Identifying anomalous messages
First Claim
1. A method for computer system forensics, comprising:
- monitoring traffic passing through network switching elements in a computer network comprising multiple host computers;
- identifying an anomalous message in the monitored traffic passing through network switching elements;
- defining a filter responsive to the identified anomalous message;
- transmitting the filter to respective monitoring programs running on the multiple host computers;
- monitoring messages transmitted by the multiple host computers, by the respective monitoring programs, so as to detect messages matching the defined filter;
- detecting, by the respective monitoring programs on the multiple host computers, for each message matching the defined filter, a respective process that initiated the message;
- sampling, by a forensic analyzer of the computer network, from the multiple host computers, lists of messages matching the defined filter and corresponding processes that initiated the message;
- responsively to the sampled lists from the multiple host computers, extracting a forensic indicator characteristic of the respective processes that initiated the matching messages; and
- applying preventive actions to processes matching the extracted forensic indicator, on the multiple host computers.
Record status: 3 assignments, 0 petitions.
Abstract
A method for computer system forensics includes receiving an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers. Messages transmitted by the host computers are monitored so as to detect, for each monitored message, a respective process that initiated the message. Responsively to the identification, a forensic indicator is extracted of the respective process that initiated the anomalous message.
Claims (15 claims in total; 112 citations on record; the independent claims 1, 6 and 11 are shown)
1. Method claim, set out in full under "First Claim" above. Dependent claims 2, 3, 4 and 5 depend on claim 1.

6. Apparatus for computer system forensics, comprising:
- an interface, which is configured to receive an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers; and
- a hardware processor, which is coupled to cause the multiple host computers to monitor messages transmitted by the host computers so as to detect, for each monitored message matching the received identification, a respective process that initiated the message, and which is configured to sample from the multiple host computers lists of messages matching the received identification and corresponding processes that initiated the message, to extract, responsively to the sampled lists, a forensic indicator characteristic of the respective process that initiated the matching message, and to apply preventive actions to processes matching the extracted forensic indicator, on the multiple host computers.
Dependent claims 7, 8, 9 and 10 depend on claim 6.

11. A computer software product, comprising a non-transitory computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers, to cause the multiple host computers to monitor messages transmitted by the host computers so as to detect, for each monitored message matching the received identification, a respective process that initiated the message, to sample from the multiple host computers lists of messages matching the received identification and corresponding processes that initiated the message, to extract, responsively to the sampled lists, a forensic indicator characteristic of the respective process that initiated the matching message, and to apply preventive actions to processes matching the extracted forensic indicator, on the multiple host computers.
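The following Python model walks through the workflow the independent claims describe, from the switch-level anomaly to the network-wide preventive action. It is an added illustration, not code from the patent or its assignee: the host names, process paths, digest strings and addresses are constructed, the filter (destination plus payload prefix) is one possible reading of "a filter responsive to the identified anomalous message", and the rule that an indicator must be corroborated on at least two hosts before it is acted on is this example's own choice, added so that a single host's coincidental match does not become a fleet-wide quarantine.

```python
"""Added illustration of the claimed workflow (not code from the patent or its assignee).

Switch-level monitor flags an anomalous message -> a filter is defined from it ->
host monitoring programs report (message, initiating process) pairs that match ->
the forensic analyzer extracts an indicator shared across hosts -> preventive action
is applied on every host. All hosts, processes, digests and addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Message:
    src_host: str
    dst: str            # "ip:port" as observed at the switching element
    payload: bytes


@dataclass(frozen=True)
class Process:
    pid: int
    exe_path: str
    exe_sha256: str     # placeholder digest string, not a real file hash


@dataclass(frozen=True)
class Filter:
    """Filter defined from the anomalous message: same destination and payload prefix."""
    dst: str
    payload_prefix: bytes

    def matches(self, msg: Message) -> bool:
        return msg.dst == self.dst and msg.payload.startswith(self.payload_prefix)


def define_filter(anomalous: Message, prefix_len: int = 6) -> Filter:
    return Filter(dst=anomalous.dst, payload_prefix=anomalous.payload[:prefix_len])


class HostMonitor:
    """Stand-in for the monitoring program on one host; it knows which local
    process initiated each outbound message."""

    def __init__(self, name: str, sent: List[Tuple[Message, Process]]):
        self.name = name
        self.sent = sent
        self.filter: Optional[Filter] = None
        self.quarantined: Set[Process] = set()

    def install_filter(self, flt: Filter) -> None:
        self.filter = flt

    def matching(self) -> List[Tuple[Message, Process]]:
        """(message, initiating process) pairs that match the installed filter."""
        if self.filter is None:
            return []
        return [(m, p) for m, p in self.sent if self.filter.matches(m)]

    def apply_preventive_action(self, indicator: str) -> int:
        """Quarantine local processes whose executable digest equals the indicator."""
        hits = {p for _, p in self.sent if p.exe_sha256 == indicator}
        self.quarantined |= hits
        return len(hits)


def extract_indicator(samples: Dict[str, List[Tuple[Message, Process]]],
                      min_hosts: int = 2) -> Optional[str]:
    """Indicator = executable digest of initiating processes seen on >= min_hosts hosts.
    The corroboration threshold is this example's choice, not the patent's."""
    hosts_per_digest: Dict[str, Set[str]] = defaultdict(set)
    for host, pairs in samples.items():
        for _, proc in pairs:
            hosts_per_digest[proc.exe_sha256].add(host)
    candidates = [(len(hosts), digest) for digest, hosts in hosts_per_digest.items()
                  if len(hosts) >= min_hosts]
    return max(candidates)[1] if candidates else None


def run_forensics(anomalous: Message, hosts: List[HostMonitor]) -> dict:
    """Run the whole pipeline once and return every intermediate result."""
    flt = define_filter(anomalous)                        # define filter
    for h in hosts:                                       # transmit filter to host monitors
        h.install_filter(flt)
    samples = {h.name: h.matching() for h in hosts}       # sample matching lists
    indicator = extract_indicator(samples)                # extract forensic indicator
    actions = {h.name: (h.apply_preventive_action(indicator) if indicator else 0)
               for h in hosts}                            # apply preventive actions
    return {"filter": flt, "samples": samples, "indicator": indicator, "actions": actions}


# Constructed sample data (RFC 5737 documentation addresses, placeholder paths and digests).
BEACON_DST = "203.0.113.5:4444"
IMPLANT_A = Process(412, r"C:\Users\alice\AppData\Roaming\upd\svchost_update.exe", "sha256:constructed-implant")
IMPLANT_B = Process(901, r"C:\Users\bob\AppData\Roaming\upd\svchost_update.exe", "sha256:constructed-implant")
BROWSER_A = Process(300, r"C:\Program Files\Browser\browser.exe", "sha256:constructed-browser")
BROWSER_C = Process(310, r"C:\Program Files\Browser\browser.exe", "sha256:constructed-browser")
AGENT_B = Process(77, r"C:\Program Files\Backup\agent.exe", "sha256:constructed-agent")

HOSTS = [
    HostMonitor("host-a", [
        (Message("host-a", BEACON_DST, b"BEACON:1a2b"), IMPLANT_A),
        (Message("host-a", "198.51.100.20:443", b"\x16\x03\x01"), BROWSER_A),
    ]),
    HostMonitor("host-b", [
        (Message("host-b", BEACON_DST, b"BEACON:9f8e"), IMPLANT_B),
        (Message("host-b", BEACON_DST, b"BEACON:0000"), AGENT_B),      # matches, but only on this host
    ]),
    HostMonitor("host-c", [
        (Message("host-c", BEACON_DST, b"GET / HTTP/1.1"), BROWSER_C),  # same destination, different payload
    ]),
]

# The message the switch-level monitor flagged as anomalous (constructed).
ANOMALOUS = Message("host-a", BEACON_DST, b"BEACON:1a2b")

if __name__ == "__main__":
    result = run_forensics(ANOMALOUS, HOSTS)
    print("indicator:", result["indicator"])
    print("processes quarantined per host:", result["actions"])
```

Running the block as a script prints the indicator `sha256:constructed-implant` and the per-host quarantine counts `{'host-a': 1, 'host-b': 1, 'host-c': 0}`: host-c's message to the same destination does not match the filter because its payload differs, and host-b's backup agent, although it matched the filter, is not promoted to an indicator because no other host corroborates it.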