Automated forensics of computer systems using behavioral intelligence
First Claim
1. A method for computer system forensics, comprising:
- collecting behavioral intelligence from sensors monitoring traffic passing through network switching elements in a computer network;
based on the collected behavioral intelligence, identifying a plurality of host computers on the network that exhibited an anomalous behavior;
assembling a plurality of respective positive images of the identified plurality of host computers using image information collected with regard to a configuration of software components running on the host computers, by respective monitoring programs running on the host computers;
assembling a plurality of negative images using image information collected with respect to a plurality of host computers not currently exhibiting the anomalous behavior or collected with respect to the at least one host computer prior to the anomalous behavior;
making a comparison between the plurality of positive images and the plurality of negative images using the following criteria;
an exact match, an approximate match, or a probabilistic match;
wherein the match is between properties among the assembled positive images; and
a negative match which is between properties that exist in the assembled negative images and do not exist in the assembled positive images; and
based on the comparison, extracting from the positive and negative images a feature of the configuration of the software components that distinguishes between the positive and negative images, to serve as a forensic indicator of the anomalous behavior.
4 Assignments
0 Petitions
Accused Products
Abstract
A method for computer system forensics includes receiving an identification of at least one host computer (26) that has exhibited an anomalous behavior, in a computer network (24) comprising multiple host computers. Respective images (68) of the host computers in the network are assembled using image information collected with regard to the host computers. A comparison is made between at least one positive image of the at least one host computer, assembled using the image information collected following occurrence of the anomalous behavior, and one or more negative images assembled using the image information collected with respect to one or more of the host computers not exhibiting the anomalous behavior. Based on the comparison, a forensic indicator of the anomalous behavior is extracted from the positive and negative images.
151 Citations
17 Claims
-
1. A method for computer system forensics, comprising:
-
collecting behavioral intelligence from sensors monitoring traffic passing through network switching elements in a computer network; based on the collected behavioral intelligence, identifying a plurality of host computers on the network that exhibited an anomalous behavior; assembling a plurality of respective positive images of the identified plurality of host computers using image information collected with regard to a configuration of software components running on the host computers, by respective monitoring programs running on the host computers; assembling a plurality of negative images using image information collected with respect to a plurality of host computers not currently exhibiting the anomalous behavior or collected with respect to the at least one host computer prior to the anomalous behavior; making a comparison between the plurality of positive images and the plurality of negative images using the following criteria; an exact match, an approximate match, or a probabilistic match;
wherein the match is between properties among the assembled positive images; anda negative match which is between properties that exist in the assembled negative images and do not exist in the assembled positive images; and based on the comparison, extracting from the positive and negative images a feature of the configuration of the software components that distinguishes between the positive and negative images, to serve as a forensic indicator of the anomalous behavior. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
-
-
16. Apparatus for computer system forensics, comprising:
-
an interface, configured to receive an identification, based on behavioral intelligence collected from sensors monitoring traffic passing through network switching elements in a computer network, of a plurality of computers on the network that exhibited an anomalous behavior; and a hardware processor, which is configured to assemble a plurality of respective positive images of the identified plurality of host computers using image information collected with regard to a configuration of software components running on the host computers, by respective monitoring programs running on the host computers, to assemble a plurality of negative images using image information collected with respect to a plurality of host computers not currently exhibiting the anomalous behavior or collected with respect to the at least one host computer prior to the anomalous behavior, to make a comparison between the plurality of positive images and the plurality of negative images using the following criteria;
an exact match, an approximate match, or a probabilistic match;
wherein the match is between properties among the assembled positive images; and
a negative match which is between properties that exist in the assembled negative images and do not exist in the assembled positive images, and based on the comparison, to extract from the positive and negative images a feature of the configuration of the software components that distinguishes between the positive and negative images, to serve as a forensic indicator of the anomalous behavior.
-
-
17. A computer software product, comprising a non-transitory computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive an identification, based on behavioral intelligence collected from sensors monitoring traffic passing through network switching elements in a computer network, of a plurality of computers on the network that exhibited an anomalous behavior, to assemble a plurality of respective positive images of the identified plurality of host computers using image information collected with regard to a configuration of software components running on the host computers, by respective monitoring programs running on the host computers, to assemble a plurality of negative images using image information collected with respect to a plurality of host not currently exhibiting the anomalous behavior or collected with respect to the at least one host computer prior to the anomalous behavior, to make a comparison between the plurality of positive images, and the plurality of negative images using the following criteria:
- an exact match, an approximate match, or a probabilistic match;
wherein the match is between properties among the assembled positive images; and
a negative match which is between properties that exist in the assembled negative images and do not exist in the assembled positive images, and based on the comparison, to extract from the positive and negative images a feature of the configuration of the software components that distinguishes between the positive and negative images, to serve as a forensic indicator of the anomalous behavior.
- an exact match, an approximate match, or a probabilistic match;
Specification