Detection of system compromise by per-process network modeling
Abstract
A computer system protection method monitors and evaluates per-process network communications activity to determine whether the process has been compromised. In one embodiment, a network modeling scheme gathers data to build a model and then compares networking activities to the model as they occur. In an alternate embodiment, no model is required: network data collected at one layer of the communication system is compared with network-related data collected at another layer. When the comparison indicates compromise, a given remedial action is taken.
14 Claims
1. A method of protecting a system, comprising:

for a given process, comparing first and second network activity;
determining whether a discrepancy exists between the first and second network activities; and
if a discrepancy exists between the first and second network activities, taking a given remedial action to protect the system.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8)

9. A method of protecting a computer system, comprising:

detecting discrepancies between communications activity by the system as reported by instrumentation components of the system and prior communications activity of the system as reflected in a model of network behavior; and
taking a given action to protect the system in response to the detecting step.
(Dependent claims: 10, 11)

12. A method of protecting a system, comprising:

comparing local and remote observations of the system's associated network communications behavior, wherein the local observation of the system's associated network communications behavior is generated by instrumentation local to the system, and wherein the remote observation of the system's associated network communications behavior is generated by instrumentation external to the system; and
based on the comparison, determining whether a given component in the system has been compromised.
(Dependent claims: 13, 14)
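The following is an added illustration, not code from the patent or its assignee, of the two discrepancy checks the abstract and claims 9 and 12 describe: a per-process model built from a learning period and compared against live activity (claims 1 and 9), and a comparison of the host's own report of its connections against what an external sensor saw (claim 12). All event and flow data below is constructed; the field layout, the model contents (protocol/port pairs and peer addresses per process) and the verdict strings are this example's own choices, not anything the patent specifies.

```python
# Added example: per-process network discrepancy checks in the spirit of the
# patent's two embodiments. All data here is constructed for illustration.
from collections import defaultdict

# Embodiment 1: learn a per-process model, then compare live activity to it.
# Event layout (assumed): (process_name, protocol, destination_ip, destination_port)
LEARNING_EVENTS = [
    ("sshd",  "tcp", "10.0.0.7", 22),
    ("sshd",  "tcp", "10.0.0.9", 22),
    ("httpd", "tcp", "10.0.1.3", 5432),   # web tier talking to its database
    ("httpd", "tcp", "10.0.1.3", 5432),
    ("ntpd",  "udp", "10.0.0.1", 123),
]

# Live events, constructed: httpd reaching an unknown host on an unmodelled
# port, and a process that never appeared during learning.
LIVE_EVENTS = [
    ("httpd", "tcp", "10.0.1.3", 5432),
    ("httpd", "tcp", "198.51.100.23", 4444),
    ("ntpd",  "udp", "10.0.0.1", 123),
    ("cron",  "tcp", "203.0.113.8", 80),
]


def build_model(events):
    """Per process: the (protocol, port) pairs and the peer addresses observed."""
    model = defaultdict(lambda: {"services": set(), "peers": set()})
    for proc, proto, ip, port in events:
        model[proc]["services"].add((proto, port))
        model[proc]["peers"].add(ip)
    return dict(model)


def find_discrepancies(model, events):
    """Return (event, reason) for each live event outside its process's model.

    A process with no model at all is reported too: the model is meant to
    describe every process that is expected to use the network.
    """
    hits = []
    for ev in events:
        proc, proto, ip, port = ev
        profile = model.get(proc)
        if profile is None:
            hits.append((ev, "process has no network model"))
        elif (proto, port) not in profile["services"]:
            hits.append((ev, "unmodelled protocol/port"))
        elif ip not in profile["peers"]:
            hits.append((ev, "unmodelled peer"))
    return hits


# Embodiment 2: compare the host's own view with an external sensor's view.
# Flow key layout (assumed): (proto, local_ip, local_port, remote_ip, remote_port)
# What the host's instrumentation (e.g. a socket-table walk) reports, by owner.
LOCAL_VIEW = {
    ("tcp", "10.0.2.4", 51822, "10.0.1.3", 5432): "httpd",
    ("udp", "10.0.2.4", 123, "10.0.0.1", 123): "ntpd",
}
# What a tap or span-port sensor attributes to the same host. Constructed.
REMOTE_VIEW = {
    ("tcp", "10.0.2.4", 51822, "10.0.1.3", 5432),
    ("udp", "10.0.2.4", 123, "10.0.0.1", 123),
    ("tcp", "10.0.2.4", 60011, "198.51.100.23", 4444),  # host never reported it
}


def compare_views(local_view, remote_view):
    """Return (hidden, unconfirmed) flow sets.

    hidden: seen on the wire but absent from the host's report, which suggests
    the reporting path (kernel tables, agent) has been tampered with.
    unconfirmed: reported by the host but never seen by the sensor, which
    suggests a blind sensor or a fabricated report. Either is a discrepancy.
    """
    local_flows = set(local_view)
    return remote_view - local_flows, local_flows - remote_view


def remedial_targets(model, live_events, local_view, remote_view):
    """Sorted names to act on: offending processes, plus 'host' when the
    wire shows traffic the host itself does not admit to."""
    targets = {ev[0] for ev, _ in find_discrepancies(model, live_events)}
    hidden, _ = compare_views(local_view, remote_view)
    if hidden:
        targets.add("host")
    return sorted(targets)


if __name__ == "__main__":
    m = build_model(LEARNING_EVENTS)
    for ev, why in find_discrepancies(m, LIVE_EVENTS):
        print("model discrepancy:", ev, "->", why)
    hidden, unconfirmed = compare_views(LOCAL_VIEW, REMOTE_VIEW)
    print("hidden flows:", hidden, "unconfirmed flows:", unconfirmed)
    print("remedial targets:", remedial_targets(m, LIVE_EVENTS, LOCAL_VIEW, REMOTE_VIEW))
```

The model check is deliberately strict (a new peer is a discrepancy even on a modelled port); in practice the peer test would be relaxed to prefixes or dropped for processes with naturally diverse peers, and the learning period must itself be known-clean or the model bakes in the attacker's traffic. The cross-view check needs no model, which is why the patent offers it as the alternative embodiment: a kernel that hides a socket from the local socket table cannot hide the packets from a sensor outside the host.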