Detection of advanced persistent threat attack on a private computer network

US 10,320,814 B2
Filed: 10/02/2015
Issued: 06/11/2019
Est. Priority Date: 10/02/2015
Status: Active Grant

First Claim

Patent Images

1. A system for detecting an advanced persistent threat (APT) attack on a private computer network of an organization, the system comprising:

a plurality of hosts computers, the plurality of hosts computers receives network traffic over the private computer network, parses the network traffic to generate event data that indicate access to particular computers on the private computer network that store confidential data of the organization, and transmits the event data over the private computer network; and

an APT detection server comprising one or more computers that receive the event data from the plurality of hosts computers, store the event data in an event log, and correlate data in the event log using a set of alert rules to detect an APT attack by identifying, from the event log, at least two anomalous accesses made by a same user or to a same computer among the particular computers.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting an advanced persistent threat (APT) attack on a private computer network includes hosts computers that receive network traffic and process the network traffic to identify an access event that indicates access to a critical asset of an organization that owns or maintains the private computer network. The critical asset may be a computer that stores confidential data of the organization. Access events may be stored in an event log as event data. Access events indicated in the event log may be correlated using a set of alert rules to identify an APT attack.

15 Citations

View as Search Results

17 Claims

1. A system for detecting an advanced persistent threat (APT) attack on a private computer network of an organization, the system comprising:
- a plurality of hosts computers, the plurality of hosts computers receives network traffic over the private computer network, parses the network traffic to generate event data that indicate access to particular computers on the private computer network that store confidential data of the organization, and transmits the event data over the private computer network; and
  
  an APT detection server comprising one or more computers that receive the event data from the plurality of hosts computers, store the event data in an event log, and correlate data in the event log using a set of alert rules to detect an APT attack by identifying, from the event log, at least two anomalous accesses made by a same user or to a same computer among the particular computers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the set of alert rules comprises rules that identify the particular computers.
  - 3. The system of claim 2, wherein the particular computers are identified by IP addresses.
  - 4. The system of claim 1, wherein the set of alert rules comprises rules that indicate normal access times of the particular computers.
  - 5. The system of claim 1, wherein the set of alert rules comprises rules that indicate authorized users of the particular computers.
  - 6. The system of claim 5, wherein the set of alert rules comprises rules that indicate behavior profiles of the authorized users of the particular computers.
  - 7. The system of claim 1, wherein the APT detection server is on-premise within the private computer network.
  - 8. The system of claim 1, wherein the APT detection server receives the event data from the plurality of host computers over the Internet.
  - 9. The system of claim 1, further comprising a gateway that receives the event data from the plurality of the host computers over the private computer network and forwards the event data to the APT detection server over the Internet.

10. A computer-implemented method of detecting an advanced persistent threat (APT) attack on a private computer network of an organization, the method comprising:
- receiving network traffic in hosts computers on the private computer network;
  
  the hosts computers parsing the network traffic to generate event data that indicate access to particular computers on the private computer network that store confidential data of the organization;
  
  the host computers transmitting the event data to an APT detection server that comprises one or more computers;
  
  the APT detection server receiving the event data from the host computers, storing the event data in an event log, correlating data in the event log using a set of alert rules, and detecting an APT attack by identifying, from the event log, at least two anomalous accesses made by a same user or to a same computer among the particular computers.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, wherein the set of alert rules comprises rules that identify the particular computers.
  - 12. The method of claim 11, wherein the particular computers are identified by IP addresses.
  - 13. The method of claim 11, wherein the set of alert rules comprises rules that indicate normal access times of the particular computers.
  - 14. The method of claim 11, wherein the set of alert rules comprises rules that indicate authorized users of the particular computers.
  - 15. The method of claim 14, wherein the set of alert rules comprises rules that indicate behavior profiles of the authorized users of the particular computers.
  - 16. The method of claim 11, wherein the APT detection server is on-premise within the private computer network and receives the event data from the hosts computers over the private computer network.
  - 17. The method of claim 11, wherein the APT detection server receives the event data from the host computers over the Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Chiu, Li-Hsiang, Chang, Wei-Ching, Weng, Shih-Hao
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tran, Tongoc

Application Number

US14/873,627
Publication Number

US 20170099306A1
Time in Patent Office

1,348 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Detection of advanced persistent threat attack on a private computer network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of advanced persistent threat attack on a private computer network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links