Detecting attacks using passive network monitoring
First Claim
1. A method for detecting one or more attacks in a network, wherein one or more processors in one or more network monitoring computers (NMCs) execute instructions to perform actions, comprising:
  - instantiating one or more network monitoring engines to passively monitor one or more network flows using the one or more NMCs; and
  - responsive to the one or more network monitoring engines detecting one or more file write command operations based on information included in one or more packets of the one or more network flows, performing further actions, including:
    - instantiating a packet capture engine to selectively store captured portions of the one or more packets in a non-transitory storage medium;
    - instantiating an attack detection engine to perform actions, including:
      - executing one or more detection rules to analyze one or more portions of the one or more stored packets to identify file information that is associated with the one or more file write command operations; and
      - providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write command operations; and
    - responsive to one or more of the one or more metrics exceeding one or more threshold values, performing actions including:
      - capturing one or more read packets, wherein the one or more read packets are associated with one or more file read operations;
      - storing one or more read packet portions of the one or more read packets in one or more memory buffers;
      - extracting one or more portions of file data from the one or more stored read packet portions;
      - providing one or more files based on the one or more extracted portions of file data; and
      - providing one or more reports of one or more attacks based on the one or more exceeded threshold values.
6 Assignments
0 Petitions
Abstract
Embodiments are directed to detecting one or more attacks in a network. One or more network flows may be monitored using one or more network monitoring computers (NMCs). If one or more file write operations are detected based on information included in one or more packets of the one or more network flows, one or more detection rules may be executed to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations. One or more metrics may be provided based on the one or more detection rules and one or more of the file information, the one or more file write operations, or the like. If one or more metrics exceed one or more threshold values, one or more reports of one or more attacks may be provided.
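The abstract describes a pipeline: passively observe flows, notice file write operations, run detection rules over the file information they carry, accumulate per-client metrics, and report when a metric crosses a threshold; claim 1 adds that, once a threshold is exceeded, read packets are captured and their payload portions reassembled into files for the report. The Python below is an added example of that shape and is not code from the patent or its assignee. It assumes a hypothetical flow decoder has already turned file-sharing protocol packets into (client, op, path, offset, data) events, so no packet parsing is done here; the two rules (extension/magic mismatch, near-random content written to a document-type file), the thresholds, the window, the magic table and the sample event stream are all constructed for illustration.

```python
"""Passive file-write monitoring: rule metrics, thresholds, read-side reassembly.

Added example, not from the patent. Events are assumed to come from a
hypothetical flow decoder; rules, thresholds and sample data are constructed.
"""
import math
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float      # seconds since start of capture
    client: str    # flow source address
    op: str        # "write" or "read"
    path: str      # file name carried in the command
    offset: int    # file offset of this write/read
    data: bytes    # payload portion captured from the packet


# Partial magic-number table (constructed) used by the header rule.
MAGIC = {b"%PDF": ".pdf", b"PK\x03\x04": ".docx", b"\x89PNG": ".png"}
DOC_EXTS = (".pdf", ".docx", ".xlsx", ".txt")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed content, ~4-5 for text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def rule_header_mismatch(ev: FileEvent):
    """File header (offset 0) carries a magic that contradicts the extension."""
    if ev.offset != 0:
        return None
    for magic, ext in MAGIC.items():
        if ev.data.startswith(magic) and not ev.path.lower().endswith(ext):
            return "header_mismatch"
    return None


def rule_encrypted_document(ev: FileEvent):
    """A document-type file is written with near-random bytes."""
    if ev.path.lower().endswith(DOC_EXTS) and shannon_entropy(ev.data) > 7.5:
        return "high_entropy_doc"
    return None


RULES = [rule_header_mismatch, rule_encrypted_document]
THRESHOLDS = {"header_mismatch": 3, "high_entropy_doc": 3}   # rule hits per window


class AttackDetector:
    def __init__(self, window_s: float = 60.0):
        self.window_s = window_s
        self.hits = defaultdict(lambda: defaultdict(list))    # client -> metric -> [(ts, path)]
        self.flagged = set()                                   # clients whose reads are captured
        self.read_buffers = defaultdict(lambda: defaultdict(dict))  # client -> path -> {offset: data}
        self.reports = []

    def process(self, ev: FileEvent) -> None:
        if ev.op == "write":
            self._on_write(ev)
        elif ev.op == "read" and ev.client in self.flagged:
            # Selective capture: read payloads are kept only after a threshold tripped.
            self.read_buffers[ev.client][ev.path][ev.offset] = ev.data

    def _on_write(self, ev: FileEvent) -> None:
        for rule in RULES:
            metric = rule(ev)
            if metric is None:
                continue
            hist = self.hits[ev.client][metric]
            hist.append((ev.ts, ev.path))
            hist[:] = [h for h in hist if ev.ts - h[0] <= self.window_s]  # sliding window
            if len(hist) >= THRESHOLDS[metric] and ev.client not in self.flagged:
                self.flagged.add(ev.client)
                self.reports.append({
                    "client": ev.client, "metric": metric, "count": len(hist),
                    "threshold": THRESHOLDS[metric], "window_s": self.window_s,
                    "first_ts": hist[0][0], "last_ts": ev.ts,
                    "paths": sorted({p for _, p in hist}),
                })

    def reconstructed_file(self, client: str, path: str) -> bytes:
        """Join captured read portions in offset order into the file content."""
        chunks = self.read_buffers[client][path]
        return b"".join(chunks[o] for o in sorted(chunks))


def run_sample() -> AttackDetector:
    """Constructed event stream: one benign client, one client overwriting documents with noise."""
    rng = random.Random(7)

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    text = b"Quarterly numbers look fine; see attached spreadsheet. " * 40
    events = [
        FileEvent(1.0, "10.0.0.8", "write", "share/notes.txt", 0, text),
        FileEvent(2.0, "10.0.0.8", "write", "share/report.pdf", 0, b"%PDF-1.7\n" + text),
        FileEvent(5.0, "10.0.0.5", "read", "share/budget.xlsx", 0, b"PK\x03\x04 original"),
        FileEvent(6.0, "10.0.0.5", "write", "share/budget.xlsx", 0, noise(4096)),
        FileEvent(7.0, "10.0.0.5", "write", "share/plan.docx", 0, noise(4096)),
        FileEvent(8.0, "10.0.0.5", "write", "share/memo.txt", 0, noise(4096)),
        # Threshold trips at ts 8.0; this client's reads are now captured, chunks out of order.
        FileEvent(9.0, "10.0.0.5", "read", "share/contract.pdf", 4, b"-1.4 body"),
        FileEvent(9.1, "10.0.0.5", "read", "share/contract.pdf", 0, b"%PDF"),
    ]
    det = AttackDetector(window_s=60.0)
    for ev in events:
        det.process(ev)
    return det


if __name__ == "__main__":
    d = run_sample()
    for r in d.reports:
        print(r)
    print(d.reconstructed_file("10.0.0.5", "share/contract.pdf"))
```

Two design points carry over from the claims: read payloads are stored only for clients already past a threshold, which keeps the selective capture small and avoids buffering every read on the segment, and the sliding window means a single mismatched header from a client that otherwise behaves normally never produces a report on its own.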
68 Citations
26 Claims
1. A method for detecting one or more attacks in a network (text as given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system for detecting one or more attacks in a network, comprising:
  - a network computer, comprising:
    - one or more transceivers that communicate over a network;
    - one or more memories that store at least one or more instructions; and
    - one or more processors that execute the one or more instructions to perform actions, including:
      - instantiating one or more network monitoring engines to passively monitor one or more network flows using the one or more NMCs; and
      - responsive to the one or more network monitoring engines detecting one or more file write command operations based on information included in one or more packets of the one or more network flows, performing further actions, including:
        - instantiating a packet capture engine to selectively store captured portions of the one or more packets in a non-transitory storage medium;
        - instantiating an attack detection engine to perform actions, including:
          - executing one or more detection rules to analyze one or more portions of the one or more stored packets to identify file information that is associated with the one or more file write command operations; and
          - providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write command operations; and
        - responsive to one or more of the one or more metrics exceeding one or more threshold values, performing actions including:
          - capturing one or more read packets, wherein the one or more read packets are associated with one or more file read operations;
          - storing one or more read packet portions of the one or more read packets in one or more memory buffers;
          - extracting one or more portions of file data from the one or more stored read packet portions;
          - providing one or more files based on the one or more extracted portions of file data; and
          - providing one or more reports of one or more attacks based on the one or more exceeded threshold values; and
  - a client computer, comprising:
    - one or more transceivers that communicate over the network;
    - one or more memories that store at least one or more instructions; and
    - one or more processors that execute the one or more instructions to perform actions, including:
      - providing one or more portions of the one or more network flows.
  Dependent claims: 9, 10, 11, 12, 13, 14.
15. A processor readable non-transitory storage media that includes instructions for detecting one or more attacks in a network, wherein execution of the instructions by one or more processors performs actions, comprising:
  - instantiating one or more network monitoring engines to passively monitor one or more network flows using the one or more NMCs; and
  - responsive to the one or more network monitoring engines detecting one or more file write command operations based on information included in one or more packets of the one or more network flows, performing further actions, including:
    - instantiating a packet capture engine to selectively store captured portions of the one or more packets in a non-transitory storage medium;
    - instantiating an attack detection engine to perform actions, including:
      - executing one or more detection rules to analyze one or more portions of the one or more stored packets to identify file information that is associated with the one or more file write command operations; and
      - providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write command operations; and
    - responsive to one or more of the one or more metrics exceeding one or more threshold values, performing actions including:
      - capturing one or more read packets, wherein the one or more read packets are associated with one or more file read operations;
      - storing one or more read packet portions of the one or more read packets in one or more memory buffers;
      - extracting one or more portions of file data from the one or more stored read packet portions;
      - providing one or more files based on the one or more extracted portions of file data; and
      - providing one or more reports of one or more attacks based on the one or more exceeded threshold values.
  Dependent claims: 16, 17, 18, 19, 20.
21. A network computer for detecting one or more attacks in a network, comprising:
  - one or more transceivers that communicate over a network;
  - one or more memories that store at least one or more instructions; and
  - one or more processors that execute the one or more instructions to perform actions, including:
    - instantiating one or more network monitoring engines to passively monitor one or more network flows using the one or more NMCs; and
    - responsive to the one or more network monitoring engines detecting one or more file write command operations based on information included in one or more packets of the one or more network flows, performing further actions, including:
      - instantiating a packet capture engine to selectively store captured portions of the one or more packets in a non-transitory storage medium;
      - instantiating an attack detection engine to perform actions, including:
        - executing one or more detection rules to analyze one or more portions of the one or more stored packets to identify file information that is associated with the one or more file write command operations; and
        - providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write command operations; and
      - responsive to one or more of the one or more metrics exceeding one or more threshold values, performing actions including:
        - capturing one or more read packets, wherein the one or more read packets are associated with one or more file read operations;
        - storing one or more read packet portions of the one or more read packets in one or more memory buffers;
        - extracting one or more portions of file data from the one or more stored read packet portions;
        - providing one or more files based on the one or more extracted portions of file data; and
        - providing one or more reports of one or more attacks based on the one or more exceeded threshold values.
  Dependent claims: 22, 23, 24, 25, 26.
Specification