Remediating computer security threats using distributed sensor computers
First Claim
1. A data processing system comprising:
- a plurality of sensor computers, each of which is coupled to a different corresponding compromised computer among a plurality of compromised computers in geographically distributed locations, each of the compromised computers comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers, wherein the compromised computers are logically between one or more attacker computers and the one or more enterprise networks or enterprise computers, wherein each sensor computer of the plurality of sensor computers is configured as a network tap that intercepts communications directed towards or emitted from the corresponding compromised computer, but is distinct from the corresponding compromised computer;
- a security control computer that is coupled to the sensor computers;
- one or more non-transitory data storage media in the security control computer storing security logic comprising one or more sequences of instructions which when executed cause the security control computer to perform:
  - using the security control computer receiving, at the security control computer from an advertising exchange network computer, advertising presentation data indicating presentations of advertisements to particular browsers that have browsed to particular websites;
  - determining, based upon the detection data, whether the particular websites are associated with network attacks or malware;
  - in response to the determining, storing transit data specifying computers that have visited the particular websites and using the transit data to determine a plurality of particular web pages to inspect for threats;
  - based on a hierarchical structure of the particular web pages and without consideration of content of the particular web pages, identifying one or more features, of links in the particular web page or files referenced in the particular web pages, that indicate one or more security threats in the web pages;
  - determining remediation measures to remediate security threats that are identified in one of the particular web pages;
  - obtaining, from the sensor computers via the network tap, detection data relating to network messages that the compromised computers emit, as the compromised computers emit the network messages;
  - using the detection data, identifying one or more security threats that are indicated by the network messages;
  - determining a specified one of the remediation measures to remediate one or more of the security threats;
  - providing the specified one of the remediation measures to one or more of the compromised computer, the sensor computer and an enterprise computer.
Abstract
A data processing system comprises a security control computer performing operations comprising: receiving, from an advertising exchange network computer, advertising presentation data indicating presentations of advertisements to particular browsers that have browsed to particular websites; determining, based upon detection data, whether the particular websites are associated with network attacks or malware; in response, storing transit data specifying computers that have visited the particular websites and using the transit data to determine a plurality of particular web pages to inspect for threats; based on a hierarchical structure of the particular web pages and without consideration of content of the particular web pages, identifying one or more features, of links in the particular web page or files referenced in the particular web pages, that indicate one or more security threats in the web pages; and determining remediation measures to remediate security threats that are identified in one of the particular web pages.
21 Claims
1. A data processing system comprising: (independent claim; its full text is given above under First Claim; claims 2 through 18 depend on it)
19. A data processing system comprising:
- a plurality of sensor computers, each of which is coupled to a different corresponding compromised computer among a plurality of compromised computers in geographically distributed locations, each of the compromised computers comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers, wherein the compromised computers are logically between one or more attacker computers and the one or more enterprise networks or enterprise computers, wherein each sensor computer of the plurality of sensor computers is configured as a network tap that intercepts communications directed towards or emitted from the corresponding compromised computer, but is distinct from the corresponding compromised computer;
- a security control computer that is coupled to the sensor computers;
- one or more non-transitory data storage media in the security control computer storing security logic comprising one or more sequences of instructions which when executed cause the security control computer to perform:
  - using the security control computer receiving, at the security control computer from an advertising exchange network computer, advertising presentation data indicating presentations of advertisements to particular browsers that have browsed to particular websites;
  - determining, based upon the detection data, whether the particular websites are associated with network attacks or malware;
  - in response to the determining, storing transit data specifying computers that have visited the particular websites and using the transit data to determine a plurality of particular web pages to inspect for threats;
  - based on a hierarchical structure of the particular web pages and without consideration of content of the particular web pages, identifying one or more features, of links in the particular web page or files referenced in the particular web pages, that indicate one or more security threats in the web pages;
  - determining remediation measures to remediate security threats that are identified in one of the particular web pages;
  - obtaining, from the sensor computers via the network tap, detection data relating to network messages that the compromised computers emit, as the compromised computers emit the network messages;
  - using the detection data, identifying one or more security threats that are indicated by the network messages;
  - determining a specified one of the remediation measures to remediate one or more of the security threats, wherein the specified one of the remediation measures comprises one or more of:
    - causing dropping packets associated with the compromised computer;
    - causing disrupting establishment of a TCP connection or UDP connection that is partway through handshake negotiation using the compromised computer;
    - causing disrupting an existing connection session in one or more of TCP/IP or an application layer protocol;
  - configuring one or more of the compromised computer, the sensor computer and an enterprise computer to perform the specified one of the remediation measures.
(Claims 20 and 21 depend on claim 19.)