SYSTEM AND METHOD OF DETECTING WHETHER A SOURCE OF A PACKET FLOW TRANSMITS PACKETS WHICH BYPASS AN OPERATING SYSTEM STACK
First Claim
1. A method comprising:
capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data;
capturing second data associated with a second packet flow originating from the first host using a second capture agent deployed at a second host to yield second flow data, wherein the first capturing agent is deployed in a first layer of a network and the second capturing agent is deployed in a second layer of the network;
comparing the first flow data and the second flow data to yield a difference; and
when the difference is above a threshold value, determining that the second packet flow was transmitted by a component that bypassed one of an operating stack of the first host and a packet capture agent on the first host, to yield a determination.
Abstract
A method includes capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data, capturing second data associated with a second packet flow originating from the first host from a second capture agent deployed on a second host to yield second flow data and comparing the first flow data and the second flow data to yield a difference. When the difference is above a threshold value, the method includes determining that the second packet flow was transmitted by a component that bypassed an operating stack of the first host or a packet capture agent at the device to yield a determination, detecting that hidden network traffic exists, and predicting a malware issue with the first host based on the determination.
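As an added illustration of the comparison the abstract describes (not code from the patent or its assignee), the following Python compares per-flow byte counts reported by a capture agent on the first host with those reported by a capture agent at the network layer and flags flows whose difference exceeds a threshold as having bypassed the host stack or the host agent. The flow records, addresses and the 1000-byte threshold are constructed sample values.

```python
from collections import defaultdict

# Constructed flow records: ((src_ip, dst_ip, proto, src_port, dst_port), packets, bytes).
# Records seen by the capture agent running on the first host (traffic that passed its OS stack).
HOST_AGENT_RECORDS = [
    (("10.0.0.5", "10.0.0.9", "tcp", 40122, 443), 120, 90000),
    (("10.0.0.5", "10.0.0.53", "udp", 51001, 53), 4, 320),
]
# Records seen by the capture agent at the network layer (e.g. on the upstream switch).
NETWORK_AGENT_RECORDS = [
    (("10.0.0.5", "10.0.0.9", "tcp", 40122, 443), 121, 90540),    # small drift: one retransmission
    (("10.0.0.5", "10.0.0.53", "udp", 51001, 53), 4, 320),        # identical on both layers
    (("10.0.0.5", "203.0.113.7", "tcp", 51234, 8443), 40, 30000),  # never seen by the host agent
    (("10.0.0.6", "10.0.0.9", "tcp", 40500, 443), 10, 8000),      # different source host, ignored
]
THRESHOLD_BYTES = 1000  # constructed tolerance for ordinary drift between the two layers


def aggregate(records):
    """Sum packet and byte counts per 5-tuple."""
    totals = defaultdict(lambda: [0, 0])
    for key, pkts, nbytes in records:
        totals[key][0] += pkts
        totals[key][1] += nbytes
    return totals


def compare_flows(host_records, network_records, src_host):
    """Per-flow difference (network bytes minus host bytes) for flows originating from src_host.

    A positive difference means the network layer saw bytes the host agent never reported.
    """
    host = aggregate(r for r in host_records if r[0][0] == src_host)
    net = aggregate(r for r in network_records if r[0][0] == src_host)
    return {key: net[key][1] - host[key][1] for key in set(host) | set(net)}


def detect_bypass(host_records, network_records, src_host, threshold_bytes):
    """Return the 5-tuples whose difference exceeds the threshold: hidden traffic candidates."""
    diffs = compare_flows(host_records, network_records, src_host)
    return sorted(key for key, diff in diffs.items() if diff > threshold_bytes)


if __name__ == "__main__":
    for flow in detect_bypass(HOST_AGENT_RECORDS, NETWORK_AGENT_RECORDS, "10.0.0.5", THRESHOLD_BYTES):
        print("hidden traffic candidate:", flow)
```

Only the flow to 203.0.113.7 is reported; the 540-byte drift on the HTTPS flow stays under the threshold, and the flow from 10.0.0.6 is excluded because it does not originate from the first host.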
20 Claims
1. A method comprising: (independent claim, as set out above under First Claim; dependent claims 2 to 11.)
12. A system comprising:
a processor; and
a computer-readable storage medium storing instructions which, when executed by the processor, cause the processor to perform operations comprising:
capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data;
capturing second data associated with a second packet flow originating from the first host using a second capture agent deployed at a second host to yield second flow data, wherein the first capturing agent is deployed in a first layer of a network and the second capturing agent is deployed in a second layer of the network;
comparing the first flow data and the second flow data to yield a difference; and
when the difference is above a threshold value, determining that the second packet flow was transmitted by a component that bypassed one of an operating stack of the first host and a packet capture agent on the first host, to yield a determination.
(Dependent claims 13 to 20.)