Detecting attacks using passive network monitoring
First Claim
1. A method for detecting one or more attacks on one or more networks, wherein one or more processors of one or more network monitoring computers (NMCs) execute instructions to perform actions, comprising:
- instantiating one or more network monitoring engines to passively monitor one or more network flows; and
responsive to the one or more network monitoring engines detecting one or more file write operations based on information included in one or more packets of the one or more network flows, performing further actions, including;
instantiating an attack detection engine to perform actions, including;
executing one or more detection rules to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations;
providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write operations;
in response to the one or more metrics indicating occurrence of the one or more attacks in the network, selectively extracting one or more portions of file data from read packets associated with one or more file read operations; and
employing the one or more extracted portions of file data to provide one or more files to one or more client computers.
6 Assignments
0 Petitions
Accused Products
Abstract
Embodiments are directed to detecting one or more attacks in a network. One or more network flows may be monitored using one or more network monitoring computers (NMCs). If one or more file write operations are detected based on information included in one or more packets of the one or more network flows, one or more detection rules may be executed to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations. One or more metrics may be provided based on the one or more detection rules and one or more of the file information, the one or more file write operations, or the like. If one or more metrics exceed one or more threshold values, one or more reports of one or more attacks may be provided.
34 Citations
20 Claims
-
1. A method for detecting one or more attacks on one or more networks, wherein one or more processors of one or more network monitoring computers (NMCs) execute instructions to perform actions, comprising:
-
instantiating one or more network monitoring engines to passively monitor one or more network flows; and responsive to the one or more network monitoring engines detecting one or more file write operations based on information included in one or more packets of the one or more network flows, performing further actions, including; instantiating an attack detection engine to perform actions, including; executing one or more detection rules to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations; providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write operations; in response to the one or more metrics indicating occurrence of the one or more attacks in the network, selectively extracting one or more portions of file data from read packets associated with one or more file read operations; and employing the one or more extracted portions of file data to provide one or more files to one or more client computers. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A system for detecting one or more attacks in one or more networks, comprising:
a plurality of network monitoring computers (NMCs), wherein one or more processors of the plurality of NMCs execute instructions to perform actions, comprising; instantiating one or more network monitoring engines to passively monitor one or more network flows; and responsive to the one or more network monitoring engines detecting one or more file write operations based on information included in one or more packets of the one or more network flows, performing further actions, including; instantiating an attack detection engine to perform actions, including; executing one or more detection rules to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations; providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write operations; in response to the one or more metrics indicating occurrence of the one or more attacks in the network, selectively extracting one or more portions of file data from read packets associated with one or more file read operations; and employing the one or more extracted portions of file data to provide one or more files to one or more client computers. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
15. A network computer for detecting one or more attacks in one or more networks, comprising:
-
one or more memories that store one or more instructions; and one or more processors that execute the one or more instructions to perform actions, including; instantiating one or more network monitoring engines to passively monitor one or more network flows; and responsive to the one or more network monitoring engines detecting one or more file write operations based on information included in one or more packets of the one or more network flows, performing further actions, including; instantiating an attack detection engine to perform actions, including; executing one or more detection rules to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations; providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write operations; in response to the one or more metrics indicating occurrence of the one or more attacks in the network, selectively extracting one or more portions of file data from read packets associated with one or more file read operations; and employing the one or more extracted portions of file data to provide one or more files to one or more client computers. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification