Attack traffic signature generation using statistical pattern recognition
US-8997227-B1 · Mar 31, 2015 · US
US11601349B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11601349-B2 |
| Application number | US-202016846117-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 10, 2020 |
| Priority date | Jun 5, 2015 |
| Publication date | Mar 7, 2023 |
| Grant date | Mar 7, 2023 |
Abstract
A method includes capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data, capturing second data associated with a second packet flow originating from the first host from a second capture agent deployed outside of the first host to yield second flow data and comparing the first flow data and the second flow data to yield a difference. When the difference is above a threshold value, the method includes determining that a hidden process exists and corrective action can be taken.
Claims
1. A method comprising: capturing flow data associated with a plurality of packet flows originating from a host device, the flow data being captured via two or more agents at different network components, at least one of the one or more agents being at the host device; computing a difference in the flow data based on a differential analysis of the flow data captured using the two or more agents; when the difference is above a threshold value, determining a hidden process included in one of the plurality of packet flows; predicting a presence of a malicious entity based on the determining of the hidden process; and taking a corrective action with respect to the malicious entity.
2. The method of claim 1, wherein the flow data includes metadata associated with a first packet flow and a second packet flow.
3. The method of claim 1, wherein the flow data includes first packet content of a first packet flow and second packet content of a second packet flow.
4. The method of claim 1, wherein the two or more agents are collectors.
5. The method of claim 1, wherein the flow data is received by each collector, and each collector is configured to yield the difference.
6. The method of claim 1, further comprising: identifying a generator of the hidden process.
7. The method of claim 1, wherein the flow data includes network data.
8. The method of claim 1, wherein the corrective action is shutting down the host device.
9. The method of claim 1, wherein the corrective action includes one or more of limiting packets to and from the host device, requiring all packets to and from the host device to flow through an operating stack of the host device, or notifying an administrator.
10. A system comprising: a processor; and a non-transitory computer-readable storage medium storing instructions which, when executed by the processor, cause the processor to: capture flow data associated with a plurality of packet flows originating from a host device, the flow data being captured via two or more agents at different network components, at least one of the one or more agents being at the host device; compute a difference in the flow data based on a differential analysis of the flow data captured using the two or more agents; when the difference is above a threshold value, determine a hidden process included in one of the plurality of packet flows; predict a presence of a malicious entity based on the determining of the hidden process; and take a corrective action with respect to the malicious entity.
11. The system of claim 10, wherein the flow data includes metadata associated with a first packet flow and a second packet flow.
12. The system of claim 10, wherein the flow data includes first packet content of a first packet flow and second packet content of a second packet flow.
13. The system of claim 10, wherein the two or more agents are collectors.
14. The system of claim 10, wherein the flow data is received by each collector, and each collector is configured to yield the difference.
15. The system of claim 10, wherein the corrective action includes one of limiting packets to and from the host device, requiring all packets to and from the host device to flow through an operating stack of the host device, shutting down a host, or notifying an administrator.
16. A non-transitory computer-readable storage device that stores instructions which, when executed by a processor, cause the processor to: capture flow data associated with a plurality of packet flows originating from a host device, the flow data being captured via two or more agents at different network components, at least one of the one or more agents being at the host device; compute a difference in the flow data based on a differential analysis of the flow data captured using the two or more agents; when the difference is above a threshold value, determine a hidden process included in one of the plurality of packet flows; predict a presence of a malicious entity based on the determining of the hidden process; and take a corrective action with respect to the malicious entity.
17. The non-transitory computer-readable storage device of claim 16, wherein the flow data includes metadata associated with a first packet flow and a second packet flow.
18. The non-transitory computer-readable storage device of claim 16, wherein the two or more agents are collectors configured to yield the difference.
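The following is an added worked example of the differential analysis the abstract and claim 1 describe, with the corrective-action options of claims 8, 9 and 15 applied to the result. It is not code from the patent, its assignee or any product. It assumes the two agents both emit per-flow records keyed on the IP 5-tuple, that the on-host agent additionally knows the owning process, and it uses a byte-count tolerance, a detection threshold and an escalation rule whose values are assumptions; every flow record below is constructed sample data.

```python
"""Differential flow analysis for hidden-process detection (added example).

An agent on the host reports the flows its network stack knows about; an
agent outside the host (switch, tap or hypervisor sensor) reports what
actually crossed the wire. Wire traffic the host's own view cannot account
for is the "difference"; above a threshold it is attributed to a hidden
process. Record layout, thresholds and all sample flows are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One flow record. `process` is known only to the on-host agent."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int
    process: Optional[str] = None

    def key(self) -> Tuple[str, int, str, int, str]:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


@dataclass
class Differential:
    wire_only: List[Flow]                        # seen off-host, absent from host view
    host_only: List[Flow]                        # reported by host, never seen on wire
    underreported: List[Tuple[Flow, Flow, int]]  # (host, wire, extra wire bytes)
    difference: float                            # unexplained wire bytes / all wire bytes


def differential(host_flows: List[Flow], wire_flows: List[Flow],
                 tolerance: float = 0.02) -> Differential:
    """Compare the two captures keyed on the 5-tuple. `tolerance` (assumed)
    absorbs the small byte skew two independent capture points always have."""
    host = {f.key(): f for f in host_flows}
    wire = {f.key(): f for f in wire_flows}
    wire_only = [wire[k] for k in wire if k not in host]
    # Host-only flows normally mean the off-host sensor does not see that path
    # (a capture gap), not a hidden process: reported, but not counted.
    host_only = [host[k] for k in host if k not in wire]
    unexplained = sum(f.bytes for f in wire_only)
    underreported = []
    for k in wire.keys() & host.keys():
        h, w = host[k], wire[k]
        extra = w.bytes - h.bytes
        # Bytes on the wire beyond what the host's stack reports for the same
        # connection point at something injecting below the stack.
        if extra > tolerance * w.bytes:
            underreported.append((h, w, extra))
            unexplained += extra
    total = sum(f.bytes for f in wire_flows)
    return Differential(wire_only, host_only, underreported,
                        unexplained / total if total else 0.0)


@dataclass
class Verdict:
    hidden_process: bool
    difference: float
    suspect_flows: List[Flow]
    actions: List[str]


def assess(diff: Differential, threshold: float = 0.05,
           shutdown_threshold: float = 0.5) -> Verdict:
    """Apply the threshold and choose corrective actions from the options in
    claims 8, 9 and 15. Both thresholds and the escalation rule are assumed."""
    if diff.difference <= threshold:
        return Verdict(False, diff.difference, [], [])
    suspects = diff.wire_only + [w for _, w, _ in diff.underreported]
    actions = ["notify_admin", "force_packets_through_host_stack", "limit_host_packets"]
    if diff.difference > shutdown_threshold:
        actions.append("shutdown_host")
    return Verdict(True, diff.difference, suspects, actions)


# Constructed sample captures for one host, 10.0.0.5.
HOST_REPORT = [
    Flow("10.0.0.5", 44123, "10.0.0.9", 443, "tcp", 120, 98000, "curl"),
    Flow("10.0.0.5", 51000, "10.0.0.20", 53, "udp", 2, 160, "systemd-resolved"),
]
# Benign: the same flows with a small byte skew between capture points.
WIRE_CAPTURE_BENIGN = [
    Flow("10.0.0.5", 44123, "10.0.0.9", 443, "tcp", 121, 98900),
    Flow("10.0.0.5", 51000, "10.0.0.20", 53, "udp", 2, 160),
]
# Implant with its own socket below the stack: a flow the host never reports.
WIRE_CAPTURE_IMPLANT = [
    Flow("10.0.0.5", 44123, "10.0.0.9", 443, "tcp", 120, 98000),
    Flow("10.0.0.5", 51000, "10.0.0.20", 53, "udp", 2, 160),
    Flow("10.0.0.5", 60100, "203.0.113.7", 4444, "tcp", 500, 410000),
]
# Piggybacking on curl's connection: same 5-tuple, far more bytes on the wire.
WIRE_CAPTURE_PIGGYBACK = [
    Flow("10.0.0.5", 44123, "10.0.0.9", 443, "tcp", 190, 150000),
    Flow("10.0.0.5", 51000, "10.0.0.20", 53, "udp", 2, 160),
]

if __name__ == "__main__":
    for name, capture in [("benign", WIRE_CAPTURE_BENIGN),
                          ("implant", WIRE_CAPTURE_IMPLANT),
                          ("piggyback", WIRE_CAPTURE_PIGGYBACK)]:
        v = assess(differential(HOST_REPORT, capture))
        print(f"{name:10s} difference={v.difference:.3f} "
              f"hidden={v.hidden_process} actions={v.actions}")
```

The two failure modes a practitioner should keep apart are visible in the sample data: a whole flow missing from the host's view (the implant case) is a strong signal and is escalated, while a shared connection carrying more bytes than the host admits (the piggyback case) is flagged without shutdown. Host-only flows are deliberately excluded from the score because they usually indicate that the off-host sensor simply does not see that path, and treating a capture gap as malice would make the detector trivially noisy.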
CPC classification titles:
- Drawing of charts or graphs
- Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- Discovery or management of network topologies
- Assignment of logical groups to network elements
- Protocols