Unauthorized communication detection method
Abstract
According to an aspect of an embodiment, a method for controlling an apparatus for transferring data from a plurality of first devices to a second device via a network, the data being transferred by using a packet, comprises the steps of: extracting type information identifying type of software conveyed by a packet and destination information identifying destination of the packet transmitted from one of the first devices; counting the number of kinds of the type information extracted from packets associated with the same destination information, respectively; and determining an unauthorized communication when the number of kinds of the type information is less than a predetermined value.
2 Claims
1. A method for controlling an apparatus for transferring data from a plurality of first devices to a second device via a network, said data being transferred by using a packet, the method comprising:
obtaining a communication log recording packets received from at least one of a server, firewall, a proxy and a client;
identifying address ranges including a starting address and an ending address;
extracting HyperText Transfer Protocol messages from the packets stored in a memory of the apparatus based on information with regard to address ranges;
extracting uniform resource locator information and a User-Agent from each of the HyperText Transfer Protocol messages, the uniform resource locator information indicating destination information of the HyperText Transfer Protocol messages, the User-Agent indicating a type of software used by each of the first devices;
counting a number of User-Agents, extracted from the HyperText Transfer Protocol messages, for each uniform resource locator information extracted from the HyperText Transfer Protocol messages stored in the memory of the apparatus; and
for each uniform resource locator information, determining, by using the processor, a HyperText Transfer Protocol message is unauthorized communication when the number of the User-Agents for the uniform resource locator information is at least a predetermined number.
2. An apparatus for transferring data from a plurality of first devices to a second device via a network, said data being transferred by using a packet, the apparatus comprising:
a hardware processor; and
a memory storing packets and computer executable instructions that when executed by said hardware processor cause said hardware processor to perform operations including;
obtaining a communication log recording packets received from at least one of a server, firewall, a proxy and a client;
identifying address ranges including a starting address and an ending address;
extracting HyperText Transport Protocol messages from the packets stored in said memory based on information with regard to address ranges;
extracting uniform resource location information and a User-Agent from each of the HyperText Transfer Protocol messages, the uniform resource location information indicating destination information of one of the HyperText Transfer Protocol messages, and the User-Agent indicating a type of software used by one of the first devices;
counting a number of User-Agents, extracted from the HyperText Transfer Protocol messages, for each uniform resource location information extracted from the HyperText Transfer Protocol messages stored in the memory of the apparatus; and
for each uniform resource locator information, determining a HyperText Transport Protocol message related to unauthorized communication when the number of the User-Agents for the uniform resource location information is at least a predetermined number.
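The steps of claim 1, sketched as detection logic over a proxy log. This is an added example, not code from the patent or its assignee; the tab-separated log layout, the host names, the function names and the reading of "number of User-Agents" as the count of distinct User-Agent strings are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed proxy log: source IP, request URL, User-Agent (tab-separated).
SAMPLE_LOG = (
    "10.0.0.5\thttp://update.example.test/check\tMozilla/5.0 Firefox/115.0\n"
    "10.0.0.6\thttp://update.example.test/check\tcurl/8.4.0\n"
    "10.0.0.7\thttp://update.example.test/check\tPython-urllib/3.11\n"
    "10.0.0.8\thttp://intranet.example.test/home\tMozilla/5.0 Firefox/115.0\n"
    "10.0.0.9\thttp://intranet.example.test/home\tMozilla/5.0 Firefox/115.0\n"
    "192.168.1.20\thttp://update.example.test/check\tWget/1.21\n"
    "malformed line without tabs\n"
)

def in_ranges(addr, ranges):
    """True if addr lies inside any inclusive (start, end) address range."""
    ip = ipaddress.ip_address(addr)
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in ranges)

def count_user_agents(log_text, ranges):
    """Map each URL to the distinct User-Agents seen from in-range clients."""
    agents = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # not a complete HTTP record
        src, url, ua = parts
        try:
            if not in_ranges(src, ranges):
                continue  # outside the monitored address ranges
        except (ValueError, TypeError):
            continue  # unparseable or mixed-family source address
        agents[url].add(ua)
    return agents

def flag_urls(log_text, ranges, threshold):
    """URLs whose distinct User-Agent count is at least the threshold."""
    counts = count_user_agents(log_text, ranges)
    return sorted(u for u, uas in counts.items() if len(uas) >= threshold)

if __name__ == "__main__":
    monitored = [("10.0.0.1", "10.0.0.254")]  # starting and ending address
    for url in flag_urls(SAMPLE_LOG, monitored, threshold=3):
        print("flagged:", url)
```

The threshold comparison follows the claims ("at least a predetermined number").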
Specification