Privilege inference and monitoring based on network behavior
US-10277618-B1 · Apr 30, 2019 · US
US10951650B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10951650-B2 |
| Application number | US-201715638556-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 30, 2017 |
| Priority date | Jun 30, 2017 |
| Publication date | Mar 16, 2021 |
| Grant date | Mar 16, 2021 |
Abstract
Methods and systems for detecting passive malicious network-mapping software on a computer network are disclosed. An expected location within a computer system for storing a received data packet may be determined. An actual storage location of the received data packet may be identified and compared to the expected storage location. In the event that the expected location does not match the actual storage location of the received data packet on the computer system, the presence of passive malicious network-mapping software such as a sniffer may be detected.
Claims (preview)
What is claimed is:

1. A computer system, comprising: a network interface card (NIC); at least one processor; and a non-transitory, computer-readable medium having instructions stored thereon that are executable by the at least one processor to cause the computer system to perform operations, the operations comprising: receiving first data via the NIC; determining, based on a type of the first data, an expected storage location, of the computer system, for storing the first data, wherein the first data includes at least one of the following types of data: address resolution protocol (ARP) data; domain name system (DNS) data; host name data; or web resource data; identifying an actual storage location, of the computer system, in which the first data is stored; comparing the expected storage location for the first data to the actual storage location for the first data; based on the comparing, determining that the actual storage location for the first data does not match the expected storage location for the first data; and in response to the determining that the actual storage location does not match the expected storage location, generating a notification indicating a security risk.
2. The computer system of claim 1, wherein the first data includes ARP data; and wherein the expected storage location for the ARP data is an ARP cache.
3. The computer system of claim 2, wherein the determining includes determining that the ARP data is stored by a portion of the computer system other than the ARP cache.
4. The computer system of claim 1, wherein the expected storage location for the first data is a system memory of the computer system.
5. The computer system of claim 1, wherein the first data includes DNS data; and wherein the expected storage location for the DNS data is a DNS cache.
6. The computer system of claim 5, wherein the determining includes determining that the DNS data is stored by a portion of the computer system other than the DNS cache.
7. A method, comprising: receiving, by a computer system, first data; determining, by the computer system based on a type of the first data, an expected storage location for storing the first data, wherein the first data includes at least one of the following types of data: ARP data; DNS data; host name data; or web resource data; identifying, by the computer system, an actual storage location in which the first data is stored; comparing, by the computer system, the expected storage location for the first data to the actual storage location for the first data; based on the comparing, determining, by the computer system, that the actual storage location for the first data does not match the expected storage location for the first data; and in response to the determining that the actual storage location does not match the expected storage location, generating, by the computer system, a notification indicating a security risk.
8. The method of claim 7, wherein the first data includes ARP data, and wherein the expected storage location for the ARP data is an ARP cache.
9. The method of claim 8, wherein the determining includes determining that the ARP data is stored by a portion of the computer system other than the ARP cache.
10. The method of claim 7, wherein the expected storage location for the first data is a system memory of the computer system.
11. The method of claim 7, wherein the first data includes DNS data, and wherein the expected storage location for the DNS data is a DNS cache.
12. The method of claim 11, wherein the determining includes determining that the DNS data is stored by a portion of the computer system other than the DNS cache.
13. A non-transitory, computer-readable medium having instructions stored thereon that are executable by a computer system to perform operations comprising: receiving first data via a NIC; determining, based on a type of the first data, an expected storage location, of the computer system, for storing the first data, wherein the first data includes at least one of the following types of data: ARP data; DNS data; host name data; or web resource data; identifying an actual storage location, of the computer system, in which the first data is stored; comparing the expected storage location for the first data to the actual storage location for the first data; based on the comparing, determining that the actual storage location for the first data does not match the expected storage location for the first data; and in response to the determining that the actual storage location does not match the expected storage location, generating a notification indicating a security risk.
14. The non-transitory, computer-readable medium of claim 13, wherein the first data includes ARP data, and wherein the expected storage location for the ARP data is an ARP cache.
15. The non-transitory, computer-readable medium of claim 14, wherein the determining includes determining that the ARP data is stored by a portion of the computer system other than the ARP cache.
16. The non-transitory, computer-readable medium of claim 13, wherein the expected storage location for the first data is a system memory of the computer system.
17. The non-transitory, computer-readable medium of claim 13, wherein the first data includes DNS data, and wherein the expected storage location for the DNS data is a DNS cache.
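To make the claimed check concrete, the following Python model is an added illustration written for this page; it is not code from the patent, its applicant or any product. It models a host whose caches are plain dictionaries, a hypothetical `capture_buffer` standing in for the user-space buffer a promiscuous-mode sniffer copies frames into, and a header-based `classify` function. The ARP-to-ARP-cache and DNS-to-DNS-cache mappings follow claims 2 and 5; the host-name and web-resource store names and the mDNS/HTTP port choices used to classify those types are assumptions made for the example.

```python
"""Added illustrative model of the claimed expected-vs-actual storage check.

Not the patent's code. Flow: classify the received data by type, look up the
store it should land in, find every store that actually holds it, and raise a
notification if it is anywhere other than the expected store (claims 1, 3, 6).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


class DataType(Enum):
    ARP = "arp"
    DNS = "dns"
    HOSTNAME = "hostname"
    WEB = "web"


# Expected store per data type. ARP and DNS follow claims 2 and 5; the
# hosts_table and web_cache names are assumptions for this model.
EXPECTED_LOCATION = {
    DataType.ARP: "arp_cache",
    DataType.DNS: "dns_cache",
    DataType.HOSTNAME: "hosts_table",
    DataType.WEB: "web_cache",
}


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: just enough header fields to classify,
    plus the key/value pair the stack would cache (e.g. IP -> MAC)."""
    ethertype: int
    proto: Optional[str] = None  # "udp" or "tcp" for IP packets
    sport: int = 0
    dport: int = 0
    key: str = ""
    value: str = ""


def classify(pkt: Packet) -> Optional[DataType]:
    """Map header fields to one of the claimed data types; None = out of scope."""
    if pkt.ethertype == ETHERTYPE_ARP:
        return DataType.ARP
    if pkt.proto == "udp" and 53 in (pkt.sport, pkt.dport):
        return DataType.DNS
    if pkt.proto == "udp" and 5353 in (pkt.sport, pkt.dport):  # mDNS (assumed)
        return DataType.HOSTNAME
    if pkt.proto == "tcp" and (pkt.sport in (80, 443) or pkt.dport in (80, 443)):
        return DataType.WEB
    return None


@dataclass
class Host:
    """Toy host: each store maps key -> value. capture_buffer is a constructed
    stand-in for memory a passive sniffer copies received frames into."""
    stores: dict = field(default_factory=lambda: {
        "arp_cache": {}, "dns_cache": {}, "hosts_table": {},
        "web_cache": {}, "capture_buffer": {},
    })
    sniffer_present: bool = False

    def receive(self, pkt: Packet) -> None:
        """The normal stack files the data in its proper cache; a sniffer, if
        present, additionally keeps its own copy outside that cache."""
        kind = classify(pkt)
        if kind is not None:
            self.stores[EXPECTED_LOCATION[kind]][pkt.key] = pkt.value
        if self.sniffer_present:
            self.stores["capture_buffer"][pkt.key] = pkt.value

    def locate(self, pkt: Packet) -> set:
        """Actual storage locations: every store holding this key/value pair."""
        return {name for name, table in self.stores.items()
                if table.get(pkt.key) == pkt.value}


def check(host: Host, pkt: Packet) -> Optional[dict]:
    """The claimed comparison. None when the data sits only where it should;
    otherwise a notification naming the unexpected locations."""
    kind = classify(pkt)
    if kind is None:
        return None
    expected = EXPECTED_LOCATION[kind]
    actual = host.locate(pkt)
    unexpected = actual - {expected}
    if not unexpected:
        return None
    return {"risk": "possible passive sniffer", "data_type": kind.value,
            "expected": expected, "actual": sorted(actual),
            "unexpected": sorted(unexpected)}


def run_scenario(sniffer_present: bool) -> list:
    """Deliver a constructed ARP reply and DNS answer and collect notifications."""
    host = Host(sniffer_present=sniffer_present)
    traffic = [
        Packet(ethertype=ETHERTYPE_ARP, key="192.0.2.10", value="02:00:00:00:00:0a"),
        Packet(ethertype=ETHERTYPE_IPV4, proto="udp", sport=53, dport=40000,
               key="example.com", value="192.0.2.20"),
    ]
    alerts = []
    for pkt in traffic:
        host.receive(pkt)
        note = check(host, pkt)
        if note:
            alerts.append(note)
    return alerts


if __name__ == "__main__":
    print("clean host:", run_scenario(False))
    print("host with sniffer:", run_scenario(True))
```

The model exercises only the decision logic: expected store by type, actual store by lookup, notification on any location other than the expected one. Two points worth noting against the claims. First, a copy in an extra buffer is a mismatch even when the expected cache also holds the entry, which is what makes a passive, copy-only sniffer visible to this check. Second, the claims say nothing about how the actual storage location is identified on a real system; doing so would require privileged access to the kernel neighbour table and resolver cache and a way to find other memory holding copies of the frame, and that is the part an implementer has to supply.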
CPC classification titles:

- Layer-2 addresses, e.g. medium access control [MAC] addresses
- Caching of addresses or names
- using domain name system [DNS]
- across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
- Traffic logging, e.g. anomaly detection