Systems and methods for detecting a compromised network
Abstract
Systems and methods are disclosed for monitoring data transmissions on a network and detecting compromised networks. The systems and methods monitor communications involving network hosts and analyze the communications in view of the business function of the hosts. In certain embodiments the analysis is performed by associating a set of rules of operation for the sessions, hosts, and/or environment, and analyzing data packet transmissions to ascertain violations of the rules.
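The abstract describes three rule sets (session rules, host rules tied to each host's business function, and environment rules) evaluated against observed packet transmissions, with a host flagged when it is involved in a violation. The script below is an added illustration of that approach in Python; it is not code from the patent or its assignee. The `Packet` record format, the contents of `HOST_RULES` and `ENV_RULES`, the choice to attribute a session violation to the host that sent the offending packet, and every address, role and packet in `TRAFFIC` are constructed for the example.

```python
"""Rule-based compromise detection over packet metadata (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One transmission reduced to the fields the rules need (constructed format)."""
    client: str   # host that initiated the session
    server: str   # host providing the service
    port: int     # service port on the server
    proto: str    # "tcp" or "udp"
    kind: str     # "request" (client -> server) or "response" (server -> client)

    @property
    def sender(self):
        return self.client if self.kind == "request" else self.server

    @property
    def session(self):
        return (self.client, self.server, self.port, self.proto)


@dataclass(frozen=True)
class Violation:
    host: str       # host the violation is attributed to
    category: str   # "session", "host" or "environment"
    detail: str


# Model host rules (constructed): each host's business function, the services it is
# expected to serve and the peers it is expected to contact. Unlisted hosts are external.
HOST_RULES = {
    "10.0.1.10": {"role": "web server", "serves": {(443, "tcp")},
                  "contacts": {("10.0.2.20", 5432, "tcp")}},
    "10.0.2.20": {"role": "database", "serves": {(5432, "tcp")}, "contacts": set()},
    "10.0.3.5": {"role": "workstation", "serves": set(),
                 "contacts": {("10.0.1.10", 443, "tcp")}},
}

# Model environment rules (constructed): networks each host may exchange packets with.
ENV_RULES = {
    "10.0.1.10": ["10.0.0.0/16", "0.0.0.0/0"],  # internet facing
    "10.0.2.20": ["10.0.0.0/16"],
    "10.0.3.5": ["10.0.0.0/16"],
}


def session_rule(history, pkt):
    """Model session rule: a response is expected only after a request in the
    same session, so a server that speaks first is outside the model."""
    if pkt.kind == "response" and not history:
        return [Violation(pkt.sender, "session",
                          f"response to {pkt.client} on {pkt.port}/{pkt.proto} with no prior request")]
    return []


def host_rules(pkt):
    """Model host rules, checked on the request that opens a session."""
    found = []
    if pkt.kind != "request":
        return found
    c = HOST_RULES.get(pkt.client)
    if c and (pkt.server, pkt.port, pkt.proto) not in c["contacts"]:
        found.append(Violation(pkt.client, "host",
                               f"{c['role']} contacted {pkt.server}:{pkt.port}/{pkt.proto}"))
    s = HOST_RULES.get(pkt.server)
    if s and (pkt.port, pkt.proto) not in s["serves"]:
        found.append(Violation(pkt.server, "host",
                               f"{s['role']} accepted a session on {pkt.port}/{pkt.proto}"))
    return found


def environment_rules(pkt):
    """Model environment rules: a modelled endpoint may only talk to its allowed networks."""
    found = []
    for host, peer in ((pkt.client, pkt.server), (pkt.server, pkt.client)):
        nets = ENV_RULES.get(host)
        if nets and not any(ipaddress.ip_address(peer) in ipaddress.ip_network(n) for n in nets):
            found.append(Violation(host, "environment",
                                   f"exchanged packets with {peer}, outside its allowed networks"))
    return found


def detect(packets):
    """Replay packets in order, keeping per-session history, and collect every violation."""
    sessions, violations = defaultdict(list), []
    for pkt in packets:
        violations += session_rule(sessions[pkt.session], pkt)
        violations += host_rules(pkt)
        violations += environment_rules(pkt)
        sessions[pkt.session].append(pkt)
    return violations


def compromised_hosts(violations):
    """The claimed criterion: any host involved in at least one rule violation."""
    return {v.host for v in violations}


def categories_by_host(violations):
    """Which rule sets each flagged host violated; a triage aid, not part of the claims."""
    out = defaultdict(set)
    for v in violations:
        out[v.host].add(v.category)
    return dict(out)


# Constructed traffic: the first five records fit the model, the last three do not.
TRAFFIC = [
    Packet("10.0.3.5", "10.0.1.10", 443, "tcp", "request"),
    Packet("10.0.3.5", "10.0.1.10", 443, "tcp", "response"),
    Packet("10.0.1.10", "10.0.2.20", 5432, "tcp", "request"),
    Packet("10.0.1.10", "10.0.2.20", 5432, "tcp", "response"),
    Packet("198.51.100.7", "10.0.1.10", 443, "tcp", "request"),  # external visitor, in model
    Packet("10.0.2.20", "203.0.113.9", 443, "tcp", "request"),   # database calling the internet
    Packet("10.0.1.10", "10.0.3.5", 4444, "tcp", "request"),     # web server reaching a workstation
    Packet("10.0.3.5", "10.0.2.20", 5432, "tcp", "response"),    # answer to a query nobody sent
]

if __name__ == "__main__":
    found = detect(TRAFFIC)
    for v in found:
        print(f"{v.category:12s} {v.host:12s} {v.detail}")
    print("compromised:", sorted(compromised_hosts(found)))
```

Run over the constructed traffic, the database host collects violations in all three categories (it contacts an external address, which breaks both its host rule and its environment rule, and it sends a response for a session that was never opened), while the web server and the workstation are each flagged by a single host rule on the unexpected 4444/tcp session. The per-host category summary is where a practitioner would tune: the claims flag a host on any single violation, whereas requiring agreement between two rule sets before raising an alert is one obvious way to trade recall for fewer false positives.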
31 Claims
1. A method for detecting a compromised host in a network, comprising:
identifying hosts on a network, identifying model session rules expected to be followed during sessions in which one or more host participates, monitoring data packet transmissions between hosts to identify violations of the model session rules, and identifying a compromise if at least one violation is identified in a session involving a host.
Dependent claims: 2, 22, 23, 25, 26, 27.

3. A method for detecting a compromised host in a network, comprising:
identifying hosts on the network, identifying model host rules of expected operation for one or more hosts within the network, monitoring data packet transmissions involving a host to identify violations of the model host rules, and identifying a compromise if at least one violation of the model host rules is identified.
4. A method for detecting a compromised host in a network, comprising:
collecting data packet transmissions involving hosts on the network, identifying model session rules expected to be followed during sessions involving the hosts, for each host identifying model host rules of expected operation for the host and an environment rule for the host, using the data packet transmissions to identify violations of the model session rules, model host rules, and model environment rules, and identifying a compromise if the host is involved in at least one rule violation.
Dependent claims: 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 24.

16. A method of reducing false positive results when identifying a network compromise, comprising:
monitoring data packet transmissions between hosts on a network, identifying model session rules expected to be followed during sessions involving the hosts, identifying model host rules of expected operation for the hosts, using the data packet transmissions to identify violations of the model session rules, using the data packet transmissions to identify violations of the model host rules, and identifying a compromise if a particular host is involved in at least one rule violation.
Dependent claims: 17, 18, 19, 20, 21.

28. A system for detecting a compromised network, comprising:
a data monitoring device adapted to collect data packet transmissions on a network, software programmed with model session rules expected to be followed during sessions involving hosts on the network and with rules for operation of a model host expected to be followed by one or more hosts on the network, and a data analysis engine operably connected to the data monitoring device and the software, and adapted to analyze the data packet transmissions to identify a network host participating in a session with one or more session rule violations.
Dependent claims: 29, 30, 31.

Specification