Detecting suspicious web traffic from an enterprise network

US 9,503,468 B1
Filed: 04/28/2015
Issued: 11/22/2016
Est. Priority Date: 11/12/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating a database comprising information corresponding to each of multiple connections between one or more destinations external to an enterprise network and one or more hosts within the enterprise network, wherein said multiple connections occur over a given period of time, and wherein the information in the database comprises a timestamp corresponding to a respective connection between a destination external to the enterprise network and a host within the enterprise network;

removing a given destination from the information in the database upon a determination that the given destination has not been contacted by a host within the enterprise network over a specified duration of time;

processing multiple additional connections between one or more destinations external to the enterprise network and one or more hosts within the enterprise network with one or more filtering operations to produce one or more filtered connections, wherein said multiple additional connections occur subsequent to said given period of time, and wherein said processing comprises;

applying a white-list of one or more destinations to said multiple additional connections to preclude one or more of said multiple additional connections associated with said white-list destinations from said filtered connections;

identifying one or more of said multiple additional connections associated with a user bookmark to preclude from said filtered connections; and

folding each of said destinations to a second-level sub-domain to filter one or more services employing a random string as a sub-domain, wherein said one or more services correspond to one or more of said multiple additional connections; and

analyzing said one or more filtered connections against the database to identify, from the one or more filtered connections, a connection to a destination external to the enterprise network that is not included in the information in the database;

wherein said generating, said removing, said processing, and said analyzing are carried out by at least one computing device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus and articles of manufacture for detecting suspicious web traffic are provided herein. A method includes generating a database comprising information corresponding to each of multiple connections between one or more destinations external to an enterprise network and one or more hosts within the enterprise network, wherein said multiple connections occur over a given period of time; processing multiple additional connections between one or more destinations external to the enterprise network and one or more hosts within the enterprise network with one or more filtering operations to produce one or more filtered connections, wherein said multiple additional connections occur subsequent to said given period of time; and analyzing said filtered connections against the database to identify a connection to a destination external to the enterprise network that is not included in the information in the database.

42 Citations

View as Search Results

18 Claims

1. A method comprising:
- generating a database comprising information corresponding to each of multiple connections between one or more destinations external to an enterprise network and one or more hosts within the enterprise network, wherein said multiple connections occur over a given period of time, and wherein the information in the database comprises a timestamp corresponding to a respective connection between a destination external to the enterprise network and a host within the enterprise network;
  
  removing a given destination from the information in the database upon a determination that the given destination has not been contacted by a host within the enterprise network over a specified duration of time;
  
  processing multiple additional connections between one or more destinations external to the enterprise network and one or more hosts within the enterprise network with one or more filtering operations to produce one or more filtered connections, wherein said multiple additional connections occur subsequent to said given period of time, and wherein said processing comprises;
  
  applying a white-list of one or more destinations to said multiple additional connections to preclude one or more of said multiple additional connections associated with said white-list destinations from said filtered connections;
  
  identifying one or more of said multiple additional connections associated with a user bookmark to preclude from said filtered connections; and
  
  folding each of said destinations to a second-level sub-domain to filter one or more services employing a random string as a sub-domain, wherein said one or more services correspond to one or more of said multiple additional connections; and
  
  analyzing said one or more filtered connections against the database to identify, from the one or more filtered connections, a connection to a destination external to the enterprise network that is not included in the information in the database;
  
  wherein said generating, said removing, said processing, and said analyzing are carried out by at least one computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein each of said one or more destinations comprises a domain name.
  - 3. The method of claim 1, wherein each of said one or more destinations comprises an internet protocol address.
  - 4. The method of claim 1, further comprising:
    - updating the database with one or more additional connections per a given temporal frequency.
  - 5. The method of claim 1, wherein said white-list is customized with respect to the enterprise network.
  - 6. The method of claim 1, wherein said white-list comprises one or more destinations that are not in violation of an enterprise policy.
  - 7. The method of claim 1, further comprising:
    - identifying, from said multiple additional connections, a connection wherein a host contacted a destination without a white-listed referrer as one of said one or more filtered connections.
  - 8. The method of claim 1, wherein said processing further comprises identifying each of said multiple additional connections associated with an unmodified internet protocol address to preclude form said one or more filtered connections.
  - 9. The method of claim 1, wherein said processing further comprises determining a domain age of each of said one or more destinations external to the enterprise network.
  - 10. The method of claim 1, wherein said processing further comprises normalizing log data associated with said multiple additional connections.
  - 11. The method of claim 10, wherein said normalizing comprises normalizing a timestamp associated with each item of said log data into a common time zone.
  - 12. The method of claim 10, wherein said normalizing comprises establishing a mapping between each internet protocol (IP) address associated with said log data and a unique identifier for each of said one or more hosts.

