SYSTEM AND METHOD OF DETECTING HIDDEN PROCESSES BY ANALYZING PACKET FLOWS
Abstract
A method includes capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data, capturing second data associated with a second packet flow originating from the first host from a second capture agent deployed outside of the first host to yield second flow data and comparing the first flow data and the second flow data to yield a difference. When the difference is above a threshold value, the method includes determining that a hidden process exists and corrective action can be taken.
20 Claims
1. A method comprising:
capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data;
capturing second data associated with a second packet flow originating from the first host from a second capture agent deployed at a second host to yield second flow data, wherein the first capture agent is deployed at a first layer of a network and the second capture agent is deployed at a second layer of the network, wherein the first layer and the second layer are different layers;
comparing the first flow data and the second flow data to yield a difference; and
when the difference is above a threshold value, determining that a hidden process exists to yield a determination.
Dependent claims: 2-10.
11. A system comprising:
a processor; and
a computer-readable storage medium storing instructions which, when executed by the processor, cause the processor to perform operations comprising:
capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data;
capturing second data associated with a second packet flow originating from the first host from a second capture agent deployed on a second host to yield second flow data, wherein the first capture agent is deployed at a first layer of a network and the second capture agent is deployed at a second layer of the network, wherein the first layer and the second layer are different layers;
comparing the first flow data and the second flow data to yield a difference; and
when the difference is above a threshold value, determining that the second packet flow was transmitted by a component that bypassed an operating stack of the first host, to yield a determination; and
taking a limiting action associated with a flow of packets to or from the first host based on the determination.
Dependent claims: 12-17.
18. A computer-readable storage device that stores instructions which, when executed by a processor, cause the processor to perform further operations comprising:
capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data;
capturing second data associated with a second packet flow originating from the first host from a second capture agent deployed at a second host to yield second flow data, wherein the first capture agent is deployed at a first layer of a network and the second capture agent is deployed at a second layer of the network, wherein the first layer and the second layer are different layers;
comparing the first flow data and the second flow data to yield a difference;
when the difference is above a threshold value, determining that the second packet flow was transmitted by a component that bypassed an operating stack of the first host, to yield a determination; and
taking a limiting action associated with a flow of packets to or from the first host based on the determination.
Dependent claims: 19-20.
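The comparison step described in the abstract and in claims 1, 11 and 18, as an added example that is not the patent's own implementation: flows are keyed by 5-tuple, the "difference" is taken to be the number of packets the network-layer agent saw leaving the host that the host-resident agent never accounted for, the threshold is a packet count, and the "limiting action" is returned as the list of flows to restrict (all of these are assumptions made for the example; the sample flow records are constructed).

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Flow identity is the 5-tuple; counts are what one capture agent observed.
FlowKey = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)


@dataclass(frozen=True)
class FlowRecord:
    key: FlowKey
    packets: int
    octets: int


def index_flows(records: Iterable[FlowRecord]) -> Dict[FlowKey, FlowRecord]:
    """Merge records sharing a 5-tuple so the two vantage points are comparable."""
    out: Dict[FlowKey, FlowRecord] = {}
    for r in records:
        prev = out.get(r.key)
        out[r.key] = FlowRecord(r.key, prev.packets + r.packets, prev.octets + r.octets) if prev else r
    return out


def flow_difference(host_records, network_records) -> Tuple[int, List[FlowKey]]:
    """Packets seen at the network layer that the host-resident agent did not report.

    A flow missing entirely from the host view, or under-counted there, is traffic the
    host's own stack did not account for. Returns (unaccounted_packets, suspect_keys).
    """
    host, net = index_flows(host_records), index_flows(network_records)
    unaccounted, suspect = 0, []
    for key, nrec in net.items():
        hrec = host.get(key)
        missing = nrec.packets - (hrec.packets if hrec else 0)
        if missing > 0:  # host reporting more than the wire (capture loss) is not evidence
            unaccounted += missing
            suspect.append(key)
    return unaccounted, suspect


def detect_hidden_process(host_records, network_records, threshold: int):
    """Claim logic: difference above threshold -> hidden process; return flows to limit."""
    diff, suspect = flow_difference(host_records, network_records)
    hidden = diff > threshold
    return hidden, (suspect if hidden else [])


# Constructed sample: the host agent reports two flows; the agent at the network layer
# (e.g. a virtual switch) additionally sees a third flow sourced from the same host.
HOST_VIEW = [
    FlowRecord(("10.0.0.5", 51000, "10.0.0.9", 443, "tcp"), 120, 98000),
    FlowRecord(("10.0.0.5", 51001, "10.0.0.53", 53, "udp"), 4, 320),
]
NETWORK_VIEW = HOST_VIEW + [FlowRecord(("10.0.0.5", 40021, "198.51.100.7", 8080, "tcp"), 37, 15400)]
```

Running `detect_hidden_process(HOST_VIEW, NETWORK_VIEW, threshold=10)` flags the host and names the unreported flow; the same data with the two views swapped yields no difference, since only traffic the host failed to account for counts.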