System and Method for Detecting and Monitoring Network Communication
Abstract
A system for collection and analysis of forensic and event data comprising a server and an endpoint agent operating on a remote system. The server is configured to receive event data including process creation data, persistent process data, thread injection data, network connection data, memory pattern data, or any combination thereof, and analyze the event data to detect compromises of a remote system. The endpoint agent is configured to acquire event data, and communicate the event data to the server.
20 Claims
1. A method of monitoring network connections for malicious activity, comprising:
- identifying a new network connection;
- resolving a hostname and an address for a remote system of the new network connection;
- logging the new network connection, the hostname, and the address;
- evaluating the connection and the hostname based on a set of rules; and
- redirecting or ending the connection when the set of rules identifies the connection as not allowed.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. An endpoint agent for monitoring network connections for malicious activity, comprising:
- a communications engine configured to:
  - receive a set of rules from a cloud service; and
  - send network flow and hostname data to the cloud service for a new network connection;
- a network monitor configured to:
  - identify the new network connection;
  - resolve a hostname and address for a remote system of the new network connection; and
  - log the new network connection, the hostname, and the address; and
- an inspector configured to:
  - compare the new network connection and hostname to a set of rules;
  - determine if the new network connection is allowable; and
  - redirect or terminate the new network connection if the connection is not allowable.
Dependent claims: 9, 10, 11, 12, 13.
14. A non-transitory computer-readable medium including code that when executed by a processor causes the processor to perform a method, the method comprising:
- identifying a new network connection;
- resolving a hostname and address for a remote system of the new network connection;
- logging the new network connection and the hostname;
- evaluating the new network connection and the hostname based on a set of rules; and
- redirecting or ending the new network connection when the set of rules identifies the new network connection as not allowed.
Dependent claims: 15, 16, 17, 18, 19, 20.
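As an added illustration of the claimed method (example code written for this page, not code from the patent or its assignee), the Python sketch below walks through the steps shared by claims 1, 8 and 14: take a new connection's remote address, resolve its hostname, log both, evaluate them against an ordered rule set, and return an allow, redirect or terminate decision. The reverse-DNS table, the rule set and the sinkhole address are constructed sample data so the example runs offline; acting on the socket itself is left to the caller.

```python
import ipaddress
import logging
from dataclasses import dataclass
from typing import Callable, List, Optional

log = logging.getLogger("netmon")


@dataclass
class Rule:  # one rule-set entry: match on hostname suffix and/or address block
    action: str                          # "allow", "redirect" or "terminate"
    host_suffix: Optional[str] = None    # e.g. ".bad.example"; None matches any host
    network: Optional[str] = None        # CIDR such as "192.0.2.0/24"; None matches any address
    redirect_to: Optional[str] = None    # sinkhole address used when action is "redirect"

    def matches(self, host: str, addr: str) -> bool:
        host_ok = self.host_suffix is None or host.endswith(self.host_suffix)
        addr_ok = self.network is None or ipaddress.ip_address(addr) in ipaddress.ip_network(self.network)
        return host_ok and addr_ok


@dataclass
class Decision:
    addr: str
    host: str
    action: str
    redirect_to: Optional[str] = None


def evaluate(addr: str, rules: List[Rule], resolver: Callable[[str], str]) -> Decision:
    """Resolve, log and evaluate a new connection; the first matching rule wins.
    No match means the connection is allowed; the caller performs the redirect or close."""
    host = resolver(addr)  # reverse lookup; injected so the example runs offline
    log.info("new connection addr=%s host=%s", addr, host or "<unresolved>")
    for rule in rules:
        if rule.matches(host, addr):
            log.info("addr=%s host=%s action=%s", addr, host, rule.action)
            return Decision(addr, host, rule.action, rule.redirect_to)
    return Decision(addr, host, "allow")


# Constructed reverse-DNS table and rule set (sample data, not from the patent).
FAKE_PTR = {"203.0.113.7": "c2.bad.example", "198.51.100.20": "updates.vendor.example",
            "192.0.2.99": "host99.other.example"}
RULES = [
    Rule("allow", host_suffix=".vendor.example"),
    Rule("redirect", host_suffix=".bad.example", redirect_to="10.0.0.1"),  # sinkhole
    Rule("terminate", network="192.0.2.0/24"),
]


def decide(addr: str) -> Decision:
    return evaluate(addr, RULES, lambda a: FAKE_PTR.get(a, ""))
```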