Method and system for detecting suspicious administrative activity
Abstract
Disclosed is an improved approach for identifying suspicious administrative host activity within a network. Network traffic is examined to learn the behavior of hosts within a network. This provides an effective way of determining whether or not a host is performing suspicious activity over an administrative protocol.
24 Claims
1. A method for detecting network threats, comprising:
collecting network traffic corresponding to communications within a network over a first time period;
analyzing metadata for the network traffic to identify an administrative realm comprising an administrator host that performs administrative activity and an administered host that is administered by the administrator host;
collecting additional network traffic corresponding to additional communications within the network over a second time period after the first time period and corresponding to two or more protocols;
determining whether respective communications of the additional communications correspond to anomalous activity on a protocol by protocol and a communication by communication basis, at least by processing each communication individually, processing at least comprising:
selecting a first communication corresponding to the additional network traffic and a first protocol;
determining whether the first communication is to be identified as anomalous using the administrative realm and a first heuristic based on a first type of the first protocol;
generating a first alert to identify suspicious activity pertaining to the first communication using the first protocol when the respective communication is determined to be identified as anomalous using the administrative realm and the first heuristic;
selecting a second communication corresponding to the additional network traffic and a second protocol;
determining whether the second communication is to be identified as anomalous using the administrative realm and a second heuristic based on a second type of the second protocol; and
generating a second alert to identify suspicious activity pertaining to the second communication using the second protocol when the respective communication is determined to be identified as anomalous using the administrative realm and the second heuristic.
(Dependent claims 2 through 8 depend from claim 1.)

9. A system for detecting network threats, comprising:
a memory for holding a sequence of instructions; and
a processor that executes the sequence of instructions to perform a set of acts comprising:
collecting network traffic corresponding to communications within a network over a first time period;
analyzing metadata for the network traffic to identify an administrative realm comprising an administrator host that performs administrative activity and an administered host that is administered by the administrator host;
collecting additional network traffic corresponding to additional communications within the network over a second time period after the first time period and corresponding to two or more protocols;
determining whether respective communications of the additional communications correspond to anomalous activity on a protocol by protocol and a communication by communication basis, at least by processing each communication individually, processing at least comprising:
selecting a first communication corresponding to the additional network traffic and a first protocol;
determining whether the first communication is to be identified as anomalous using the administrative realm and a first heuristic based on a first type of the first protocol;
generating a first alert to identify suspicious activity pertaining to the first communication using the first protocol when the respective communication is determined to be identified as anomalous using the administrative realm and the first heuristic;
selecting a second communication corresponding to the additional network traffic and a second protocol;
determining whether the second communication is to be identified as anomalous using the administrative realm and a second heuristic based on a second type of the second protocol; and
generating a second alert to identify suspicious activity pertaining to the second communication using the second protocol when the respective communication is determined to be identified as anomalous using the administrative realm and the second heuristic.
(Dependent claims 10 through 16 depend from claim 9.)

17. A computer program product embodied on a non-transitory computer readable medium, the computer readable medium having stored thereon a sequence of instructions which, when executed by a processor, performs a set of acts for detecting network threats, the set of acts comprising:
collecting network traffic corresponding to communications within a network over a first time period;
analyzing metadata for the network traffic to identify an administrative realm comprising an administrator host that performs administrative activity and an administered host that is administered by the administrator host;
collecting additional network traffic corresponding to additional communications within the network over a second time period after the first time period and corresponding to two or more protocols;
determining whether respective communications of the additional communications correspond to anomalous activity on a protocol by protocol and a communication by communication basis, at least by processing each communication individually, processing at least comprising:
selecting a first communication corresponding to the additional network traffic and a first protocol;
determining whether the first communication is to be identified as anomalous using the administrative realm and a first heuristic based on a first type of the first protocol;
generating a first alert to identify suspicious activity pertaining to the first communication using the first protocol when the respective communication is determined to be identified as anomalous using the administrative realm and the first heuristic;
selecting a second communication corresponding to the additional network traffic and a second protocol;
determining whether the second communication is to be identified as anomalous using the administrative realm and a second heuristic based on a second type of the second protocol; and
generating a second alert to identify suspicious activity pertaining to the second communication using the second protocol when the respective communication is determined to be identified as anomalous using the administrative realm and the second heuristic.
(Dependent claims 18 through 24 depend from claim 17.)
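The two-phase procedure the independent claims describe (learn an administrative realm from baseline connection metadata, then judge each later communication individually with a heuristic chosen by its protocol) is illustrated below in Python. This is an added example, not the patent's own code: the flow records, the administrator threshold and both protocol heuristics are constructed assumptions, since the claims leave the heuristics unspecified.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    src: str    # initiating host
    dst: str    # responding host
    proto: str  # administrative protocol, e.g. "ssh" or "rdp"

# Constructed baseline (first time period): 10.0.0.5 administers three servers,
# 10.0.0.6 touches only one, so it will not qualify as an administrator below.
BASELINE = [
    Flow("10.0.0.5", "10.0.1.10", "ssh"),
    Flow("10.0.0.5", "10.0.1.11", "ssh"),
    Flow("10.0.0.5", "10.0.1.12", "rdp"),
    Flow("10.0.0.6", "10.0.1.12", "rdp"),
]
# Constructed later traffic (second time period) mixing two protocols.
NEW_FLOWS = [
    Flow("10.0.0.5", "10.0.1.10", "ssh"),   # known administrator: normal
    Flow("10.0.2.77", "10.0.1.11", "ssh"),  # outsider into an administered host
    Flow("10.0.1.12", "10.0.1.10", "rdp"),  # administered host acting as RDP client
    Flow("10.0.0.6", "10.0.1.12", "rdp"),   # not matched by the assumed RDP rule
]

def learn_realm(flows, min_targets=2):
    """Phase 1 (assumed rule): a host that initiates admin-protocol sessions to at
    least min_targets distinct hosts is an administrator; its targets are administered."""
    targets = defaultdict(set)
    for f in flows:
        targets[f.src].add(f.dst)
    admins = {h for h, t in targets.items() if len(t) >= min_targets}
    administered = set().union(*(targets[a] for a in admins)) if admins else set()
    return admins, administered

def ssh_heuristic(f, admins, administered):
    # Assumed SSH rule: a non-administrator opening SSH to an administered host.
    return f.dst in administered and f.src not in admins

def rdp_heuristic(f, admins, administered):
    # Assumed RDP rule: an administered host initiating RDP (admin roles reversed).
    return f.src in administered

HEURISTICS = {"ssh": ssh_heuristic, "rdp": rdp_heuristic}

def detect(flows, admins, administered):
    """Phase 2: judge each communication individually with its protocol's heuristic."""
    alerts = []
    for f in flows:
        rule = HEURISTICS.get(f.proto)  # protocols without a rule are not judged
        if rule and rule(f, admins, administered):
            alerts.append(f"{f.proto.upper()} {f.src}->{f.dst}: anomalous for administrative realm")
    return alerts
```

Because each protocol gets its own rule, the same realm yields different verdicts for SSH and RDP traffic between the same pair of hosts, which is the per-protocol, per-communication evaluation the claims call for.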