System and method of determining malicious processes
Abstract
Systems, methods, and computer-readable media for managing compromised sensors in multi-tiered virtualized environments. A method includes determining a lineage for a process within the network and then evaluating, through knowledge of the lineage, the source of the command that initiated the process. The method includes capturing data from a plurality of capture agents at different layers of a network, each capture agent of the plurality of capture agents configured to observe network activity at a particular location in the network, developing, based on the data, a lineage for a process associated with the network activity and, based on the lineage, identifying an anomaly within the network.
3 Claims
1. A method comprising:
capturing data from a first capturing agent at a physical layer within a network, a second capturing agent at a hypervisor layer of the network and a third capturing agent at a virtual layer of the network;
developing, based on the data, a lineage for a process associated with network activity;
analyzing the lineage for any anomaly within the network; and
identifying an anomaly in the network in response to the analyzing revealing at least one of the following conditions:
the process was triggered by an external command;
the process was triggered by a hidden command that was not accidental;
the lineage does not follow an expected pattern;
wherein the lineage is a sequence of commands and/or processes that triggered the process associated with network activity.
2. A system comprising:
a processor; and
a non-statutory computer-readable storage medium storing instructions which, when executed by the processor, cause the processor to perform operations comprising:
capturing data from a first capturing agent at a physical layer within a network, a second capturing agent at a hypervisor layer of the network and a third capturing agent at a virtual layer of the network;
developing, based on the data, a lineage for a process associated with network activity; and
analyzing the lineage for any anomaly within the network;
identifying an anomaly in the network in response to the analyzing revealing at least one of the following conditions:
the process was triggered by an external command;
the process was triggered by a hidden command that was not accidental;
the lineage does not follow an expected pattern;
wherein the lineage is a sequence of commands and/or processes that triggered the process associated with network activity.
3. A computer-readable storage device storing instructions which, when executed by a processor, cause the processor to perform operations comprising:
capturing data from a first capturing agent at a physical layer within a network, a second capturing agent at a hypervisor layer of the network and a third capturing agent at a virtual layer of the network;
developing, based on the data, a lineage for a process associated with network activity; and
analyzing the lineage for any anomaly within the network; and
identifying an anomaly in the network in response to the analyzing revealing at least one of the following conditions:
the process was triggered by an external command;
the process was triggered by a hidden command that was not accidental;
the lineage does not follow an expected pattern;
wherein the lineage is a sequence of commands and/or processes that triggered the process associated with network activity.
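The lineage test of claim 1 worked through in code, as an added example that is not part of the patent: the events from the three capture agents are constructed sample data, the "origin" labels, the expected-pattern baseline and the assumption that ids are already unified across layers are all mine, not the patent's.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Event:
    layer: str             # capture agent that saw it: "physical", "hypervisor" or "virtual"
    eid: int               # pid for processes, flow id for physical-layer flows (assumed unified)
    parent: Optional[int]  # id of the command/process that triggered this one
    cmd: str
    origin: str            # how it was triggered: "local", "external" or "hidden" (assumed labels)

# Constructed sample events from the three agents (not real capture data).
EVENTS = [
    Event("hypervisor", 500, None, "qemu", "local"),
    Event("virtual", 100, 500, "systemd", "local"),
    Event("virtual", 200, 100, "sshd", "local"),
    Event("virtual", 300, 200, "bash", "external"),   # remote interactive session
    Event("virtual", 400, 300, "curl", "local"),
    Event("physical", 900, 400, "tcp/443 -> 203.0.113.5", "local"),
    Event("virtual", 600, 100, "nginx", "local"),
    Event("virtual", 700, 600, "sh", "hidden"),       # no tty, no logged-in user
    Event("virtual", 800, 700, "nc", "local"),
    Event("physical", 901, 800, "tcp/8443 -> 198.51.100.7", "local"),
]

# Assumed baseline of expected process lineages, root to leaf.
EXPECTED = {
    ("qemu", "systemd", "nginx"),
    ("qemu", "systemd", "sshd", "bash"),
    ("qemu", "systemd", "sshd", "bash", "curl"),
}

def lineage(events, event_id):
    """Follow parent links from event_id back to the root; returns root-first order."""
    by_id = {e.eid: e for e in events}
    chain, seen = [], set()
    while event_id in by_id and event_id not in seen:   # 'seen' guards against cyclic data
        seen.add(event_id)
        chain.append(by_id[event_id])
        event_id = by_id[event_id].parent
    return chain[::-1]

def anomalies(events, event_id, expected=EXPECTED):
    """Apply the three conditions of claim 1 to the lineage behind a flow or process."""
    chain = lineage(events, event_id)
    findings = []
    if any(e.origin == "external" for e in chain):      # any ancestor started remotely
        findings.append("triggered by external command")
    if any(e.origin == "hidden" for e in chain):
        findings.append("triggered by hidden command")
    if tuple(e.cmd for e in chain if e.layer != "physical") not in expected:
        findings.append("lineage does not follow expected pattern")
    return findings
```

Querying the physical-layer flow id walks back through the virtual and hypervisor agents' process records, which is what makes the cross-layer capture in the claim useful: the flow alone says nothing, the lineage behind it does.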