Detecting attacks using passive network monitoring

US 9,756,061 B1
Filed: 11/18/2016
Issued: 09/05/2017
Est. Priority Date: 11/18/2016
Status: Active Grant

First Claim

Patent Images

1. A method for detecting one or more attacks in a network, wherein one or more processors in one or more network monitoring computers (NMCs) execute instructions to perform actions, comprising:

instantiating one or more network monitoring engines to passively monitoring one or more network flows using the one or more NMCs; and

responsive to the one or more network monitoring engines detecting one or more file write command operations based on information included in one or more packets of the one or more network flows, performing further actions, including;

instantiating a packet capture engine to selectively store captured portions of the one or more packets in a non-transitory storage medium;

instantiating an attack detection engine to perform actions, including;

executing one or more detection rules to analyze one or more portions of the one or more stored packets to identify file information that is associated with the one or more file write command operations; and

providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write command operations; and

responsive to one or more of the one or more metrics exceeding one or more threshold values, performing actions including;

capturing one or more read packets, wherein the one or more read packets are associated with one or more file read operations;

storing one or more read packet portions of the one or more read packets in one or more memory buffers;

extracting one or more portions of file data from the one or more stored read packet portions;

providing one or more files based on the one or more extracted portions of file data; and

providing one or more reports of one or more attacks based on the one or more exceeded threshold values.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to detecting one or more attacks in a network. One or more network flows may be monitored using one or more network monitoring computers (NMCs). If one or more file write operations are detected based on information included in one or more packets of the one or more network flows, one or more detection rules may be executed to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations. One or more metrics may be provided based on the one or more detection rules and one or more of the file information, the one or more file write operations, or the like. If one or more metrics exceed one or more threshold values, one or more reports of one or more attacks may be provided.

68 Citations

View as Search Results

26 Claims

1. A method for detecting one or more attacks in a network, wherein one or more processors in one or more network monitoring computers (NMCs) execute instructions to perform actions, comprising:
- instantiating one or more network monitoring engines to passively monitoring one or more network flows using the one or more NMCs; and
  
  responsive to the one or more network monitoring engines detecting one or more file write command operations based on information included in one or more packets of the one or more network flows, performing further actions, including;
  
  instantiating a packet capture engine to selectively store captured portions of the one or more packets in a non-transitory storage medium;
  
  instantiating an attack detection engine to perform actions, including;
  
  executing one or more detection rules to analyze one or more portions of the one or more stored packets to identify file information that is associated with the one or more file write command operations; and
  
  providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write command operations; and
  
  responsive to one or more of the one or more metrics exceeding one or more threshold values, performing actions including;
  
  capturing one or more read packets, wherein the one or more read packets are associated with one or more file read operations;
  
  storing one or more read packet portions of the one or more read packets in one or more memory buffers;
  
  extracting one or more portions of file data from the one or more stored read packet portions;
  
  providing one or more files based on the one or more extracted portions of file data; and
  
  providing one or more reports of one or more attacks based on the one or more exceeded threshold values.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein providing the one or more metrics based on the one or more detection rules and one or more of the file information or the one or more file write command operations, further comprises:
    - comparing one or more portions of the file information to information included in one or more blacklists; and
      
      responsive to one or more affirmative results of the comparison, incrementing one or more of the one or more metrics.
  - 3. The method of claim 1, wherein providing the one or more metrics based on the one or more detections rules and one or more of the file information or the one or more file write command operations, further comprises:
    - comparing one or more portions of the file information to information included in one or more whitelists; and
      
      responsive to one or more negative results of the comparison, incrementing one or more of the one or more metrics.
  - 4. The method of claim 1, wherein the one or more attacks include one or more of Ransomware, man-in-the-middle, worm, Trojan, denial of service, spoofing, ARP (address resolution protocol) poison, Ping flood, Ping of death, Smurf, wiretapping, Port scan, Idle scan, buffer overflow, heap overflow, stack overflow, or format string attack.
  - 5. The method of claim 1, further comprising:
    - capturing one or more read packets, wherein the one or more read packets are associated with one or more file read operations;
      
      storing one or more read packet portions of the one or more read packets in one or more memory buffers; and
      
      responsive to the one or more of the one or more metrics exceeding the one or more threshold values, performing further actions, including;
      
      extracting one or more portions of file data from the one or more stored read packet portions; and
      
      providing one or more files based on the one or more extracted portions of file data.
  - 6. The method of claim 1, further comprising:
    - continuously capturing network traffic that is associated with the one or more network flows; and
      
      storing the captured network traffic in a data store.
  - 7. The method of claim 1, wherein detecting the one or more file write operations, further comprises, comparing one or more other portions of the one or more packets to one or more values associated with one or more network file protocols.

