DATA MINING TO IDENTIFY MALICIOUS ACTIVITY

US 20140068763A1
Filed: 08/30/2013
Published: 03/06/2014
Est. Priority Date: 08/31/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

monitoring, with a monitoring system comprising a processor in communication with a network, network traffic to and/or from an asset associated with the network;

assessing, with the monitoring system, the network traffic to determine a source and/or destination for the network traffic and/or content of the network traffic;

determining, with the monitoring system, whether the network traffic is suspicious network traffic based on the assessed source and/or destination and/or content;

when the network traffic is determined to be suspicious network traffic, capturing, with the monitoring system, metadata associated with the suspicious network traffic and storing the metadata in a database in communication with the processor; and

when the network traffic is not determined to be suspicious network traffic, disregarding, with the monitoring system, metadata associated with the network traffic.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods may determine suspicious network traffic. A monitoring system comprising a processor in communication with a network may monitor network traffic to or from an asset associated with the network. The monitoring system may assess the network traffic to determine a source and/or destination for the network traffic anchor content of the network traffic. The monitoring system may determine whether the network traffic is suspicious network traffic based on the assessed source and/or destination and/or content. When the network traffic is determined to be suspicious network traffic, the monitoring system may capture metadata associated with the suspicious network traffic and store the metadata in a database in communication with the processor. When the network traffic is not determined to be suspicious network traffic, the monitoring system may disregard metadata associated with the network traffic.

40 Citations

View as Search Results

14 Claims

1. A method comprising:
- monitoring, with a monitoring system comprising a processor in communication with a network, network traffic to and/or from an asset associated with the network;
  
  assessing, with the monitoring system, the network traffic to determine a source and/or destination for the network traffic and/or content of the network traffic;
  
  determining, with the monitoring system, whether the network traffic is suspicious network traffic based on the assessed source and/or destination and/or content;
  
  when the network traffic is determined to be suspicious network traffic, capturing, with the monitoring system, metadata associated with the suspicious network traffic and storing the metadata in a database in communication with the processor; and
  
  when the network traffic is not determined to be suspicious network traffic, disregarding, with the monitoring system, metadata associated with the network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the monitoring comprises monitoring a transport protocol of the network traffic, monitoring an application protocol of the network traffic, monitoring a source and/or destination of the network traffic, and/or monitoring content of the network traffic.
  - 3. The method of claim 1, wherein the determining whether the network traffic is suspicious network traffic is based on a low reputation score associated with the source and/or destination for the network traffic, a suspicious DGA cluster associated with the source and/or destination for the network traffic, a suspicious DGA cluster associated with the content of the network traffic, and/or a suspicious content element within the content of the network traffic.
  - 4. The method of claim 1, further comprising:
    - when the network traffic is determined to be suspicious network traffic, indexing, with the monitoring system, the metadata.
  - 5. The method of claim 1, wherein the metadata comprises a source port, a destination port, a transport protocol, an application protocol, a time stamp, a duration, a source identifier, a destination identifier, a bytes in count, a bytes out count, a connection success indicator, a connection status, a DNS RR set, HTTP data a file within the content of the network traffic, the content of the network traffic, and/or a subsequent communication.
  - 6. The method of claim 1, further comprising:
    - when the network traffic is determined to be suspicious network traffic, sending, with the monitoring system, a report indicating that the network traffic is determined to be suspicious network traffic to a display in communication with the monitoring system.
  - 7. The method of claim 1, wherein determining whether the network traffic is suspicious network traffic comprises determining that all traffic to and/or from the asset is suspicious network traffic when the asset is an asset with a potential malware infection.

8. A system comprising:
- a database; and
  
  a monitoring system comprising a processor in communication with a network and in communication with the database, the monitoring system being constructed and arranged to;
  
  monitor network traffic to and/or from an asset associated with the network;
  
  assess the network traffic to determine a source and/or destination for the network traffic and/or content of the network traffic;
  
  determine whether the network traffic is suspicious network traffic based on the assessed source and/or destination and/or content;
  
  when the network traffic is determined to be suspicious network traffic, capture metadata associated with the suspicious network traffic and store the metadata in the database; and
  
  when the network traffic is not determined to be suspicious network traffic, disregard metadata associated with the network traffic.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the monitoring comprises monitoring a transport protocol of the network traffic, monitoring an application protocol of the network traffic, monitoring source and/or destination of the network traffic, and/or monitoring content of the network traffic.
  - 10. The system of claim 8, wherein the determining whether the network traffic is suspicious network traffic is based on a low reputation score associated with the source and/or destination for the network traffic, a suspicious DGA cluster associated with the source and/or destination for the network traffic, a suspicious DGA cluster associated with the content of the network traffic, and/or a suspicious content element within the content of the network traffic.
  - 11. The system of claim 8, wherein the monitoring system is further constructed and arranged to:
    - when the network traffic is determined to be suspicious network traffic, index the metadata.
  - 12. The system of claim 8, wherein the metadata comprises a source port, a destination port, a transport protocol, an application protocol, a time stamp, a duration, a source identifier, a destination identifier, a bytes in count, a bytes out count, a connection success indicator, a connection status, a DNS RR set, HTTP data, a file within the content of the network traffic, the content of the network traffic, and/or a subsequent communication.
  - 13. The system of claim 8, wherein the monitoring system is further constructed and arranged to:
    - when the network traffic is determined to be suspicious network traffic, send a report indicating that the network traffic is determined to be suspicious network traffic to a display in communication with the monitoring system.
  - 14. The system of claim 8, wherein the monitoring system is constructed and arranged to determine whether the network traffic is suspicious network traffic with a method comprising determining that all traffic to and/or from the asset is suspicious network traffic when the asset is an asset with a potential malware infection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc.
Original Assignee
Damballa Incorporated
Inventors
Ward, Joseph, Hobson, Andrew

Granted Patent

US 9,894,088 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

DATA MINING TO IDENTIFY MALICIOUS ACTIVITY

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

DATA MINING TO IDENTIFY MALICIOUS ACTIVITY

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links