Remediating computer security threats using distributed sensor computers
First Claim
1. A data processing system comprising:
a sensor computer that is coupled to, co-located with, and on a same LAN segment as a compromised computer, the compromised computer comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers, wherein the compromised computer is coupled to a firewall that is configured to control ingress of packets to the compromised computer and the sensor computer from a network, wherein the one or more enterprise networks or enterprise computers are coupled to the network through an enterprise firewall, and the compromised computer is logically between one or more attacker computers and the one or more enterprise networks or enterprise computers;
a security control computer that is coupled to the sensor computer;
one or more non-transitory data storage media in the security control computer storing security logic comprising one or more sequences of instructions which when executed cause the security control computer to perform:
causing selecting of one or more of network messages emitted from the compromised computer and directed toward the enterprise computer, wherein the selection comprises filtering the one or more network messages emitted from the compromised computer based upon one or more ports of interest;
causing queuing of the selected one or more of network messages in queues at the sensor computer;
obtaining, from the sensor computer, detection data relating to the network messages that the compromised computer emits, as the compromised computer emits the network messages;
using the detection data, identifying one or more security threats that are indicated by the network messages;
determining a specified remediation measure to remediate one or more of the security threats;
providing the specified remediation measure to one or more of the compromised computer, the sensor computer, the firewall, and an enterprise computer;
causing inspecting and modifying of the queued one or more of network messages to remove one or more security threats before forwarding the queued one or more of network messages to the enterprise computer.
Abstract
A data processing system comprising: a sensor computer that is coupled to and co-located with a compromised computer, the compromised computer comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers, wherein the compromised computer is coupled to a firewall that is configured to control ingress of packets to the compromised computer and is logically between one or more attacker computers and the one or more enterprise networks or enterprise computers; a security control computer that is coupled to the sensor computer; one or more non-transitory data storage media in the security control computer storing security logic comprising one or more sequences of instructions which when executed cause the security control computer to perform: obtaining, from the sensor computer, detection data relating to network messages that the compromised computer emits, as the compromised computer emits the network messages; using the detection data, identifying one or more security threats that are indicated by the network messages; determining a specified remediation measure to remediate one or more of the security threats; providing the specified remediation measure to one or more of the compromised computer, the sensor computer, the firewall, and an enterprise computer.
16 Claims
1. (Independent claim, reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. A data processing system comprising:
a sensor computer that is coupled to, co-located with, and on a same LAN segment as a compromised computer, the compromised computer comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers, wherein the compromised computer is coupled to a firewall that is configured to control ingress of packets to the compromised computer and the sensor computer from a network, wherein the one or more enterprise networks or enterprise computers are coupled to the network through an enterprise firewall, and the compromised computer is logically between one or more attacker computers and the one or more enterprise networks or enterprise computers;
a security control computer that is coupled to the sensor computer;
one or more non-transitory data storage media in the security control computer storing security logic comprising one or more sequences of instructions which when executed cause the security control computer to perform:
causing selecting of one or more of network messages emitted from the compromised computer and directed toward the enterprise computer, wherein the selection comprises selecting all network messages when a total message output or packet output of the compromised computer exceeds one or more specified thresholds;
causing queuing of the selected one or more of network messages in queues at the sensor computer;
obtaining, from the sensor computer, detection data relating to the network messages that the compromised computer emits, as the compromised computer emits the network messages;
using the detection data, identifying one or more security threats that are indicated by the network messages;
determining a specified remediation measure to remediate one or more of the security threats;
providing the specified remediation measure to one or more of the compromised computer, the sensor computer, the firewall, and an enterprise computer;
causing inspecting and modifying of the queued one or more of network messages to remove one or more security threats before forwarding the queued one or more of network messages to the enterprise computer.
9. A data processing system comprising:
a sensor computer coupled to, co-located with, and on a same LAN segment as a compromised computer, the compromised computer comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers, wherein the compromised computer is logically between one or more attacker computers and the one or more enterprise networks or enterprise computers, and wherein the compromised computer is coupled to a firewall that is configured to control ingress of packets to the compromised computer and the sensor computer from a network, wherein the one or more enterprise networks or enterprise computers are coupled to the network through an enterprise firewall;
a security control computer that is coupled to the sensor computer;
one or more non-transitory data storage media in the security control computer storing security logic comprising one or more sequences of instructions which when executed cause the security control computer to perform:
causing selection of one or more of network messages emitted from the compromised computer and directed toward the enterprise computer, wherein the selection comprises filtering the one or more network messages emitted from the compromised computer based upon one or more ports of interest;
causing queuing of the selected one or more of network messages in queues at the sensor computer;
obtaining, from the sensor computer, detection data relating to the selected one or more of network messages that the compromised computer emits, as the compromised computer emits the network messages;
using the detection data, identifying one or more security threats that are indicated by the network messages;
determining a specified remediation measure to remediate one or more of the security threats, wherein the specified remediation measure comprises one or more of:
causing dropping packets associated with the compromised computer;
causing disrupting establishment of a TCP connection or UDP connection that is partway through handshake negotiation using the compromised computer;
causing disrupting an existing connection session in one or more of TCP/IP or an application layer protocol;
configuring one or more of the compromised computer, the sensor computer, the firewall, and an enterprise computer to perform the specified remediation measure;
causing inspecting and modifying of the queued one or more of network messages to remove one or more security threats before forwarding the queued one or more of network messages to the enterprise computer.
Dependent claims: 10, 11.
12. A sensor computer that is coupled to, co-located with, and on a same LAN segment as a compromised computer, the compromised computer comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers, wherein the compromised computer is coupled to a firewall that is configured to control ingress of packets to the compromised computer and the sensor computer from a network, wherein the one or more enterprise networks or enterprise computers are coupled to the network through an enterprise firewall, and the compromised computer is logically between one or more attacker computers and the one or more enterprise networks or enterprise computers;
one or more non-transitory data storage media in the sensor computer storing one or more sequences of instructions which when executed cause the sensor computer to perform:
selecting one or more of network messages emitted from the compromised computer and directed toward the enterprise computer, wherein the selecting comprises filtering the one or more network messages emitted from the compromised computer based upon one or more ports of interest;
queuing the selected one or more of network messages in queues at the sensor computer;
sending, to a security control computer that is coupled to the sensor computer via a network, detection data relating to network messages that the compromised computer emits, as the compromised computer emits the network messages;
receiving a specified remediation measure from the security control computer, which remediation measure has been determined using the detection data to identify one or more security threats that are indicated by the network messages;
causing inspection and modification of the queued one or more of network messages to remove one or more security threats before forwarding the queued one or more of network messages to the enterprise computer.
Dependent claims: 13, 14, 15.
16. A sensor computer that is coupled to, co-located with, and on a same LAN segment as a compromised computer, the compromised computer comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers, wherein the compromised computer is coupled to a firewall that is configured to control ingress of packets to the compromised computer and the sensor computer from a network, wherein the one or more enterprise networks or enterprise computers are coupled to the network through an enterprise firewall, and the compromised computer is logically between one or more attacker computers and the one or more enterprise networks or enterprise computers;
one or more non-transitory data storage media in the sensor computer storing one or more sequences of instructions which when executed cause the sensor computer to perform:
selecting one or more of network messages emitted from the compromised computer and directed toward the enterprise computer, wherein the selection comprises selecting all network messages when a total message output or packet output of the compromised computer exceeds one or more specified thresholds;
queuing the selected one or more of network messages in queues at the sensor computer;
sending, to a security control computer that is coupled to the sensor computer via a network, detection data relating to network messages that the compromised computer emits, as the compromised computer emits the network messages;
receiving a specified remediation measure from the security control computer, which remediation measure has been determined using the detection data to identify one or more security threats that are indicated by the network messages;
causing inspecting and modifying of the queued one or more of network messages to remove one or more security threats before forwarding the queued one or more of network messages to the enterprise computer.
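The flow that claims 1, 8, 9, 12 and 16 describe (select outbound messages at a co-located sensor, queue them, report detection data to a security control computer, receive a remediation measure, then inspect and modify the queued messages before forwarding) reduced to a runnable model. This is an added example and not code from the patent or its assignee. The class names, the measure names, ports 22/445/8080, the packet threshold, the payload heuristics and the sample traffic are all assumptions; the claims fix none of them. It goes slightly beyond the claims in combining both selection modes (ports of interest and an output threshold) in one sensor and in escalating the measure on repeated detections.

```python
"""Illustrative model of the sensor / security-control split in the claims.
Added example, not code from the patent or its assignee. Every name, port
number, threshold, heuristic, measure and sample message is an assumption
chosen to make the claimed flow concrete; the claims fix none of them."""
from collections import deque, namedtuple

# One outbound message from the compromised host; flags are TCP-only (constructed).
Message = namedtuple("Message", "src dst proto dport flags payload", defaults=("", b""))
# Detection data the sensor streams to the security control computer.
Detection = namedtuple("Detection", "src dst dport indicator")


class Sensor:
    """Co-located sensor: selects, queues and reports outbound messages, then
    applies the measure the control computer returns before forwarding."""

    def __init__(self, ports_of_interest, packet_threshold):
        self.ports_of_interest = frozenset(ports_of_interest)   # claims 1, 9, 12
        self.packet_threshold = packet_threshold                 # claims 8, 16
        self.seen = 0
        self.queues = {}          # (dst, dport) -> deque of queued messages
        self.detections = []

    def observe(self, msg):
        """Selection step; returns True when the message was queued."""
        self.seen += 1
        by_port = msg.dport in self.ports_of_interest
        by_volume = self.seen > self.packet_threshold   # flood: select everything
        if not (by_port or by_volume):
            return False
        self.queues.setdefault((msg.dst, msg.dport), deque()).append(msg)
        indicator = self._indicator(msg)
        if indicator:
            self.detections.append(Detection(msg.src, msg.dst, msg.dport, indicator))
        return True

    @staticmethod
    def _indicator(msg):
        """Toy heuristics standing in for real content inspection (assumed)."""
        if b"/bin/sh" in msg.payload or b"cmd.exe" in msg.payload:
            return "shell-command-in-payload"
        if msg.proto == "tcp" and msg.flags == "SYN" and msg.dport == 445:
            return "smb-connection-attempt"
        return None

    def flush(self, measures):
        """Inspect and modify queued messages under the returned measures and
        return the list actually forwarded toward the enterprise side."""
        forwarded = []
        for key, queue in self.queues.items():
            action = measures.get(key, "forward")
            while queue:
                m = queue.popleft()
                if action == "drop":                         # drop packets outright
                    continue
                if action == "disrupt-handshake" and m.flags == "SYN":
                    continue                                 # connection never completes
                if action == "disrupt-session":              # tear down the session
                    forwarded.append(m._replace(flags="RST", payload=b""))
                    queue.clear()
                    break
                if action == "strip-payload":                # modify, then still forward
                    m = m._replace(payload=m.payload.replace(b"/bin/sh", b"[removed]")
                                   .replace(b"cmd.exe", b"[removed]"))
                forwarded.append(m)
        return forwarded


class ControlComputer:
    """Maps detection data to one remediation measure per (dst, dport) queue."""
    LADDER = ("strip-payload", "disrupt-session", "drop")   # escalate on repeats

    def decide(self, detections):
        measures, hits = {}, {}
        for d in detections:
            key = (d.dst, d.dport)
            hits[key] = hits.get(key, 0) + 1
            if d.indicator == "smb-connection-attempt":
                measures[key] = "disrupt-handshake"          # still in handshake
            else:
                measures[key] = self.LADDER[min(hits[key], len(self.LADDER)) - 1]
        return measures


# Constructed sample traffic from the compromised host 10.0.0.5; not real captures.
SAMPLE_TRAFFIC = [
    Message("10.0.0.5", "192.0.2.10", "tcp", 80, "PSH", b"GET / HTTP/1.1"),
    Message("10.0.0.5", "192.0.2.10", "tcp", 445, "SYN"),
    Message("10.0.0.5", "192.0.2.11", "tcp", 22, "PSH", b"id; /bin/sh -c whoami"),
    Message("10.0.0.5", "192.0.2.11", "tcp", 22, "PSH", b"cat /etc/passwd"),
    Message("10.0.0.5", "192.0.2.12", "tcp", 8080, "PSH", b"cmd.exe /c dir"),
    Message("10.0.0.5", "192.0.2.12", "tcp", 8080, "PSH", b"cmd.exe /c type secrets"),
    Message("10.0.0.5", "192.0.2.13", "udp", 53, "", b"dns-query"),
]


def run(ports_of_interest=(22, 445, 8080), packet_threshold=100):
    """Full round trip: select -> queue -> report -> decide -> modify -> forward."""
    sensor = Sensor(ports_of_interest, packet_threshold)
    selected = [sensor.observe(m) for m in SAMPLE_TRAFFIC]
    measures = ControlComputer().decide(sensor.detections)
    return selected, measures, sensor.flush(measures)


if __name__ == "__main__":
    for part in run():
        print(part)
```

Two practical caveats the claims leave implicit. Holding and rewriting messages in queues only works if the sensor sits in the forwarding path (inline, or with traffic steered to it by routing or ARP); a passive tap on the same LAN segment can observe and inject resets but cannot hold or modify what the compromised host has already put on the wire. And the handshake-disruption measure applies to TCP in practice, since UDP has no connection handshake to interrupt; for UDP the available options are dropping datagrams or acting at the application layer.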