IDENTIFYING STEALTH PACKETS IN NETWORK COMMUNICATIONS THROUGH USE OF PACKET HEADERS
First Claim
1. A computer implemented method for detecting stealth network traffic comprising:
- receiving at a server a known network traffic report corresponding to a host computer system, wherein said host computer system and said server are separate physical machines, and wherein said known network traffic report comprises information about all network traffic known to an operating system of said host computer system;
- receiving a network capture report, wherein said network capture report comprises information about actual network traffic corresponding to said host computer system; and
- comparing individual packet header information from said known network traffic report to individual packet header information from said network capture report to identify stealth network traffic, wherein said stealth network traffic is actual network traffic corresponding to said host computer system which was not known to said operating system running on said host computer system.
Abstract
A host computer system contains a software module that monitors and records network communications that flow through the legitimate network channels provided by the operating system and reports this information to a central processing server. A computer system acting as a central processing server compares network communications data received from the host computer system with the overall network traffic. Network traffic that is not reported from the host computer system is likely the result of stealth network traffic produced by advanced malware that has hidden its communications by circumventing the legitimate network channels provided by the OS. Detection of this stealth network traffic can be accomplished by using just the packet header information so the data payload does not need to be recorded, thereby reducing the memory requirements and reducing the need to save any potentially sensitive information.
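The comparison the abstract describes, written out as an added example (this is not code from the patent or its assignee). It assumes the two reports are lists of per-packet header records carrying the 5-tuple plus the IPv4 Identification field so that individual packets, not just flows, can be matched; the patent itself does not fix which header fields are compared. The host address and both reports below are constructed sample data. Captured packets involving the host that have no counterpart in the OS-known report are flagged, and no payload is ever stored:

```python
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Tuple


class PacketHeader(NamedTuple):
    """Header fields kept per packet; no payload bytes are retained."""
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    src_port: int
    dst_port: int
    ip_id: int      # IPv4 Identification field (assumed here to tell packets apart)


FlowKey = Tuple[str, str, str, int, int]

HOST_IP = "10.0.0.5"  # constructed address of the monitored host

# Constructed "known network traffic report": what the host OS reports having seen.
KNOWN_REPORT: List[PacketHeader] = [
    PacketHeader("10.0.0.5", "203.0.113.10", "tcp", 51000, 443, 1),
    PacketHeader("203.0.113.10", "10.0.0.5", "tcp", 443, 51000, 2),
    PacketHeader("10.0.0.5", "10.0.0.1", "udp", 40000, 53, 3),
]

# Constructed "network capture report": what a separate capture device saw on the wire.
CAPTURE_REPORT: List[PacketHeader] = [
    PacketHeader("10.0.0.5", "203.0.113.10", "tcp", 51000, 443, 1),
    PacketHeader("203.0.113.10", "10.0.0.5", "tcp", 443, 51000, 2),
    PacketHeader("10.0.0.5", "10.0.0.1", "udp", 40000, 53, 3),
    # Extra packet on an otherwise known flow, never reported by the OS.
    PacketHeader("10.0.0.5", "203.0.113.10", "tcp", 51000, 443, 4),
    # Packet on a flow the OS never reported at all.
    PacketHeader("10.0.0.5", "198.51.100.7", "tcp", 6666, 4444, 9),
    # Traffic of a different host on the same segment; not this host's traffic.
    PacketHeader("10.0.0.9", "198.51.100.7", "tcp", 33000, 80, 5),
]


def host_traffic(capture: Iterable[PacketHeader], host_ip: str) -> List[PacketHeader]:
    """Keep only packets to or from the monitored host; a capture device often sees a whole segment."""
    return [h for h in capture if host_ip in (h.src_ip, h.dst_ip)]


def find_stealth_packets(known: Iterable[PacketHeader],
                         capture: Iterable[PacketHeader],
                         host_ip: str) -> List[PacketHeader]:
    """Return captured packets for host_ip with no matching entry in the OS-known report.

    Matching is a multiset match on the full header tuple, so an extra packet on a
    flow the OS also used is still flagged, and the order of the two reports is irrelevant.
    """
    unmatched = Counter(known)
    stealth: List[PacketHeader] = []
    for h in host_traffic(capture, host_ip):
        if unmatched[h] > 0:
            unmatched[h] -= 1        # consumed one OS-known packet
        else:
            stealth.append(h)        # on the wire, but unknown to the OS
    return stealth


def flow_key(h: PacketHeader) -> FlowKey:
    return (h.src_ip, h.dst_ip, h.proto, h.src_port, h.dst_port)


def summarize_flows(stealth: Iterable[PacketHeader]) -> Dict[FlowKey, int]:
    """Group flagged packets by flow 5-tuple for an analyst-facing report."""
    return dict(Counter(flow_key(h) for h in stealth))


if __name__ == "__main__":
    flagged = find_stealth_packets(KNOWN_REPORT, CAPTURE_REPORT, HOST_IP)
    for (src, dst, proto, sport, dport), n in summarize_flows(flagged).items():
        print(f"stealth candidate: {proto} {src}:{sport} -> {dst}:{dport} ({n} packet(s))")
```

On the constructed input this flags two packets: one on the otherwise legitimate TCP 443 flow and one on a flow the OS never reported, while the other host's packet is ignored. In a real deployment the two reports would be compared over a bounded time window, and anything between the host and the capture point that rewrites headers (NAT, a proxy) would have to be accounted for before matching, or every packet would be flagged.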
157 Citations
20 Claims
1. A computer implemented method for detecting stealth network traffic comprising:
- receiving at a server a known network traffic report corresponding to a host computer system, wherein said host computer system and said server are separate physical machines, and wherein said known network traffic report comprises information about all network traffic known to an operating system of said host computer system;
- receiving a network capture report, wherein said network capture report comprises information about actual network traffic corresponding to said host computer system; and
- comparing individual packet header information from said known network traffic report to individual packet header information from said network capture report to identify stealth network traffic, wherein said stealth network traffic is actual network traffic corresponding to said host computer system which was not known to said operating system running on said host computer system.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 18, 19, 20

9. A computer-based system for detecting stealth network traffic comprising:
- a server module configured to: receive a known network traffic report corresponding to a host computer system on a separate physical machine from said server module, and receive a network capture report, wherein said known network traffic report comprises information about all network traffic known to an operating system of said host computer system, wherein said network capture report comprises information about actual network traffic corresponding to said host computer system; and
- a calculation module configured to compare individual packet headers from said known network traffic report to individual packet headers from said network capture report to identify stealth network traffic, wherein said stealth network traffic is actual network traffic corresponding to said host computer system which was not known to said operating system running on said host computer system.
Dependent claims: 10, 11, 12, 13, 14, 15, 16

17. A computer implemented method for detecting stealth network traffic comprising:
- receiving a known network traffic report corresponding to a host computer system, wherein said known network traffic report comprises information about all network traffic known to an operating system of said host computer system;
- receiving a network capture report from one or more network capture devices on a separate physical machine from said host computer system, wherein said network capture report comprises information about actual network traffic corresponding to said host computer system; and
- comparing individual packet header information from said known network traffic report to individual packet header information from said network capture report to identify stealth network traffic, wherein said stealth network traffic is actual network traffic corresponding to said host computer system which was not known to said operating system running on said host computer system.
Specification