Network traffic analysis for malware detection and performance reporting

US 10,440,049 B2
Filed: 01/19/2017
Issued: 10/08/2019
Est. Priority Date: 01/19/2017
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by a computer system from an endpoint agent corresponding to a first endpoint node on a network, first packet information regarding a first plurality of data packets transmitted by the first endpoint node during a first time period;

generating, by the computer system, an operating system fingerprint corresponding to a first operating system of the first endpoint node based on the first packet information;

receiving, by the computer system from a switch agent corresponding to a data switch on the network, second packet information regarding a second plurality of data packets routed through the data switch and transmitted by the first endpoint node during a second time period;

analyzing, by the computer system, the second packet information with respect to the operating system fingerprint to determine that the second plurality of data packets is associated with a second operating system different from the first operating system;

based on the analyzing and the second time period occurring within a threshold amount of time from the first time period, determining, by the computer system, that a network discrepancy exists involving the first endpoint node, the network discrepancy being indicated by a change in operating systems in the first endpoint node; and

creating, by the computer system, reporting information corresponding to the network discrepancy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer networks, particularly larger networks, may have various issues and vulnerabilities. By collecting network traffic data from a network in multiple different locations, then analyzing correlations in this data, performance issues and security risks can be uncovered. Techniques disclosed herein can help mitigate risks posed by malware, mitigate network performance issues, and also help provide a detailed network map of devices, services, and/or operating systems that are present on a network.

Citations

20 Claims

1. A method, comprising:
- receiving, by a computer system from an endpoint agent corresponding to a first endpoint node on a network, first packet information regarding a first plurality of data packets transmitted by the first endpoint node during a first time period;
  
  generating, by the computer system, an operating system fingerprint corresponding to a first operating system of the first endpoint node based on the first packet information;
  
  receiving, by the computer system from a switch agent corresponding to a data switch on the network, second packet information regarding a second plurality of data packets routed through the data switch and transmitted by the first endpoint node during a second time period;
  
  analyzing, by the computer system, the second packet information with respect to the operating system fingerprint to determine that the second plurality of data packets is associated with a second operating system different from the first operating system;
  
  based on the analyzing and the second time period occurring within a threshold amount of time from the first time period, determining, by the computer system, that a network discrepancy exists involving the first endpoint node, the network discrepancy being indicated by a change in operating systems in the first endpoint node; and
  
  creating, by the computer system, reporting information corresponding to the network discrepancy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1,wherein the network discrepancy is a first network discrepancy,wherein the method further comprises analyzing the first and second packet information to determine a second network discrepancy indicating that at least a first packet that was transmitted by the first endpoint node was not detected by the first endpoint agent.
  - 3. The method of claim 1,wherein the reporting information includes an indication, based on the determined network discrepancy, that unauthorized software may be executing on the first endpoint node.
  - 4. The method of claim 1, wherein the network discrepancy is a first network discrepancy, and wherein the method further comprises determining a second network discrepancy involving the first endpoint node by:
    - receiving third packet information regarding a third plurality of data packets transmitted by the first endpoint node during the second time period;
      
      determining that the second packet information indicates that at least a first packet was transmitted from a particular port of the first endpoint node during the second time period; and
      
      determining that the third packet information indicates that no packets were transmitted from the particular port of the first endpoint node during the second time period.
  - 5. The method of claim 4, further comprising determining that the first packet was transmitted to a known port number allowed as outbound traffic by a firewall of the network.
  - 6. The method of claim 1, further comprising detecting, based on analyzing the first packet information and the second packet information, that two different network addresses correspond to the first plurality of packets and the second plurality of packets, respectively.
  - 7. The method of claim 6, further comprising determining, based on analyzing the two different network addresses, that the two different network addresses correspond to different operating systems or different operation system versions.
  - 8. The method of claim 1, wherein the change in operating systems comprises a change in versions of an operating system.
  - 9. The method of claim 1, wherein the network discrepancy is a first network discrepancy, wherein the method further comprises:
    - deriving first packet content corresponding to a first packet transmitted by the first endpoint node based on the first packet information;
      
      deriving second packet content corresponding to the first packet transmitted by the first endpoint node based on the second packet information; and
      
      determining a second network discrepancy based on a difference between the first packet content and the second packet content.

10. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising:
- receiving, from an endpoint agent corresponding to a first endpoint node on a network, first packet information regarding a first plurality of data packets transmitted by the first endpoint node during a first time period;
  
  generating an operating system fingerprint corresponding to a first operating system of the first endpoint node based on the first packet information;
  
  receiving, from a switch agent corresponding to a data switch on the network, second packet information regarding a second plurality of data packets routed through the data switch and transmitted by the first endpoint node during a second time period;
  
  analyzing the second packet information with respect to the operating system fingerprint to determine that the second plurality of data packets is associated with a second operating system different from the first operating system;
  
  based on the analyzing and the second time period occurring within a threshold amount of time from the first time period, determining that a network discrepancy exists involving the first endpoint node, the network discrepancy being indicated by a change of operating systems in the first endpoint node; and
  
  creating reporting information corresponding to the network discrepancy.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The non-transitory machine-readable medium of claim 10, wherein the network discrepancy is a first network discrepancy, and wherein the operations further comprise:
    - receiving, from the switch agent, third packet information regarding a third plurality of data packets routed through the data switch and transmitted by the first endpoint node during the first time period; and
      
      analyzing the first and third packet information to determine a second network discrepancy indicating that at least a first packet was transmitted by the first endpoint node was not detected by the switch agent.
  - 12. The non-transitory machine-readable medium of claim 10, wherein the operations further comprise analyzing the first and second packet information to determine that a TCP slow start performance involving the first endpoint node is below a predetermined threshold.
  - 13. The non-transitory machine-readable medium of claim 12, wherein the analyzing of the first and second packet information provides an indication that a physical network interface of the first endpoint node is likely defective, and wherein the reporting information includes the indication.
  - 14. The non-transitory machine-readable medium of claim 10, wherein the operations further comprise transmitting the reporting information to an administrator corresponding to the network.
  - 15. The method non-transitory machine-readable medium of claim 10, wherein the analyzing comprises extracting a source network address associated with the second plurality of data packets, and wherein the source network address indicates a second operating system different from the first operating system.

16. A system, comprising:
- a non-transitory memory; and
  
  one or more hardware processors coupled with the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising;
  
  receiving, from an endpoint agent corresponding to the endpoint node on a network, first packet information regarding a first plurality of data packets transmitted by the first endpoint node during a first time period;
  
  generating an operating system fingerprint corresponding to a first operating system of the first endpoint node based on the first packet information;
  
  receiving, from a switch agent corresponding to a data switch on the network, second packet information regarding a second plurality of data packets routed through the data switch and transmitted by the first endpoint node during a second time period;
  
  analyzing the second packet information with respect to the operating system fingerprint to determine device attributes of the first endpoint node and that the second plurality of data packets is associated with a second operating system different from the first operating system;
  
  based on the analyzing and the second time period occurring within a threshold amount of time from the first time period, determining that a network discrepancy exists involving the first endpoint node, the network discrepancy being indicated by an inconsistency between the device attributes and the generated fingerprint and a change in operating systems in the first endpoint node; and
  
  transmitting an alert message indicative of the network discrepancy.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the first packet information is generated by performing an application layer analysis on packet content of the first plurality of data packets.
  - 18. The system of claim 16, wherein the operations further comprise identifying, for the first endpoint node based on analyzing the first and second packet information, a plurality of other endpoint nodes with which the first endpoint node has communicated.
  - 19. The system of claim 16, wherein the analyzing comprises extracting a source network address associated with the second plurality of data packets, and wherein the source network address indicates a second operating system different from the first operating system.
  - 20. The system of claim 16, wherein the second plurality of data packets comprises at least one packet having a destination address within the network and at least one packet having a destination address outside the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Original Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Inventors
Boutnaru, Shlomi, Ben Simon, Eyal, Strajnik, Eli, Toledano, Matan
Primary Examiner(s)
Zee, Edward
Assistant Examiner(s)
Choy, Ka Shan

Application Number

US15/410,256
Publication Number

US 20180205746A1
Time in Patent Office

992 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/062   related to network traffic

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

Network traffic analysis for malware detection and performance reporting

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network traffic analysis for malware detection and performance reporting

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links