Identifying anomalous messages

US 9,979,742 B2
Filed: 10/06/2016
Issued: 05/22/2018
Est. Priority Date: 01/16/2013
Status: Active Grant

First Claim

Patent Images

1. A method for computer system forensics, comprising:

monitoring traffic passing through network switching elements in a computer network comprising multiple host computers;

identifying an anomalous message in the monitored traffic passing through network switching elements;

defining a filter responsive to the identified anomalous message;

transmitting the filter to respective monitoring programs running on the multiple host computers;

monitoring messages transmitted by the multiple host computers, by the respective monitoring programs, so as to detect messages matching the defined filter;

detecting, by the respective monitoring programs on the multiple host computers, for each message matching the defined filter, a respective process that initiated the message;

sampling by a forensic analyzer of the computer network from the multiple host computers, lists of messages matching the defined filter and corresponding processes that initiated the message;

responsively to the sampled lists from the multiple host computers, extracting a forensic indicator characteristic of the respective processes that initiated the matching messages; and

applying preventive actions to processes matching the extracted forensic indicator, on the multiple host computers.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for computer system forensics includes receiving an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers. Messages transmitted by the host computers are monitored so as to detect, for each monitored message, a respective process that initiated the message. Responsively to the identification, a forensic indicator is extracted of the respective process that initiated the anomalous message.

112 Citations

View as Search Results

15 Claims

1. A method for computer system forensics, comprising:
- monitoring traffic passing through network switching elements in a computer network comprising multiple host computers;
  
  identifying an anomalous message in the monitored traffic passing through network switching elements;
  
  defining a filter responsive to the identified anomalous message;
  
  transmitting the filter to respective monitoring programs running on the multiple host computers;
  
  monitoring messages transmitted by the multiple host computers, by the respective monitoring programs, so as to detect messages matching the defined filter;
  
  detecting, by the respective monitoring programs on the multiple host computers, for each message matching the defined filter, a respective process that initiated the message;
  
  sampling by a forensic analyzer of the computer network from the multiple host computers, lists of messages matching the defined filter and corresponding processes that initiated the message;
  
  responsively to the sampled lists from the multiple host computers, extracting a forensic indicator characteristic of the respective processes that initiated the matching messages; and
  
  applying preventive actions to processes matching the extracted forensic indicator, on the multiple host computers.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1, wherein identifying the anomalous message comprises determining that the anomalous message is associated with a specified destination.
  - 3. The method according to claim 2, wherein detecting a respective process that initiated the message comprises configuring a filter on the host computers to detect the respective process that initiates the messages that are associated with the specified destination.
  - 4. The method according to claim 1, wherein detecting a respective process that initiated the message comprises detecting calls to a specified application program interface (API).
  - 5. The method according to claim 1, wherein detecting a respective process that initiated the message comprises detecting Domain Name System (DNS) lookups.

6. Apparatus for computer system forensics, comprising:
- an interface, which is configured to receive an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers; and
  
  a hardware processor, which is coupled to cause the multiple host computers to monitor messages transmitted by the host computers so as to detect, for each monitored message matching the received identification, a respective process that initiated the message, and which is configured to sample from the multiple host computers, lists of messages matching the received identification and corresponding processes that initiated the message, to extract, responsively to the sampled lists, a forensic indicator characteristic of the respective process that initiated the matching message, and to apply preventive actions to processes matching the extracted forensic indicator, on the multiple host computers.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus according to claim 6, wherein the identification indicates that the anomalous message is associated with a specified destination.
  - 8. The apparatus according to claim 7, wherein the processor is coupled to configure a filter on the host computers to detect the respective process that initiates the messages that are associated with the specified destination.
  - 9. The apparatus according to claim 6, wherein the processor is configured to cause the host computers to monitor the messages by detecting calls to a specified application program interface (API).
  - 10. The apparatus according to claim 6, wherein the processor is configured to cause the host computers to monitor the messages by detecting Domain Name System (DNS) lookups.

11. A computer software product, comprising a non-transitory computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive an identification of an anomalous message transmitted by a host computer in a computer network comprising multiple host computers, to cause the multiple host computers to monitor messages transmitted by the host computers so as to detect, for each monitored message matching the received identification, a respective process that initiated the message, to sample from the multiple host computers, lists of messages matching the received identification and corresponding processes that initiated the message, to extract, responsively to the sampled lists, a forensic indicator characteristic of the respective process that initiated the matching message, and to apply preventive actions to processes matching the extracted forensic indicator, on the multiple host computers.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The product according to claim 11, wherein the identification indicates that the anomalous message is associated with a specified destination.
  - 13. The product according to claim 12, wherein the instructions cause the computer to configure a filter on the host computers to detect the respective process that initiates the messages that are associated with the specified destination.
  - 14. The product according to claim 11, wherein the instructions cause the computer to cause the host computers to monitor the messages by detecting calls to a specified application program interface (API).
  - 15. The product according to claim 11, wherein the instructions cause the computer to cause the host computers to monitor the messages by detecting Domain Name System (DNS) lookups.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks (UK) Ltd. (Palo Alto Networks Incorporated)
Original Assignee
Palo Alto Networks (UK) Ltd. (Palo Alto Networks Incorporated)
Inventors
Mumcuoglu, Michael, Engel, Giora, Firstenberg, Eyal
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US15/286,643
Publication Number

US 20170026398A1
Time in Patent Office

593 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

H04L 2463/121   Timestamp cryptographic mec...

H04L 61/4511   using domain name system [DNS]

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Identifying anomalous messages

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

112 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Identifying anomalous messages

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others