Techniques for detecting compromises of enterprise end stations utilizing noisy tokens

US 10,469,523 B2
Filed: 11/07/2016
Issued: 11/05/2019
Est. Priority Date: 02/24/2016
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium having instructions which, when executed by one or more processors of a device, cause the device to implement a module for detecting malicious activity within an enterprise network by performing operations comprising:

monitoring network traffic originated by one or more enterprise end stations that is destined to one or more servers, wherein the network traffic comprises a first set of one or more request messages originated by the one or more enterprise end stations responsive to non-malicious activity occurring at the one or more enterprise end stations that triggered one or more noisy tokens placed upon those one or more enterprise end stations, wherein the one or more noisy tokens were placed at file system locations or operating system locations of the one or more enterprise end stations to cause the one or more enterprise end stations to generate the network traffic when one or more processes of the one or more enterprise end stations access the one or more noisy tokens;

generating one or more normal activity patterns characterizing the network traffic based upon the first set of request messages, wherein each of the one or more normal activity patterns identifies one or more characteristics of the network traffic resulting from the non-malicious activity;

monitoring, for a period of time, additional network traffic originated by the one or more enterprise end stations that is destined to the one or more servers, wherein the additional network traffic comprises a second set of one or more request messages; and

causing an alert to be generated in response to an analysis of the additional network traffic with regard to the one or more normal activity patterns resulting in a detection of one or more anomalies within the additional network traffic relative to the one or more normal activity patterns.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Noisy tokens can be placed in locations of client end stations such that local operations performed upon the noisy tokens generate network traffic. A traffic monitoring module (TMM) can determine normal activity patterns of network traffic resulting from one or more of the placed noisy tokens being activated by one or more non-malicious operations, and identify that other network traffic resulting from one or more of the noisy tokens being activated does not meet the one or more normal activity patterns. In response, the TMM can cause an alert to be generated.

15 Citations

View as Search Results

22 Claims

1. A non-transitory computer-readable storage medium having instructions which, when executed by one or more processors of a device, cause the device to implement a module for detecting malicious activity within an enterprise network by performing operations comprising:
- monitoring network traffic originated by one or more enterprise end stations that is destined to one or more servers, wherein the network traffic comprises a first set of one or more request messages originated by the one or more enterprise end stations responsive to non-malicious activity occurring at the one or more enterprise end stations that triggered one or more noisy tokens placed upon those one or more enterprise end stations, wherein the one or more noisy tokens were placed at file system locations or operating system locations of the one or more enterprise end stations to cause the one or more enterprise end stations to generate the network traffic when one or more processes of the one or more enterprise end stations access the one or more noisy tokens;
  
  generating one or more normal activity patterns characterizing the network traffic based upon the first set of request messages, wherein each of the one or more normal activity patterns identifies one or more characteristics of the network traffic resulting from the non-malicious activity;
  
  monitoring, for a period of time, additional network traffic originated by the one or more enterprise end stations that is destined to the one or more servers, wherein the additional network traffic comprises a second set of one or more request messages; and
  
  causing an alert to be generated in response to an analysis of the additional network traffic with regard to the one or more normal activity patterns resulting in a detection of one or more anomalies within the additional network traffic relative to the one or more normal activity patterns.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The non-transitory computer-readable storage medium of claim 1, wherein a first of the one or more characteristics of a first of the one or more normal activity patterns comprises a pattern characteristic identifying one or more types of request messages that must be received for the pattern characteristic to be matched.
  - 3. The non-transitory computer-readable storage medium of claim 2, wherein said analysis resulting in the one or more anomalies being detected comprises:
    - determining that a first of the second set of request messages does not satisfy, individually or together with others of the second set of request messages, the identified one or more types of request messages of any of the one or more normal activity patterns.
  - 4. The non-transitory computer-readable storage medium of claim 2, wherein a second of the one or more characteristics of the first normal activity pattern comprises a time characteristic that can be utilized to determine a window of time in which the pattern characteristic must be matched.
  - 5. The non-transitory computer-readable storage medium of claim 4, wherein:
    - the first normal activity pattern is configured to cause an anomaly to be detected when the one or more characteristics of the first normal activity pattern are not matched at least an existence threshold number of times within the window of time;
      
