DETECTING ATTACKS USING PASSIVE NETWORK MONITORING
First Claim
1. A method for detecting one or more attacks in a network, wherein one or more processors in one or more network monitoring computers (NMCs) execute instructions to perform actions, comprising:
- passively monitoring one or more network flows using the one or more NMCs; and
responsive to detecting one or more file write operations based on information included in one or more packets of the one or more network flows, performing further actions, including;
executing one or more detection rules to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations;
providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write operations; and
responsive to one or more of the one or more metrics exceeding one or more threshold values, providing one or more reports of one or more attacks based on the one or more exceeded threshold values.
6 Assignments
0 Petitions
Accused Products
Abstract
Embodiments are directed to detecting one or more attacks in a network. One or more network flows may be monitored using one or more network monitoring computers (NMCs). If one or more file write operations are detected based on information included in one or more packets of the one or more network flows, one or more detection rules may be executed to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations. One or more metrics may be provided based on the one or more detection rules and one or more of the file information, the one or more file write operations, or the like. If one or more metrics exceed one or more threshold values, one or more reports of one or more attacks may be provided.
65 Citations
1 Claim
-
1. A method for detecting one or more attacks in a network, wherein one or more processors in one or more network monitoring computers (NMCs) execute instructions to perform actions, comprising:
-
passively monitoring one or more network flows using the one or more NMCs; and responsive to detecting one or more file write operations based on information included in one or more packets of the one or more network flows, performing further actions, including; executing one or more detection rules to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations; providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write operations; and responsive to one or more of the one or more metrics exceeding one or more threshold values, providing one or more reports of one or more attacks based on the one or more exceeded threshold values.
-
Specification