DETECTING MALICIOUS BEHAVIOUR ON A NETWORK
Abstract
An intrusion detection device (61) for monitoring one or more target devices and detecting malicious software operating on one of the one or more target devices. The intrusion detection device has an interface arrangement (61, 10) comprising one or more interfaces (6110) for receiving inward bound traffic destined for the one or more target devices and outward bound traffic originating from the one or more target devices. The intrusion detection device (61) also includes categorisation means (6140) for categorising incoming service requests destined for one of the one or more target devices as either harmless or potentially suspicious; monitoring means (6150) operable, in respect of each incoming service request identified as being potentially suspicious, to monitor the behaviour of the associated target device for behaviour indicative of the target device operating as a proxy server; and a notifier (6160) for generating a notification in the event that the monitored behaviour is indicative of the device acting as a proxy server.
14 Claims
1. A method of detecting malicious behaviour on a local network, the method comprising:
identifying incoming service requests destined for a target device forming part of the local network as either harmless or potentially suspicious and, in respect of each incoming service request identified as being potentially suspicious, monitoring the behaviour of the target device for a predetermined time for behaviour indicative of the target device operating as a proxy server, and, in the event that the monitored behaviour is indicative of the device acting as a proxy server, generating a notification indicative of the observed behaviour. (Dependent claims: 2, 3, 4, 6, 7)

5. An intrusion detection device for monitoring one or more target devices and detecting malicious software operating on one of the one or more target devices, the intrusion detection device having:
at least one interface arrangement comprising one or more interfaces suitable, in operation, for receiving inward bound traffic destined for the one or more target devices and outward bound traffic originating from the one or more target devices; a categoriser configured to categorize incoming service requests destined for one of the one or more target devices as either harmless or potentially suspicious; a monitor configured to, in respect of each incoming service request identified as being potentially suspicious, monitor the behaviour of the associated target device for behaviour indicative of the target device operating as a proxy server; and a notifier configured to generate a notification in the event that the monitored behaviour is indicative of the device acting as a proxy server. (Dependent claims: 8, 9, 10)

11. An intrusion detection device for monitoring one or more target devices and detecting malicious software operating on one of the one or more target devices, the intrusion detection device having:
at least one interface arrangement comprising one or more interfaces suitable, in operation, for receiving inward bound traffic destined for the one or more target devices and outward bound traffic originating from the one or more target devices; and a processing system, having at least one processor, configured to: categorize incoming service requests destined for one of the one or more target devices as either harmless or potentially suspicious; monitor, in respect of each incoming service request identified as being potentially suspicious, the behaviour of the associated target device for behaviour indicative of the target device operating as a proxy server; and generate a notification in the event that the monitored behaviour is indicative of the device acting as a proxy server. (Dependent claims: 12, 13, 14)
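The abstract and the three independent claims describe one pipeline: a categoriser that sorts inbound service requests into harmless or potentially suspicious, a monitor that watches the target for a predetermined time for proxy-like behaviour, and a notifier. The following is an added illustration of that pipeline, not the patent's own code or any real implementation. It runs over constructed flow records; the local network range, the expected-services table, the 30-second window, the relayed-bytes threshold and the sample traffic are all assumptions made for this example.

```python
# Added example (not the patent's own code): a runnable model of the claimed
# method over constructed flow records. Network range, expected services,
# window, byte-ratio threshold and sample flows are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set


@dataclass
class Flow:
    ts: float        # seconds since capture start
    src: str         # source IP
    dst: str         # destination IP
    dport: int       # destination port
    nbytes: int      # payload bytes carried src -> dst


@dataclass
class Notification:
    target: str
    request: Flow
    relays: List[Flow]
    reason: str


LOCAL_NET = ip_network("192.168.1.0/24")   # assumed local network
WINDOW_SECONDS = 30.0                        # the "predetermined time"
RELAY_RATIO = 0.5   # outbound bytes must reach this fraction of inbound bytes


def is_local(ip: str) -> bool:
    return ip_address(ip) in LOCAL_NET


def categorise(req: Flow, expected: Dict[str, Set[int]]) -> str:
    """Categoriser: a request for a service the target is known to offer is
    harmless; a request for anything else is potentially suspicious."""
    return "harmless" if req.dport in expected.get(req.dst, set()) else "suspicious"


def monitor(req: Flow, flows: List[Flow]) -> List[Flow]:
    """Monitor: within WINDOW_SECONDS of a suspicious request, collect outbound
    flows from the target to hosts outside the local network other than the
    requester. These are the proxy indicators the notifier will judge."""
    target = req.dst
    return [
        f for f in flows
        if f.src == target
        and req.ts <= f.ts <= req.ts + WINDOW_SECONDS
        and not is_local(f.dst)
        and f.dst != req.src
    ]


def looks_like_proxy(req: Flow, relays: List[Flow]) -> bool:
    """Proxy heuristic: at least one outbound external connection in the
    window, carrying a volume comparable to what the target just received."""
    if not relays:
        return False
    return sum(f.nbytes for f in relays) >= RELAY_RATIO * req.nbytes


def detect(flows: List[Flow], expected: Dict[str, Set[int]]) -> List[Notification]:
    """Runs categoriser and monitor over every inbound request and acts as
    the notifier for those whose monitored behaviour indicates a proxy."""
    flows = sorted(flows, key=lambda f: f.ts)
    notes: List[Notification] = []
    for f in flows:
        # An incoming service request: from outside, destined for a local target.
        if not (is_local(f.dst) and not is_local(f.src)):
            continue
        if categorise(f, expected) == "harmless":
            continue
        relays = monitor(f, flows)
        if looks_like_proxy(f, relays):
            notes.append(Notification(
                target=f.dst, request=f, relays=relays,
                reason=(f"{f.src} -> {f.dst}:{f.dport} followed by {len(relays)} "
                        f"outbound external flow(s) within {WINDOW_SECONDS:.0f}s")))
    return notes


# Constructed sample traffic for the example (not captured data).
SAMPLE_FLOWS = [
    Flow(0.0,   "203.0.113.5",  "192.168.1.20",  80,   600),   # harmless web request
    Flow(10.0,  "198.51.100.7", "192.168.1.20",  8080, 1500),  # unexpected port
    Flow(10.4,  "192.168.1.20", "93.184.216.34", 443,  1450),  # target relays outward
    Flow(10.9,  "192.168.1.20", "192.168.1.1",   53,   80),    # local DNS, ignored
    Flow(200.0, "198.51.100.7", "192.168.1.20",  2222, 300),   # suspicious, no relay
    Flow(300.0, "192.168.1.20", "93.184.216.34", 443,  5000),  # outside any window
]
EXPECTED_SERVICES = {"192.168.1.20": {80}}   # assumed: target only serves HTTP

if __name__ == "__main__":
    for n in detect(SAMPLE_FLOWS, EXPECTED_SERVICES):
        print(f"ALERT target={n.target}: {n.reason}")
```

Run as a script this raises one alert, for the request to port 8080 at t=10; the request to port 2222 is also categorised as suspicious but nothing leaves the target within the window, so no notification follows. Two caveats a practitioner would check before relying on such a heuristic: the harmless category is only as good as the expected-services table behind it, and relays into the local network are deliberately excluded here to keep DNS and similar chatter out of the window, so a device proxying towards internal hosts would need those destinations counted as well.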
Specification