8. A system for detecting one or more attacks in a network, comprising:
- a network computer, comprising;
  
  one or more transceivers that communicate over a network;
  
  one or more memories that store at least one or more instructions; and
  
  one or more processors that execute the one or more instructions to perform actions, including;
  
  instantiating one or more network monitoring engines to passively monitoring one or more network flows using the one or more NMCs; and
  
  responsive to the one or more network monitoring engines detecting one or more file write command operations based on information included in one or more packets of the one or more network flows, performing further actions, including;
  
  instantiating a packet capture engine to selectively store captured portions of the one or more packets in a non-transitory storage medium;
  
  instantiating an attack detection engine to perform actions, including;
  
  executing one or more detection rules to analyze one or more portions of the one or more stored packets to identify file information that is associated with the one or more file write command operations; and
  
  providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write command operations; and
  
  responsive to one or more of the one or more metrics exceeding one or more threshold values, performing actions including;
  
  capturing one or more read packets, wherein the one or more read packets are associated with one or more file read operations;
  
  storing one or more read packet portions of the one or more read packets in one or more memory buffers;
  
  extracting one or more portions of file data from the one or more stored read packet portions;
  
  providing one or more files based on the one or more extracted portions of file data; and
  
  providing one or more reports of one or more attacks based on the one or more exceeded threshold values; and
  
  a client computer, comprising;
  
  one or more transceivers that communicate over the network;
  
  one or more memories that store at least one or more instructions; and
  
  one or more processors that execute the one or more instructions to perform actions, including;
  
  providing one or more portions of the one or more network flows.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein providing the one or more metrics based on the one or more detection rules and one or more of the file information or the one or more file write command operations, further comprises:
    - comparing one or more portions of the file information to information included in one or more blacklists; and
      
      responsive to one or more affirmative results of the comparison, incrementing one or more of the one or more metrics.
  - 10. The system of claim 8, wherein providing the one or more metrics based on the one or more detections rules and one or more of the file information or the one or more file write command operations, further comprises:
    - comparing one or more portions of the file information to information included in one or more whitelists; and
      
      responsive to one or more negative results of the comparison, incrementing one or more of the one or more metrics.
  - 11. The system of claim 8, wherein the one or more attacks include one or more of Ransomware, man-in-the-middle, worm, Trojan, denial of service, spoofing, ARP (address resolution protocol) poison, Ping flood, Ping of death, Smurf, wiretapping, Port scan, Idle scan, buffer overflow, heap overflow, stack overflow, or format string attack.
  - 12. The system of claim 8, wherein the one or more processors of the network computer execute the one or more instructions to perform further actions, including:
    - capturing one or more read packets, wherein the one or more read packets are associated with one or more file read operations;
      
      storing one or more read packet portions of the one or more read packets in one or more memory buffers; and
      
      responsive to the one or more of the one or more metrics exceeding the one or more threshold values, performing further actions, including;
      
      extracting one or more portions of file data from the one or more stored read packet portions; and
      
      providing one or more files based on the one or more extracted portions of file data.
  - 13. The system of claim 8, wherein the one or more processors of the network computer execute the one or more instructions to perform actions, further comprising:
    - continuously capturing network traffic that is associated with the one or more network flows; and
      
      storing the captured network traffic in a data store.
  - 14. The system of claim 8, wherein detecting the one or more file write operations, further comprises, comparing one or more other portions of the one or more packets to one or more values associated with one or more network file protocols.

15. A processor readable non-transitory storage media that includes instructions for detecting one or more attacks in a network, wherein execution of the instructions by one or more processors performs actions, comprising:
- instantiating one or more network monitoring engines to passively monitoring one or more network flows using the one or more NMCs; and
  
  responsive to the one or more network monitoring engines detecting one or more file write command operations based on information included in one or more packets of the one or more network flows, performing further actions, including;
  
  instantiating a packet capture engine to selectively store captured portions of the one or more packets in a non-transitory storage medium;
  
  instantiating an attack detection engine to perform actions, including;
  
  executing one or more detection rules to analyze one or more portions of the one or more stored packets to identify file information that is associated with the one or more file write command operations; and
  
  providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write command operations; and
  
  responsive to one or more of the one or more metrics exceeding one or more threshold values, performing actions including;
  
  capturing one or more read packets, wherein the one or more read packets are associated with one or more file read operations;
  
  storing one or more read packet portions of the one or more read packets in one or more memory buffers;
  
  extracting one or more portions of file data from the one or more stored read packet portions;
  
  providing one or more files based on the one or more extracted portions of file data; and
  
  providing one or more reports of one or more attacks based on the one or more exceeded threshold values.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The media of claim 15, wherein providing the one or more metrics based on the one or more detection rules and one or more of the file information or the one or more file write command operations, further comprises:
    - comparing one or more portions of the file information to information included in one or more blacklists; and
      
      responsive to one or more affirmative results of the comparison, incrementing one or more of the one or more metrics.
  - 17. The media of claim 15, wherein providing the one or more metrics based on the one or more detections rules and one or more of the file information or the one or more file write command operations, further comprises:
    - comparing one or more portions of the file information to information included in one or more whitelists; and
      
