System and method of determining malicious processes
First Claim
Patent Images
1. A method comprising:
- capturing data from a first capturing agent at a physical layer within a network, a second capturing agent at a hypervisor layer of the network and a third capturing agent at a virtual layer of the network;
developing, the data, a lineage for a process associated with network activity;
analyzing the lineage, for any anomaly within the network; and
identifying an anomaly in the network in response to the analyzing revealing at least one of the following conditions;
the process was triggered by an external command;
the process was triggered by a hidden command that was not accidental;
the lineage does not follow an expected pattern;
wherein the lineage is a sequence of commands and/or processes that triggered the process associated with network activity.
1 Assignment
0 Petitions
Accused Products
Abstract
Systems, methods, and computer-readable media for managing compromised sensors in multi-tiered virtualized environments. A method includes determining a lineage for a process within the network and then evaluating, through knowledge of the lineage, the source of the command that initiated the process. The method includes capturing data from a plurality of capture agents at different layers of a network, each capture agent of the plurality of capture agents configured to observe network activity at a particular location in the network, developing, based on the data, a lineage for a process associated with the network activity and, based on the lineage, identifying an anomaly within the network.
661 Citations
3 Claims
-
1. A method comprising:
-
capturing data from a first capturing agent at a physical layer within a network, a second capturing agent at a hypervisor layer of the network and a third capturing agent at a virtual layer of the network; developing, the data, a lineage for a process associated with network activity; analyzing the lineage, for any anomaly within the network; and identifying an anomaly in the network in response to the analyzing revealing at least one of the following conditions; the process was triggered by an external command; the process was triggered by a hidden command that was not accidental; the lineage does not follow an expected pattern; wherein the lineage is a sequence of commands and/or processes that triggered the process associated with network activity.
-
-
2. A system comprising:
-
a processor; and a non-statutory computer-readable storage medium storing instructions which, when executed by the processor, cause the processor to perform operations comprising; capturing data from a first capturing agent at a physical layer within a network, a second capturing agent at a hypervisor layer of the network and a third capturing agent at a virtual layer of the network; developing, based on the data, a lineage for a process associated with network activity; and analyzing the lineage, for any anomaly within the network;
identifying an anomaly in the network in response to the analyzing revealing at least one of the following conditions;the process was triggered by an external command;
the process was triggered by a hidden command that was not accidental;the lineage does not follow an expected pattern; wherein the lineage is a sequence of commands and/or processes that triggered the process associated with network activity.
-
-
3. A computer-readable storage device storing instructions which, when executed by a processor, cause the processor to perform operations comprising:
-
capturing data from a first capturing agent at a physical layer within a network, a second capturing agent at a hypervisor layer of the network and a third capturing agent at a virtual layer of the network; developing, based on the data, a lineage for a process associated with network activity; and analyzing the lineage, for any anomaly within the network; and identifying an anomaly in the network in response to the analyzing revealing at least one of the following conditions; the process was triggered by an external command; the process was triggered by a hidden command that was not accidental; the lineage does not follow an expected pattern; wherein the lineage a sequence of commands and/or processes that triggered the process associated with network activity.
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeCisco Technology, Inc. (Cisco Systems, Inc.)
-
Original AssigneeCisco Technology, Inc. (Cisco Systems, Inc.)
-
InventorsDeen, Khawar, Yadav, Navindra, Gupta, Anubhav, Gandham, Shashidhar, Prasad, Rohit Chandra, Singh, Abhishek Ranjan, Chang, Shih-Chun
-
Primary Examiner(s)Reza, Mohammad W
-
Application NumberUS15/171,707Publication NumberTime in Patent Office1,223 DaysField of Search726 23US Class CurrentCPC Class CodesG06F 16/122 using management policies b...G06F 16/137 Hash-based content-based in...G06F 16/162 Delete operations erasing i...G06F 16/17 Details of further file sys...G06F 16/173 Customisation support for f...G06F 16/174 Redundancy elimination perf...G06F 16/1744 using compression, e.g. spa...G06F 16/1748 De-duplication implemented ...G06F 16/2322 using timestampsG06F 16/235 Update request formulationG06F 16/2365 Ensuring data consistency a...G06F 16/24578 using rankingG06F 16/248 Presentation of query resultsG06F 16/285 Clustering or classificationG06F 16/288 Entity relationship modelsG06F 16/29 Geographical information da...G06F 16/9535 Search customisation based ...G06F 2009/4557 Distribution of virtual mac...G06F 2009/45587 Isolation or security of vi...G06F 2009/45591 Monitoring or debugging sup...View All
