Detecting anomaly action within a computer network

US 10,356,106 B2
Filed: 03/21/2016
Issued: 07/16/2019
Est. Priority Date: 07/26/2011
Status: Active Grant

First Claim

Patent Images

1. A method for network monitoring, comprising:

intercepting, in an anomaly detection module, data packets transmitted over a network;

extracting from the intercepted data packets, first data packets, each of the first data packets including two or more identities in a manner indicative that the two or more identities represent a same entity, the first data packets including packets of a network address assignment protocol, packets of a network address advertisement and discovery protocol and packets of a network diagnosis and error reporting protocol;

recording the two or more identities from the each of the first data packets, as identity associations in an association data structure forming associations between network addresses and strong identities;

assigning confidence levels to the identity associations, responsive to respective protocols from which the identity associations were derived;

when two or more of the identity associations conflict, choosing to record one of the conflicting identity associations in the association data structure responsive to the confidence levels of the conflicting identity associations;

identifying in the intercepted data packets, by the anomaly detection module, second data packets transmitted over the network and containing network addresses of the second data packets;

responsively to the network addresses of the second data packets and the identity associations in the association data structure, associating the second data packets with respective ones of the strong identities; and

analyzing the second data packets in order to detect anomalous behavior and to attribute the anomalous behavior to the respective ones of the strong identities.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for network monitoring includes intercepting, in an anomaly detection module, a first data packet transmitted over a network in accordance with a predefined protocol to or from an entity on the network. Both a network address that is assigned to the entity and a strong identity, which is incorporated in the first data packet in accordance with the predefined protocol, of the entity are extracted from the intercepted first data packet. An association is recorded between the network address and the strong identity. Second data packets transmitted over the network are intercepted, containing the network address. Responsively to the recorded association and the network address, the second data packets are associated with the strong identity. The associated second data packets are analyzed in order to detect anomalous behavior and to attribute the anomalous behavior to the entity.

122 Citations

32 Claims

1. A method for network monitoring, comprising:
- intercepting, in an anomaly detection module, data packets transmitted over a network;
  
  extracting from the intercepted data packets, first data packets, each of the first data packets including two or more identities in a manner indicative that the two or more identities represent a same entity, the first data packets including packets of a network address assignment protocol, packets of a network address advertisement and discovery protocol and packets of a network diagnosis and error reporting protocol;
  
  recording the two or more identities from the each of the first data packets, as identity associations in an association data structure forming associations between network addresses and strong identities;
  
  assigning confidence levels to the identity associations, responsive to respective protocols from which the identity associations were derived;
  
  when two or more of the identity associations conflict, choosing to record one of the conflicting identity associations in the association data structure responsive to the confidence levels of the conflicting identity associations;
  
  identifying in the intercepted data packets, by the anomaly detection module, second data packets transmitted over the network and containing network addresses of the second data packets;
  
  responsively to the network addresses of the second data packets and the identity associations in the association data structure, associating the second data packets with respective ones of the strong identities; and
  
  analyzing the second data packets in order to detect anomalous behavior and to attribute the anomalous behavior to the respective ones of the strong identities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 31)
- - 2. The method according to claim 1, wherein the strong identities comprise hostnames of host computers.
  - 3. The method according to claim 1, wherein the strong identities comprise usernames of users of computers.
  - 4. The method according to claim 1, wherein the extracting of the first data packets and the recording of the two or more identities as the identity associations comprises extracting the first data packets involved in allocation of network addresses, and updating the association data structure responsively to the first data packets involved in the allocation of network addresses.
  - 5. The method according to claim 4, and comprising identifying in the intercepted data packets, third data packets that are associated with one of the strong identities responsively to the updated association data structure, and analyzing the third data packets together with the second data packets in order to detect and attribute the anomalous behavior to an entity corresponding to the one of the strong identities.
  - 6. The method according to claim 1, wherein the recording of the two or more identities from the each of the first data packets comprises identifying a protocol for the each of the first data packets, and parsing a payload of the each of the first data packets responsively to the protocol for the each of the first data packets in order to extract the two or more identities from the each of the first data packets.
  - 7. The method according to claim 6, wherein the extracting the first data packets comprises additionally extracting from the intercepted data packets, packets according toa name registration protocol;
    - an authentication protocol; and
      