      responsive to one or more negative results of the comparison, incrementing one or more of the one or more metrics.
  - 18. The media of claim 15, wherein the one or more attacks include one or more of Ransomware, man-in-the-middle, worm, Trojan, denial of service, spoofing, ARP (address resolution protocol) poison, Ping flood, Ping of death, Smurf, wiretapping, Port scan, Idle scan, buffer overflow, heap overflow, stack overflow, or format string attack.
  - 19. The media of claim 15, wherein the actions further comprise:
    - capturing one or more read packets, wherein the one or more read packets are associated with one or more file read operations;
      
      storing one or more read packet portions of the one or more read packets in one or more memory buffers; and
      
      responsive to the one or more of the one or more metrics exceeding the one or more threshold values, performing further actions, including;
      
      extracting one or more portions of file data from the one or more stored read packet portions; and
      
      providing one or more files based on the one or more extracted portions of file data.
  - 20. The media of claim 15, further comprising:
    - continuously capturing network traffic that is associated with the one or more network flows; and
      
      storing the captured network traffic in a data store.

21. A network computer for detecting one or more attacks in a network, comprising:
- one or more transceivers that communicate over a network;
  
  one or more memories that store at least one or more instructions; and
  
  one or more processors that execute the one or more instructions to perform actions, including;
  
  instantiating one or more network monitoring engines to passively monitoring one or more network flows using the one or more NMCs; and
  
  responsive to the one or more network monitoring engines detecting one or more file write command operations based on information included in one or more packets of the one or more network flows, performing further actions, including;
  
  instantiating a packet capture engine to selectively store captured portions of the one or more packets in a non-transitory storage medium;
  
  instantiating an attack detection engine to perform actions, including;
  
  executing one or more detection rules to analyze one or more portions of the one or more stored packets to identify file information that is associated with the one or more file write command operations; and
  
  providing one or more metrics based on the one or more detection rules and a comparison of the one or more of the file information or the one or more file write command operations; and
  
  responsive to one or more of the one or more metrics exceeding one or more threshold values, performing actions including;
  
  capturing one or more read packets, wherein the one or more read packets are associated with one or more file read operations;
  
  storing one or more read packet portions of the one or more read packets in one or more memory buffers;
  
  extracting one or more portions of file data from the one or more stored read packet portions;
  
  providing one or more files based on the one or more extracted portions of file data; and
  
  providing one or more reports of one or more attacks based on the one or more exceeded threshold values.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The network computer of claim 21, wherein providing the one or more metrics based on the one or more detection rules and one or more of the file information or the one or more file write command operations, further comprises:
    - comparing one or more portions of the file information to information included in one or more blacklists; and
      
      responsive to one or more affirmative results of the comparison, incrementing one or more of the one or more metrics.
  - 23. The network computer of claim 21, wherein providing the one or more metrics based on the one or more detections rules and one or more of the file information or the one or more file write command operations, further comprises:
    - comparing one or more portions of the file information to information included in one or more whitelists; and
      
      responsive to one or more negative results of the comparison, incrementing one or more of the one or more metrics.
  - 24. The network computer of claim 21, wherein the one or more processors execute the one or more instructions to perform actions, further comprising:
    - continuously capturing network traffic that is associated with the one or more network flows; and
      
      storing the captured network traffic in a data store.
  - 25. The network computer of claim 21, wherein the one or more processors execute the one or more instructions to perform further actions, including:
    - capturing one or more read packets, wherein the one or more read packets are associated with one or more file read operations;
      
      storing one or more read packet portions of the one or more read packets in one or more memory buffers; and
      
      responsive to the one or more of the one or more metrics exceeding the one or more threshold values, performing further actions, including;
      
      extracting one or more portions of file data from the one or more stored read packet portions; and
      
      providing one or more files based on the one or more extracted portions of file data.
  - 26. The network computer of claim 21, wherein the one or more attacks include one or more of Ransomware, man-in-the-middle, worm, Trojan, denial of service, spoofing, ARP (address resolution protocol) poison, Ping flood, Ping of death, Smurf, wiretapping, Port scan, Idle scan, buffer overflow, heap overflow, stack overflow, or format string attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Roeh, Thomas Lawrence, Clement, Samuel Kanen, Kiefer, John Augustus
Primary Examiner(s)
Sholeman, Abu

Application Number

US15/356,381
Time in Patent Office

291 Days
Field of Search

726 1, 726 22, 726 25, 726 26
US Class Current
CPC Class Codes

H04L 43/062   related to network traffic

H04L 43/12   Network monitoring probes

H04L 43/16   Threshold monitoring

H04L 49/9047   including multiple buffers,...

H04L 63/0245   Filtering by information in...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

Detecting attacks using passive network monitoring

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting attacks using passive network monitoring

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links