GB2570543A8 - Detecting triggering events for distributed denial of service attacks - Google Patents
- Publication number
- GB2570543A8 (application GB1817377.3A)
- Authority
- GB
- United Kingdom
- Prior art keywords
- remediation
- endpoints
- computer program
- proxies
- requests
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
- G06F11/3006—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1483—Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3055—Monitoring arrangements for monitoring the status of the computing system or of the computing system component, e.g. monitoring if the computing system is on, off, available, not available
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/34—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
- G06F11/3466—Performance evaluation by tracing or monitoring
- G06F11/3476—Data logging
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3265—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/144—Detection or countermeasures against botnets
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/146—Tracing the source of attacks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Quality & Reliability (AREA)
- Software Systems (AREA)
- Mathematical Physics (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A method, computer program and device for malicious proxy detection. Outbound traffic is monitored 1502 (in a computer program implementation, traffic to remote addresses outside the enterprise network is monitored). Secure communication protocol requests (e.g. HTTPS, SSL, TLS) from endpoints are detected 1504 (in a computer program implementation, requests from endpoints to remote network addresses are detected). Plaintext network addresses (e.g. URLs, or an alphanumeric address other than an IP address) within the requests are identified 1506. Remediation is performed on potentially malicious local proxies on the endpoints; in the computer program implementation, remediation is initiated 1508. Monitoring may include monitoring outbound traffic at enterprise network gateways or looking up reputations for the destinations of outbound communications. Remediation may include quarantining endpoints until the potentially malicious local proxies can be removed, or reversing the malware identification for a potentially malicious proxy by identifying a non-malicious source for the local proxy. Malware verification may be performed on potentially malicious proxies; this may include identifying the process that initiated the request and determining its reputation: if the process reputation is low or unknown, the malware identification is confirmed; if the process reputation is good, the malware identification is confirmed only when the calling process for that process has a low or unknown reputation.
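The abstract describes two pieces of decision logic that are easy to get wrong in practice: deciding whether a secure-protocol request carries a plaintext (non-IP) destination address, and the two-level process-reputation rule used to confirm or reverse a malware identification. The following is an added example written for this page, not code from the patent or from Sophos; the request record layout, the process/parent fields, the reputation labels ("good", "low", "unknown") and the sample requests are all constructed assumptions used to illustrate the rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Reputations that the abstract treats as grounds for confirming an identification.
REPUTATION_SUSPECT = {"low", "unknown"}
SECURE_PROTOCOLS = {"HTTPS", "SSL", "TLS"}


@dataclass
class ProcessInfo:
    """Endpoint process that initiated a request (assumed record layout)."""
    name: str
    reputation: str                          # "good", "low" or "unknown"
    parent: Optional["ProcessInfo"] = None   # the calling process, if known


@dataclass
class SecureRequest:
    """One secure-protocol request seen by the outbound monitor (assumed layout)."""
    endpoint: str        # local endpoint that sent the request
    protocol: str        # HTTPS / SSL / TLS as detected
    target: str          # destination as it appeared in the request
    process: ProcessInfo


def plaintext_address(target: str) -> Optional[str]:
    """Return the plaintext network address in a request target, or None.

    A URL or a bare hostname counts as plaintext; a literal IPv4/IPv6 address
    (with or without a port) does not, matching the abstract's distinction.
    """
    if "://" in target:
        host = urlsplit(target).hostname or ""
    elif target.startswith("["):             # [v6]:port form
        host = target[1:target.index("]")]
    elif target.count(":") == 1:             # host:port form
        host = target.rsplit(":", 1)[0]
    else:
        host = target                        # bare host or bare IPv6 literal
    try:
        ipaddress.ip_address(host)
        return None                          # literal IP: not a plaintext address
    except ValueError:
        return host or None


def verify_malware(proc: ProcessInfo) -> bool:
    """Two-level reputation rule from the abstract.

    Low/unknown process reputation confirms the identification outright; a
    good-reputation process confirms it only when its caller is low/unknown.
    A good process with no known caller is not confirmed (assumption).
    """
    if proc.reputation in REPUTATION_SUSPECT:
        return True
    parent = proc.parent
    return parent is not None and parent.reputation in REPUTATION_SUSPECT


def triage(requests: List[SecureRequest]) -> Dict[str, str]:
    """Map each endpoint with a candidate local proxy to a remediation action.

    "quarantine" = identification confirmed, isolate until the proxy is removed;
    "reverse"    = a non-malicious source was found, withdraw the identification.
    Requests to literal IPs or over non-secure protocols are not candidates.
    """
    actions: Dict[str, str] = {}
    for req in requests:
        if req.protocol.upper() not in SECURE_PROTOCOLS:
            continue
        if plaintext_address(req.target) is None:
            continue
        actions[req.endpoint] = "quarantine" if verify_malware(req.process) else "reverse"
    return actions


# Constructed sample requests (documentation-only names and RFC 5737/3849 addresses).
SAMPLE_REQUESTS = [
    SecureRequest("ws-01", "HTTPS", "https://updates.example.net/check",
                  ProcessInfo("svc_update.exe", "good", ProcessInfo("services.exe", "good"))),
    SecureRequest("ws-02", "TLS", "relay-placeholder.example:443",
                  ProcessInfo("proxyhelper.exe", "unknown")),
    SecureRequest("ws-03", "TLS", "203.0.113.10:443",
                  ProcessInfo("proxyhelper.exe", "unknown")),        # literal IP: skipped
    SecureRequest("ws-04", "HTTPS", "https://cdn.example.org/",
                  ProcessInfo("curl.exe", "good", ProcessInfo("installer.tmp", "unknown"))),
]

if __name__ == "__main__":
    for endpoint, action in sorted(triage(SAMPLE_REQUESTS).items()):
        print(f"{endpoint}: {action}")
```

Note that ws-03 produces no action even though its process is unknown: with a literal IP in the request there is no plaintext address to flag, so under the abstract's scheme it is not a candidate for this particular check. ws-04 shows the second branch of the rule, where a well-reputed tool is confirmed because its caller is unknown.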
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/136,762 US10938781B2 (en) | 2016-04-22 | 2016-04-22 | Secure labeling of network flows |
US15/136,687 US11277416B2 (en) | 2016-04-22 | 2016-04-22 | Labeling network flows according to source applications |
GB1816827.8A GB2564357B8 (en) | 2016-04-22 | 2016-06-29 | Detecting triggering events for distributed denial of service attacks |
Publications (5)
Publication Number | Publication Date |
---|---|
GB201817377D0 GB201817377D0 (en) | 2018-12-12 |
GB2570543A GB2570543A (en) | 2019-07-31 |
GB2570543B GB2570543B (en) | 2020-05-20 |
GB2570543A8 true GB2570543A8 (en) | 2020-09-30 |
GB2570543B8 GB2570543B8 (en) | 2021-12-08 |
Family
ID=60116990
Family Applications (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GB1816827.8A Active GB2564357B8 (en) | 2016-04-22 | 2016-06-29 | Detecting triggering events for distributed denial of service attacks |
GB1817377.3A Active GB2570543B8 (en) | 2016-04-22 | 2016-06-29 | Detecting triggering events for distributed denial of service attacks |
GB1817376.5A Active GB2574283B8 (en) | 2016-04-22 | 2016-06-29 | Detecting triggering events for distributed denial of service attacks |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GB1816827.8A Active GB2564357B8 (en) | 2016-04-22 | 2016-06-29 | Detecting triggering events for distributed denial of service attacks |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GB1817376.5A Active GB2574283B8 (en) | 2016-04-22 | 2016-06-29 | Detecting triggering events for distributed denial of service attacks |
Country Status (2)
Country | Link |
---|---|
GB (3) | GB2564357B8 (en) |
WO (1) | WO2017184189A1 (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10986109B2 (en) | 2016-04-22 | 2021-04-20 | Sophos Limited | Local proxy detection |
US11277416B2 (en) | 2016-04-22 | 2022-03-15 | Sophos Limited | Labeling network flows according to source applications |
US10938781B2 (en) | 2016-04-22 | 2021-03-02 | Sophos Limited | Secure labeling of network flows |
US11102238B2 (en) | 2016-04-22 | 2021-08-24 | Sophos Limited | Detecting triggering events for distributed denial of service attacks |
US11165797B2 (en) | 2016-04-22 | 2021-11-02 | Sophos Limited | Detecting endpoint compromise based on network usage history |
RU2740027C1 (en) * | 2020-02-12 | 2020-12-30 | Варити Менеджмент Сервисез Лимитед | Method and system for preventing malicious automated attacks |
US11381594B2 (en) * | 2020-03-26 | 2022-07-05 | At&T Intellectual Property I, L.P. | Denial of service detection and mitigation in a multi-access edge computing environment |
US20220239634A1 (en) * | 2021-01-26 | 2022-07-28 | Proofpoint, Inc. | Systems and methods for sensor trustworthiness |
US20240007483A1 (en) * | 2022-07-01 | 2024-01-04 | Nozomi Networks Sagl | Method for automatic signatures generation from a plurality of sources |
CN115589307A (en) * | 2022-09-07 | 2023-01-10 | 支付宝(杭州)信息技术有限公司 | Risk monitoring method and device for distributed system |
Family Cites Families (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7930740B2 (en) * | 2005-07-07 | 2011-04-19 | International Business Machines Corporation | System and method for detection and mitigation of distributed denial of service attacks |
US8490190B1 (en) * | 2006-06-30 | 2013-07-16 | Symantec Corporation | Use of interactive messaging channels to verify endpoints |
US8156557B2 (en) * | 2007-01-04 | 2012-04-10 | Cisco Technology, Inc. | Protection against reflection distributed denial of service attacks |
US8782786B2 (en) * | 2007-03-30 | 2014-07-15 | Sophos Limited | Remedial action against malicious code at a client facility |
US8769702B2 (en) * | 2008-04-16 | 2014-07-01 | Microsoft Corporation | Application reputation service |
US8561181B1 (en) * | 2008-11-26 | 2013-10-15 | Symantec Corporation | Detecting man-in-the-middle attacks via security transitions |
AU2010223925A1 (en) * | 2009-03-13 | 2011-11-03 | Rutgers, The State University Of New Jersey | Systems and methods for the detection of malware |
KR100942456B1 (en) * | 2009-07-23 | 2010-02-12 | 주식회사 안철수연구소 | Method for detecting and protecting ddos attack by using cloud computing and server thereof |
US8832835B1 (en) * | 2010-10-28 | 2014-09-09 | Symantec Corporation | Detecting and remediating malware dropped by files |
US20120324568A1 (en) * | 2011-06-14 | 2012-12-20 | Lookout, Inc., A California Corporation | Mobile web protection |
CN104718721A (en) * | 2012-08-17 | 2015-06-17 | 诺基亚通信公司 | Data services in a computer system |
US9503324B2 (en) * | 2013-11-05 | 2016-11-22 | Harris Corporation | Systems and methods for enterprise mission management of a computer network |
US9967282B2 (en) * | 2014-09-14 | 2018-05-08 | Sophos Limited | Labeling computing objects for improved threat detection |
US20170091482A1 (en) * | 2015-09-30 | 2017-03-30 | Symantec Corporation | Methods for data loss prevention from malicious applications and targeted persistent threats |
2016
- 2016-06-29 GB GB1816827.8A patent/GB2564357B8/en active Active
- 2016-06-29 WO PCT/US2016/040094 patent/WO2017184189A1/en active Application Filing
- 2016-06-29 GB GB1817377.3A patent/GB2570543B8/en active Active
- 2016-06-29 GB GB1817376.5A patent/GB2574283B8/en active Active
Also Published As
Publication number | Publication date |
---|---|
GB2574283B (en) | 2020-05-20 |
GB2564357A (en) | 2019-01-09 |
GB2570543A (en) | 2019-07-31 |
WO2017184189A1 (en) | 2017-10-26 |
GB2564357B8 (en) | 2021-12-08 |
GB2574283A (en) | 2019-12-04 |
GB201816827D0 (en) | 2018-11-28 |
GB2564357B (en) | 2020-10-07 |
GB2570543B8 (en) | 2021-12-08 |
GB2574283B8 (en) | 2021-12-08 |
GB201817376D0 (en) | 2018-12-12 |
GB201817377D0 (en) | 2018-12-12 |
GB2570543B (en) | 2020-05-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
GB2570543A8 (en) | Detecting triggering events for distributed denial of service attacks | |
US9680795B2 (en) | Destination domain extraction for secure protocols | |
Durumeric et al. | An Internet-wide view of Internet-wide scanning | |
US9985981B2 (en) | Monitoring traffic in a computer network | |
US10104119B2 (en) | Short term certificate management during distributed denial of service attacks | |
US10313372B2 (en) | Identifying malware-infected network devices through traffic monitoring | |
KR101486307B1 (en) | Apparatus and method for security monitoring | |
US9407650B2 (en) | Unauthorised/malicious redirection | |
US9621544B2 (en) | Computer implemented method of analyzing X.509 certificates in SSL/TLS communications and the data-processing system | |
US11388188B2 (en) | Systems and methods for automated intrusion detection | |
EP3041190A1 (en) | Dynamic service handling using a honeypot | |
US11483339B1 (en) | Detecting attacks and quarantining malware infected devices | |
US10263975B2 (en) | Information processing device, method, and medium | |
US20170070518A1 (en) | Advanced persistent threat identification | |
CN108259473B (en) | Web server scanning protection method | |
US20170331853A1 (en) | Security system | |
WO2014062629A1 (en) | System and method for correlating security events with subscriber information in a mobile network environment | |
US10142360B2 (en) | System and method for iteratively updating network attack mitigation countermeasures | |
CN110061998B (en) | Attack defense method and device | |
Yamada et al. | Using abnormal TTL values to detect malicious IP packets | |
US10205738B2 (en) | Advanced persistent threat mitigation | |
US10079857B2 (en) | Method of slowing down a communication in a network | |
US10778708B1 (en) | Method and apparatus for detecting effectiveness of security controls | |
Malik et al. | LAN Based Intrusion Detection And Alerts | |
Jhala et al. | Dearth the Security of Smartphone Messaging Application: WhatsApp |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
S117 | Correction of errors in patents and applications (sect. 117/patents act 1977) |
Free format text: REQUEST FILED; REQUEST FOR CORRECTION UNDER SECTION 117 FILED ON 18 OCTOBER 2021 |
S117 | Correction of errors in patents and applications (sect. 117/patents act 1977) |
Free format text: CORRECTIONS ALLOWED; REQUEST FOR CORRECTION UNDER SECTION 117 FILED ON 18 OCTOBER 2021 ALLOWED ON 25 NOVEMBER 2021 |