Detecting suspicious web traffic from an enterprise network
First Claim
1. A method comprising:
generating a database comprising information corresponding to each of multiple connections between one or more destinations external to an enterprise network and one or more hosts within the enterprise network, wherein said multiple connections occur over a given period of time, and wherein the information in the database comprises a timestamp corresponding to a respective connection between a destination external to the enterprise network and a host within the enterprise network;
removing a given destination from the information in the database upon a determination that the given destination has not been contacted by a host within the enterprise network over a specified duration of time;
processing multiple additional connections between one or more destinations external to the enterprise network and one or more hosts within the enterprise network with one or more filtering operations to produce one or more filtered connections, wherein said multiple additional connections occur subsequent to said given period of time, and wherein said processing comprises:
applying a white-list of one or more destinations to said multiple additional connections to preclude one or more of said multiple additional connections associated with said white-list destinations from said filtered connections;
identifying one or more of said multiple additional connections associated with a user bookmark to preclude from said filtered connections; and
folding each of said destinations to a second-level sub-domain to filter one or more services employing a random string as a sub-domain, wherein said one or more services correspond to one or more of said multiple additional connections; and
analyzing said one or more filtered connections against the database to identify, from the one or more filtered connections, a connection to a destination external to the enterprise network that is not included in the information in the database;
wherein said generating, said removing, said processing, and said analyzing are carried out by at least one computing device.
2 Assignments
0 Petitions
Abstract
Methods, apparatus and articles of manufacture for detecting suspicious web traffic are provided herein. A method includes generating a database comprising information corresponding to each of multiple connections between one or more destinations external to an enterprise network and one or more hosts within the enterprise network, wherein said multiple connections occur over a given period of time; processing multiple additional connections between one or more destinations external to the enterprise network and one or more hosts within the enterprise network with one or more filtering operations to produce one or more filtered connections, wherein said multiple additional connections occur subsequent to said given period of time; and analyzing said filtered connections against the database to identify a connection to a destination external to the enterprise network that is not included in the information in the database.
42 Citations
18 Claims
1. A method comprising:
generating a database comprising information corresponding to each of multiple connections between one or more destinations external to an enterprise network and one or more hosts within the enterprise network, wherein said multiple connections occur over a given period of time, and wherein the information in the database comprises a timestamp corresponding to a respective connection between a destination external to the enterprise network and a host within the enterprise network;
removing a given destination from the information in the database upon a determination that the given destination has not been contacted by a host within the enterprise network over a specified duration of time;
processing multiple additional connections between one or more destinations external to the enterprise network and one or more hosts within the enterprise network with one or more filtering operations to produce one or more filtered connections, wherein said multiple additional connections occur subsequent to said given period of time, and wherein said processing comprises:
applying a white-list of one or more destinations to said multiple additional connections to preclude one or more of said multiple additional connections associated with said white-list destinations from said filtered connections;
identifying one or more of said multiple additional connections associated with a user bookmark to preclude from said filtered connections; and
folding each of said destinations to a second-level sub-domain to filter one or more services employing a random string as a sub-domain, wherein said one or more services correspond to one or more of said multiple additional connections; and
analyzing said one or more filtered connections against the database to identify, from the one or more filtered connections, a connection to a destination external to the enterprise network that is not included in the information in the database;
wherein said generating, said removing, said processing, and said analyzing are carried out by at least one computing device.
Dependent claims 2 to 12 (not reproduced on this page).
13. An article of manufacture comprising a non-transitory processor-readable storage medium having processor-readable instructions tangibly embodied thereon which, when implemented, cause a processor to carry out steps comprising:
generating a database comprising information corresponding to each of multiple connections between one or more destinations external to an enterprise network and one or more hosts within the enterprise network, wherein said multiple connections occur over a given period of time, and wherein the information in the database comprises a timestamp corresponding to a respective connection between a destination external to the enterprise network and a host within the enterprise network;
removing a given destination from the information in the database upon a determination that the given destination has not been contacted by a host within the enterprise network over a specified duration of time;
processing multiple additional connections between one or more destinations external to the enterprise network and one or more hosts within the enterprise network with one or more filtering operations to produce one or more filtered connections, wherein said multiple additional connections occur subsequent to said given period of time, and wherein said processing comprises:
applying a white-list of one or more destinations to said multiple additional connections to preclude one or more of said multiple additional connections associated with said white-list destinations from said filtered connections;
identifying one or more of said multiple additional connections associated with a user bookmark to preclude from said filtered connections; and
folding each of said destinations to a second-level sub-domain to filter one or more services employing a random string as a sub-domain, wherein said one or more services correspond to one or more of said multiple additional connections; and
analyzing said one or more filtered connections against the database to identify, from the one or more filtered connections, a connection to a destination external to the enterprise network that is not included in the information in the database.
14. An apparatus comprising:
a memory; and
at least one processor coupled to the memory and configured to:
generate a database comprising information corresponding to each of multiple connections between one or more destinations external to an enterprise network and one or more hosts within the enterprise network, wherein said multiple connections occur over a given period of time, and wherein the information in the database comprises a timestamp corresponding to a respective connection between a destination external to the enterprise network and a host within the enterprise network;
remove a given destination from the information in the database upon a determination that the given destination has not been contacted by a host within the enterprise network over a specified duration of time;
process multiple additional connections between one or more destinations external to the enterprise network and one or more hosts within the enterprise network with one or more filtering operations to produce one or more filtered connections, wherein said multiple additional connections occur subsequent to said given period of time, and wherein said processing comprises:
applying a white-list of one or more destinations to said multiple additional connections to preclude one or more of said multiple additional connections associated with said white-list destinations from said filtered connections;
identifying one or more of said multiple additional connections associated with a user bookmark to preclude from said filtered connections; and
folding each of said destinations to a second-level sub-domain to filter one or more services employing a random string as a sub-domain, wherein said one or more services correspond to one or more of said multiple additional connections; and
analyze said one or more filtered connections against the database to identify, from the one or more filtered connections, a connection to a destination external to the enterprise network that is not included in the information in the database.
15. A method comprising:
examining, over a specified period of time, each of multiple connections between (i) one or more destinations external to an enterprise network and (ii) one or more hosts within the enterprise network;
generating a database comprising information corresponding to each of said multiple connections, wherein the information in the database comprises a timestamp corresponding to a respective connection between a destination external to the enterprise network and a host within the enterprise network;
removing a given destination from the information in the database upon a determination that the given destination has not been contacted by a host within the enterprise network over a specified duration of time;
processing multiple additional connections between (i) one or more destinations external to the enterprise network and (ii) one or more hosts within the enterprise network with one or more filtering operations to produce one or more filtered connections, wherein said processing comprises:
applying a white-list of one or more destinations to said multiple additional connections to preclude one or more of said multiple additional connections associated with said white-list destinations from said filtered connections;
identifying one or more of said multiple additional connections associated with a user bookmark to preclude from said filtered connections; and
folding each of said destinations to a second-level sub-domain to filter one or more services employing a random string as a sub-domain, wherein said one or more services correspond to one or more of said multiple additional connections;
analyzing said one or more filtered connections against the database to identify, from the one or more filtered connections, a connection to a destination external to the enterprise network that is not included in the information in the database; and
outputting an alert corresponding to said identified instance.
Dependent claims 16 to 18 (not reproduced on this page).
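Worked example of the pipeline the independent claims describe (baseline database with last-seen timestamps, expiry of destinations idle longer than a set duration, white-list and bookmark filters, folding to the second-level domain, and an alert for every filtered connection whose destination is absent from the database). This is an added illustration in Python, not code from the patent or its assignee; the proxy log format, the hostnames, the 30-day expiry, the white-list and the per-host bookmarks are all constructed for the example.

```python
"""Baseline-and-diff detector for new external web destinations.

Added illustration of the claimed pipeline.  Not the patent's own code; the
log format, hostnames, thresholds and sample lines below are constructed.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines: "<ISO timestamp> <internal host> <URL>".
TRAINING_LOG = [
    "2024-02-20T11:00:00 ws-103 https://old-vendor.example/report",
    "2024-03-01T09:00:00 ws-101 https://www.example-corp-portal.com/login",
    "2024-03-01T09:05:00 ws-102 https://cdn-a1b2c3.static-assets.net/app.js",
    "2024-03-02T10:00:00 ws-101 https://mail.example-corp-portal.com/inbox",
    "2024-03-25T12:00:00 ws-104 https://news.example.org/feed",
]
DETECTION_LOG = [
    "2024-03-28T08:00:00 ws-101 https://www.example-corp-portal.com/home",
    "2024-03-28T08:01:00 ws-102 https://cdn-9f8e7d.static-assets.net/app.js",
    "2024-03-28T08:02:00 ws-105 https://updates.os-vendor.example/patch",
    "2024-03-28T08:03:00 ws-101 https://intranet-wiki.example/page",
    "2024-03-28T08:04:00 ws-106 https://xk3q9z.bad-actor.example/beacon",
    "2024-03-28T08:05:00 ws-103 https://old-vendor.example/report",
]
WHITELIST = {"updates.os-vendor.example"}            # assumed operator white-list
BOOKMARKS = {"ws-101": {"intranet-wiki.example"}}    # assumed per-host user bookmarks
NOW = datetime.fromisoformat("2024-03-28T00:00:00")  # start of the detection window
MAX_IDLE = timedelta(days=30)                        # assumed expiry duration


def parse_line(line):
    """Split one log line into (timestamp, internal host, destination hostname)."""
    ts, host, url = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, urlsplit(url).hostname.lower()


def fold(hostname):
    """Fold a hostname to its second-level domain so that services which put a
    random string in the left-most label (CDN edges, SaaS tenants) compare equal.
    Assumption: the registrable domain is the last two labels; production code
    needs a Public Suffix List lookup to handle suffixes such as co.uk."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def build_baseline(lines):
    """Database of folded destination -> last-seen timestamp over the training period."""
    last_seen = {}
    for line in lines:
        ts, _host, hostname = parse_line(line)
        dest = fold(hostname)
        if dest not in last_seen or ts > last_seen[dest]:
            last_seen[dest] = ts
    return last_seen


def expire_stale(baseline, now, max_idle):
    """Drop destinations not contacted within max_idle (the 'removing' step)."""
    return {d: ts for d, ts in baseline.items() if now - ts <= max_idle}


def filter_connections(lines, whitelist, bookmarks):
    """White-list and bookmark filters on the raw hostname, then folding."""
    for line in lines:
        ts, host, hostname = parse_line(line)
        if hostname in whitelist or hostname in bookmarks.get(host, ()):
            continue
        yield ts, host, fold(hostname)


def detect(training, detection, whitelist, bookmarks, now, max_idle):
    """Alert on each filtered connection whose destination is absent from the database."""
    baseline = expire_stale(build_baseline(training), now, max_idle)
    alerts = []
    for ts, host, dest in filter_connections(detection, whitelist, bookmarks):
        if dest not in baseline:
            alerts.append({"time": ts.isoformat(), "host": host, "destination": dest})
            baseline[dest] = ts  # alert once per new destination per run (policy choice)
    return alerts


def run_example():
    """Run the detector over the constructed logs and return the alert list."""
    return detect(TRAINING_LOG, DETECTION_LOG, WHITELIST, BOOKMARKS, NOW, MAX_IDLE)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Two alerts come out: the beacon to a never-seen domain, and the vendor site that was in the training data but had gone idle longer than the expiry duration and so had been removed from the database. The white-listed update host and the bookmarked wiki are dropped before the comparison, and the CDN hostname with a fresh random label matches the baseline only because both sides were folded to the second-level domain. The two-label folding is the weak spot in practice: it treats every sub-domain of a shared hosting or cloud domain as one destination, so a Public Suffix List, plus an exclusion list for large multi-tenant domains, is needed before this runs against real proxy logs.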