Detection of system compromise by per-process network modeling

US 20070169192A1
Filed: 12/22/2006
Published: 07/19/2007
Est. Priority Date: 12/23/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method of protecting a system, comprising:

for a given process, comparing first and second network activity;

determining whether a discrepancy exists between the first and second network activities; and

if a discrepancy exists between the first and second network activities, taking a given remedial action to protect the system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system protection method monitors and evaluates per process network communications activity to determine whether the process has been compromised. In one embodiment, a network modeling scheme gathers data to build a model and then compares networking activities to the model as they occur. In an alternate embodiment, modeling is not required and the comparison is done of network data collected at one layer of a communication system to network-related data collected at another layer. As a result of a comparison and an indication of compromise, a given remedial action is taken.

Citations

14 Claims

1. A method of protecting a system, comprising:
- for a given process, comparing first and second network activity;
  
  determining whether a discrepancy exists between the first and second network activities; and
  
  if a discrepancy exists between the first and second network activities, taking a given remedial action to protect the system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as described in claim 1 wherein the first network activity is a model of network communication behavior associated with the given process that is derived by intercepting network communications within an operating system kernel or other application.
  - 3. The method as described in claim 2 wherein the second network activity is data indicative of network communication behavior that is derived by monitoring network communications associated with the given process.
  - 4. The method as described claim 1 wherein the first network activity is derived from network communication data collected at a first layer of a communications system.
  - 5. The method as described in claim 4 wherein the second network activity is derived from network communication data collected at a second layer of the communications system.
  - 6. The method as described in claim 5 wherein the first layer is a and the second network activity is network communication data collected and the comparison is done of network data collected at one layer of a communication system to network-related data collected at another layer.
  - 7. The method as described in claim 1 wherein the given remedial action is one of:
    - replacing a component that has been compromised with a known good copy of the component, isolating the computer system to prevent spread of the compromise to other systems, restricting access to the component that has been compromised, issuing a given notification, performing further detection or analysis, and isolating the component that has been compromised.
  - 8. The method as described in claim 1 wherein the discrepancy is used to provide a forensic analysis of a prior attack on the system.

9. A method of protecting a computer system, comprising:
- detecting discrepancies between communications activity by the system as reported by instrumentation components of the system and prior communications activity of the system as reflected in a model of network behavior; and
  
  taking a given action to protect the system in response to the detecting step.
- View Dependent Claims (10, 11)
- - 10. The method as described in claim 9 wherein the given action is one of:
    - replacing a component that has been compromised with a known good copy of the component, isolating the computer system to prevent spread of the compromise to other systems, restricting access to the component that has been compromised, issuing a given notification, performing further detection or analysis, and isolating the component that has been compromised.
  - 11. The method as described in claim 9 further including updating the model on a periodic basis.

12. A method of protecting a system, comprising:
- comparing local and remote observations of the system'"'"'s associated network communications behavior, wherein the local observation of the system'"'"'s associated network communications behavior is generated by instrumentation local to the system, and wherein the remote observation of the system'"'"'s associated network communications behavior is generated by instrumentation external to the system; and
  
  based on the comparison, determining whether a given component in the system has been compromised.
- View Dependent Claims (13, 14)
- - 13. The method as described in claim 12 wherein the remote observation is carried out in a device external to the system.
  - 14. The method as described in claim 13 wherein the device is one of a firewall, a NAT device, a router, and a computer system other than the system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
StrataCloud, Inc. (Exitlag LLC)
Original Assignee
Reflex Security, Inc. (Exitlag LLC)
Inventors
Ward, Jean, Main, Ian

Application Number

US11/644,103
Publication Number

US 20070169192A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/554 involving event detection a...

Detection of system compromise by per-process network modeling

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of system compromise by per-process network modeling

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links