System and method of detecting whether a source of a packet flow transmits packets which bypass an operating system stack
First Claim
1. A method comprising:
capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data;
capturing second data associated with a second packet flow originating from the first host using a second capture agent deployed at a second host to yield second flow data, wherein the first capturing agent is deployed in a first layer of a network and the second capturing agent is deployed in a second layer of the network;
comparing the first flow data and the second flow data to yield a difference; and
when the difference is above a threshold value, determining that the second packet flow was transmitted by a component that bypassed an operating stack of the first host or a packet capture agent on the first host, to yield a determination that hidden network traffic exists, and performing a correcting action comprising one or more of:
isolating a virtual machine, isolating a container, limiting packets to and from the first host, requiring all packets to and from the first host to flow through the operating stack of the first host, isolating the first host, shutting down the first host, or notifying an administrator.
Abstract
A method includes capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data, capturing second data associated with a second packet flow originating from the first host from a second capture agent deployed on a second host to yield second flow data and comparing the first flow data and the second flow data to yield a difference. When the difference is above a threshold value, the method includes determining that the second packet flow was transmitted by a component that bypassed an operating stack of the first host or a packet capture agent at the device to yield a determination, detecting that hidden network traffic exists, and predicting a malware issue with the first host based on the determination.
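As an added example (not code from the patent or its assignee), the comparison of claim 1 in Python: flow records from the host's own capture agent and from an agent one layer out are aggregated per flow, the packets the host agent never accounted for are summed, and the result is judged against a threshold before a correcting action is chosen from the claim's list. The ratio threshold, the flow-key layout and all addresses and counts are assumptions constructed for the example.

```python
from collections import Counter

# Constructed sample flow records: ((src_ip, dst_ip, dst_port, proto), packets).
# HOST_AGENT_FLOWS is what a capture agent on the host itself (first layer) reported;
# NETWORK_AGENT_FLOWS is what an agent one layer out (hypervisor or switch) saw from
# the same source host over the same window. Every address and count is made up.
HOST_AGENT_FLOWS = [
    (("10.0.0.5", "10.0.0.9", 443, "tcp"), 120),
    (("10.0.0.5", "10.0.0.20", 53, "udp"), 4),
]
NETWORK_AGENT_FLOWS = [
    (("10.0.0.5", "10.0.0.9", 443, "tcp"), 122),      # 2 extra: ordinary capture jitter
    (("10.0.0.5", "10.0.0.20", 53, "udp"), 4),
    (("10.0.0.5", "203.0.113.7", 4444, "tcp"), 300),  # never reported by the host agent
]

def aggregate(records):
    """Sum packet counts per flow key so repeated records of one flow merge."""
    counts = Counter()
    for key, packets in records:
        counts[key] += packets
    return counts

def flow_difference(host_records, network_records):
    """Per flow, the packets the second-layer agent attributed to the host that
    the host's own agent did not report; flows the host fully accounts for drop out."""
    host, net = aggregate(host_records), aggregate(network_records)
    per_flow = {k: n - host.get(k, 0) for k, n in net.items() if n > host.get(k, 0)}
    return per_flow, sum(per_flow.values())

def detect_hidden_traffic(host_records, network_records, threshold_ratio=0.05):
    """Compare the two captures; if the unaccounted share of the host's traffic
    exceeds the threshold, declare hidden traffic and pick correcting actions
    named in the claim. The ratio threshold is an assumption (not from the
    patent) chosen so small per-flow counter drift does not trigger it."""
    per_flow, missing = flow_difference(host_records, network_records)
    total_seen_by_network = sum(aggregate(network_records).values())
    ratio = missing / total_seen_by_network if total_seen_by_network else 0.0
    hidden = ratio > threshold_ratio
    host_keys = aggregate(host_records)
    # Flows wholly absent from the host agent are the strongest bypass signal.
    unaccounted = sorted(k for k in per_flow if k not in host_keys)
    actions = []
    if hidden:
        actions.append("notify_administrator")
        actions.append("require_all_packets_through_operating_stack")
        if unaccounted:  # traffic to destinations the host agent never saw at all
            actions.append("isolate_first_host")
    return {"ratio": ratio, "hidden_traffic": hidden,
            "unaccounted_flows": unaccounted, "actions": actions}
```

With the constructed data the unaccounted share is 302 of 426 packets, so hidden traffic is declared; with only the first two network records (2 extra packets of 126) the share stays under the threshold and nothing fires.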
555 Citations
20 Claims
1. A method comprising: (text as set out under First Claim above.)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A system comprising:
a processor; and
a computer-readable storage medium storing instructions which, when executed by the processor, cause the processor to perform operations comprising:
capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data;
capturing second data associated with a second packet flow originating from the first host using a second capture agent deployed at a second host to yield second flow data, wherein the first capturing agent is deployed in a first layer of a network and the second capturing agent is deployed in a second layer of the network;
comparing the first flow data and the second flow data to yield a difference; and
when the difference is above a threshold value, determining that the second packet flow was transmitted by a component that bypassed one of an operating stack of the first host and a packet capture agent on the first host, to yield a determination that hidden network traffic exists, and performing a correcting action comprising one or more of:
isolating a virtual machine, isolating a container, limiting packets to and from the first host, requiring all packets to and from the first host to flow through the operating stack of the first host, isolating the first host, shutting down the first host, or notifying an administrator.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20.