IDENTIFYING STEALTH PACKETS IN NETWORK COMMUNICATIONS THROUGH USE OF PACKET HEADERS

US 20160021131A1
Filed: 07/21/2014
Published: 01/21/2016
Est. Priority Date: 07/21/2014
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for detecting stealth network traffic comprising:

receiving at a server a known network traffic report corresponding to a host computer system,wherein said host computer system and said server are separate physical machines, andwherein said known network traffic report comprises information about all network traffic known to an operating system of said host computer system;

receiving a network capture report,wherein said network capture report comprises information about actual network traffic corresponding to said host computer system; and

comparing individual packet header information from said known network traffic report to individual packet header information from said network capture report to identify stealth network traffic,wherein said stealth network traffic is actual network traffic corresponding to said host computer system which was not known to said operating system running on said host computer system.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A host computer system contains a software module that monitors and records network communications that flow through the legitimate network channels provided by the operating system and reports this information to a central processing server. A computer system acting as a central processing server compares network communications data received from the host computer system with the overall network traffic. Network traffic that is not reported from the host computer system is likely the result of stealth network traffic produced by advanced malware that has hidden its communications by circumventing the legitimate network channels provided by the OS. Detection of this stealth network traffic can be accomplished by using just the packet header information so the data payload does not need to be recorded, thereby reducing the memory requirements and reducing the need to save any potentially sensitive information.

157 Citations

20 Claims

1. A computer implemented method for detecting stealth network traffic comprising:
- receiving at a server a known network traffic report corresponding to a host computer system,wherein said host computer system and said server are separate physical machines, andwherein said known network traffic report comprises information about all network traffic known to an operating system of said host computer system;
  
  receiving a network capture report,wherein said network capture report comprises information about actual network traffic corresponding to said host computer system; and
  
  comparing individual packet header information from said known network traffic report to individual packet header information from said network capture report to identify stealth network traffic,wherein said stealth network traffic is actual network traffic corresponding to said host computer system which was not known to said operating system running on said host computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 18, 19, 20)
- - 2. The computer implemented method of claim 1 further comprising sending an alert to a user, indicating said suspicious network traffic has been identified.
  - 3. The computer implemented method of claim 2 wherein said alert includes detailed information about said suspicious network activity.
  - 4. The computer implemented method of claim 1 wherein said network capture report is compiled from information gathered by a plurality of network capture devices.
  - 5. The computer implemented method of claim 1 wherein said network capture report comes from a network capture device on the same physical system as said server.
  - 6. The computer implemented method of claim 1 wherein said known network traffic report is received by encrypted communications.
  - 7. The computer implemented method of claim 1 wherein said server comprises a software module running on a general purpose computer system.
  - 8. The computer implemented method of claim 1 wherein said server comprises hardware and firmware designed and primarily dedicated to performing the function of said server.
  - 18. The computer implemented method of claim 1 further comprising sending an alert to a user, indicating said suspicious network traffic has been identified.
  - 19. The computer implemented method of claim 2 wherein said alert includes detailed information about said suspicious network activity.
  - 20. The computer implemented method of claim 1 wherein said known network traffic report is received by encrypted communications.

9. A computer-based system for detecting stealth network traffic comprising:
- a server module configured to;
  
  receive a known network traffic report corresponding to a host computer system on a separate physical machine from said server module, andreceive a network capture report,wherein said known network traffic report comprises information about all network traffic known to an operating system of said host computer system,wherein said network capture report comprises information about actual network traffic corresponding to said host computer system; and
  
  A calculation module configured to compare individual packet headers from said known network traffic report to individual packet headers from said network capture report to identify stealth network traffic,wherein said stealth network traffic is actual network traffic corresponding to said host computer system which was not known to said operating system running on said host computer system.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-based system of claim 9 further comprising an alert module configured to send an alert a user, indicating that said suspicious network traffic has been detected.
  - 11. The computer based system of claim 10 wherein said alert includes detailed information about said suspicious network traffic.
  - 12. The computer-based system of claim 9 further comprising one or more network capture devices for capturing the network traffic necessary to produce said network traffic report.
  - 13. The computer-based system of claim 12 wherein said network capture device is incorporated into the same physical system as said server module.
  - 14. The computer-based system of claim 9 wherein said known network traffic report is received by encrypted communications.
  - 15. The computer-based system of claim 9 wherein said server module comprises a software module running on a general purpose computer system.
  - 16. The computer-based system of claim 9 wherein said server module comprises hardware and firmware designed and primarily dedicated to performing the functions of said server.

17. A computer implemented method for detecting stealth network traffic comprising:
- receiving a known network traffic report corresponding to a host computer system,wherein said known network traffic report comprises information about all network traffic known to an operating system of said host computer system;
  
  receiving a network capture report from one or more network capture devices on a separate physical machine from said host computer system,wherein said network capture report comprises information about actual network traffic corresponding to said host computer system; and
  
  comparing individual packet header information from said known network traffic report to individual packet header information from said network capture report to identify stealth network traffic,wherein said stealth network traffic is actual network traffic corresponding to said host computer system which was not known to said operating system running on said host computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
David Paul Heilig
Original Assignee
David Paul Heilig
Inventors
Heilig, David Paul

Granted Patent

US 10,659,478 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1425 Traffic logging, e.g. anoma...

IDENTIFYING STEALTH PACKETS IN NETWORK COMMUNICATIONS THROUGH USE OF PACKET HEADERS

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

157 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTIFYING STEALTH PACKETS IN NETWORK COMMUNICATIONS THROUGH USE OF PACKET HEADERS

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

157 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links