Cyber Behavior Analysis and Detection Method, System and Architecture
First Claim
1. A method for analyzing network, transport and application protocols in a computer network to identify a predetermined network behavior comprising the steps of:
- monitoring and logging a port usage in a first host in a computer network, monitoring and logging a set of first host information, monitoring and logging a set of data activities in the network for a predetermined change in the first host information and in a first host data flow, and, generating an alert to a user based on a correlation between the logged port usage, the logged first host information and the logged first host data flow.
Abstract
A scalable cyber-security system, method and architecture for the identification of malware and malicious behavior in a computer network. Host flow, host port usage, host information and network data at the application, transport and network layers are aggregated from within the network and correlated to identify a network behavior such as the presence of malicious code.
238 Citations
12 Claims
- 1. A method for analyzing network, transport and application protocols in a computer network to identify a predetermined network behavior comprising the steps of:
  monitoring and logging a port usage in a first host in a computer network, monitoring and logging a set of first host information, monitoring and logging a set of data activities in the network for a predetermined change in the first host information and in a first host data flow, and, generating an alert to a user based on a correlation between the logged port usage, the logged first host information and the logged first host data flow. (Dependent claims: 2, 3)
- 4. A device for analyzing network, transport and application protocols in a computer network to identify a predetermined activity comprising:
  a sensor platform comprising at least one sensor configured to collect and export a predetermined data structure from within the firewall of the network comprising aggregated data about a network host, flow and address block, and comprising a sensor control processor, a correlator server configured to support at least one sensor control processor, an optical I/O module, an SRAM processing module, and, a DRAM processing module. (Dependent claims: 5, 6, 7, 8, 9, 10, 12)
- 11. The device of claim 8 wherein the TCP flow rectifier is configured to output TCP payload streams in interleaved blocks for multiple flows simultaneously.
Specification