Independent claim
1. A system for improved generation and distribution of security rules comprising:
a plurality of sensor computers, each of which is coupled to a different compromised computer among a plurality of compromised computers in geographically distributed locations, each of the compromised computers comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers, wherein the compromised computers are logically between one or more attacker computers and the one or more enterprise networks or enterprise computers;
one or more non-transitory data storage media in each of the sensor computers storing security logic comprising one or more sequences of instructions which when executed cause the sensor computer to perform:
    using the sensor computer, detecting, from network messages that the compromised computers emit, a series of actions that the network messages cause the enterprise computer to perform that do not correspond to a first security threat that is represented in security threat information stored in memory;
    using the sensor computer, determining, based on stored detection data, that the series of actions indicates a second security threat;
    using the sensor computer, recording the series of actions;
    using the sensor computer, providing the recording of the series of actions to a rules logic or a second sensor computer of the plurality of sensor computers;
    using the sensor computer, receiving from the rules logic a second rule comprising at least a portion of the recording of the series of actions as detection data and a second remediation measure;
    using the sensor computer, using the detection data included in the second rule, identifying the second security threat that is indicated by the network messages;
    using the sensor computer, in response to identifying the second security threat, performing the second remediation measure.
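The detect / record / rule-generation / distribute / remediate loop that the claim describes, as an added example written for this page. It is not code from the patent or from any product that practices it. Everything concrete in it is an assumption made for illustration: the mapping from a network message (method, path, response status) to the action it causes on the enterprise side, the "stored detection data" heuristic (two or more high-risk actions in one series), contiguous-subsequence matching as the rule detection test, the remediation names (`lock_account`, `block_source`), and the sample message sequences, which are constructed rather than captured. The claim does not say how a sensor maps messages to actions or how the rules logic chooses a remediation; this is one way to do it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """A security rule: detection data (an ordered series of enterprise-side
    actions) plus the remediation measure to perform once it is identified."""
    name: str
    detection: tuple
    remediation: str


# Assumed mapping from a network message emitted by a compromised computer to
# the action it causes the enterprise computer to perform (hypothetical values).
ACTION_OF_MESSAGE = {
    ("POST", "/login", 401): "login_fail",
    ("POST", "/login", 200): "login_success",
    ("POST", "/api/exec", 200): "exec_shell",
    ("PUT", "/startup/run.bat", 200): "write_startup",
    ("POST", "/upload", 200): "exfil_upload",
    ("GET", "/index.html", 200): "page_view",
}

# The "first security threat" already represented in stored threat information.
KNOWN_RULES = [
    Rule("credential-stuffing",
         ("login_fail", "login_fail", "login_fail", "login_success"),
         "lock_account"),
]

# Assumed "stored detection data": a series containing at least two of these
# actions indicates a threat even when no stored rule matches it.
HIGH_RISK_ACTIONS = {"exec_shell", "write_startup", "exfil_upload"}
HIGH_RISK_THRESHOLD = 2


def contains_series(actions, pattern):
    """True if `pattern` occurs as a contiguous run inside `actions`."""
    n = len(pattern)
    return any(tuple(actions[i:i + n]) == tuple(pattern)
               for i in range(len(actions) - n + 1))


class RulesLogic:
    """Turns a sensor's recording into a new rule (the recording becomes the
    rule's detection data) and distributes it to every registered sensor."""
    def __init__(self):
        self.sensors = []
        self.generated = []

    def build_rule(self, recording):
        rule = Rule(f"generated-{len(self.generated) + 1}", tuple(recording),
                    "block_source")          # assumed remediation for novel threats
        self.generated.append(rule)
        for sensor in self.sensors:          # distribution to all sensors
            sensor.receive_rule(rule)
        return rule


class Sensor:
    def __init__(self, name, rules_logic, known_rules=KNOWN_RULES):
        self.name = name
        self.rules_logic = rules_logic
        self.rules = list(known_rules)
        self.recordings = []                 # recorded novel series
        self.remediations = []               # (rule name, measure) performed
        rules_logic.sensors.append(self)

    def receive_rule(self, rule):
        if rule not in self.rules:
            self.rules.append(rule)

    def actions_from(self, messages):
        return tuple(ACTION_OF_MESSAGE.get((m["method"], m["path"], m["status"]),
                                           "unknown") for m in messages)

    def matching_rule(self, actions):
        return next((r for r in self.rules if contains_series(actions, r.detection)), None)

    def indicates_threat(self, actions):
        return len(HIGH_RISK_ACTIONS.intersection(actions)) >= HIGH_RISK_THRESHOLD

    def observe(self, messages):
        """Process messages from the coupled compromised computer; return the
        remediation measure performed, or None if nothing was identified."""
        actions = self.actions_from(messages)
        rule = self.matching_rule(actions)
        if rule is None and self.indicates_threat(actions):
            # Series matches no stored rule but the detection data says it is a
            # threat: record it, hand it to the rules logic, use the rule we get back.
            self.recordings.append(actions)
            rule = self.rules_logic.build_rule(actions)
        if rule is None:
            return None
        self.remediations.append((rule.name, rule.remediation))
        return rule.remediation


def msg(method, path, status):
    return {"method": method, "path": path, "status": status}


# Constructed sample traffic, not captured data.
KNOWN_ATTACK = [msg("POST", "/login", 401)] * 3 + [msg("POST", "/login", 200)]
NOVEL_ATTACK = [msg("GET", "/index.html", 200), msg("POST", "/api/exec", 200),
                msg("PUT", "/startup/run.bat", 200), msg("POST", "/upload", 200)]
BENIGN = [msg("GET", "/index.html", 200)]


def demo():
    logic = RulesLogic()
    a, b = Sensor("sensor-A", logic), Sensor("sensor-B", logic)
    return {
        "benign": a.observe(BENIGN),             # None: no rule, not high risk
        "known": a.observe(KNOWN_ATTACK),        # first threat -> lock_account
        "novel_a": a.observe(NOVEL_ATTACK),      # second threat -> new rule -> block_source
        "novel_b": b.observe(NOVEL_ATTACK),      # B already holds the distributed rule
        "rules_generated": len(logic.generated),
        "a_recordings": len(a.recordings),
        "b_recordings": len(b.recordings),       # B never had to record it itself
    }


if __name__ == "__main__":
    print(demo())
```

Two details are worth noting. The rule returned by the rules logic carries the sensor's own recording as its detection data, so the sensor re-identifies the threat through the rule rather than through the heuristic; and because the rule is pushed to every sensor, the second sensor identifies the same series on first sight without recording or round-tripping anything.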