Techniques for detecting compromises of enterprise end stations utilizing noisy tokens
First Claim
1. A non-transitory computer-readable storage medium having instructions which, when executed by one or more processors of a device, cause the device to implement a module for detecting malicious activity within an enterprise network by performing operations comprising:
monitoring network traffic originated by one or more enterprise end stations that is destined to one or more servers, wherein the network traffic comprises a first set of one or more request messages originated by the one or more enterprise end stations responsive to non-malicious activity occurring at the one or more enterprise end stations that triggered one or more noisy tokens placed upon those one or more enterprise end stations, wherein the one or more noisy tokens were placed at file system locations or operating system locations of the one or more enterprise end stations to cause the one or more enterprise end stations to generate the network traffic when one or more processes of the one or more enterprise end stations access the one or more noisy tokens;
generating one or more normal activity patterns characterizing the network traffic based upon the first set of request messages, wherein each of the one or more normal activity patterns identifies one or more characteristics of the network traffic resulting from the non-malicious activity;
monitoring, for a period of time, additional network traffic originated by the one or more enterprise end stations that is destined to the one or more servers, wherein the additional network traffic comprises a second set of one or more request messages; and
causing an alert to be generated in response to an analysis of the additional network traffic with regard to the one or more normal activity patterns resulting in a detection of one or more anomalies within the additional network traffic relative to the one or more normal activity patterns.
Abstract
Noisy tokens can be placed in locations of client end stations such that local operations performed upon the noisy tokens generate network traffic. A traffic monitoring module (TMM) can determine normal activity patterns of network traffic resulting from one or more of the placed noisy tokens being activated by one or more non-malicious operations, and identify that other network traffic resulting from one or more of the noisy tokens being activated does not meet the one or more normal activity patterns. In response, the TMM can cause an alert to be generated.
Claims (22)

1. A non-transitory computer-readable storage medium having instructions which, when executed by one or more processors of a device, cause the device to implement a module for detecting malicious activity within an enterprise network (claim 1 is reproduced in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A device, comprising:
one or more processors; and
a non-transitory computer-readable storage medium having instructions which, when executed by the one or more processors, cause the device to implement a module for detecting malicious activity within an enterprise network by being adapted to:
monitor network traffic originated by one or more enterprise end stations that is destined to one or more servers, wherein the network traffic comprises a first set of one or more request messages originated by the one or more enterprise end stations responsive to non-malicious activity occurring at the one or more enterprise end stations that triggered one or more noisy tokens placed upon those one or more enterprise end stations, wherein the one or more noisy tokens were placed at file system locations or operating system locations of the one or more enterprise end stations to cause the one or more enterprise end stations to generate the network traffic when one or more processes of the one or more enterprise end stations access the one or more noisy tokens;
generate one or more normal activity patterns characterizing the network traffic based upon the first set of request messages, wherein each of the one or more normal activity patterns identifies one or more characteristics of the network traffic resulting from the non-malicious activity;
monitor, for a period of time, additional network traffic originated by the one or more enterprise end stations that is destined to the one or more servers, wherein the additional network traffic comprises a second set of one or more request messages; and
cause an alert to be generated in response to an analysis of the additional network traffic with regard to the one or more normal activity patterns resulting in a detection of one or more anomalies within the additional network traffic relative to the one or more normal activity patterns.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22.
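The abstract and the two independent claims describe the same four-step procedure: collect request messages that noisy tokens emit under ordinary use, derive normal activity patterns from them, watch a later period, and alert on deviations. The following is an added example of such a traffic monitoring module, written for this page and not taken from the patent or from any product. The log format (window index, station name, method, token path), the per-window count statistic, the threshold parameters `k` and `min_excess`, and the sample log lines are all assumptions constructed for the example.

```python
"""Added example: a minimal traffic monitoring module (TMM) for noisy tokens.

A noisy token is a decoy placed on an end station that causes a request to a
monitored server whenever a process touches it. This module learns, per
(station, token) pair, how many such requests normally arrive per observation
window, then flags two kinds of deviation in a later period: a request-rate
spike, and traffic from a pair that never appeared in the baseline.
All field names, thresholds and log lines are constructed for this example."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Request:
    window: int      # observation window index (assume one hour per window)
    station: str     # originating enterprise end station
    token: str       # noisy-token path requested on the server


def parse_line(line: str) -> Request:
    # Constructed log format: "<window> <station> GET <token-path>"
    window, station, _method, path = line.split()
    return Request(int(window), station, path)


def count_per_window(requests):
    """Return {(station, token): Counter{window: request count}}."""
    counts = defaultdict(Counter)
    for r in requests:
        counts[(r.station, r.token)][r.window] += 1
    return counts


def build_baseline(requests, n_windows):
    """Normal activity pattern: mean and population std-dev of the per-window
    request count for every (station, token) pair seen in the baseline period.
    Windows with no requests count as zero so quiet hours shape the pattern."""
    baseline = {}
    for key, per_window in count_per_window(requests).items():
        series = [per_window.get(w, 0) for w in range(n_windows)]
        baseline[key] = (mean(series), pstdev(series))
    return baseline


def detect_anomalies(baseline, requests, n_windows, k=3.0, min_excess=3):
    """Analyse a later period against the baseline; return a list of alerts.
    min_excess stops a pair whose baseline std-dev is 0 from alerting on a
    single extra request."""
    alerts = []
    for key, per_window in count_per_window(requests).items():
        if key not in baseline:
            # A station touching a token it never touched during the baseline.
            alerts.append(("unexpected_token_access", key, max(per_window.values())))
            continue
        mu, sigma = baseline[key]
        for w in range(n_windows):
            c = per_window.get(w, 0)
            if c > mu + k * sigma and c - mu >= min_excess:
                alerts.append(("rate_spike", key, c))
    return alerts


# Constructed baseline log: six windows of ordinary noisy-token traffic.
BASELINE_LOG = [f"{w} ws01 GET /tokens/budget.xlsx" for w in range(6)] + \
               [f"{w} ws02 GET /tokens/passwords.txt" for w in (0, 2, 4)]

# Constructed detection period: three windows. ws01 issues 12 requests for its
# token in window 1 (e.g. something enumerating the file system), and ws03,
# absent from the baseline, touches a token for the first time.
DETECT_LOG = ["0 ws01 GET /tokens/budget.xlsx"] + \
             ["1 ws01 GET /tokens/budget.xlsx"] * 12 + \
             ["2 ws01 GET /tokens/budget.xlsx",
              "0 ws02 GET /tokens/passwords.txt",
              "1 ws03 GET /tokens/budget.xlsx"]


def run_example():
    baseline = build_baseline(map(parse_line, BASELINE_LOG), n_windows=6)
    return detect_anomalies(baseline, map(parse_line, DETECT_LOG), n_windows=3)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Two points a practitioner would check before deploying something like this: the baseline must be rebuilt whenever tokens are placed on new stations, or every newly tokened host will raise `unexpected_token_access`; and the per-window count is only one of the "characteristics of the network traffic" the claims allow, so source process, time of day or destination server can be added to the key or the statistic without changing the structure.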
Specification