actions, including;

instantiating an attack detection engine to perform actions, including;

executing one or more detection rules to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations;

providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write operations;

in response to the one or more metrics indicating occurrence of the one or more attacks in the network, selectively extracting one or more portions of file data from read packets associated with one or more file read operations; and

employing the one or more extracted portions of file data to provide one or more files to one or more client computers.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to detecting one or more attacks in a network. One or more network flows may be monitored using one or more network monitoring computers (NMCs). If one or more file write operations are detected based on information included in one or more packets of the one or more network flows, one or more detection rules may be executed to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations. One or more metrics may be provided based on the one or more detection rules and one or more of the file information, the one or more file write operations, or the like. If one or more metrics exceed one or more threshold values, one or more reports of one or more attacks may be provided.

34 Citations

20 Claims

1. A method for detecting one or more attacks on one or more networks, wherein one or more processors of one or more network monitoring computers (NMCs) execute instructions to perform actions, comprising:
- instantiating one or more network monitoring engines to passively monitor one or more network flows; and
  
  responsive to the one or more network monitoring engines detecting one or more file write operations based on information included in one or more packets of the one or more network flows, performing further actions, including;
  
  instantiating an attack detection engine to perform actions, including;
  
  executing one or more detection rules to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations;
  
  providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write operations;
  
  in response to the one or more metrics indicating occurrence of the one or more attacks in the network, selectively extracting one or more portions of file data from read packets associated with one or more file read operations; and
  
  employing the one or more extracted portions of file data to provide one or more files to one or more client computers.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the attack detection engine performs further actions, including providing one or more reports of the one or more attacks based on one or more exceeded threshold values for one or more of the one or more metrics.
  - 3. The method of claim 1, wherein the attack detection engine performs further actions, including remediating the one or more attacks by providing recovery of previously stored original copies of the file data.
  - 4. The method of claim 1, wherein the attack detection engine performs further actions, including improving performance of the one or more NMCs by employing the one or more detection rules to monitor less than all types of file operations.
  - 5. The method of claim 1, wherein the attack detection engine performs further actions, including updating the one or more detection rules based on feedback from one or more users of one or more client computers.
  - 6. The method of claim 1, wherein the attack detection engine performs further actions, including providing one or more periods of time within which the one or more attacks began.
  - 7. The method of claim 1, wherein the selective extraction of the one or more portions of file data is based on one or more directions of read packets associated with one or more file read operations.

8. A system for detecting one or more attacks in one or more networks, comprising:
- a plurality of network monitoring computers (NMCs), wherein one or more processors of the plurality of NMCs execute instructions to perform actions, comprising;
  
  instantiating one or more network monitoring engines to passively monitor one or more network flows; and
  
  responsive to the one or more network monitoring engines detecting one or more file write operations based on information included in one or more packets of the one or more network flows, performing further actions, including;
  
  instantiating an attack detection engine to perform actions, including;
  
  executing one or more detection rules to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations;
  
  providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write operations;
  
  in response to the one or more metrics indicating occurrence of the one or more attacks in the network, selectively extracting one or more portions of file data from read packets associated with one or more file read operations; and
  
  employing the one or more extracted portions of file data to provide one or more files to one or more client computers.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the attack detection engine performs further actions, including providing one or more reports of the one or more attacks based on one or more exceeded threshold values for one or more of the one or more metrics.
  - 10. The system of claim 8, wherein the attack detection engine performs further actions, including remediating the one or more attacks by providing recovery of previously stored original copies of the file data.
  - 11. The system of claim 8, wherein the attack detection engine performs further actions, including improving performance of the plurality of NMCs by employing the one or more detection rules to monitor less than all types of file operations.
  - 12. The system of claim 8, wherein the attack detection engine performs further actions, including updating the one or more detection rules based on feedback from one or more users of one or more client computers.
  - 13. The system of claim 8, wherein the attack detection engine performs further actions, including providing one or more periods of time within which the one or more attacks began.
  - 14. The system of claim 8, wherein the selective extraction of the one or more portions of file data is based on one or more directions of read packets associated with one or more file read operations.

15. A network computer for detecting one or more attacks in one or more networks, comprising:
- one or more memories that store one or more instructions; and
  
  one or more processors that execute the one or more instructions to perform actions, including;
  
  instantiating one or more network monitoring engines to passively monitor one or more network flows; and
  
  responsive to the one or more network monitoring engines detecting one or more file write operations based on information included in one or more packets of the one or more network flows, performing further actions, including;
  
  instantiating an attack detection engine to perform actions, including;
  
  executing one or more detection rules to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations;
  
  providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write operations;
  
  in response to the one or more metrics indicating occurrence of the one or more attacks in the network, selectively extracting one or more portions of file data from read packets associated with one or more file read operations; and
  
  employing the one or more extracted portions of file data to provide one or more files to one or more client computers.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The network computer of claim 15, wherein the attack detection engine performs further actions, including remediating the one or more attacks by providing recovery of previously stored original copies of the file data.
  - 17. The network computer of claim 15, wherein the attack detection engine performs further actions, including improving performance of the network computer by employing the one or more detection rules to monitor less than all types of file operations.
  - 18. The network computer of claim 15, wherein the attack detection engine performs further actions, including updating the one or more detection rules based on feedback from one or more users of one or more client computers.
  - 19. The network computer of claim 15, wherein the attack detection engine performs further actions, including providing one or more periods of time within which the one or more attacks began.
  - 20. The network computer of claim 15, wherein the selective extraction of the one or more portions of file data is based on one or more directions of read packets associated with one or more file read operations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Roeh, Thomas Lawrence, Clement, Samuel Kanen, Kiefer, John Augustus
Primary Examiner(s)
Sholeman, Abu S

Application Number

US15/694,229
Publication Number

US 20180145995A1
Time in Patent Office

571 Days
Field of Search

726 22, 726 23
US Class Current
CPC Class Codes

H04L 43/062   related to network traffic

H04L 43/12   Network monitoring probes

H04L 43/16   Threshold monitoring

H04L 49/9047   including multiple buffers,...

H04L 63/0245   Filtering by information in...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

Detecting attacks using passive network monitoring

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting attacks using passive network monitoring

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links