      said window of time lies within the monitored period of time; and
      
      said analysis resulting in the one or more anomalies being detected comprises determining that the one or more characteristics of the first normal activity pattern have not been matched the existence threshold number of times within the window of time.
  - 6. The non-transitory computer-readable storage medium of claim 4, wherein:
    - the first normal activity pattern is configured to cause an anomaly to be detected when the one or more characteristics of the first normal activity pattern are matched more than a frequency threshold number of times within the window of time;
      
      said window of time lies within the monitored period of time; and
      
      said analysis resulting in the one or more anomalies being detected comprises determining that the one or more characteristics of the first normal activity pattern have been matched more than the frequency threshold number of times within the window of time.
  - 7. The non-transitory computer-readable storage medium of claim 2, wherein:
    - the one or more types of request messages identified by the pattern characteristic of the first normal activity pattern comprise a plurality of types of request messages;
      
      the pattern characteristic further identifies a required order in which the plurality of types of request messages are to be received; and
      
      said analysis resulting in the one or more anomalies being detected comprises determining that an actual order in which a plurality of request messages of the second set of request messages are received does not match required order identified by the pattern characteristic of the first normal activity pattern.
  - 8. The non-transitory computer-readable storage medium of claim 2, wherein:
    - a second of the one or more characteristics of the first normal activity pattern comprises a source characteristic, wherein the source characteristic identifies one or more source identifiers corresponding to one or more expected sources of the one or more types of request messages identified by the pattern characteristic of the first normal activity pattern; and
      
      said analysis resulting in the one or more anomalies being detected comprises determining that one or more actual source identifiers of one or more request messages of the second set of request messages do not match the source characteristic despite the one or more request messages matching the pattern characteristic.
  - 9. The non-transitory computer-readable storage medium of claim 1, wherein the additional network traffic was caused to be originated by the one or more enterprise end stations due to non-malicious activity but still allows the module to detect the existence of the malicious activity within the enterprise network.
  - 10. The non-transitory computer-readable storage medium of claim 1, wherein at least one of the one or more noisy tokens comprises:
    - a symbolic link;
      
      a shortcut;
      
      an icon;
      
      a logon token;
      
      ora Most Recently Used (MRU) entry.
  - 11. The non-transitory computer-readable storage medium of claim 1, wherein the analysis of the additional network traffic with regard to the one or more normal activity patterns resulting in the one or more anomalies being detected comprises:
    - obtaining access to a plurality of access records corresponding to the additional network traffic;
      
      attempting to match the plurality of access records against pattern characteristics of the one or more normal activity patterns; and
      
      determining that one of the plurality of access records is an anomaly based upon the one access record not being part of a valid pattern prefix of a pattern characteristic of any of the one or more normal activity patterns.

12. A device, comprising:
- one or more processors; and
  
  a non-transitory computer-readable storage medium having instructions which, when executed by the one or more processors, cause the device to implement a module for detecting malicious activity within an enterprise network by being adapted to;
  
  monitor network traffic originated by one or more enterprise end stations that is destined to one or more servers, wherein the network traffic comprises a first set of one or more request messages originated by the one or more enterprise end stations responsive to non-malicious activity occurring at the one or more enterprise end stations that triggered one or more noisy tokens placed upon those one or more enterprise end stations, wherein the one or more noisy tokens were placed at file system locations or operating system locations of the one or more enterprise end stations to cause the one or more enterprise end stations to generate the network traffic when one or more processes of the one or more enterprise end stations access the one or more noisy tokens;
  
  generate one or more normal activity patterns characterizing the network traffic based upon the first set of request messages, wherein each of the one or more normal activity patterns identifies one or more characteristics of the network traffic resulting from the non-malicious activity;
  
  monitor, for a period of time, additional network traffic originated by the one or more enterprise end stations that is destined to the one or more servers, wherein the additional network traffic comprises a second set of one or more request messages; and
  
