System and method for detecting and monitoring network communication

US 10,713,360 B2
Filed: 02/17/2017
Issued: 07/14/2020
Est. Priority Date: 02/19/2016
Status: Active Grant

First Claim

Patent Images

1. A method of monitoring network connections for malicious activity, comprising:

tracking network flows based on netflow identifications;

comparing the netflow identifications to netflow identifications in a table;

in response to a first netflow identification not matching the netflow identifications in the table, adding a new network flow associated with the first netflow identification to the table;

identifying a new network connection;

resolving a hostname and an address for a remote system of the new network connection;

logging the new network connection, the hostname, and the address;

evaluating, by a processor, the connection and the hostname,wherein the evaluating of the hostname results in a hostname resolution;

tracking, by the processor, the new connection and the hostname resolution together to correctly resolve a dynamically changing hostname resolution;

performing a rule check on the connection and a host of the connection, wherein the rule check includes comparing attributes of the host to attributes of both known good hosts and known bad hosts, and comparing attributes of the connection to both known good connections and known bad connections;

redirecting or ending, by the processor, the connection when the rule check identifies the connection or the host as not allowed;

tagging new flows and new hostnames as not having been sent to a cloud service;

sending all tagged new flows and new hostnames to the cloud service; and

clearing tags associated with the sent tagged new flows and new hostnames to update the sent tagged connections to indicate that the sent tagged connections have be sent to the cloud service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.

68 Citations

17 Claims

1. A method of monitoring network connections for malicious activity, comprising:
- tracking network flows based on netflow identifications;
  
  comparing the netflow identifications to netflow identifications in a table;
  
  in response to a first netflow identification not matching the netflow identifications in the table, adding a new network flow associated with the first netflow identification to the table;
  
  identifying a new network connection;
  
  resolving a hostname and an address for a remote system of the new network connection;
  
  logging the new network connection, the hostname, and the address;
  
  evaluating, by a processor, the connection and the hostname,wherein the evaluating of the hostname results in a hostname resolution;
  
  tracking, by the processor, the new connection and the hostname resolution together to correctly resolve a dynamically changing hostname resolution;
  
  performing a rule check on the connection and a host of the connection, wherein the rule check includes comparing attributes of the host to attributes of both known good hosts and known bad hosts, and comparing attributes of the connection to both known good connections and known bad connections;
  
  redirecting or ending, by the processor, the connection when the rule check identifies the connection or the host as not allowed;
  
  tagging new flows and new hostnames as not having been sent to a cloud service;
  
  sending all tagged new flows and new hostnames to the cloud service; and
  
  clearing tags associated with the sent tagged new flows and new hostnames to update the sent tagged connections to indicate that the sent tagged connections have be sent to the cloud service.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein identifying the new network connection includes identifying a network flow and matching the network flow against a list of existing network flows.
  - 3. The method of claim 1, wherein resolving the hostname and address for the remote system includes performing a reverse lookup based on the IP address of the remote system to obtain the hostname for the remote system.
  - 4. The method of claim 1, wherein resolving the hostname and address for the remote system includes performing a Domain Name Service query based on the hostname of the remote system to obtain the IP address for the remote system.
  - 5. The method of claim 1, further comprising receiving an updated set of rules from the cloud service.
  - 6. The method of claim 1, wherein logging the hostname and the address includes recording the hostname and the address along with a timestamp so changes in hostname resolution can be tracked over time.

7. An endpoint agent for monitoring network connections for malicious activity, comprising:
- hardware communications engine circuitry configured to;
  
  receive a set of rules from a cloud service; and
  
  send network flow and hostname data to the cloud service for a new network connection;
  
  hardware network monitor circuitry configured to;
  
  track network flows based on netflow identifications;
  
  if the netflow identifications do not match netflow identifications in a table, then add a new network flow associated with the first netflow identification to the table;
  
  identify the new network connection;
  
  resolve a hostname and address for a remote system of the new network connection;
  
  log the new network connection, the hostname, and the address;
  
  tag new flows and new hostnames as not having been sent to a cloud service, wherein the communications engine is configured to send network flow and hostname data to the cloud service by sending all tagged connections and hostnames to the cloud service; and
  
  clear tags associated with the sent tagged connection to update the sent tagged connections to indicate that the sent tagged connections have be sent to the cloud service; and
  
  hardware inspector circuitry configured to;
  
