Using Trust Profiles for Network Breach Detection
First Claim

1. A system comprising:
a network monitor analyzing data packets transmitted through a network;
a trust profile module in communication with the network monitor that includes a trust profile, the trust profile module configured for determining permissible use that includes at least one of:
whether the at least one port transmitting the data packets matches a permissible port identified in the trust profile; and
whether the at least one protocol generating the data packets matches a permissible protocol identified in the trust profile.
Abstract
Actions of servers and other network devices within a network are monitored to detect whether the servers and network devices are performing tasks, using protocols, and communicating through ports that are consistent with legitimate (or “permissible”) purposes. That is, rather than attempting to belatedly identify malware signatures and screen all traffic into and out of a network for these signatures, embodiments of the present invention scrutinize devices (such as servers and other network infrastructure elements) for malware behavior that is inconsistent with an identified set of actions known to be consistent with legitimate tasks performed by the network device.
21 Claims

1. A system comprising: (independent claim, reproduced in full under "First Claim" above; dependent claims 2–9 not shown)
10. A computer-implemented method comprising:
receiving a trust profile corresponding to a first network device, the trust profile identifying at least one of (1) a permissible port and (2) a permissible protocol for transceiving legitimate network traffic by the first network device;
storing the trust profile at a second network device that monitors network traffic corresponding to the first network device;
identifying, by the second network device, at least one of (1) an actual port used to transceive network traffic by the first network device and (2) an actual protocol used to generate network traffic by the first network device; and
determining, by the second network device, whether the at least one of (1) the actual port and (2) the actual protocol matches the at least one of (1) the permissible port and (2) the permissible protocol of the trust profile.
(Dependent claims 11–20 not shown.)
21. A computer-implemented method comprising:
storing a trust profile at a network monitor, the trust profile identifying legitimate traffic by at least one of (1) a permissible port and (2) a permissible protocol;
identifying, by the network monitor, at least one of (1) an actual port used to transceive network traffic and (2) an actual protocol used to generate network traffic; and
determining, by the network monitor, whether the at least one of (1) the actual port and (2) the actual protocol matches the at least one of (1) the permissible port and (2) the permissible protocol of the trust profile.
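As an added example (not text or code from the patent), a minimal trust-profile monitor in the shape of claims 10 and 21: a stored profile per device identifies permissible ports, permissible protocols, or both, and the actual port and protocol of each observed flow is checked against it. Device names, field names and traffic records below are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class TrustProfile:
    """Permissible use for one device: permissible ports, protocols, or both.
    None means the profile does not constrain that dimension (the claims' "at least one of")."""
    device: str
    ports: Optional[frozenset] = None       # hypothetical field names
    protocols: Optional[frozenset] = None

    def __post_init__(self):
        if self.ports is None and self.protocols is None:
            raise ValueError("trust profile must identify permissible ports or protocols")

@dataclass(frozen=True)
class Flow:
    """One observed flow attributed to a monitored device (constructed record)."""
    device: str
    port: int
    protocol: str

def evaluate(flow: Flow, profile: TrustProfile) -> list:
    """Reasons the flow is inconsistent with the profile; empty list means it matches."""
    reasons = []
    if profile.ports is not None and flow.port not in profile.ports:
        reasons.append(f"port {flow.port} not permitted")
    if profile.protocols is not None and flow.protocol.lower() not in profile.protocols:
        reasons.append(f"protocol {flow.protocol} not permitted")
    return reasons

def monitor(flows, profiles):
    """Monitor's view: check each flow against the stored profile of its source device.
    A device with no stored profile has no defined permissible use, so it is reported."""
    alerts = []
    for f in flows:
        p = profiles.get(f.device)
        reasons = ["no trust profile stored for device"] if p is None else evaluate(f, p)
        if reasons:
            alerts.append((f, reasons))
    return alerts

# Constructed profiles: the web server is constrained on ports and protocols,
# the DNS server on protocol only, so DNS over any port is permissible for it.
PROFILES = {
    "web-01": TrustProfile("web-01", frozenset({80, 443}), frozenset({"http", "https"})),
    "dns-01": TrustProfile("dns-01", protocols=frozenset({"dns"})),
}
# Constructed traffic: the first two flows are consistent, the remaining three deviate.
FLOWS = [Flow("web-01", 443, "HTTPS"), Flow("dns-01", 5353, "dns"),
         Flow("web-01", 22, "ssh"), Flow("dns-01", 53, "http"), Flow("db-07", 3306, "mysql")]
```

Running `monitor(FLOWS, PROFILES)` reports three flows: the web server on an unlisted port and protocol, the DNS server generating a non-DNS protocol, and a device for which no profile has been stored.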