Title DETECTING NETWORK RECONNAISSANCE BY TRACKING INTRANET DARK-NET COMMUNICATIONS
Abstract A method and system for detecting network reconnaissance is disclosed wherein network traffic can be parsed into unidirectional flows that correspond to sessions. A learning module may categorize computing entities inside the network into assets and generate asset data to monitor the computing entities. If one or more computing entities address a flow to an address of a host that no longer exists, ghost asset data may be recorded and updated in the asset data. When a computing entity inside the network contacts an object in the dark-net, the computing entity may be recorded as a potential mapper. When the computing entity tries to contact a number of objects in the dark-net such that a computed threshold is exceeded, the computing entity is identified as a malicious entity performing network reconnaissance.
Publication number US2015264078(A1) Publication date 2015.09.17
Application number US201514644182 Filing date 2015.03.10
Applicant VECTRA NETWORKS, INC. Inventors Beauchesne Nicolas;Yoon Sungwook
Classification (IPC) H04L29/06;H04L29/08 Main classification H04L29/06
Agency Agent
Independent claim 1. A system for detecting network reconnaissance in a network having a plurality of host entities, comprising: a flow pre-processor engine having a parsing module that receives packets in an internal network and generates one or more flow datasets that correspond to one or more sessions; a learning module having a validation unit that generates asset data based at least in part on a successful reciprocal communication between host entities in the network; and a detection module having a correlation unit that generates dark-net connection attempt data for the plurality of host entities and a reporting unit that generates report data if the number of attempts by one of the hosts to connect to dark-net objects surpasses a threshold.
Address San Jose CA US
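The abstract and claim 1 describe a three-stage pipeline (pair unidirectional flows into sessions, learn assets from reciprocal sessions, count each host's distinct unanswered contacts to never-seen intranet addresses against a threshold). The following is an added illustration of that logic written for this page, not code from the patent or from Vectra Networks. Everything in it is an assumption for the purpose of the example: the intranet prefix, the session-pairing heuristic (a reverse flow within a few seconds), the ghost-asset rule (a former asset silent for longer than GHOST_WINDOW), the fixed threshold (the page does not say how the "computed threshold" is derived), and the flow records, which are constructed, not captured traffic.

```python
"""Toy dark-net reconnaissance detector (illustrative, all parameters assumed)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed intranet prefix
SESSION_WINDOW = 5                   # assumed: reverse flow within 5 s => same session
GHOST_WINDOW = 30                    # assumed: asset silent > 30 s => "host no longer exists"


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow src -> dst at coarse time t (seconds)."""
    t: int
    src: str
    dst: str


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def split_sessions(flows):
    """Flow pre-processor: a flow is 'answered' when the reverse direction
    (dst -> src) is seen within SESSION_WINDOW. Returns [(flow, answered)]."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f.t)
    return [
        (f, any(abs(t - f.t) <= SESSION_WINDOW for t in by_pair.get((f.dst, f.src), ())))
        for f in flows
    ]


def learn_assets(sessions):
    """Learning module: an internal address becomes an asset once it takes part in
    a reciprocal session. Returns {ip: last time it was seen in a reciprocal session}."""
    last_seen = {}
    for f, answered in sessions:
        if not answered:
            continue
        for ip in (f.src, f.dst):
            if is_internal(ip):
                last_seen[ip] = max(last_seen.get(ip, -1), f.t)
    return last_seen


def classify_attempts(sessions, assets):
    """Detection module: each unanswered flow to an internal address is either
    to a live asset (ignored, e.g. a closed port), to a ghost asset (a former
    asset now silent; recorded but not counted), or to a dark-net object
    (an address that has never answered anyone). Returns ({src: {dark dsts}}, ghosts)."""
    darknet = defaultdict(set)
    ghosts = set()
    for f, answered in sessions:
        if answered or not is_internal(f.dst):
            continue
        if f.dst in assets:
            if f.t - assets[f.dst] > GHOST_WINDOW:
                ghosts.add(f.dst)  # host existed earlier, no longer responds
            continue
        darknet[f.src].add(f.dst)
    return darknet, ghosts


def detect_mappers(flows, threshold=5):
    """Run the pipeline; a host is flagged when its count of distinct dark-net
    objects contacted exceeds the threshold (a fixed parameter here)."""
    sessions = split_sessions(flows)
    assets = learn_assets(sessions)
    darknet, ghosts = classify_attempts(sessions, assets)
    return {
        "assets": assets,
        "ghosts": ghosts,
        "potential_mappers": {src: sorted(dsts) for src, dsts in darknet.items()},
        "flagged": sorted(src for src, dsts in darknet.items() if len(dsts) > threshold),
    }


# Constructed sample flows (not real traffic): two workstations, one live server,
# one decommissioned server, one mistyped address, and one host sweeping six
# unused addresses.
SAMPLE_FLOWS = [
    Flow(0, "10.0.0.5", "10.0.0.20"), Flow(1, "10.0.0.20", "10.0.0.5"),    # old server still up
    Flow(2, "10.0.0.5", "10.0.0.10"), Flow(3, "10.0.0.10", "10.0.0.5"),
    Flow(4, "10.0.0.6", "10.0.0.10"), Flow(5, "10.0.0.10", "10.0.0.6"),
    Flow(6, "10.0.0.5", "10.0.0.40"),                                      # typo: one dark-net contact
    Flow(7, "10.0.0.5", "192.0.2.1"),                                      # external: ignored
    Flow(50, "10.0.0.6", "10.0.0.20"),                                     # old server gone: ghost
    Flow(60, "10.0.0.99", "10.0.0.10"), Flow(61, "10.0.0.10", "10.0.0.99"),
    Flow(62, "10.0.0.99", "10.0.0.20"),                                    # ghost, not counted
] + [Flow(63 + i, "10.0.0.99", f"10.0.0.{30 + i}") for i in range(6)]     # sweep of dark-net

if __name__ == "__main__":
    result = detect_mappers(SAMPLE_FLOWS)
    print("ghost assets:", sorted(result["ghosts"]))
    print("potential mappers:", result["potential_mappers"])
    print("flagged as reconnaissance:", result["flagged"])
```

Two practitioner points the sample is built to show: the host that mistyped one address (10.0.0.5) is recorded as a potential mapper but stays below the threshold, and contacts to the decommissioned server (10.0.0.20) are attributed to a ghost asset rather than inflating anyone's dark-net count, which is what keeps stale DNS entries and cached shares from producing false positives.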