  evaluate the new network connection and hostname, wherein the evaluation of the hostname results in a hostname resolution;
  
  track the new connection and the hostname resolution together to correctly resolve a dynamically changing hostname resolution;
  
  perform a rule check on the connection and a host of the connection, wherein the rule check includes comparing attributes of the host to attributes of both known good hosts and known bad hosts, and comparing attributes of the connection to both known good connections and known bad connections;
  
  based on the performance of the rule check, determine if the new network connection is allowable; and
  
  redirect or terminate the new network connection if the connection is not allowable.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The endpoint agent of claim 7, wherein the hardware network monitor circuitry is configured to identify new connections by identifying a network flow and matching the network flow against a list of existing network flows.
  - 9. The endpoint agent of claim 7, wherein the hardware network monitor circuitry is configured to resolve the hostname and address for the remote system by performing a reverse lookup based on the IP address of the remote system to obtain the hostname for the remote system.
  - 10. The endpoint agent of claim 7, wherein the hardware network monitor circuitry is configured to resolve the hostname and address for the remote system by performing a Domain Name Service query based on the hostname of the remote system to obtain the IP address for the remote system.
  - 11. The endpoint agent of claim 7, wherein the hardware network monitor circuitry is configured to log the hostname and the address by recording the hostname and the address along with a timestamp so changes in hostname resolution can be tracked over time.

12. A non-transitory computer-readable medium including code that when executed by a processor causes the processor to perform a method, the method comprising:
- tracking network flows based on netflow identifications;
  
  comparing the netflow identifications to netflow identifications in a table;
  
  in response to a first netflow identification not matching the netflow identifications in the table, adding a new network flow associated with the first netflow identification to the table;
  
  identifying a new network connection;
  
  resolving a hostname and address for a remote system of the new network connection;
  
  logging the new network connection and the hostname;
  
  evaluating the new network connection and the hostname, wherein the evaluating of the hostname results in a hostname resolution;
  
  tracking the new connection and the hostname resolution together to correctly resolve a dynamically changing hostname resolution;
  
  performing a rule check on the connection and a host of the connection, wherein the rule check includes comparing attributes of the host to attributes of both known good hosts and known bad hosts, and comparing attributes of the connection to both known good connections and known bad connections;
  
  redirecting or ending the new network connection when the rule check identifies the new network connection or the host as not allowed;
  
  tagging new flows and new hostnames as not having been sent to a cloud service;
  
  sending all tagged connections to the cloud service; and
  
  clearing tags associated with the sent tagged connection to update the sent tagged connections to indicate that the sent tagged connections have be sent to the cloud service.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The non-transitory computer-readable medium of claim 12, wherein identifying a new network connection includes identifying a network flow and not finding a match when comparing the network flow against a list of existing network flows.
  - 14. The non-transitory computer-readable medium of claim 12, wherein resolving the hostname and address for the remote system includes performing a reverse lookup based on the IP address of the remote system to obtain the hostname for the remote system.
  - 15. The non-transitory computer-readable medium of claim 12, wherein resolving the hostname and address for the remote system includes performing a domain name service query based on the hostname of the remote system to obtain the IP address for the remote system.
  - 16. The non-transitory computer-readable medium of claim 12, further comprising receiving an updated set of rules from the cloud service.
  - 17. The non-transitory computer-readable medium of claim 12, wherein logging the hostname and the address includes recording the hostname and the address along with a timestamp so changes in hostname resolution can be tracked over time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureWorks Corp. (Dell Technologies Inc.)
Original Assignee
SecureWorks Corp. (Dell Technologies Inc.)
Inventors
Kinder, Ross R., Hackworth, Aaron, Geiger, Matthew K., Moore, Kevin R., Vidas, Timothy M.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Ahmed, Mahabub S

Application Number

US15/436,286
Publication Number

US 20170244734A1
Time in Patent Office

1,243 Days
Field of Search

726 22- 25
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

G06F 2221/034   Test or assess a computer o...

G06F 2221/2115   Third party

G06F 9/4406   Loading of operating system

G06F 9/4843   by program, e.g. task dispa...

G06F 9/542   Event management; Broadcast...

H04L 41/069   using logs of notifications...

H04L 45/22   Alternate routing

H04L 61/4511   using domain name system [DNS]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

H04L 63/20   for managing network securi...

H04L 63/308   retaining data, e.g. retain...

System and method for detecting and monitoring network communication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting and monitoring network communication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links