  cause an alert to be generated in response to an analysis of the additional network traffic with regard to the one or more normal activity patterns resulting in a detection of one or more anomalies within the additional network traffic relative to the one or more normal activity patterns.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The device of claim 12, wherein a first of the one or more characteristics of a first of the one or more normal activity patterns comprises a pattern characteristic identifying one or more types of request messages that must be received for the pattern characteristic to be matched.
  - 14. The device of claim 13, wherein said analysis resulting in the one or more anomalies being detected comprises:
    - a determination that a first of the second set of request messages does not satisfy, individually or together with others of the second set of request messages, the identified one or more types of request messages of any of the one or more normal activity patterns.
  - 15. The device of claim 13, wherein a second of the one or more characteristics of the first normal activity pattern comprises a time characteristic that can be utilized to determine a window of time in which the pattern characteristic must be matched.
  - 16. The device of claim 15, wherein:
    - the first normal activity pattern is configured to cause an anomaly to be detected when the one or more characteristics of the first normal activity pattern are not matched at least an existence threshold number of times within the window of time;
      
      said window of time lies within the monitored period of time; and
      
      said analysis resulting in the one or more anomalies being detected comprises a determination that the one or more characteristics of the first normal activity pattern have not been matched the existence threshold number of times within the window of time.
  - 17. The device of claim 15, wherein:
    - the first normal activity pattern is configured to cause an anomaly to be detected when the one or more characteristics of the first normal activity pattern are matched more than a frequency threshold number of times within the window of time;
      
      said window of time lies within the monitored period of time; and
      
      said analysis resulting in the one or more anomalies being detected comprises a determination that the one or more characteristics of the first normal activity pattern have been matched more than the frequency threshold number of times within the window of time.
  - 18. The device of claim 13, wherein:
    - the one or more types of request messages identified by the pattern characteristic of the first normal activity pattern comprise a plurality of types of request messages;
      
      the pattern characteristic further identifies a required order in which the plurality of types of request messages are to be received; and
      
      said analysis resulting in the one or more anomalies being detected comprises a determination that an actual order in which a plurality of request messages of the second set of request messages are received does not match required order identified by the pattern characteristic of the first normal activity pattern.
  - 19. The device of claim 13, wherein:
    - a second of the one or more characteristics of the first normal activity pattern comprises a source characteristic, wherein the source characteristic identifies one or more source identifiers corresponding to one or more expected sources of the one or more types of request messages identified by the pattern characteristic of the first normal activity pattern; and
      
      said analysis resulting in the one or more anomalies being detected comprises a determination that one or more actual source identifiers of one or more request messages of the second set of request messages do not match the source characteristic despite the one or more request messages matching the pattern characteristic.
  - 20. The device of claim 12, wherein the additional network traffic was caused to be originated by the one or more enterprise end stations due to non-malicious activity but still allows the module to detect the existence of the malicious activity within the enterprise network.
  - 21. The device of claim 12, wherein at least one of the one or more noisy tokens comprises:
    - a symbolic link;
      
      a shortcut;
      
      an icon;
      
      a logon token;
      
      ora Most Recently Used (MRU) entry.
  - 22. The device of claim 12, wherein the analysis of the additional network traffic with regard to the one or more normal activity patterns resulting in the one or more anomalies being detected occurs by the device being adapted to:
    - obtain access to a plurality of access records corresponding to the additional network traffic;
      
      attempt to match the plurality of access records against pattern characteristics of the one or more normal activity patterns; and
      
      determine that one of the plurality of access records is an anomaly based upon the one access record not being part of a valid pattern prefix of a pattern characteristic of any of the one or more normal activity patterns.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Imperva Incorporated (Thales SA)
Inventors
Shulman, Amichai, Dulce, Sagie
Primary Examiner(s)
Gee, Jason K
Assistant Examiner(s)
Holmes, Angela R

Application Number

US15/345,445
Publication Number

US 20170244749A1
Time in Patent Office

1,093 Days
Field of Search

726 11
US Class Current
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

Techniques for detecting compromises of enterprise end stations utilizing noisy tokens

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for detecting compromises of enterprise end stations utilizing noisy tokens

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links