Network traffic analysis for malware detection and performance reporting
Abstract
Computer networks, particularly larger networks, may have various issues and vulnerabilities. By collecting network traffic data from a network in multiple different locations, then analyzing correlations in this data, performance issues and security risks can be uncovered. Techniques disclosed herein can help mitigate risks posed by malware, mitigate network performance issues, and also help provide a detailed network map of devices, services, and/or operating systems that are present on a network.
20 Claims
1. A method, comprising:
receiving, by a computer system from an endpoint agent corresponding to a first endpoint node on a network, first packet information regarding a first plurality of data packets transmitted by the first endpoint node during a first time period;
generating, by the computer system, an operating system fingerprint corresponding to a first operating system of the first endpoint node based on the first packet information;
receiving, by the computer system from a switch agent corresponding to a data switch on the network, second packet information regarding a second plurality of data packets routed through the data switch and transmitted by the first endpoint node during a second time period;
analyzing, by the computer system, the second packet information with respect to the operating system fingerprint to determine that the second plurality of data packets is associated with a second operating system different from the first operating system;
based on the analyzing and the second time period occurring within a threshold amount of time from the first time period, determining, by the computer system, that a network discrepancy exists involving the first endpoint node, the network discrepancy being indicated by a change in operating systems in the first endpoint node; and
creating, by the computer system, reporting information corresponding to the network discrepancy.
10. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising:
receiving, from an endpoint agent corresponding to a first endpoint node on a network, first packet information regarding a first plurality of data packets transmitted by the first endpoint node during a first time period;
generating an operating system fingerprint corresponding to a first operating system of the first endpoint node based on the first packet information;
receiving, from a switch agent corresponding to a data switch on the network, second packet information regarding a second plurality of data packets routed through the data switch and transmitted by the first endpoint node during a second time period;
analyzing the second packet information with respect to the operating system fingerprint to determine that the second plurality of data packets is associated with a second operating system different from the first operating system;
based on the analyzing and the second time period occurring within a threshold amount of time from the first time period, determining that a network discrepancy exists involving the first endpoint node, the network discrepancy being indicated by a change of operating systems in the first endpoint node; and
creating reporting information corresponding to the network discrepancy.
16. A system, comprising:
a non-transitory memory; and
one or more hardware processors coupled with the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising:
receiving, from an endpoint agent corresponding to a first endpoint node on a network, first packet information regarding a first plurality of data packets transmitted by the first endpoint node during a first time period;
generating an operating system fingerprint corresponding to a first operating system of the first endpoint node based on the first packet information;
receiving, from a switch agent corresponding to a data switch on the network, second packet information regarding a second plurality of data packets routed through the data switch and transmitted by the first endpoint node during a second time period;
analyzing the second packet information with respect to the operating system fingerprint to determine device attributes of the first endpoint node and that the second plurality of data packets is associated with a second operating system different from the first operating system;
based on the analyzing and the second time period occurring within a threshold amount of time from the first time period, determining that a network discrepancy exists involving the first endpoint node, the network discrepancy being indicated by an inconsistency between the device attributes and the generated fingerprint and a change in operating systems in the first endpoint node; and
transmitting an alert message indicative of the network discrepancy.
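The correlation the independent claims describe (an endpoint-agent fingerprint, a switch-agent fingerprint for the same node, a time threshold, a discrepancy report) can be realised with ordinary passive OS fingerprinting. The following is an added, illustrative example; it is not the patent's implementation or code from its assignee. It assumes each agent reports the IP TTL, TCP window, DF bit and TCP option order of SYN packets, that the endpoint agent sees its own packets at hop count zero while the switch sees them after one or more routers have decremented the TTL, and it uses a small constructed signature table that only approximates real stack defaults. All packet records below are constructed for the demo.

```python
"""Endpoint-agent vs switch-agent OS fingerprint correlation (illustrative)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Common initial IP TTLs. A switch or router-side observer sees a decremented
# value, so an observed TTL is rounded up to the nearest common starting point.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class PacketInfo:
    """Per-SYN summary an agent reports (constructed field set, an assumption)."""
    src: str                  # endpoint identity as the agent sees it (IP here)
    ts: float                 # capture time, seconds
    ttl: int                  # IP TTL as observed by that agent
    window: int               # TCP window advertised in the SYN
    df: bool                  # IP don't-fragment bit
    options: Tuple[str, ...]  # TCP option order in the SYN


@dataclass(frozen=True)
class OSFingerprint:
    initial_ttl: int
    window: int
    df: bool
    options: Tuple[str, ...]


# Illustrative signature table (assumption: loosely modelled on p0f-style
# SYN signatures; not authoritative for any real OS version).
SIGNATURES: Dict[OSFingerprint, str] = {
    OSFingerprint(64, 64240, True, ("mss", "sackok", "ts", "nop", "wscale")): "linux-like",
    OSFingerprint(128, 64240, True, ("mss", "nop", "wscale", "nop", "nop", "sackok")): "windows-like",
    OSFingerprint(64, 65535, True, ("mss", "nop", "wscale", "nop", "nop", "ts", "sackok", "eol")): "macos-like",
}


def normalize_ttl(observed: int) -> int:
    """Map an observed TTL back to the stack's probable initial TTL."""
    for start in COMMON_INITIAL_TTLS:
        if observed <= start:
            return start
    return 255


def fingerprint(packets: Iterable[PacketInfo]) -> OSFingerprint:
    """Majority-vote fingerprint over the SYNs one agent reported for a node."""
    votes = Counter(OSFingerprint(normalize_ttl(p.ttl), p.window, p.df, p.options) for p in packets)
    if not votes:
        raise ValueError("no packets to fingerprint")
    return votes.most_common(1)[0][0]


def os_label(fp: OSFingerprint) -> str:
    return SIGNATURES.get(fp, "unknown")


def detect_os_change(endpoint_pkts: Iterable[PacketInfo], switch_pkts: Iterable[PacketInfo],
                     threshold_s: float) -> Optional[dict]:
    """Report a discrepancy when the two agents' fingerprints for the same node
    disagree and their observation windows lie within threshold_s of each other.
    Fingerprint changes further apart are ignored: a re-image or OS upgrade is
    expected to show up as a gap, a fast swap is what the threshold isolates."""
    endpoint_pkts, switch_pkts = list(endpoint_pkts), list(switch_pkts)
    fp_endpoint, fp_switch = fingerprint(endpoint_pkts), fingerprint(switch_pkts)
    if fp_endpoint == fp_switch:
        return None
    e_start, e_end = min(p.ts for p in endpoint_pkts), max(p.ts for p in endpoint_pkts)
    s_start, s_end = min(p.ts for p in switch_pkts), max(p.ts for p in switch_pkts)
    gap = max(0.0, max(e_start, s_start) - min(e_end, s_end))  # 0 if the windows overlap
    if gap > threshold_s:
        return None
    return {
        "node": endpoint_pkts[0].src,
        "endpoint_os": os_label(fp_endpoint),
        "switch_os": os_label(fp_switch),
        "gap_seconds": gap,
        "detail": f"{fp_endpoint} -> {fp_switch}",
    }


# Constructed sample data. The endpoint agent on 10.0.0.5 reports its own SYNs
# (TTL 64, hop count zero). Ten seconds later the switch agent reports SYNs from
# the same address, one hop away, carrying a Windows-style profile (TTL 127).
LINUX_OPTS = ("mss", "sackok", "ts", "nop", "wscale")
WINDOWS_OPTS = ("mss", "nop", "wscale", "nop", "nop", "sackok")
ENDPOINT_REPORT = [PacketInfo("10.0.0.5", 1000.0 + i, 64, 64240, True, LINUX_OPTS) for i in range(3)]
SWITCH_REPORT = [PacketInfo("10.0.0.5", 1012.0 + i, 127, 64240, True, WINDOWS_OPTS) for i in range(3)]
# Same change seen hours later: outside the threshold, so not reported as a discrepancy.
SWITCH_REPORT_LATE = [PacketInfo("10.0.0.5", 9000.0 + i, 127, 64240, True, WINDOWS_OPTS) for i in range(3)]
# One hop away but the same Linux profile: TTL 63 normalizes to 64, so no discrepancy.
SWITCH_REPORT_CONSISTENT = [PacketInfo("10.0.0.5", 1012.0 + i, 63, 64240, True, LINUX_OPTS) for i in range(3)]

if __name__ == "__main__":
    print(detect_os_change(ENDPOINT_REPORT, SWITCH_REPORT, threshold_s=60))
    print(detect_os_change(ENDPOINT_REPORT, SWITCH_REPORT_LATE, threshold_s=60))
    print(detect_os_change(ENDPOINT_REPORT, SWITCH_REPORT_CONSISTENT, threshold_s=60))
```

Two practical caveats. TTL normalization is what keeps the switch-side view comparable to the endpoint's own view, but other fields are not hop-invariant: NAT, proxies and a VM guest sharing the host's address will all produce a second "operating system" behind one IP, so a report from this check is a lead to triage (rogue device, spoofed address, unexpected VM) rather than proof of compromise. And because an attacker controls their own SYN fields, a forged profile can imitate the expected OS; the check catches careless swaps, not a deliberate impersonation.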
Specification