13. An article of manufacture comprising a non-transitory processor-readable storage medium having processor-readable instructions tangibly embodied thereon which, when implemented, cause a processor to carry steps comprising:
- generating a database comprising information corresponding to each of multiple connections between one or more destinations external to an enterprise network and one or more hosts within the enterprise network, wherein said multiple connections occur over a given period of time, and wherein the information in the database comprises a timestamp corresponding to a respective connection between a destination external to the enterprise network and a host within the enterprise network;
  
  removing a given destination from the information in the database upon a determination that the given destination has not been contacted by a host within the enterprise network over a specified duration of time;
  
  processing multiple additional connections between one or more destinations external to the enterprise network and one or more hosts within the enterprise network with one or more filtering operations to produce one or more filtered connections, wherein said multiple additional connections occur subsequent to said given period of time, and wherein said processing comprises;
  
  applying a white-list of one or more destinations to said multiple additional connections to preclude one or more of said multiple additional connections associated with said white-list destinations from said filtered connections;
  
  identifying one or more of said multiple additional connections associated with a user bookmark to preclude from said filtered connections; and
  
  folding each of said destinations to a second-level sub-domain to filter one or more services employing a random string as a sub-domain, wherein said one or more services correspond to one or more of said multiple additional connections; and
  
  analyzing said one or more filtered connections against the database to identify, from the one or more filtered connections, a connection to a destination external to the enterprise network that is not included in the information in the database.

14. An apparatus comprising:
- a memory; and
  
  at least one processor coupled to the memory and configured to;
  
  generate a database comprising information corresponding to each of multiple connections between one or more destinations external to an enterprise network and one or more hosts within the enterprise network, wherein said multiple connections occur over a given period of time, and wherein the information in the database comprises a timestamp corresponding to a respective connection between a destination external to the enterprise network and a host within the enterprise network;
  
  remove a given destination from the information in the database upon a determination that the given destination has not been contacted by a host within the enterprise network over a specified duration of time;
  
  process multiple additional connections between one or more destinations external to the enterprise network and one or more hosts within the enterprise network with one or more filtering operations to produce one or more filtered connections, wherein said multiple additional connections occur subsequent to said given period of time, and wherein said processing comprises;
  
  applying a white-list of one or more destinations to said multiple additional connections to preclude one or more of said multiple additional connections associated with said white-list destinations from said filtered connections;
  
  identifying one or more of said multiple additional connections associated with a user bookmark to preclude from said filtered connections; and
  
  folding each of said destinations to a second-level sub-domain to filter one or more services employing a random string as a sub-domain, wherein said one or more services correspond to one or more of said multiple additional connections; and
  
  analyze said one or more filtered connections against the database to identify, from the one or more filtered connections, a connection to a destination external to the enterprise network that is not included in the information in the database.

15. A method comprising:
- examining, over a specified period of time, each of multiple connections between (i) one or more destinations external to an enterprise network and (ii) one or more hosts within the enterprise network;
  
  generating a database comprising information corresponding to each of said multiple connections, wherein the information in the database comprises a timestamp corresponding to a respective connection between a destination external to the enterprise network and a host within the enterprise network;
  
  removing a given destination from the information in the database upon a determination that the given destination has not been contacted by a host within the enterprise network over a specified duration of time;
  
  processing multiple additional connections between (i) one or more destinations external to the enterprise network and (ii) one or more hosts within the enterprise network with one or more filtering operations to produce one or more filtered connections, wherein said processing comprises;
  
  applying a white-list of one or more destinations to said multiple additional connections to preclude one or more of said multiple additional connections associated with said white-list destinations from said filtered connections;
  
  identifying one or more of said multiple additional connections associated with a user bookmark to preclude from said filtered connections; and
  
  folding each of said destinations to a second-level sub-domain to filter one or more services employing a random string as a sub-domain, wherein said one or more services correspond to one or more of said multiple additional connections;
  
  analyzing said one or more filtered connections against the database to identify, from the one or more filtered connections, a connection to a destination external to the enterprise network that is not included in the information in the database; and
  
  outputting an alert corresponding to said identified instance.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15, further comprising:
    - updating the database with one or more additional connections per a given temporal frequency.
  - 17. The method of claim 15, wherein each of said one or more destinations comprises at least one of a domain name and an internet protocol address.
  - 18. The method of claim 15, wherein said processing further comprises determining a domain age of each of said one or more destinations external to the enterprise network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
EMC Corporation (Dell Technologies Inc.), Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Yen, Ting-Fang, Oprea, Alina, Onarlioglu, Kaan
Primary Examiner(s)
Ho, Dao

Application Number

US14/698,222
Time in Patent Office

574 Days
Field of Search

726/2, 726/12
US Class Current

1/1
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

Detecting suspicious web traffic from an enterprise network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Detecting suspicious web traffic from an enterprise network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others