VECTRA NETWORKS, INC. Patent applications |
Patent application number | Title | Published |
20150312211 | METHOD AND SYSTEM FOR GENERATING DURABLE HOST IDENTIFIERS USING NETWORK ARTIFACTS - A host identification engine receives network traffic from a network and uses one or more artifact extractors to extract artifact data items that can identify a host. The artifact data items can be stored in a host signature database. Network addresses to which the hosts correspond can be stored in a network address database. A mapping table can be implemented to match the data in the signature database and network database to generate durable host identification data that can accurately track hosts as they use different identification data and/or move between hosts. | 10-29-2015 |
20150264083 | MALICIOUS RELAY DETECTION ON NETWORKS - A system and method for detecting malicious relay communications is disclosed. Network communications can be received and analyzed using such network components as a network switch. The received traffic can be parsed into sessions. Relay metadata can be extracted from the sessions and further be used to categorize the sessions into one or more types of relay metadata behaviors. Once a significant amount of sessions are detected an alarm may be triggered and/or alarm data may be generated for analysis by network security administrators. | 09-17-2015 |
20150264078 | DETECTING NETWORK RECONNAISSANCE BY TRACKING INTRANET DARK-NET COMMUNICATIONS - A method and system for detecting network reconnaissance is disclosed wherein network traffic can be parsed into unidirectional flows that correspond to sessions. A learning module may categorize computing entities inside the network into assets and generate asset data to monitor the computing entities. If one or more computing entities address a flow to an address of a host that no longer exists, ghost asset data may be recorded and updated in the asset data. When a computing entity inside the network contacts an object in the dark-net, the computing entity may be recorded a potential mapper. When the computing entity tries to contact a number of objects in the dark-net, such that a computed threshold is exceeded, the computing entity is identified a malicious entity performing network reconnaissance. | 09-17-2015 |
20150264073 | SYSTEM AND METHOD FOR DETECTING INTRUSIONS THROUGH REAL-TIME PROCESSING OF TRAFFIC WITH EXTENSIVE HISTORICAL PERSPECTIVE - A real-time perspective engine that can detect network intrusions by accepting network packets as input, organizing the packets, and processing them through a series of detection schemes to identify potentially malicious network behavior. The detection system can implement stateless detection that detects network threats in real-time. The detection system can implement state-full detection that detects network threats which in small amounts may appear innocuous but over time evidence a network attack or malicious activity. | 09-17-2015 |
20150264070 | METHOD AND SYSTEM FOR DETECTING ALGORITHM-GENERATED DOMAINS - A method and system for detecting algorithm-generated domains (AGDs) is disclosed wherein domain names requested by an internal host are categorized or classified using curated data sets, active services (e.g. Internet services), and certainty scores to match domain names to domain names or IP addresses used by command and control servers. | 09-17-2015 |
20150264069 | METHOD AND SYSTEM FOR DETECTING EXTERNAL CONTROL OF COMPROMISED HOSTS - A detection engine may be implemented by receiving network traffic and processing the traffic into one or more session datasets. Sessions not initiated by an internal host may be discarded. The frequency between the communication packets from the internal host to external host may be grouped or processed into rapid-exchange instances. The number of rapid-exchange instances, the time intervals between them, and/or the rhythm and directions of the initiation of the instances may be analyzed to determine that a human actor is manually controlling the external host. In some embodiments, when it is determined that only one human actor is involved, alarm data may be generated that indicates that a network intrusion involving manual remote control has occurred or is underway. | 09-17-2015 |
20150264068 | METHOD AND SYSTEM FOR DETECTING BOT BEHAVIOR - A bot detection engine to determine whether hosts in an organization's network are performing bot-related activities is disclosed. is A bot detection engine can receive network traffic between hosts in a network, and/or between hosts across several networks. The bot engine may parse the network traffic into session datasets and discard the session datasets that were not initiated by hosts in a given network. The session datasets may be analyzed and state data may be accumulated. The state data may correspond to actions performed by the hosts, such as requesting a website or clicking ads, or requesting content within the website (e.g. clicking on a image which forms a HTTP request/response transaction for the image file). | 09-17-2015 |
20150264061 | SYSTEM AND METHOD FOR DETECTING NETWORK INTRUSIONS USING LAYERED HOST SCORING - Approaches for detecting network intrusions, such as malware infection, Trojans, worms, or bot net mining activities includes: identifying one or more threat detections in session datasets, the session datasets corresponding to network traffic from a plurality of hosts; determining a layered detection score, the layered detection score corresponding to a certainty score and threat score; determining a layered host score, the layered host score corresponding to a certainty score and threat score; and generating alarm data comprising the layered detection score and the layered host score. In some embodiments, the network traffic may be received passively through a network switch; for example, by “tapping” the switch. Other additional objects, features, and advantages of the invention are described in the detailed description, figures and claims. | 09-17-2015 |
20150082433 | SYSTEMS AND METHODS FOR CAPTURING, REPLAYING, OR ANALYZING TIME-SERIES DATA - Provided is an intrusion detection system configured to detect anomalies indicative of a zero-day attack by statistically analyzing substantially all traffic on a network in real-time. The intrusion detection system, in some aspects, includes a network interface; one or more processors communicatively coupled to the network interface; system memory communicatively coupled to the processors. The system memory, in some aspects, stores instructions that when executed by the processors cause the processors to perform steps including: buffering network data from the network interface in the system memory; retrieving the network data buffered in the system memory; applying each of a plurality of statistical or machine-learning intrusion-detection models to the retrieved network data; aggregating intrusion-likelihood scores from each of the intrusion-detection models in an aggregate score, and upon the aggregate score exceeding a threshold, outputting an alert. | 03-19-2015 |