System and Method for Detecting and Monitoring Network Communication

US 20170244734A1
Filed: 02/17/2017
Published: 08/24/2017
Est. Priority Date: 02/19/2016
Status: Active Grant

First Claim

Patent Images

1. A method of monitoring network connections for malicious activity, comprising:

identifying a new network connection;

resolving a hostname and an address for a remote system of the new network connection;

logging the new network connection, the hostname, and the address;

evaluating the connection and the hostname based on a set of rules; and

redirecting or ending the connection when the set of rules identifies the connection as not allowed.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.

Citations

20 Claims

1. A method of monitoring network connections for malicious activity, comprising:
- identifying a new network connection;
  
  resolving a hostname and an address for a remote system of the new network connection;
  
  logging the new network connection, the hostname, and the address;
  
  evaluating the connection and the hostname based on a set of rules; and
  
  redirecting or ending the connection when the set of rules identifies the connection as not allowed.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein identifying the new network connection includes identifying a network flow and matching the network flow against a list of existing network flows.
  - 3. The method of claim 1, wherein resolving the hostname and address for the remote system includes performing a reverse lookup based on the IP address of the remote system to obtain the hostname for the remote system.
  - 4. The method of claim 1, wherein resolving the hostname and address for the remote system includes performing a Domain Name Service query based on the hostname of the remote system to obtain the IP address for the remote system.
  - 5. The method of claim 1, further comprising tagging new flows and new hostnames as not having been sent to a cloud service, and sending all tagged connections to the cloud service.
  - 6. The method of claim 1, further comprising receiving an updated set of rules from the cloud service.
  - 7. The method of claim 1, wherein logging the hostname and the address includes recording the hostname and the address along with a timestamp so changes in hostname resolution can be tracked over time.

8. An endpoint agent for monitoring network connections for malicious activity, comprising:
- a communications engine configured to;
  
  receive a set of rules from a cloud service; and
  
  send network flow and hostname data to the cloud service for a new network connection;
  
  a network monitor configured to;
  
  identify the new network connection;
  
  resolve a hostname and address for a remote system of the new network connection; and
  
  log the new network connection, the hostname, and the address; and
  
  an inspector configured to;
  
  compare the new network connection and hostname to a set of rules;
  
  determine if the new network connection is allowable; and
  
  redirect or terminate the new network connection if the connection is not allowable.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The endpoint agent of claim 8, wherein the network monitor is configured to identify new connections by identifying a network flow and matching the network flow against a list of existing network flows.
  - 10. The endpoint agent of claim 8, wherein the network monitor is configured to resolve the hostname and address for the remote system by performing a reverse lookup based on the IP address of the remote system to obtain the hostname for the remote system.
  - 11. The endpoint agent of claim 8, wherein the network monitor is configured to resolve the hostname and address for the remote system by performing a Domain Name Service query based on the hostname of the remote system to obtain the IP address for the remote system.
  - 12. The endpoint agent of claim 8, wherein the network monitor is further configured to tag new flows and new hostnames as not having been sent to a cloud service, and the communications engine is configured to send network flow and hostname data to the cloud service by sending all tagged connections and hostnames to the cloud service.
  - 13. The endpoint agent of claim 8, wherein the network monitor is configured to log the hostname and the address by recording the hostname and the address along with a timestamp so changes in hostname resolution can be tracked over time.

14. A non-transitory computer-readable medium including code that when executed by a processor causes the processor to perform a method, the method comprising:
- identifying a new network connection;
  
  resolving a hostname and address for a remote system of the new network connection;
  
  logging the new network connection and the hostname;
  
  evaluating the new network connection and the hostname based on a set of rules; and
  
  redirecting or ending the new network connection when the set of rules identifies the new network connection as not allowed.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable medium of claim 14, wherein identifying a new network connection includes identifying a network flow and not finding a match when comparing the network flow against a list of existing network flows.
  - 16. The non-transitory computer-readable medium of claim 14, wherein resolving the hostname and address for the remote system includes performing a reverse lookup based on the IP address of the remote system to obtain the hostname for the remote system.
  - 17. The non-transitory computer-readable medium of claim 14, wherein resolving the hostname and address for the remote system includes performing a domain name service query based on the hostname of the remote system to obtain the IP address for the remote system.
  - 18. The non-transitory computer-readable medium of claim 14, further comprising tagging new flows and new hostnames as not having been sent to a cloud service, and sending all tagged connections to the cloud service.
  - 19. The non-transitory computer-readable medium of claim 14, further comprising receiving an updated set of rules from the cloud service.
  - 20. The non-transitory computer-readable medium of claim 14, wherein logging the hostname and the address includes recording the hostname and the address along with a timestamp so changes in hostname resolution can be tracked over time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureWorks Corp. (Dell Technologies Inc.)
Original Assignee
SecureWorks Corp. (Dell Technologies Inc.)
Inventors
Kinder, Ross R., Hackworth, Aaron, Geiger, Matthew K., Moore, Kevin R., Vidas, Timothy M.

Granted Patent

US 10,713,360 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

G06F 2221/034   Test or assess a computer o...

G06F 2221/2115   Third party

G06F 9/4406   Loading of operating system

G06F 9/4843   by program, e.g. task dispa...

G06F 9/542   Event management; Broadcast...

H04L 41/069   using logs of notifications...

H04L 45/22   Alternate routing

H04L 61/4511   using domain name system [DNS]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

H04L 63/20   for managing network securi...

H04L 63/308   retaining data, e.g. retain...

System and Method for Detecting and Monitoring Network Communication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Detecting and Monitoring Network Communication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links