System and method for detecting and monitoring network communication
First Claim
1. A method of monitoring network connections for malicious activity, comprising:
- tracking network flows based on netflow identifications;
- comparing the netflow identifications to netflow identifications in a table;
- in response to a first netflow identification not matching the netflow identifications in the table, adding a new network flow associated with the first netflow identification to the table;
- identifying a new network connection;
- resolving a hostname and an address for a remote system of the new network connection;
- logging the new network connection, the hostname, and the address;
- evaluating, by a processor, the connection and the hostname, wherein the evaluating of the hostname results in a hostname resolution;
- tracking, by the processor, the new connection and the hostname resolution together to correctly resolve a dynamically changing hostname resolution;
- performing a rule check on the connection and a host of the connection, wherein the rule check includes comparing attributes of the host to attributes of both known good hosts and known bad hosts, and comparing attributes of the connection to both known good connections and known bad connections;
- redirecting or ending, by the processor, the connection when the rule check identifies the connection or the host as not allowed;
- tagging new flows and new hostnames as not having been sent to a cloud service;
- sending all tagged new flows and new hostnames to the cloud service; and
- clearing tags associated with the sent tagged new flows and new hostnames to update the sent tagged connections to indicate that the sent tagged connections have been sent to the cloud service.
Abstract
A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.
68 Citations
17 Claims
1. Independent claim, set out above under First Claim. Dependent claims: 2, 3, 4, 5, 6.
7. An endpoint agent for monitoring network connections for malicious activity, comprising:
- hardware communications engine circuitry configured to:
  - receive a set of rules from a cloud service; and
  - send network flow and hostname data to the cloud service for a new network connection;
- hardware network monitor circuitry configured to:
  - track network flows based on netflow identifications;
  - if the netflow identifications do not match netflow identifications in a table, then add a new network flow associated with the first netflow identification to the table;
  - identify the new network connection;
  - resolve a hostname and address for a remote system of the new network connection;
  - log the new network connection, the hostname, and the address;
  - tag new flows and new hostnames as not having been sent to a cloud service, wherein the communications engine is configured to send network flow and hostname data to the cloud service by sending all tagged connections and hostnames to the cloud service; and
  - clear tags associated with the sent tagged connection to update the sent tagged connections to indicate that the sent tagged connections have been sent to the cloud service; and
- hardware inspector circuitry configured to:
  - evaluate the new network connection and hostname, wherein the evaluation of the hostname results in a hostname resolution;
  - track the new connection and the hostname resolution together to correctly resolve a dynamically changing hostname resolution;
  - perform a rule check on the connection and a host of the connection, wherein the rule check includes comparing attributes of the host to attributes of both known good hosts and known bad hosts, and comparing attributes of the connection to both known good connections and known bad connections;
  - based on the performance of the rule check, determine if the new network connection is allowable; and
  - redirect or terminate the new network connection if the connection is not allowable.
Dependent claims: 8, 9, 10, 11.
12. A non-transitory computer-readable medium including code that when executed by a processor causes the processor to perform a method, the method comprising:
- tracking network flows based on netflow identifications;
- comparing the netflow identifications to netflow identifications in a table;
- in response to a first netflow identification not matching the netflow identifications in the table, adding a new network flow associated with the first netflow identification to the table;
- identifying a new network connection;
- resolving a hostname and address for a remote system of the new network connection;
- logging the new network connection and the hostname;
- evaluating the new network connection and the hostname, wherein the evaluating of the hostname results in a hostname resolution;
- tracking the new connection and the hostname resolution together to correctly resolve a dynamically changing hostname resolution;
- performing a rule check on the connection and a host of the connection, wherein the rule check includes comparing attributes of the host to attributes of both known good hosts and known bad hosts, and comparing attributes of the connection to both known good connections and known bad connections;
- redirecting or ending the new network connection when the rule check identifies the new network connection or the host as not allowed;
- tagging new flows and new hostnames as not having been sent to a cloud service;
- sending all tagged connections to the cloud service; and
- clearing tags associated with the sent tagged connection to update the sent tagged connections to indicate that the sent tagged connections have been sent to the cloud service.
Dependent claims: 13, 14, 15, 16, 17.
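The following is an added illustration of the agent loop the three independent claims describe (flow table keyed by netflow identification, hostname resolution stored with the flow, rule check against known good/bad hosts and connections, tagging of unsent records, batch upload to the cloud service, tag clearing); it is not code from the patent or its assignee, and the host lists, the static reverse-lookup table used in place of real DNS, and the `send` callback are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: host attributes (names) and connection attributes (ports).
KNOWN_BAD_HOSTS = {"bad.example.invalid"}
KNOWN_GOOD_HOSTS = {"good.example.invalid"}
KNOWN_BAD_PORTS = {4444}
# Simulated resolver: address -> hostname. Stands in for DNS so the example runs offline.
RESOLVER = {"198.51.100.7": "good.example.invalid",
            "203.0.113.9": "bad.example.invalid"}

@dataclass
class Flow:
    flow_id: tuple        # netflow identification: (proto, src_ip, src_port, dst_ip, dst_port)
    hostname: str         # resolution recorded at first sight, so later DNS changes
    verdict: str          # do not rewrite this flow's record ("allow"/"terminate")
    unsent: bool = True   # tag: not yet sent to the cloud service

class EndpointAgent:
    def __init__(self):
        self.table = {}   # flow_id -> Flow
        self.log = []     # (flow_id, hostname, verdict) entries

    def rule_check(self, flow_id, hostname):
        """Compare host and connection attributes to known good/bad sets."""
        if hostname in KNOWN_BAD_HOSTS or flow_id[4] in KNOWN_BAD_PORTS:
            return "terminate"
        if hostname in KNOWN_GOOD_HOSTS:
            return "allow"
        return "allow"   # unknown host on an unlisted port: allowed, but logged and reported

    def observe(self, flow_id):
        """Track a netflow id; a new id is resolved, rule-checked, logged and tagged."""
        if flow_id in self.table:
            return self.table[flow_id]          # known flow: nothing new to record
        hostname = RESOLVER.get(flow_id[3], "unresolved")
        flow = Flow(flow_id, hostname, self.rule_check(flow_id, hostname))
        self.table[flow_id] = flow
        self.log.append((flow_id, hostname, flow.verdict))
        return flow

    def sync_to_cloud(self, send):
        """Send every tagged (unsent) flow through `send`, then clear the tags."""
        batch = [f for f in self.table.values() if f.unsent]
        if batch:
            send(batch)
        for f in batch:
            f.unsent = False
        return len(batch)
```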