      a remote access protocol.
  - 8. The method according to claim 1, wherein the associating the second data packets with the respective ones of the strong identities comprises deciding whether to attribute the second data packets to a respective entity responsively to a confidence level assigned to a respective association.
  - 9. The method according to claim 8, wherein the recording of the two or more identities as the identity associations comprises applying a timestamp to each identity association of the identity associations, and wherein the assigning the confidence levels comprises reducing the confidence levels in response to time that has elapsed since the timestamp.
  - 10. The method according to claim 1, and comprising invalidating recorded associations in response to an expiration criterion.
  - 11. The method according to claim 10, wherein the analyzing the second data packets comprises, upon occurrence of the expiration criterion, retroactively disassociating one or more of the second data packets that were associated with one of the respective ones of the strong identities during a predefined period prior to the occurrence of the expiration criterion.
  - 12. The method according to claim 1, wherein the recording of the two or more identities from the each of the first data packets comprises deriving from one packet an association between an Internet Protocol (IP) address and a Media Access Control (MAC) address and deriving from another packet an association between the MAC address and a hostname, and wherein the recording the two or more identities from the each of the first data packets, as the identity associations, comprises associating the IP address with the hostname.
  - 13. The method according to claim 1, wherein the recording of the two or more identities from the each of the first data packets comprises additionally recording two or more identities from packets according to a NetBIOS protocol.
  - 14. The method according to claim 1, wherein the recording of the two or more identities from the each of the first data packets comprises additionally recording two or more identities from packets according to a Kerberos protocol.
  - 15. The method according to claim 1, wherein the recording of the two or more identities from the each of the first data packets comprises additionally recording two or more identities from packets according to a remote desktop protocol (RDP).
  - 16. The method according to claim 1, wherein the recording of the two or more identities from the each of the first data packets comprises recording the two or more identities from the each of the first data packets in accordance with Dynamic Host Configuration Protocol (DHCP), address resolution protocol (ARP) and Internet Control Message Protocol (ICMP).
  - 17. The method according to claim 1, wherein the assigning the confidence levels to the identity associations comprises assigning responsively to times of the first data packets.
  - 18. The method according to claim 1, further comprising discarding identity associations having a confidence level below a certain threshold.
  - 19. The method according to claim 1, wherein the choosing to record the one of the conflicting identity associations comprises discarding identity associations conflicting with another identity association, having a higher confidence level.
  - 31. The apparatus according to claim 13, wherein the processor is configured to derive from one packet an association between an Internet Protocol (IP) address and a Media Access Control (MAC) address and to derive from another packet an association between the MAC address and a hostname, and to record an identity association which associates the IP address with the hostname in the association data structure.

20. Network monitoring apparatus, comprising:
- a sensor configured to intercept data packets transmitted over a network;
  
