Large Scale Malicious Process Detection
US-2016269424-A1 · Sep 15, 2016 · US
US2016359877A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016359877-A1 |
| Application number | US-201615145630-A |
| Country | US |
| Kind code | A1 |
| Filing date | May 3, 2016 |
| Priority date | Jun 5, 2015 |
| Publication date | Dec 8, 2016 |
| Grant date | — |
Abstract
An example method can include receiving a traffic report from a sensor and using the traffic report to detect intra-datacenter flows. These intra-datacenter flows can then be compared with a description of historical flows. The description of historical flows can identify characteristics of normal and malicious flows. Based on the comparison, the flows can be classified and tagged as normal, malicious, or anomalous. If the flows are tagged as malicious or anomalous, corrective action can be taken with respect to the flows. A description of the flows can then be added to the description of historical flows.
Claims

1. A computer-implemented method, comprising: capturing, by a datacenter analytics module that analyzes intra-datacenter flows and extra-datacenter flows, a subset of the intra-datacenter flows; obtaining, by the datacenter analytics module, a comparison of the subset of the intra-datacenter-data flows and historical flows; determining, by the datacenter analytics module, that the subset of the intra-datacenter flows corresponds to anomalous traffic based on the comparison; and analyzing, by the datacenter analytics module, the subset of the intra-datacenter flows to determine whether the subset of the intra-datacenter flows corresponds to malicious traffic.
2. The computer-implemented method of claim 1, wherein obtaining the comparison includes: determining a number of the subset of the intra-datacenter flows that include unique source hosts communicating with a common destination host.
3. The computer-implemented method of claim 1, wherein obtaining the comparison includes: determining a number of the subset of the intra-datacenter flows that include unique ports.
4. The computer-implemented method of claim 1, wherein the subset of the intra-datacenter flows and the historical flows are limited to flows between one source host and one destination host.
5. The computer-implemented method of claim 1, further comprising: determining that the subset of the intra-datacenter flows corresponds to a particular service.
6. The computer-implemented method of claim 5, wherein the particular service is run on at least two hosts.
7. The computer-implemented method of claim 1, further comprising: modifying an access control list to block at least one of the subset of the intra-datacenter flows.
8. The computer-implemented method of claim 1, wherein determining that the subset of the intra-datacenter flows corresponds to anomalous traffic includes: determining a reputation score associated with a host corresponding to one of the subset of the intra-datacenter flows.
9. The computer-implemented method of claim 1, wherein capturing the subset of the intra-datacenter flows includes: receiving a traffic report that includes flow data from a first sensor installed on a host, a second sensor installed on a hypervisor, and a third sensor installed on a switch, wherein each of the first sensor, the second sensor, and the third sensor respectively report on packets sent from or through the host, the hypervisor, and the switch.
10. The computer-implemented method of claim 1, further comprising: capturing a subset of the extra-datacenter flows; determining that the subset of the intra-datacenter flows originates from one or more attacking hosts; determining, based on the subset of the extra-datacenter flows, that each of the one or more attacking hosts received a respective extra-datacenter flow of the subset of the extra-datacenter flows from a common host before initiating a respective intra-datacenter flow; and identifying the common host as an extra-datacenter flow control host by correlating each of the respective extra-datacenter flows with the common host.
11. A non-transitory computer-readable medium comprising instructions stored thereon, the instructions, when executed, cause a computing device, which analyzes intra-datacenter flows and extra-datacenter flows, to: capture a subset of the intra-datacenter flows; obtain a comparison of the subset of the intra-datacenter-data-flows and historical flows; determine that the subset of the intra-datacenter flows corresponds to anomalous traffic based on the comparison; and analyze the subset of the intra-datacenter flows to determine whether the subset of the intra-datacenter flows corresponds to malicious traffic.
12. The non-transitory computer-readable medium of claim 11, wherein the instructions, when executed to cause the computing device to obtain the comparison, include causing the computing device to: determine a number of the subset of the intra-datacenter flows that include unique source hosts communicating to a common destination host.
13. The non-transitory computer-readable medium of claim 11, wherein the instructions, when executed to cause the computing device to obtain the comparison, include causing the computing device to: determine a number of the subset of the intra-datacenter flows that include unique ports.
14. The non-transitory computer-readable medium of claim 11, wherein the subset of the intra-datacenter flows and the historical flows are limited to flows between one source host and one destination host.
15. The non-transitory computer-readable medium of claim 11, wherein the instructions when executed further cause the computing device to: determine that the subset of the intra-datacenter flows corresponds to a particular service.
16. The non-transitory computer-readable medium of claim 15, wherein the particular service is run on at least two hosts.
17. The non-transitory computer-readable medium of claim 11, wherein the instructions when executed further cause the computing device to: modify an access control list to block at least one of the subset of the intra-datacenter flows.
18. The non-transitory computer-readable medium of claim 11, wherein the instructions, when executed to cause the computing device to determine that the subset of the intra-datacenter flows corresponds to anomalous traffic, include causing the computing device to: determine a reputation score associated with a host corresponding to one of the subset of the intra-datacenter flows.
19. The non-transitory computer-readable medium of claim 11, wherein the instructions, when executed to cause the computing device to capture the subset of the intra-datacenter flows, include causing the computing device to: receive a traffic report that includes flow data from a first sensor installed on a host, a second sensor installed on a hypervisor, and a third sensor installed on a switch, wherein each of the first sensor, the second sensor, and the third sensor respectively report on packets sent from or through the host, the hypervisor, and the switch.
20. The non-transitory computer-readable medium of claim 11, wherein the instructions when executed further cause the computing device to: capture a subset of the extra-datacenter flows; determine that the subset of the intra-datacenter flows originates from one or more attacking hosts; determine, based on the subset of the extra-datacenter flows, that each of the one or more attacking hosts received a respective extra-datacenter flow of the subset of the extra-datacenter flows from a common host before initiating a respective intra-datacenter flow; and identify the common host as an extra-datacenter flow control host by correlating each of the respective extra-datacenter flows with the common host.
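The comparison steps in claims 1 to 3, the access-control response in claim 7 and the control-host correlation in claim 10 are simple enough to show end to end. The following is an added example written for this page, not code from the patent, its assignee or any product; the flow records, the `10.0.` datacenter prefix, the timestamps and the `factor` threshold are all constructed assumptions. It counts unique source hosts and unique ports per destination in a current window, compares them with a historical baseline to tag each destination, selects the baseline-unknown flows to an anomalous destination as the attacking flows, and then looks for one external host that reached every attacking source before that source started its intra-datacenter flow.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the datacenter's internal address space (constructed value).
DC_PREFIX = "10.0."


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds; constructed timestamps
    src: str
    dst: str
    dport: int


def is_intra(f: Flow) -> bool:
    """Intra-datacenter means both endpoints lie inside DC_PREFIX."""
    return f.src.startswith(DC_PREFIX) and f.dst.startswith(DC_PREFIX)


# Constructed historical baseline: three web hosts talk to one database host on 5432.
HISTORICAL = [Flow(t, f"10.0.1.{i}", "10.0.2.10", 5432) for t, i in enumerate((1, 2, 3), start=1)]

# Constructed current window: an external host reaches three web hosts, which then
# fan in to the database host on ports the baseline never saw.
CURRENT = [
    Flow(100, "203.0.113.7", "10.0.1.5", 443),
    Flow(101, "203.0.113.7", "10.0.1.6", 443),
    Flow(102, "203.0.113.7", "10.0.1.7", 443),
    Flow(110, "10.0.1.5", "10.0.2.10", 22),
    Flow(111, "10.0.1.6", "10.0.2.10", 445),
    Flow(112, "10.0.1.7", "10.0.2.10", 3389),
    Flow(113, "10.0.1.1", "10.0.2.10", 5432),  # a normal, baseline-matching flow
]


def unique_sources_per_dst(flows):
    """Claim 2: number of unique source hosts talking to each destination host."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.dst].add(f.src)
    return {d: len(s) for d, s in seen.items()}


def unique_ports_per_dst(flows):
    """Claim 3: number of unique destination ports observed per destination host."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.dst].add(f.dport)
    return {d: len(s) for d, s in seen.items()}


def tag_destinations(current, historical, factor=2):
    """Claim 1: compare current intra-datacenter flows with the historical baseline
    and tag each destination 'normal' or 'anomalous'. `factor` is an assumed
    threshold for this example, not a value taken from the patent."""
    cur = [f for f in current if is_intra(f)]
    cur_src, cur_port = unique_sources_per_dst(cur), unique_ports_per_dst(cur)
    hist_src, hist_port = unique_sources_per_dst(historical), unique_ports_per_dst(historical)
    tags = {}
    for dst in cur_src:
        base_src, base_port = hist_src.get(dst, 0), hist_port.get(dst, 0)
        # A destination with no baseline at all cannot be called normal.
        anomalous = (base_src == 0
                     or cur_src[dst] > factor * base_src
                     or cur_port[dst] > factor * base_port)
        tags[dst] = "anomalous" if anomalous else "normal"
    return tags


def attacking_flows(current, historical, tags):
    """Intra flows to an anomalous destination whose (src, dst, port) triple was
    never seen in the baseline: these are the flows to block and to trace back."""
    known = {(f.src, f.dst, f.dport) for f in historical}
    return [f for f in current if is_intra(f)
            and tags.get(f.dst) == "anomalous"
            and (f.src, f.dst, f.dport) not in known]


def find_control_hosts(attacking, current):
    """Claim 10: an external host that contacted every attacking source host before
    that host began its intra-datacenter flow is reported as the control host."""
    extra = [f for f in current if not is_intra(f)]
    common = None
    for a in attacking:
        prior = {e.src for e in extra if e.dst == a.src and e.ts < a.ts}
        common = prior if common is None else common & prior
    return sorted(common or ())


def acl_deny_entries(attacking):
    """Claim 7: access-control entries that block each attacking flow."""
    return sorted({("deny", f.src, f.dst, f.dport) for f in attacking})


def analyze(current=CURRENT, historical=HISTORICAL):
    tags = tag_destinations(current, historical)
    attacking = attacking_flows(current, historical, tags)
    return {
        "tags": tags,
        "attacking": attacking,
        "control_hosts": find_control_hosts(attacking, current),
        "acl": acl_deny_entries(attacking),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(key, value)
```

On the constructed window the database host is tagged anomalous because four distinct ports appear against a baseline of one, the three baseline-unknown flows become deny entries, and `203.0.113.7` is the only external host that reached all three sources beforehand. Claim 4's restriction to one source and one destination pair is obtained by filtering the input flows before calling `tag_destinations`; the reputation score of claim 8 and the per-sensor traffic report of claim 9 are outside what this example models.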
CPC classification titles (as listed on the record):
- Drawing of charts or graphs
- based on quality criteria
- Policy-based network configuration management
- involving identification of individual flows
- Third party