Monitoring darknet access to identify malicious activity
First Claim
Patent Images
1. A computer-implemented method, comprising:
- identifying with a first server a list of darknet addresses utilizing a plurality of techniques and providing the list of darknet addresses to a second server, wherein the second server is unassociated with any internet protocol addresses on the list of darknet addresses;
continually monitoring with the second server all communications originating from or destined to a protected network external to a network edge of the protected network, wherein the first server and the second server cooperatively forming a distributed security system external to the protected network, and wherein the list of darknet addresses comprises addresses external to the protected network;
comparing with the second server destination or source addresses of the monitored communications originating from or destined to the protected network to the list of darknet addresses;
if a match is found between the destination or source addresses and the list of darknet addresses, providing notification of potential malicious activity originating from or destined to the protected network and blocking the potential malicious activity with the second server such that the potential malicious activity does not enter the protected network or leave the second server;
updating the list of darknet addresses at the first server or the second server using one or more of the plurality of techniques including proactively scanning addresses and passively monitoring addresses, and distributing updates between the first server and the second server;
wherein updating a list of darknet addresses comprises;
compiling a list of active addresses from autonomous systems communications originated by routers;
identifying potential darknet addresses based upon gaps identified in the list of active addresses;
attempting to connect to the identified potential darknet addresses; and
if the attempt to connect to the identified potential darknet addresses is unsuccessful, adding the potential darknet addresses to the list of darknet addresses.
2 Assignments
0 Petitions
Accused Products
Abstract
Systems, methods and apparatus for a distributed security that monitors communications to identify access attempts to/from darknet addresses. Such attempts can be inferred to be associated with malicious activity and a notification or other corrective action can be provided identifying such potentially malicious activity.
69 Citations
15 Claims
-
1. A computer-implemented method, comprising:
-
identifying with a first server a list of darknet addresses utilizing a plurality of techniques and providing the list of darknet addresses to a second server, wherein the second server is unassociated with any internet protocol addresses on the list of darknet addresses; continually monitoring with the second server all communications originating from or destined to a protected network external to a network edge of the protected network, wherein the first server and the second server cooperatively forming a distributed security system external to the protected network, and wherein the list of darknet addresses comprises addresses external to the protected network; comparing with the second server destination or source addresses of the monitored communications originating from or destined to the protected network to the list of darknet addresses; if a match is found between the destination or source addresses and the list of darknet addresses, providing notification of potential malicious activity originating from or destined to the protected network and blocking the potential malicious activity with the second server such that the potential malicious activity does not enter the protected network or leave the second server; updating the list of darknet addresses at the first server or the second server using one or more of the plurality of techniques including proactively scanning addresses and passively monitoring addresses, and distributing updates between the first server and the second server; wherein updating a list of darknet addresses comprises; compiling a list of active addresses from autonomous systems communications originated by routers; identifying potential darknet addresses based upon gaps identified in the list of active addresses; attempting to connect to the identified potential darknet addresses; and if the attempt to connect to the identified potential darknet addresses is unsuccessful, adding the potential darknet addresses to the list of darknet addresses. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A non-transitory computer readable media storing software comprising instructions executable by a processing device and upon such execution cause the processing device to perform operations comprising:
-
receiving, from a first server over a network, a list of darknet addresses identified utilizing a plurality of techniques, wherein the processing device is unassociated with any internet protocol addresses on the list of darknet addresses; continually monitoring all communications originating from or destined to a protected network external to a network edge of the protected network, wherein the first server and the processing device cooperatively forming a distributed security system external to the protected network, and wherein the list of darknet addresses comprises addresses external to the protected network; comparing destination addresses of the monitored communications originating from or destined to the protected network to the list of darknet addresses; if a match is found between the destination addresses and the list of darknet addresses, providing notification of potential malicious activity originating from the protected network and blocking the potential malicious activity with the processing device such that the potential malicious activity does not enter the protected network or leave the processing device; proactively scanning addresses and passively monitoring addresses to provide updates to the list of darknet addresses and providing the updates to the first server; wherein updating a list of darknet addresses comprises; compiling a list of active addresses from autonomous systems communications originated by routers; identifying potential darknet addresses based upon gaps identified in the list of active addresses; attempting to connect to the identified potential darknet addresses; and if the attempt to connect to connect to the identified potential darknet addresses is unsuccessful, adding the potential darknet addresses to the list of darknet addresses. - View Dependent Claims (8, 9, 10, 11, 12)
-
-
13. A distributed security system, comprising:
-
an authority node device comprising a darknet address list generator configured to generate and maintain a list of darknet addresses using a plurality of techniques; one or more processing node devices communicatively coupled to the authority node using a network, wherein the authority node device and the one or more processing node devices cooperatively form the distributed security system, wherein the one or more processing node devices are unassociated with any internet protocol addresses on the list of darknet addresses and each of the one or more processing node devices configured to; receive the list of darknet address from the authority node device; establish communications with a plurality of users; monitor all of the communications of the plurality of users with devices external to the one or more processing node devices and a protected network protected by the distributed security system, wherein the distributed security system is external to the protected network, and wherein the list of darknet addresses comprises addresses external to the protected network; detect addresses in the communications as being part of the list of darknet addresses; prevent malicious activity based on the detected addresses, wherein the malicious activity is prevented by blocking at the one or more processing node devices without the malicious activity entering the network protected by the distributed security system; proactively scan and passively monitor addresses to determine updates to the list of darknet addresses; and communicate the updates to the authority node device and receive additional updates to the list of darknet addresses from the authority node device; and wherein each of the one or more processing node devices comprises a darknet processor configured to identify darknet addresses for the list of darknet addresses using a local routing table monitor configured to monitor routing tables to identify unused nodes, a local address scanner configured to randomly select addresses or select suspicious addresses to attempt communication therewith, and a local passive monitor configured to detect sudden changes in a range of addresses. - View Dependent Claims (14, 15)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeZscaler Incorporated
-
Original AssigneeZscaler Incorporated
-
InventorsSutton, Michael
-
Primary Examiner(s)Najjar, Saleh
-
Assistant Examiner(s)NASH, LASHANYA RENEE
-
Application NumberUS12/176,912Time in Patent Office1,716 DaysField of Search726/3, 726/13, 726/22, 726/23, 726/26, 709/223, 709/224, 709/225US Class Current726/23CPC Class CodesG06F 21/85 interconnection devices, e....H04L 2463/144 Detection or countermeasure...H04L 63/0227 Filtering policies mail mes...H04L 63/1416 Event detection, e.g. attac...H04L 63/1441 Countermeasures against mal...
