Identifying anomalous messages
Abstract
A method for computer system forensics includes receiving an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers. Messages transmitted by the host computers are monitored so as to detect, for each monitored message, a respective process that initiated the message. Responsively to the identification, a forensic indicator is extracted of the respective process that initiated the anomalous message.
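The abstract describes two cooperating steps: host-side monitoring that records, for every outbound message, which process owned the sending socket, and a lookup that turns a network-side anomaly identification into a forensic indicator of that process. The example below is an added illustration of that correlation, not the patent's implementation and not code from any assignee; the class and function names, the 5-tuple-plus-timestamp matching, the window size, and all host, process and hash values are constructed assumptions. It also handles the case the abstract leaves implicit: source ports are reused, so the same 5-tuple can belong to different processes at different times, and the timestamp disambiguates.

```python
"""Correlate an anomalous network message with the process that initiated it.

Added example (not the patent's implementation). Host agents are assumed to
record the socket 5-tuple and the owning process for each outbound message;
an external detector later identifies one message as anomalous, and the
forensic indicator of the initiating process is extracted from the records.
All sample data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """Sending host plus socket 5-tuple; identifies a message on the wire."""
    host: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class ProcessRecord:
    """What the host agent recorded about the process owning the socket."""
    pid: int
    name: str
    exe_path: str
    exe_sha256: str   # placeholder digests in the sample data below
    parent_pid: int
    parent_name: str
    user: str


@dataclass(frozen=True)
class MessageRecord:
    ts: float
    flow: Flow
    process: ProcessRecord


class MessageMonitor:
    """Per-message process attribution gathered from all hosts (the monitoring step)."""

    def __init__(self) -> None:
        self._records: list[MessageRecord] = []

    def record(self, ts: float, flow: Flow, process: ProcessRecord) -> None:
        self._records.append(MessageRecord(ts, flow, process))

    def attribute(self, flow: Flow, ts: float, window: float = 2.0) -> Optional[MessageRecord]:
        # Source ports are reused, so the same 5-tuple can belong to different
        # processes over time; the record closest in time within the window wins.
        candidates = [r for r in self._records
                      if r.flow == flow and abs(r.ts - ts) <= window]
        if not candidates:
            return None
        return min(candidates, key=lambda r: abs(r.ts - ts))


FLOW_KEYS = ("host", "src_ip", "src_port", "dst_ip", "dst_port", "proto")


def extract_forensic_indicator(monitor: MessageMonitor, anomaly: dict) -> dict:
    """The extracting step: map an anomaly identification (as a network-side
    detector would emit it) to an indicator of the process that sent the message."""
    flow = Flow(**{k: anomaly[k] for k in FLOW_KEYS})
    rec = monitor.attribute(flow, anomaly["ts"])
    if rec is None:
        # No host-side record: the host may be unmonitored or the message predates monitoring.
        return {"status": "unattributed", "host": flow.host, "src_port": flow.src_port}
    p = rec.process
    return {
        "status": "attributed",
        "host": flow.host,
        "pid": p.pid,
        "process": p.name,
        "exe_path": p.exe_path,
        "exe_sha256": p.exe_sha256,
        "parent": f"{p.parent_name}({p.parent_pid})",
        "user": p.user,
        "observed_at": rec.ts,
    }


def build_sample_monitor() -> MessageMonitor:
    """Constructed sample: two messages on the same 5-tuple from different processes."""
    m = MessageMonitor()
    flow = Flow("ws-17", "10.0.5.17", 51234, "203.0.113.9", 443, "tcp")
    m.record(100.0, flow, ProcessRecord(4120, "browser", "/usr/bin/browser",
                                        "a" * 64, 1, "init", "alice"))
    m.record(500.0, flow, ProcessRecord(7781, "helper_svc", "/tmp/.cache/helper_svc",
                                        "b" * 64, 7702, "sh", "alice"))
    return m


# Constructed anomaly identification for the second message on that 5-tuple.
SAMPLE_ANOMALY = {"host": "ws-17", "src_ip": "10.0.5.17", "src_port": 51234,
                  "dst_ip": "203.0.113.9", "dst_port": 443, "proto": "tcp", "ts": 500.4}


if __name__ == "__main__":
    print(extract_forensic_indicator(build_sample_monitor(), SAMPLE_ANOMALY))
```

With the sample data the anomaly at t=500.4 is attributed to `helper_svc` (pid 7781, spawned by `sh`), not to the browser that used the same source port 400 seconds earlier; an identification with no matching record within the window comes back as `unattributed` rather than being guessed.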
Claims (18 claims in total; the independent claims 1, 7 and 13 follow)
1. A method for computer system forensics, comprising:
receiving an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers;
monitoring messages transmitted by the host computers so as to detect, for each monitored message, a respective process that initiated the message; and
responsively to the identification, extracting a forensic indicator of the respective process that initiated the anomalous message.
Dependent claims: 2, 3, 4, 5, 6.
7. Apparatus for computer system forensics, comprising:
an interface, which is configured to receive an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers; and
a processor, which is coupled to cause the host computers to monitor messages transmitted by the host computers so as to detect, for each monitored message, a respective process that initiated the message, and which is configured to extract, responsively to the identification, a forensic indicator of the respective process that initiated the anomalous message.
Dependent claims: 8, 9, 10, 11, 12.
13. A computer software product, comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers, to cause the host computers to monitor messages transmitted by the host computers so as to detect, for each monitored message, a respective process that initiated the message, and to extract, responsively to the identification, a forensic indicator of the respective process that initiated the anomalous message.