  a memory; and
  
  a processor, which is configured to extract from the intercepted data packets, first data packets, each of the first data packets including two or more identities in a manner indicative that the two or more identities represent a same entity, the first data packets including packets of a network address assignment protocol, packets of a network address advertisement and discovery protocol and packets of a network diagnosis and error reporting protocol, to record the two or more identities from the each of the first data packets, as identity associations in an association data structure in the memory, wherein the identity associations associate between network addresses and strong identities, to assign confidence levels to the identity associations, responsive to respective protocols from which the identity associations were derived, when two or more of the identity associations conflict, to choose to record one of the conflicting identity associations in the association data structure in the memory responsive to the confidence levels of the conflicting identity associations, to identify in the intercepted data packets, second data packets transmitted over the network and containing specific network addresses of the second data packets, to associate the second data packets with respective ones of the strong identities responsively to the specific network addresses of the second data packets and the identity associations in the association data structure, and to analyze the second data packets in order to detect anomalous behavior and to attribute the anomalous behavior to the respective ones of the strong identities.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 21. The apparatus according to claim 20, wherein the strong identities comprise hostnames of computers.
  - 22. The apparatus according to claim 20, wherein the strong identities comprise usernames.
  - 23. The apparatus according to claim 20, wherein the processor is configured to extract the first data packets involved in allocation of network addresses, and to update the association data structure responsively to the first data packets.
  - 24. The apparatus according to claim 23, wherein the processor is configured to associate third data packets with the respective ones of the strong identities responsively to the association data structure, and to analyze the third data packets together with the second data packets in order to detect and attribute the anomalous behavior to an entity corresponding to one of the respective ones of the strong identities.
  - 25. The apparatus according to claim 20, wherein the processor is configured to identify, for the first data packets, a protocol of the each of the first data packet, and to parse a payload of the each of the first data packets responsively to the protocol of the each of the first data packets in order to extract the two or more identities from the each of the first data packets.
  - 26. The apparatus according to claim 25, wherein the processor is additionally configured to extract identity associations from packets according to:
    - a name registration protocol;
      
      an authentication protocol; and
      
      a remote access protocol.
  - 27. The apparatus according to claim 20, wherein the processor is configured to decide whether to attribute the second data packets to a respective entity responsively to a confidence level assigned to a respective association.
  - 28. The apparatus according to claim 27, wherein the processor is configured to apply a timestamp to each association of the identity associations, and to reduce the confidence level in response to time that has elapsed since the timestamp.
  - 29. The apparatus according to claim 20, wherein the processor is configured to invalidate recorded associations in response to an expiration criterion.
  - 30. The apparatus according to claim 29, wherein the processor is configured, upon occurrence of the expiration criterion, to retroactively disassociate one or more of the second data packets that were associated with one of the respective ones of the strong identities during a predefined period prior to the occurrence of the expiration criterion.

32. A computer software product, comprising a non-transitory computer-readable medium in which program instructions are stored, the instructions, when read by a computer, cause the computer to intercept data packets transmitted over a network, to extract from the intercepted data packets, first data packets including packets of a network address assignment protocol, packets of a network address advertisement and discovery protocol and packets of a network diagnosis and error reporting protocol, wherein each of the first data packets including two or more identities in a manner indicative that the two or more identities represent a same entity, and to record the two or more identities from the each of the first data packets, as identity associations in an association data structure forming associations between network addresses and strong identities, to assign confidence levels to the identity associations, responsive to respective protocols from which the identity associations were derived, when two or more of the identity associations conflict, to choose to record one of the conflicting identity associations responsive to the confidence levels of the conflicting identity associations, to identify in the intercepted data packets, second data packets transmitted over the network and containing network addresses of the second data packets, wherein the instructions further cause the computer to associate, responsively to the network addresses of the second data packets and the identity associations in the association data structure, the second data packets with respective ones of the strong identities, and to analyze the second data packets in order to detect anomalous behavior and to attribute the anomalous behavior to the respective ones of the strong identities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks (UK) Ltd. (Palo Alto Networks Incorporated)
Original Assignee
Palo Alto Networks (UK) Ltd. (Palo Alto Networks Incorporated)
Inventors
Engel, Giora, Mumcuoglu, Michael
Primary Examiner(s)
Nguyen, Trong H
Assistant Examiner(s)
Lin, Amie C.

Application Number

US15/075,343
Publication Number

US 20160234167A1
Time in Patent Office

1,212 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/106 using time related informat...

H04L 63/1408 by monitoring network traff...

Detecting anomaly action within a computer network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

122 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting anomaly action within a computer network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links