APPARATUS AND METHOD FOR CONDUCTING ENDPOINT-NETWORK-MONITORING PACKET TAGGING

US 20180307833A1
Filed: 04/20/2018
Published: 10/25/2018
Est. Priority Date: 04/20/2017
Status: Active Grant

First Claim

Patent Images

1. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising:

instantiating, with one or more processors, a networking-stack, intrusion-detection kernel driver in kernel space of an operating system of a host computing device connected to a network, where the networking-stack, intrusion-detection kernel driver is configured to;

obtain kernel-filter criteria indicative of which network traffic is to be deemed potentially malicious,determine that a network packet is resident in a networking stack of the operating system of the host computing device,access at least part of the network packet,apply the kernel-filter criteria to the at least part of the network packet and, based on applying the kernel-filter criteria, determining that the network packet is potentially malicious,associate the network packet with an identifier of an application executing in userspace of the operating system and to which or from which the network packet is sent, andreport the network packet in association with the identifier of the application to an intrusion-detection agent executing in userspace of the operating system of the host computing device, the intrusion-detection agent being different from the application to which or from which the network packet is sent; and

instantiating, with one or more processors, the intrusion-detection agent in userspace of the operating system of the host computing device, wherein the intrusion-detection agent is configured to;

obtain threat-classification criteria indicative of which reports of network packets identify potential attacks;

access the report of the network packet from the networking-stack, intrusion-detection kernel driver;

identify the application from the report of the network packet;

access a forensic record associated with the application in memory by the operating system;

apply the threat-classification criteria to the report of the network packet and the forensic record and, based on applying the threat-classification criteria, classify the network packet as malicious; and

in response to classifying the network packet as malicious, recording an indication of the classification in memory.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is an intrusion detection technique configured to: obtain kernel-filter criteria indicative of which network traffic is to be deemed potentially malicious, determine that a network packet is resident in a networking stack, access at least part of the network packet, apply the kernel-filter criteria to the at least part of the network packet and, based on applying the kernel-filter criteria, determining that the network packet is potentially malicious, associate the network packet with an identifier of an application executing in userspace of the operating system and to which or from which the network packet is sent, and report the network packet in association with the identifier of the application to an intrusion-detection agent executing in userspace of the operating system of the host computing device, the intrusion-detection agent being different from the application to which or from which the network packet is sent.

60 Citations

25 Claims

1. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising:
- instantiating, with one or more processors, a networking-stack, intrusion-detection kernel driver in kernel space of an operating system of a host computing device connected to a network, where the networking-stack, intrusion-detection kernel driver is configured to;
  
  obtain kernel-filter criteria indicative of which network traffic is to be deemed potentially malicious,determine that a network packet is resident in a networking stack of the operating system of the host computing device,access at least part of the network packet,apply the kernel-filter criteria to the at least part of the network packet and, based on applying the kernel-filter criteria, determining that the network packet is potentially malicious,associate the network packet with an identifier of an application executing in userspace of the operating system and to which or from which the network packet is sent, andreport the network packet in association with the identifier of the application to an intrusion-detection agent executing in userspace of the operating system of the host computing device, the intrusion-detection agent being different from the application to which or from which the network packet is sent; and
  
  instantiating, with one or more processors, the intrusion-detection agent in userspace of the operating system of the host computing device, wherein the intrusion-detection agent is configured to;
  
  obtain threat-classification criteria indicative of which reports of network packets identify potential attacks;
  
  access the report of the network packet from the networking-stack, intrusion-detection kernel driver;
  
  identify the application from the report of the network packet;
  
  access a forensic record associated with the application in memory by the operating system;
  
  apply the threat-classification criteria to the report of the network packet and the forensic record and, based on applying the threat-classification criteria, classify the network packet as malicious; and
  
  in response to classifying the network packet as malicious, recording an indication of the classification in memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The medium of claim 1, wherein:
    - the intrusion-detection agent is configured to report the classification to a security event processing system via a network; and
      
      the operations comprise instantiating the security event processing system on one or more computing devices other than the host computing device, wherein the security event processing system is configured to;
      
      receive the report of the classification and reports of a plurality of other classifications from other instances of the intrusion-detection agent executing on other computing devices, anddetermine that an attack is occurring or is potentially occurring based on the report of the classification and reports of a plurality of other classifications from other instances of the intrusion-detection agent executing on other computing devices.
  - 3. The medium of claim 2, wherein:
    - the security event processing system is configured to;
      
      determine an adjustment to the threat-classification criteria in response to the determination that an attack is occurring or is potentially occurring, andinstruct the intrusion detection agent to adjust the threat-classification criteria to apply criteria that have a larger computational load than criteria applied before the adjustment; and
      
      the intrusion-detection agent is configured to adjust the threat-classification criteria and apply the adjusted thread-classification criteria in response to the instruction.
  - 4. The medium of claim 3, wherein:
    - the intrusion-detection agent is configured to;
      
      determine to adjust the kernel-filter criteria in response to instruction from the security event processing system.
  - 5. The medium of claim 1, wherein:
    - the intrusion-detection agent is configured to;
      
