Identifying anomalous messages

US 20170026398A1
Filed: 10/06/2016
Published: 01/26/2017
Est. Priority Date: 01/16/2013
Status: Active Grant

First Claim

Patent Images

1. A method for computer system forensics, comprising:

receiving an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers;

monitoring messages transmitted by the host computers so as to detect, for each monitored message, a respective process that initiated the message; and

responsively to the identification, extracting a forensic indicator of the respective process that initiated the anomalous message.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for computer system forensics includes receiving an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers. Messages transmitted by the host computers are monitored so as to detect, for each monitored message, a respective process that initiated the message. Responsively to the identification, a forensic indicator is extracted of the respective process that initiated the anomalous message.

28 Citations

View as Search Results

18 Claims

1. A method for computer system forensics, comprising:
- receiving an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers;
  
  monitoring messages transmitted by the host computers so as to detect, for each monitored message, a respective process that initiated the message; and
  
  responsively to the identification, extracting a forensic indicator of the respective process that initiated the anomalous message.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method according to claim 1, wherein receiving the identification comprises determining that the anomalous message is associated with a specified destination.
  - 3. The method according to claim 2, wherein monitoring the messages comprises configuring a filter on the host computers to detect the respective process that initiates the messages that are associated with the specified destination.
  - 4. The method according to claim 1, wherein monitoring the messages comprises configuring a monitoring program running on the host computers to filter the messages transmitted by the host computers in accordance with a filtering criterion that is associated with the anomalous message, and to identify the respective process that initiated the messages that satisfy the filtering criterion.
  - 5. The method according to claim 1, wherein monitoring the messages comprises detecting calls to a specified application program interface (API).
  - 6. The method according to claim 1, wherein monitoring the messages comprises detecting Domain Name System (DNS) lookups.

7. Apparatus for computer system forensics, comprising:
- an interface, which is configured to receive an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers; and
  
  a processor, which is coupled to cause the host computers to monitor messages transmitted by the host computers so as to detect, for each monitored message, a respective process that initiated the message, and which is configured to extract, responsively to the identification, a forensic indicator of the respective process that initiated the anomalous message.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus according to claim 7, wherein the identification indicates that the anomalous message is associated with a specified destination.
  - 9. The apparatus according to claim 8, wherein the processor is coupled to configure a filter on the host computers to detect the respective process that initiates the messages that are associated with the specified destination.
  - 10. The apparatus according to claim 7, wherein the processor is coupled to configure a monitoring program running on the host computers to filter the messages transmitted by the host computers in accordance with a filtering criterion that is associated with the anomalous message, and to identify the respective process that initiated the messages that satisfy the filtering criterion.
  - 11. The apparatus according to claim 7, wherein the processor is configured to cause the host computers to monitor the messages by detecting calls to a specified application program interface (API).
  - 12. The apparatus according to claim 7, wherein the processor is configured to cause the host computers to monitor the messages by detecting Domain Name System (DNS) lookups.

13. A computer software product, comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers, to cause the host computers to monitor messages transmitted by the host computers so as to detect, for each monitored message, a respective process that initiated the message, and to extract, responsively to the identification, a forensic indicator of the respective process that initiated the anomalous message.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The product according to claim 13, wherein the identification indicates that the anomalous message is associated with a specified destination.
  - 15. The product according to claim 14, wherein the instructions cause the computer to configure a filter on the host computers to detect the respective process that initiates the messages that are associated with the specified destination.
  - 16. The product according to claim 13, wherein the instructions cause the computer to configure a monitoring program running on the host computers to filter the messages transmitted by the host computers in accordance with a filtering criterion that is associated with the anomalous message, and to identify the respective process that initiated the messages that satisfy the filtering criterion.
  - 17. The product according to claim 13, wherein the instructions cause the computer to cause the host computers to monitor the messages by detecting calls to a specified application program interface (API).
  - 18. The product according to claim 13, wherein the instructions cause the computer to cause the host computers to monitor the messages by detecting Domain Name System (DNS) lookups.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks (UK) Ltd. (Palo Alto Networks Incorporated)
Original Assignee
Light Cyber Ltd.
Inventors
Mumcuoglu, Michael, Engel, Giora, Firstenberg, Eyal

Granted Patent

US 9,979,742 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

H04L 2463/121   Timestamp cryptographic mec...

H04L 61/4511   using domain name system [DNS]

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Identifying anomalous messages

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying anomalous messages

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links