Stealth Network Attack Monitoring
Abstract
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for stealth attack monitoring. In one aspect, a method includes monitoring a network for failed connection attempts in the network, wherein each failed internal connection attempt is initiated by a source asset and is an attempt to connect to a destination asset; and only in response to detecting a failed connection attempt initiated by a source asset, instantiating a source asset tracking instance in a computer memory, and for each source asset tracking instance in the computer memory: monitoring the corresponding source asset for a threshold number of failed connection attempts to destination assets during a time period; and in response to detecting the threshold number of failed connection attempts from the source asset during the time period for the source asset tracking instance, designating the source asset as a security risk.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method performed by data processing apparatus, the method comprising:
monitoring a network for failed connection attempts in the network, wherein:
the network is an internet protocol based network having a private address range and the network is monitored for failed connection attempts in the private address range; and
each failed internal connection attempt is initiated by a source asset in the network and is an attempt to connect to a destination asset in the network; and
only in response to detecting a failed connection attempt initiated by a source asset:
instantiating a source asset tracking instance in a computer memory, the source asset tracking instant identifying the source asset and being associated with the source asset;
for each source asset tracking instance in the computer memory:
monitoring the source asset identified by the source asset tracking instance for a threshold number of failed, low frequency connection attempts to destination assets in the network during a time period for the source asset tracking instance; and
in response to detecting the threshold number of failed connection attempts from the source asset during the time period for the source asset tracking instance, designating the source asset as a security risk.
2 . The method of claim 1 , further comprising, for each source asset tracking instance in computer memory:
in response to not detecting the threshold number of failed connection attempts from the source asset by an expiration of the time period, purging the source asset tracking instance from the computer memory.
3 . The method of claim 2 , wherein instantiating a source asset tracking instance in a computer memory comprises:
determining if an amount of computer memory currently being used to store data for source asset tracking instances meets a maximum allocation threshold; and instantiating the source asset tracking instance only if the amount of computer memory currently being used does not meet the maximum allocation threshold.
4 . The method of claim 2 , wherein instantiating a source asset tracking instance in a computer memory comprises:
determining if an number of instantiated source asset tracking instances meets a maximum instantiation threshold; and instantiating the source asset tracking instance only if the number of instantiated source asset tracking instances does not meet the maximum instantiation threshold.
5 . The method of claim 2 , wherein monitoring a network for failed connection attempts in the network comprises ignoring failed port connection attempts to ports that are designated as trusted ports.
6 . The method of claim 5 , wherein the trusted ports are ports that are scanned according to a trusted process that has been determined to not be a suspect or unknown process.
7 . The method of claim 6 , wherein the trusted ports include an internet printing port.
8 . The method of claim 2 , wherein monitoring a network for failed connection attempts in the network comprises monitoring only failed port connection attempts to ports that are designated as suspect ports.
9 . The method of claim 8 , wherein the suspect ports are ports that are determined to be commonly scanned by suspect or unknown processes.
10 . The method of claim 8 , wherein the suspect ports in include one or more of an SSH port, HTTP port, telnet port, and SMTP port.
11 . The method of claim 2 , wherein the time period for the source asset tracking instance is a period of time measured from a first failed connection attempt for the source tracking instance.
12 . (canceled)
13 . The method of claim 1 , wherein an IP address in the private address range is in the range of one of 172.16.X.X, 192.168.X.X, or 10.X.X.X, wherein each value of X ranges from 0-255.
14 . The method of claim 1 , wherein an IP address in the private address range is in a range determined by a system administrator.
15 . The method of claim 2 , wherein monitoring a network for failed connection attempts in the network comprises ignoring failed port connection attempts for source assets that are designated as trusted assets.
16 . The method of claim 2 , wherein monitoring a network for failed connection attempts in the network comprises ignoring failed port connection attempts for source assets that are designated as a security risk by one or more other security processes.
17 . A system, comprising:
a data processing apparatus; and software stored in a computer readable medium and comprising instructions executable by the data processing apparatus and that upon such execution cause the data processing apparatus to perform operations comprising:
monitoring a network for failed connection attempts in the network, wherein:
the network is an internet protocol based network having a private address range and the network is to be monitored for failed connection attempts in the private address range; and
each failed internal connection attempt is initiated by a source asset in the network and is an attempt to connect to a destination asset in the network; and
only in response to detecting a failed connection attempt initiated by a source asset:
instantiating a source asset tracking instance in a computer memory, the source asset tracking instant identifying the source asset and being associated with the source asset;
for each source asset tracking instance in the computer memory:
monitoring the source asset identified by the source asset tracking instance for a threshold number of failed, low frequency connection attempts to destination assets in the network during a time period for the source asset tracking instance; and
in response to detecting the threshold number of failed connection attempts from the source asset during the time period for the source asset tracking instance, designating the source asset as a security risk.
18 . The system of claim 17 , wherein the instructions cause the data processing apparatus to perform further operations comprising, for each source asset tracking instance in computer memory:
in response to not detecting the threshold number of failed connection attempts from the source asset by an expiration of the time period, purging the source asset tracking instance from the computer memory.
19 . The system of claim 18 , wherein instantiating a source asset tracking instance in a computer memory comprises:
determining if an amount of computer memory currently being used to store data for source asset tracking instances meets a maximum allocation threshold; and instantiating the source asset tracking instance only if the amount of computer memory currently being used does not meet the maximum allocation threshold.
20 . The system of claim 18 , wherein monitoring a network for failed connection attempts in the network comprises ignoring failed port connection attempts to ports that are designated as trusted ports.
21 . The system of claim 20 , wherein the trusted ports are ports that are scanned according to a trusted process that has been determined to not be a suspect or unknown process.
22 . The system of claim 18 , wherein monitoring a network for failed connection attempts in the network comprises monitoring only failed port connection attempts to ports that are designated as suspect ports.
23 . The system of claim 18 , wherein the time period for the source asset tracking instance is a period of time measured from a first failed connection attempt for the source tracking instance.
24 . (canceled)
25 . The system of claim 18 , wherein monitoring a network for failed connection attempts in the network comprises ignoring failed port connection attempts for source assets that are designated as trusted assets.
26 . The system of claim 18 , wherein monitoring a network for failed connection attempts in the network comprises ignoring failed port connection attempts for source assets that are designated as a security risk by one or more other security processes.
27 . Software stored in a computer readable medium and comprising instructions executable by a data processing apparatus and that upon such execution cause the data processing apparatus to perform operations comprising:
monitoring a network for failed connection attempts in the network, wherein:
the network is an internet protocol based network having a private address range and the network is to be monitored for failed connection attempts in the private address range; and
each failed internal connection attempt is initiated by a source asset in the network and is an attempt to connect to a destination asset in the network; and
only in response to detecting a failed connection attempt initiated by a source asset:
instantiating a source asset tracking instance in a computer memory, the source asset tracking instant identifying the source asset and being associated with the source asset;
for each source asset tracking instance in the computer memory:
monitoring the source asset identified by the source asset tracking instance for a threshold number of failed, low frequency connection attempts to destination assets in the network during a time period for the source asset tracking instance; and
in response to detecting the threshold number of failed connection attempts from the source asset during the time period for the source asset tracking instance, designating the source asset as a security risk.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.