      determine to adjust the kernel-filter criteria in response to classifying the network packet as malicious, andinstruct the networking-stack, intrusion-detection kernel driver to apply adjusted kernel-filter criteria, wherein the adjusted kernel-filter criteria filter out less information reported to the intrusion-detection agent after the adjustment than before the adjustment.
  - 6. The medium of claim 1, wherein:
    - the kernel-filter criteria comprise rules white listing or black listing network addresses or ports.
  - 7. The medium of claim 1, wherein:
    - the kernel-filter criteria comprise a rule specifying a maximum amount or rate of communication to, from, or through a network host or set of network hosts.
  - 8. The medium of claim 1, wherein:
    - the kernel-filter criteria comprise a rule specifying a transport-layer protocol, a port, and a set of network addresses for which packets are to be deemed malicious or non-malicious.
  - 9. The medium of claim 1, wherein:
    - the kernel-filter criteria comprise;
      
      a model configured to output a score indicative of whether a packet is anomalous, the model being trained on historical network communication of the computing device or other computing devices, anda rule specifying a threshold score that when satisfied indicates the network packet is malicious.
  - 10. The medium of claim 9, wherein:
    - output of the model is based on the following inputs to the model;
      
      a time of day of the packet;
      
      past packets in a session including the packet;
      
      a port number from which the packet is sent;
      
      a port number to which the packet is sent;
      
      a transport layer protocol of the packet or encapsulated payload of the packet; and
      
      an application name associated with the application identifier.
  - 11. The medium of claim 1, wherein:
    - determining that a network packet is resident in a networking stack of the operating system of the host computing device comprises receiving an interrupt indicating that an Internet Protocol packet is ready to be written to a buffer of a network interface.
  - 12. The medium of claim 1, wherein accessing at least part of the network packet comprises:
    - parsing a first header from the network packet;
      
      parsing sender network address from the first header of the network packet;
      
      parsing a receiving network address from the first header of the network packet;
      
      decapsulating an encapsulated packet from a payload of the network packet;
      
      parsing a second header from the encapsulated packet;
      
      parsing a sender port from the second header;
      
      parsing a receiver port from the second header; and
      
      determining a transport layer protocol of the encapsulated packet.
  - 13. The medium of claim 1, wherein:
    - associating the network packet with the identifier of the application executing in userspace of the operating system and to which or from which the network packet is sent comprises associating the network packet with a process identifier assigned to the application by the operating system, the application being one of a plurality of applications executing in the operating system, each respective application being assigned a different process identifier by the operating system.
  - 14. The medium of claim 1, wherein:
    - the threat-classification criteria comprise;
      
      an anomaly detection model;
      
      a pattern that specifies both features of the report of the network packet and features of the forensic record; and
      
      a policy specifying permitted or prohibited behavior by network traffic and permitted or prohibited forensic state of an application executing on the operating system.
  - 15. The medium of claim 1, wherein:
    - the forensic record associated with the application in memory of the operating system includes at least three of the following;
      
      memory usage of the application, file state of files read or written by the application, registry state of or accessed by the application, configuration state of the application, process state of the application, user accounts interfacing with the application, network usage by the application, or system events caused by the application.
  - 16. The medium of claim 1, wherein:
    - the network packet is being sent by the application; and
      
      determining that the network packet is potentially malicious is executed before a network interface of the computing device transmits the network packet.
  - 17. The medium of claim 1, wherein:
    - the network packet is to be received by the application; and
      
      determining that the network packet is potentially malicious is executed before application-layer content of the network packet is provided to the application.
  - 18. The medium of claim 1, wherein:
    - classifying the network packet as malicious is executed in real time.
  - 19. The medium of claim 1, wherein:
    - the intrusion-detection agent is configured to cause the network packet or subsequent network packets to be blocked before fully traversing the networking stack.
  - 20. The medium of claim 1, wherein:
    - the intrusion-detection agent is configured to cause the network packet or subsequent network packets to be delayed for a configurable amount of time in response to classifying the network packet as malicious.
  - 21. The medium of claim 1, wherein:
    - the intrusion-detection agent is configured to cause the network packet or subsequent network packets to be sent to a different network address from that specified by a recipient header of the network packet in response to classifying the network packet as malicious.
  - 22. The medium of claim 1, wherein:
    - the intrusion-detection agent is configured to rate limit transmission or reception of subsequent network packets in response to classifying the network packet as malicious.
  - 23. The medium of claim 1, wherein:
    - the intrusion-detection agent is configured to cause payloads of the network packet or subsequent network packets to be modified in response to classifying the network packet as malicious.
  - 24. The medium of claim 1, wherein the operations comprise:
    - steps for detecting intrusions.
  - 25. The medium of claim 1, wherein associating the network packet with the identifier of the application comprises associating the network packet with a value by which the intrusion-detection agent determines a process identifier of the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huntress Labs, Inc.
Original Assignee
Level Effect LLC
Inventors
Noeth, Robert Julian, Ake, Ernest Gregory

Granted Patent

US 10,762,201 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/567   using dedicated hardware

H04L 43/028   by filtering

H04L 43/062   related to network traffic

H04L 43/0876   Network utilisation, e.g. v...

H04L 47/10   Flow control; Congestion co...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 69/22   Parsing or analysis of headers

APPARATUS AND METHOD FOR CONDUCTING ENDPOINT-NETWORK-MONITORING PACKET TAGGING

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

APPARATUS AND METHOD FOR CONDUCTING ENDPOINT-NETWORK-MONITORING PACKET TAGGING

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others