DETECTING ATTACKS USING PASSIVE NETWORK MONITORING
First Claim
1. A method for detecting one or more attacks in a network, wherein one or more processors in one or more network monitoring computers (NMCs) execute instructions to perform actions, comprising:
- passively monitoring one or more network flows using the one or more NMCs; and
responsive to detecting one or more file write operations based on information included in one or more packets of the one or more network flows, performing further actions, including;
executing one or more detection rules to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations;
providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write operations; and
responsive to one or more of the one or more metrics exceeding one or more threshold values, providing one or more reports of one or more attacks based on the one or more exceeded threshold values.
6 Assignments
0 Petitions
Accused Products
Abstract
Embodiments are directed to detecting one or more attacks in a network. One or more network flows may be monitored using one or more network monitoring computers (NMCs). If one or more file write operations are detected based on information included in one or more packets of the one or more network flows, one or more detection rules may be executed to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations. One or more metrics may be provided based on the one or more detection rules and one or more of the file information, the one or more file write operations, or the like. If one or more metrics exceed one or more threshold values, one or more reports of one or more attacks may be provided.
65 Citations
1 Claim
-
1. A method for detecting one or more attacks in a network, wherein one or more processors in one or more network monitoring computers (NMCs) execute instructions to perform actions, comprising:
-
passively monitoring one or more network flows using the one or more NMCs; and responsive to detecting one or more file write operations based on information included in one or more packets of the one or more network flows, performing further actions, including; executing one or more detection rules to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations; providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write operations; and responsive to one or more of the one or more metrics exceeding one or more threshold values, providing one or more reports of one or more attacks based on the one or more exceeded threshold values.
-
Specification
-
- Resources
-
Current AssigneeExtraHop Networks, Incorporated
-
Original AssigneeExtraHop Networks, Incorporated
-
InventorsRoeh, Thomas Lawrence, Clernent, Samuel Kanen, Kiefer, John Augustus
-
Granted Patent
-
Time in Patent OfficeDays
-
Field of Search
-
US Class Current
-
CPC Class CodesH04L 43/062 related to network trafficH04L 43/12 Network monitoring probesH04L 43/16 Threshold monitoringH04L 49/9047 including multiple buffers,...H04L 63/0245 Filtering by information in...H04L 63/1408 by monitoring network traff...H04L 63/1416 Event detection, e.g. attac...H04L 63/1425 Traffic logging, e.g. anoma...H04L 63/20 for managing network securi...
