GB2594157A - Method and apparatus for detecting irregularities on device - Google Patents


Info

Publication number: GB2594157A
Authority: GB (United Kingdom)
Application number: GB2105359.0A
Other versions: GB2594157B (en), GB202105359D0 (en)
Inventor: Dodson Stephen
Current Assignee: Elasticsearch Inc
Original Assignee: Elasticsearch Inc
Legal status: Granted (active)
Priority claimed from: GB1316319.1A

Events:
    • Application filed by Elasticsearch Inc
    • Priority to GB2105359.0A
    • Priority claimed from GB1316319.1A
    • Publication of GB202105359D0
    • Publication of GB2594157A
    • Application granted
    • Publication of GB2594157B
    • Active legal status
    • Anticipated expiration

Classifications

    • H ELECTRICITY → H04 ELECTRIC COMMUNICATION TECHNIQUE → H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION → H04L 63/00 Network architectures or network communication protocols for network security → H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • G PHYSICS → G06 COMPUTING; CALCULATING OR COUNTING → G06F ELECTRIC DIGITAL DATA PROCESSING → G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity → G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals → G06F 21/31 User authentication → G06F 21/316 User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • G PHYSICS → G06 COMPUTING; CALCULATING OR COUNTING → G06F ELECTRIC DIGITAL DATA PROCESSING → G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity → G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems → G06F 21/55 Detecting local intrusion or implementing counter-measures → G06F 21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • H ELECTRICITY → H04 ELECTRIC COMMUNICATION TECHNIQUE → H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION → H04L 63/00 Network architectures or network communication protocols for network security → H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic → H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic → H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY → H04 ELECTRIC COMMUNICATION TECHNIQUE → H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION → H04L 63/00 Network architectures or network communication protocols for network security → H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic → H04L 63/1441 Countermeasures against malicious traffic → H04L 63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms


Abstract

A method of detecting irregularities, such as malware 50 or fraud, on a computer device 10 comprises continuously receiving, by a monitoring program 60, data items relating to an operation of the computer device within a network 100, the program and device being connected to the network. The data items may be proxy logs or headers of messages 70. Based on the data items, the program creates a plurality of user profiles 62, each associated with a different one of a plurality of users of the device, and compares the profiles to determine whether one of them deviates from the others. If it does, an alert 80 is generated by an alert module 67, which may indicate to an administrator or fraud officer that the user should be investigated. The deviation may include transferring unusual amounts of data, continually accessing an unusual website, connecting to an unexpected IP address, or using an infrequently used port.

Description

Title: Method and Apparatus for Detecting Irregularities on Device
Cross-Reference to Related Applications
[0001] This application is a divisional application of UK Patent Application No. 1316319.1, entitled "Method and Apparatus for Detecting Irregularities on Device", filed 13 September 2013, which is related to US patent application No. US 12/965,226 entitled "Apparatus and Method for Analyzing a Computer Structure", filed on 10 December 2010.
Field of the invention
[0002] This application relates to an apparatus and a method for the detection of irregularities on a device; such irregularities include, but are not limited to, malware or fraud.
Background to the invention
[0003] The term "malware" is short for "malicious software" and is software that is used or programmed to disrupt the operation of an individual computer and/or computer network, to gather sensitive information or to gain access to private computer systems. The malware can appear in the form of code, scripts, active content, and other software. The malware includes, but is not limited to, computer viruses, ransomware, worms, Trojan horses, rootkits, keyloggers, dialers, spyware, adware and rogue security software. The majority of active malware threats are usually worms or Trojans, rather than viruses.
[0004] As attacks by malware become more frequent, programs and methods have been developed specifically to combat the malware. One commonly used approach is to install a scanner onto a user's computer, which hooks deep into the operating system and functions in a manner similar to the way in which the malware itself would attempt to operate. The scanner, on attempted access of a file, checks whether the accessed file is a legitimate file or not. The access operation is stopped if the file is considered to be malware by the scanner, and the file is dealt with by the scanner in a pre-defined way. A user will generally be notified. This approach may considerably slow down the speed of operation of the operating system and depends on the effectiveness of the scanner.
[0005] Another approach to combatting malware is to attempt to provide real-time protection against the installation of the malware on the user's computer. This approach scans the incoming network data for malware and blocks any threats identified.
[0006] Anti-malware software programs can be used for the detection and removal of malware that has already been installed onto the computer. This approach scans the contents of the operating system, registry, operating system files and installed computer programs on the user's computer and provides a list of any identified threats, allowing the user to choose which ones of the files to delete or keep, or compares this list to a list of known malware and removes the related files.
[0007] Typically, malware products detect the malware based on heuristics or on signatures. Other malware products maintain a blacklist and/or a whitelist of files that are known to be related to the malware.
[0008] Methods of detecting malware using a plurality of detection sources to detect potential attacks of malware are known. The use of more than one detection source enables a more reliable decision to be made about whether a computer network is under attack. For example, US patent application publication No. US 2006/0259967 (Thomas et al.) teaches a method for determining whether a network is under attack by sharing data from several event detection systems and passing the suspicious event data to a centralized location for analysis. The suspicious event data is generated in an event evaluation computer including an evaluation component. The evaluation component analyses the suspicious events observed in the network and quantifies the likelihood that the network is infected or under attack by malware. The evaluation component can, in one aspect of the disclosure, determine whether the number of suspicious events in a given timeframe is higher than a predetermined threshold. The evaluation component may also analyze metadata generated by the event detection systems and thereby calculate a suspicion score representing the probability that the network is infected or under attack.
[0009] US patent application publication No. 2008/0141371 (Bradicich et al.) discloses a method and system for heuristic malware detection. The detection method includes merging a baseline inventory of file attributes for a number of files from each client computing system. The method includes receipt of an updated inventory of file attributes in a current inventory survey from different ones of the clients. Each received inventory survey can be compared to the merged inventory and, in response to the comparison, a deviant pattern or file attribute changes can be detected in at least one inventory survey for a corresponding one of the clients. The deviant pattern can be classified as either a benign event or a malware attack.
[0010] Similarly, a thesis by Blount entitled "Adaptive rule-based malware detection employing learning classifier systems", Missouri University of Science and Technology, 2011, discloses a rule-based expert system for the detection of malware with an evolutionary learning algorithm. This creates a self-training adaptive malware detection system that dynamically evolves detection rules. The thesis uses a training set to train the algorithm.
Summary of the invention
[0011] In one aspect of the invention, there is provided a system for the detection of irregularities on a computer device in accordance with Claim 1. In another aspect of the invention, there is provided a method for the detection of irregularities on a computer device according to Claim 11.
Description of the Figures
[0012] Fig. 1 shows an overview of a user computer connected to a network.
[0013] Fig. 2 shows an example of messages generated by the user computer.
[0014] Fig. 3 shows an example of connections to services.
[0015] Fig. 4 shows a flow diagram of the method.
Detailed description of the invention
[0016] The invention will now be described on the basis of the drawings. It will be understood that the embodiments and aspects of the invention described herein are only examples and do not limit the protective scope of the claims in any way. The invention is defined by the claims and their equivalents. It will be understood that features of one aspect or embodiment of the invention can be combined with a feature of a different aspect or aspects and/or embodiments of the invention.
[0017] Fig. 1 shows a user computer 10 with a plurality of outgoing connections 26 and a plurality of incoming connections 30 in a computer network 100. The outgoing connections 26 and the incoming connections 30 are connected to one or more servers 15a-c using, for example, the TCP protocol. A plurality of processes 40a-c are running on the user computer 10. The processes 40a-c include regular processes, such as, but not limited to, a Splunk® process 40a, a Python® process 40b, and a master process 40c. Each one of the regular processes 40a-c will use one or more of the outgoing ports 25 or the incoming ports 35. The typical port number is shown in the schematic boxes illustrating the processes 40a-c.
[0018] A malware 50 may be operating on the user's computer 10. The malware 50 could be a specially developed piece of software code or could be a regular piece of code, and will generally also run as a process. The malware 50 is also connected to one or more of the outgoing ports 25 or the incoming ports 35. In the aspect of the invention shown in Fig. 1, it is assumed that the malware 50 is a process in the user computer 10 running a file transfer protocol using the outgoing port 41217. The malware could also be a modified version of an existing piece of code.
[0019] A monitoring program 60 installed within the network 100 in which the user computer 10 is operating continually monitors the network 100 and the user computer 10, as well as messages 70 exchanged within the network 100 and/or generated by the user computer 10. The monitoring program 60 uses a variety of data sources for performing the monitoring.
[0020] The monitoring program 60 uses data sources based on network flow traffic statistics through the computer network 100. These data sources include proxy logs and NetFlow® records, which record the destination of data sent through the outgoing ports 25 and the source of incoming data received through the incoming ports 35. The monitoring program 60 analyzes headers in the data records and can also investigate which browsers are being run on the user computer 10.
[0021] Many computer networks 100 also have a DNS server 110 located in the private network, as well as having access to public DNS servers. The DNS server 110 includes a variety of data log entries, including time stamps, indicating which ones of the user computers 10 attempted to access which web sites or external servers at which period of time.
[0022] The monitoring program 60 can also review headers in emails and/or other messages 70 sent throughout the computer network 100. The email headers will include information such as the time, the destination and the source, as well as information about the size of the email.
[0023] It will be appreciated that these data sources are merely exemplary and that other data sources can be used or supplied. Only a single user computer 10 is shown in Fig. 1 for simplicity. In practice, there will be a large number of user computers 10 and servers 15a-c. It will be appreciated that the network 100 may also contain other devices that can generate messages 70 or other data.
[0024] The monitoring program 60 creates a user profile 62, stored in a user profile database 65 attached to the monitoring program 60, for each one of the user computers 10 using the plurality of data sources. It will be appreciated that the user profile database 65 contains more than one user profile 62. The user profile 62 in the user profile database 65 receives data items 66 that indicate how the user computer 10 generally interacts with the network 100 as well as with the servers 15a-c and other devices in the network 100. For example, the user profile 62 identifies which ones of the outgoing ports 25 and the incoming ports 35 are typically used by the user computer 10 for which processes 40. The user profile 62 will continually be updated as new ones of the data items 66 relating to activity of the user computer 10 are generated. The user profile 62 creates in essence a baseline from which 'normal' can be deduced.
[0025] Suppose now that the malware process 50 starts on the user computer 10. The monitoring program 60 will receive further data items that indicate that the behaviour of the user computer 10 deviates from the behaviour expected by comparison with the user profile 62 stored in the user profile database 65. Non-limiting examples of such deviant behaviour include massive amounts of data being transferred to one of the servers 15a-c, or continual access to a new website. The monitoring program 60 can notify an administrator of a possible malware infection of the user computer, and the administrator can investigate the user computer 10.
[0026] An example is shown in Fig. 2, which shows how the monitoring system reports anomalous behaviour. On Thursday October 2012 an ftp process 40 started on a server 15a-c. This process 40 was unusual compared to the normal network processes 40a-c running on this server. The monitoring program 60 automatically identified this and reported it as a non-zero anomaly score.
[0027] Another example is shown in Fig. 3, in which two user computers 10 are connected to a server 15 running a plurality of processes 40. One of the processes 40m generally connects to the same IP address 10.135.1.7. However, in one instance it connects to an IP address 10.230.80.46 (shown in Fig. 3 as 10.230.80.x), which is unexpected. This unexpected connection will be picked up by the monitoring program 60 and reported to the administrator.
[0028] The monitoring program 60 can also review attempts to connect to the user computer 10 through various ones of the incoming ports 35. For example, incoming requests for a particular process 40a-c would be expected on several ones of the incoming ports 35. An attempt to connect to a particular process 40 on an unusual port would be detected by the monitoring program 60 and indicated to the administrator. The monitoring program 60 would identify a connection to a particular process through a particular port 25 that has never or rarely been seen as deviant behaviour and generate an alert 80 for the administrator.
[0029] Fig. 4 shows an outline of a process 400 for the detection of irregularities, such as malware. The process 400 starts at 410, and in step 420 data from the various data sources is gathered. In step 430 the gathered data is compared with one or more of the user profiles 62 and, if an anomaly is discovered, an alert is generated in step 440 such that the administrator can investigate in step 450. In step 460, the user profile 62 is updated from the newly gathered data items. The user profile 62 will also be updated using data relating to the anomaly.
[0030] The updating of the user profile 62 in step 460 ensures that the user profile 62 is continually adapted to new devices or other computers inserted into the computer network 100 and/or changes to the processes 40a-c running on the user computer.
[0031] In a further aspect of the invention, the system and method can be used to detect other irregularities on the user computer 10 or in the computer network 100. It would be possible, for example, to use the teachings of the disclosure to detect fraud by users of the user computer 10. The fraud can be detected by, for example, identifying anomalous attempts to access certain websites which are not normally accessed, or by an attempt to transfer significant amounts of data to a computer or memory device that is not normally in use, or by the generation of a large number of emails in a particular period of time.
[0032] The detection of fraud is made by detection of unusual activity in the user profile 62. One method for identifying fraud is by comparing the different ones of the user profiles 62 of different users of the computer. If one of the user profiles 62 is substantially different from the other ones of the user profiles 62, then notification can be made to an administrator or a fraud officer to investigate the user and the user computer 10. Another method for identifying fraud is if the user profile 62 suddenly changes.
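The process 400 of Fig. 4 (gather, compare against a baseline profile, alert, update) together with the cross-user profile comparison described for fraud detection, as an added Python example that is not code from the patent or from Elasticsearch; the record fields, the thresholds, the host names and every sample data item are constructed assumptions of this example:

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


def rec(user, process, port, dst_ip, host, bytes_out):
    """One data item: which process on the device talked to which destination (assumed fields)."""
    return {"user": user, "process": process, "port": port,
            "dst_ip": dst_ip, "host": host, "bytes_out": bytes_out}


# Constructed baseline records (proxy-log / NetFlow-style) for three users of one device.
BASELINE = [
    rec("alice", "splunkd", 8089, "10.135.1.7", "splunk.corp", 4000),
    rec("alice", "splunkd", 8089, "10.135.1.7", "splunk.corp", 4200),
    rec("alice", "outlook", 443, "10.135.2.20", "mail.corp", 1200),
    rec("alice", "browser", 443, "10.135.3.5", "intranet.corp", 20000),
    rec("alice", "browser", 443, "10.135.3.6", "wiki.corp", 15000),
    rec("bob", "splunkd", 8089, "10.135.1.7", "splunk.corp", 4100),
    rec("bob", "outlook", 443, "10.135.2.20", "mail.corp", 1000),
    rec("bob", "browser", 443, "10.135.3.5", "intranet.corp", 18000),
    rec("bob", "browser", 443, "10.135.3.7", "git.corp", 9000),
    rec("carol", "splunkd", 8089, "10.135.1.7", "splunk.corp", 3800),
    rec("carol", "browser", 443, "203.0.113.10", "filehost.example", 30000000),
    rec("carol", "browser", 443, "203.0.113.11", "transfer.example", 25000000),
]

# Constructed further records: one normal item, one ftp-like transfer on a port the device
# never used before, then repeated visits to a site alice has never visited.
FURTHER = [
    rec("alice", "splunkd", 8089, "10.135.1.7", "splunk.corp", 4100),
    rec("alice", "ftp", 41217, "10.230.80.46", "10.230.80.46", 50000000),
    rec("alice", "browser", 443, "203.0.113.10", "filehost.example", 2000),
    rec("alice", "browser", 443, "203.0.113.10", "filehost.example", 2100),
    rec("alice", "browser", 443, "203.0.113.10", "filehost.example", 1900),
]


@dataclass
class Profile:
    """Baseline of 'normal' for one user: ports per process, peers, hosts, volumes."""
    ports_by_process: dict = field(default_factory=lambda: defaultdict(Counter))
    dst_ips: Counter = field(default_factory=Counter)
    hosts: Counter = field(default_factory=Counter)
    bytes_out: list = field(default_factory=list)

    def add(self, r):
        self.ports_by_process[r["process"]][r["port"]] += 1
        self.dst_ips[r["dst_ip"]] += 1
        self.hosts[r["host"]] += 1
        self.bytes_out.append(r["bytes_out"])


def build_profiles(records):
    """Step 420: one profile per user, built from the gathered data items."""
    profiles = defaultdict(Profile)
    for r in records:
        profiles[r["user"]].add(r)
    return profiles


def deviations(profile, r, min_port_share=0.05, volume_sigmas=3.0):
    """Step 430: the reasons (if any) why one further record deviates from the baseline."""
    reasons = []
    ports = profile.ports_by_process.get(r["process"])
    if not ports:
        reasons.append(f"process {r['process']} never seen")
    elif ports[r["port"]] / sum(ports.values()) < min_port_share:
        reasons.append(f"infrequently used port {r['port']} for {r['process']}")
    if r["dst_ip"] not in profile.dst_ips:
        reasons.append(f"unexpected IP address {r['dst_ip']}")
    if r["host"] not in profile.hosts:
        reasons.append(f"unusual website {r['host']}")
    if len(profile.bytes_out) >= 2:  # volume outlier against the user's own history
        mu, sigma = mean(profile.bytes_out), pstdev(profile.bytes_out)
        if r["bytes_out"] > mu + volume_sigmas * max(sigma, 1.0):
            reasons.append(f"unusual amount of data {r['bytes_out']} bytes")
    return reasons


def process_400(profiles, further, continual=3):
    """Steps 430-460: alert on deviating records; only non-deviating ones extend the baseline."""
    alerts, unseen = [], Counter()
    for r in further:
        prof = profiles[r["user"]]
        reasons = deviations(prof, r)
        if r["host"] not in prof.hosts:  # 'continually accessing an unusual website'
            unseen[(r["user"], r["host"])] += 1
            if unseen[(r["user"], r["host"])] == continual:
                reasons.append(f"continually accessing unusual website {r['host']}")
        if reasons:
            alerts.append((r["user"], r["process"], reasons))  # step 440
        else:
            prof.add(r)  # step 460
    return alerts


def jaccard(a, b):
    return len(a & b) / len(a | b) if a or b else 1.0


def outlying_users(profiles, threshold=0.25):
    """Fraud check: users whose visited hosts barely overlap with those of all other users."""
    flagged = []
    for user, prof in profiles.items():
        others = set().union(*(p.hosts for u, p in profiles.items() if u != user))
        if jaccard(set(prof.hosts), others) < threshold:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for user, process, reasons in process_400(profiles, FURTHER):
        print(f"ALERT user={user} process={process}: {'; '.join(reasons)}")
    print("profiles deviating from the other users:", outlying_users(profiles))
```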
Some non-limiting aspects of the invention are as follows:
Clause 1. A system for the detection of irregularities of a device comprising: a monitoring program for reviewing data relating to operation of the device; a device profile including data items relating to typical operation of the device; and an alert module for generating an alert on detection of an irregularity relating to the device (10).
Clause 2. The system of clause 1, wherein the data items comprise at least one of ports associated with processes, addresses of connectable devices, and volumes of data.
Clause 3. The system of clause 1, wherein the irregularities are one or more of malware or fraud.
Clause 4. A method for the detection of irregularities of a device comprising: detecting a plurality of data items relating to the operation of the device; comparing the detected plurality of data items with a device profile; and generating an alert on detection of irregularities.
Clause 5. The method of clause 4, further comprising updating the device profile by monitoring the data items over a period of time and generating data items for storage in the device profile.

Claims (18)

  1. A system for the detection of irregularities (50) on a computer device (10), the irregularities (50) being one or more of malware and fraud, the system comprising: a monitoring program (60) configured to: continuously receive data items (66) relating to a typical operation of the computer device (10) within a network, the monitoring program (60) and the computer device (10) being connected to the network; based on the data items (66), create a plurality of device baseline profiles (62) associated with the typical operation of the computer device (10), each of the plurality of device baseline profiles (62) being associated with one of a plurality of users, the plurality of users being associated with the computer device (10); receive further data items indicative of a current operation of the computer device (10); and determine whether the further data items deviate from the typical operation of the computer device (10) by comparing the further data items with the plurality of device baseline profiles (62); an alert module (80) configured to, based on the determining of the deviating of the further data items from the typical operation of the computer device (10), generate an alert (80); and a user profile database (65) configured to store the plurality of device baseline profiles (62).
  2. The system of claim 1, wherein the monitoring program (60) is further configured to: upon the determining of the deviating from the typical operation of the computer device (10), determine, based on the plurality of device baseline profiles (62), a user of the plurality of users, the user being associated with an unusual operation of the computer device (10); and wherein the alert module (80) is further configured to send a notification to an administrator associated with the network to investigate the user.
  3. The system of claim 1, wherein the monitoring program (60) is further configured to: based on the determining whether the further data items deviate from the typical operation of the computer device (10), update at least one of the plurality of device baseline profiles (62) to include the further data items if the further data items do not deviate from the typical operation of the computer device (10).
  4. The system of claim 1, wherein the deviating from the typical operation of the device (10) includes one or more of transferring unusual amounts of data, continually accessing an unusual website, connecting to an unexpected Internet Protocol address, and using an infrequently used port.
  5. The system of claim 1, wherein the data items (66) include one or more of incoming ports and outgoing ports associated with processes run on the computing device (10) and typical for an operation of the computing device (10), addresses of connectable devices, volumes of data transferred to or from the computing device (10), and data log entries.
  6. The system of claim 1, wherein the monitoring program (60) is further configured to monitor messages exchanged within the network and messages generated by the computer device (10), wherein the data items (66) further include the messages exchanged within the network and the messages generated by the computer device (10).
  7. The system of claim 1, wherein the continuously receiving, by the monitoring program (60), the data items (66) includes receiving the data items (66) from a plurality of data sources.
  8. The system of claim 7, wherein the plurality of data sources include proxy logs and NetFlow records that store a destination of outgoing data sent through outgoing ports and sources of incoming data received through incoming ports.
  9. The system of claim 1, wherein the monitoring program (60) is further configured to analyze headers of messages sent throughout the network, wherein the data items (66) further include data related to the headers of messages.
  10. The system of claim 1, wherein the monitoring program (60) is further configured to analyze browsers run on the computer device (10), wherein the data items (66) further include data related to the browsers.
  11. A method for the detection of irregularities (50) on a computer device (10), the irregularities (50) being one or more of malware and fraud, the method comprising: continuously receiving, by a monitoring program (60), data items (66) relating to a typical operation of the computer device (10) within a network, the monitoring program (60) and the computer device (10) being connected to the network; based on the data items (66), creating, by the monitoring program (60), a plurality of device baseline profiles (62) associated with the typical operation of the computer device (10), each of the plurality of device baseline profiles (62) being associated with one of a plurality of users, the plurality of users being associated with the computer device (10); receiving, by the monitoring program, further data items indicative of a current operation of the computer device (10); determining, by the monitoring program, whether the further data items deviate from the typical operation of the computer device (10) by comparing the further data items with the plurality of device baseline profiles (62); and based on the determining of the deviating of the further data items from the typical operation of the computer device (10), generating, by an alert module (80), an alert (80).
  12. The method of claim 11, further comprising: upon the determining of the deviating from the typical operation of the computer device (10), determining, based on the plurality of device baseline profiles (62), a user of the plurality of users, the user being associated with an unusual operation of the computer device (10); and sending a notification to an administrator associated with the network to investigate the user.
  13. The method of claim 11, further comprising: based on the determining whether the further data items deviate from the typical operation of the computer device (10), updating, by the monitoring program (60), at least one of the plurality of device baseline profiles (62) to include the further data items if the further data items do not deviate from the typical operation of the computer device (10).
  14. The method of claim 11, wherein the deviating from the typical operation of the device (10) includes one or more of transferring unusual amounts of data, continually accessing an unusual website, connecting to an unexpected Internet Protocol address, and using an infrequently used port.
  15. The method of claim 11, wherein the data items (66) include one or more of incoming ports and outgoing ports associated with processes run on the computing device (10) and typical for an operation of the computing device (10), addresses of connectable devices, volumes of data transferred to or from the computing device (10), and data log entries.
  16. The method of claim 11, further comprising monitoring, by the monitoring program (60), messages exchanged within the network and messages generated by the computer device (10), wherein the data items (66) further include the messages exchanged within the network and the messages generated by the computer device (10).
  17. The method of claim 11, wherein the continuously receiving, by the monitoring program (60), the data items (66) includes receiving the data items (66) from a plurality of data sources.
  18. The method of claim 17, wherein the plurality of data sources include proxy logs and NetFlow records that store a destination of outgoing data sent through outgoing ports and sources of incoming data received through incoming ports.
  19. The method of claim 11, further comprising analyzing, by the monitoring program (60), headers of messages sent throughout the network, wherein the data items (66) further include data related to the headers of messages.
  20. The method of claim 11, further comprising analyzing, by the monitoring program (60), browsers run on the computer device (10), wherein the data items (66) further include data related to the browsers.

Claims

  1. A system for the detection of irregularities (50) on a computer device (10), the system comprising: a monitoring program (60) configured to: continuously receive data items (66) relating to an operation of the computer device (10) within a network (100), the monitoring program (60) and the computer device (10) being connected to the network (100), the data items (66) indicating how the computer device (10) reacts with the network (100) as well as with servers (15a-c) and other devices in the network (100); based on the data items (66), create a plurality of user profiles (62), each of the plurality of user profiles (62) being associated with a different one of a plurality of users, the plurality of users being associated with the computer device (10); and determine whether one of the plurality of user profiles (62) deviates from the other ones of the plurality of user profiles (62) by comparing the plurality of user profiles (62), wherein the deviating from the other ones of the plurality of user profiles (62) includes continually accessing an unusual website; an alert module (80) configured to, based on the determining of the deviating of the one of the plurality of user profiles (62) from the other ones of the plurality of user profiles (62), generate an alert (80); and a user profile database (65) configured to store the plurality of user profiles (62).
  2. The system of claim 1, wherein the alert module (80) is further configured to send a notification to an administrator associated with the network (100) to investigate a user associated with the one of the plurality of user profiles (62).
  3. The system of claim 1, wherein the deviating from the other ones of the plurality of user profiles (62) further includes one or more of transferring unusual amounts of data, connecting to an unexpected Internet Protocol address, and using an infrequently used port.
  4. The system of claim 1, wherein the data items (66) include one or more of incoming ports (30) and outgoing ports (25) associated with processes (40a-c) run on the computing device (10) and typical for an operation of the computing device (10), addresses of connectable devices, volumes of data transferred to or from the computing device (10), and data log entries.
  5. The system of claim 1, wherein the monitoring program (60) is further configured to monitor messages exchanged within the network (100) and messages generated by the computer device (10), wherein the data items (66) further include the messages exchanged within the network (100) and the messages generated by the computer device (10).
  6. The system of claim 1, wherein the continuously receiving, by the monitoring program (60), the data items (66) includes receiving the data items (66) from a plurality of data sources.
  7. The system of claim 6, wherein the plurality of data sources include network flow traffic statistics that store a destination of outgoing data sent through outgoing ports (25) and sources of incoming data received through incoming ports (30).
  8. The system of claim 1, wherein the monitoring program (60) is further configured to analyze headers of messages sent throughout the network (100), wherein the data items (66) further include data related to the headers of messages.
  9. The system of claim 1, wherein the monitoring program (60) is further configured to analyze browsers run on the computer device (10), wherein the data items (66) further include data related to the browsers.
  10. A method for the detection of irregularities (50) on a computer device (10), the method comprising: continuously receiving, by a monitoring program (60), data items (66) relating to an operation of the computer device (10) within a network (100), the monitoring program (60) and the computer device (10) being connected to the network (100), the data items (66) indicating how the computer device (10) reacts with the network (100) as well as with servers (15a-c) and other devices in the network (100); based on the data items (66), creating, by the monitoring program (60), a plurality of user profiles (62), each of the plurality of user profiles (62) being associated with a different one of a plurality of users, the plurality of users being associated with the computer device (10); determining, by the monitoring program (60), whether one of the plurality of user profiles (62) deviates from the other ones of the plurality of user profiles (62) by comparing the plurality of user profiles (62), wherein the deviating from the other ones of the plurality of user profiles (62) includes continually accessing an unusual website; and based on the determining of the deviating of the one of the plurality of user profiles (62) from the other ones of the plurality of user profiles (62), generating, by an alert module (80), an alert (80).
  11. The method of claim 10, further comprising: sending a notification to an administrator associated with the network (100) to investigate a user associated with the one of the plurality of user profiles (62).
  12. The method of claim 10, wherein the deviating from the other ones of the plurality of user profiles (62) includes one or more of transferring unusual amounts of data, connecting to an unexpected Internet Protocol address, and using an infrequently used port.
  13. The method of claim 10, wherein the data items (66) include one or more of incoming ports (30) and outgoing ports (25) associated with processes (40a-c) run on the computing device (10) and typical for an operation of the computing device (10), addresses of connectable devices, volumes of data transferred to or from the computing device (10), and data log entries.
  14. The method of claim 10, further comprising monitoring, by the monitoring program (60), messages exchanged within the network (100) and messages generated by the computer device (10), wherein the data items (66) further include the messages exchanged within the network (100) and the messages generated by the computer device (10).
  15. The method of claim 10, wherein the continuously receiving, by the monitoring program (60), the data items (66) includes receiving the data items (66) from a plurality of data sources.
  16. The method of claim 15, wherein the plurality of data sources include network flow traffic statistics that store a destination of outgoing data sent through outgoing ports (25) and sources of incoming data received through incoming ports (30).
  17. The method of claim 10, further comprising analyzing, by the monitoring program (60), headers of messages sent throughout the network (100), wherein the data items (66) further include data related to the headers of messages.
  18. The method of claim 10, further comprising analyzing, by the monitoring program (60), browsers run on the computer device (10), wherein the data items (66) further include data related to the browsers.
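Claims 1, 3, 4 and 7 (and their method counterparts 10, 12, 13 and 16) describe building one profile per user from network data items such as ports, addresses and data volumes, then comparing each profile against the other profiles and raising an alert for the one that deviates. The Python below is an added illustration of that comparison written for this page; it is not code from the patent, from the inventor or from Elasticsearch. It folds constructed flow records (user, destination host, destination IP, destination port, bytes out; invented here, shaped like a proxy-log line joined with a NetFlow record) into per-user profiles and reports the four deviation types the claims name. The record layout, the thresholds (three visits for "continually", two standard deviations for "unusual amounts of data") and all function names are assumptions.

```python
"""Added illustration of peer-profile comparison; not the patent's own code.

Builds one profile per user from constructed network data items and flags
the profile that deviates from the other profiles in the ways the claims
name: continually accessing an unusual website, transferring unusual
amounts of data, connecting to an unexpected IP address, and using an
infrequently used port.  Record layout, thresholds and names are assumed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed sample data items (invented for this example), one per flow:
# (user, destination host, destination IP, destination port, bytes out)
SAMPLE_DATA_ITEMS = [
    ("alice", "intranet.example", "10.0.0.5", 443, 120_000),
    ("alice", "mail.example", "10.0.0.6", 443, 80_000),
    ("alice", "docs.example", "10.0.0.7", 443, 200_000),
    ("bob", "intranet.example", "10.0.0.5", 443, 150_000),
    ("bob", "mail.example", "10.0.0.6", 443, 90_000),
    ("bob", "wiki.example", "10.0.0.8", 80, 60_000),
    ("carol", "intranet.example", "10.0.0.5", 443, 110_000),
    ("carol", "docs.example", "10.0.0.7", 443, 170_000),
    ("carol", "wiki.example", "10.0.0.8", 80, 70_000),
    # dave: repeated visits to a host nobody else uses, on an external IP and
    # an uncommon port, with far more outbound data than his peers
    ("dave", "intranet.example", "10.0.0.5", 443, 100_000),
    ("dave", "drop.example", "203.0.113.9", 4444, 900_000),
    ("dave", "drop.example", "203.0.113.9", 4444, 950_000),
    ("dave", "drop.example", "203.0.113.9", 4444, 980_000),
    ("dave", "drop.example", "203.0.113.9", 4444, 1_020_000),
]


@dataclass
class UserProfile:
    """Per-user summary of the data items seen for that user."""
    user: str
    site_visits: Counter = field(default_factory=Counter)  # host -> visit count
    ip_addresses: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    bytes_out: int = 0


def build_profiles(data_items):
    """Fold data items into one UserProfile per user (the profile database)."""
    profiles = {}
    for user, host, ip, port, nbytes in data_items:
        profile = profiles.setdefault(user, UserProfile(user))
        profile.site_visits[host] += 1
        profile.ip_addresses.add(ip)
        profile.ports.add(port)
        profile.bytes_out += nbytes
    return profiles


def find_deviations(profiles, min_visits=3, volume_sigma=2.0):
    """Compare each profile against the other profiles only.

    Returns {user: [reason, ...]} for users whose profile deviates.  A site,
    IP or port counts as unusual when no other user touched it; a data volume
    counts as unusual when it exceeds the peers' mean by more than
    volume_sigma population standard deviations.
    """
    findings = defaultdict(list)
    for user, profile in profiles.items():
        peers = [p for u, p in profiles.items() if u != user]
        if not peers:
            continue  # a lone user has nothing to be compared against
        peer_sites = set().union(*(p.site_visits for p in peers))
        peer_ips = set().union(*(p.ip_addresses for p in peers))
        peer_ports = set().union(*(p.ports for p in peers))

        for host, visits in sorted(profile.site_visits.items()):
            if visits >= min_visits and host not in peer_sites:
                findings[user].append(
                    f"continually accesses unusual website {host} ({visits} visits)")
        for ip in sorted(profile.ip_addresses - peer_ips):
            findings[user].append(f"connects to unexpected IP address {ip}")
        for port in sorted(profile.ports - peer_ports):
            findings[user].append(f"uses infrequently used port {port}")

        peer_bytes = [p.bytes_out for p in peers]
        mu, sigma = mean(peer_bytes), pstdev(peer_bytes)
        if profile.bytes_out > mu + volume_sigma * max(sigma, 1.0):
            findings[user].append(
                f"transfers unusual amount of data ({profile.bytes_out} B vs peer mean {mu:.0f} B)")
    return dict(findings)


def generate_alerts(findings):
    """Render the alert module's output: one line per deviating user."""
    return [f"ALERT: investigate user {user}: " + "; ".join(reasons)
            for user, reasons in sorted(findings.items())]


if __name__ == "__main__":
    for line in generate_alerts(find_deviations(build_profiles(SAMPLE_DATA_ITEMS))):
        print(line)
```

Two caveats a practitioner would keep in mind. The comparison is cross-user, so every user in the profile set is implicitly the baseline for every other; it only makes sense for users who share a role, and a single heavy-but-legitimate user drags the mean and standard deviation of a small peer group enough that a median-based threshold would be the safer choice in practice. And "no other user touched it" is a strict test that will fire on the first person to use any new internal service, so the site, IP and port checks are better run against a rolling window of peer activity than against a one-shot snapshot like the constructed list above.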
GB2105359.0A 2013-09-13 2013-09-13 Method and apparatus for detecting irregularities on device Active GB2594157B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB2105359.0A GB2594157B (en) 2013-09-13 2013-09-13 Method and apparatus for detecting irregularities on device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB2105359.0A GB2594157B (en) 2013-09-13 2013-09-13 Method and apparatus for detecting irregularities on device
GB1316319.1A GB2519941B (en) 2013-09-13 2013-09-13 Method and apparatus for detecting irregularities on device

Publications (3)

Publication Number Publication Date
GB202105359D0 GB202105359D0 (en) 2021-06-02
GB2594157A true GB2594157A (en) 2021-10-20
GB2594157B GB2594157B (en) 2022-02-16

Family

ID=76378334

Family Applications (1)

Application Number Title Priority Date Filing Date
GB2105359.0A Active GB2594157B (en) 2013-09-13 2013-09-13 Method and apparatus for detecting irregularities on device

Country Status (1)

Country Link
GB (1) GB2594157B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100235915A1 (en) * 2009-03-12 2010-09-16 Nasir Memon Using host symptoms, host roles, and/or host reputation for detection of host infection
US20110004580A1 (en) * 2009-07-01 2011-01-06 Oracle International Corporation Role based identity tracker
US20110162055A1 (en) * 2009-12-30 2011-06-30 International Business Machines Corporation Business Process Enablement For Identity Management
CA2747584A1 (en) * 2011-05-31 2012-11-30 Bce Inc. System and method for generating and refining cyber threat intelligence data
WO2013029968A1 (en) * 2011-08-30 2013-03-07 Nec Europe Ltd. Method and system for detecting anomaly of user behavior in a network
WO2013126826A1 (en) * 2012-02-24 2013-08-29 Winshuttle, Llc Dynamic web services workflow system and method

Also Published As

Publication number Publication date
GB2594157B (en) 2022-02-16
GB202105359D0 (en) 2021-06-02

Similar Documents

Publication Publication Date Title
US11068588B2 (en) Detecting irregularities on a device
US10237283B2 (en) Malware domain detection using passive DNS
JP6894003B2 (en) Defense against APT attacks
US10728263B1 (en) Analytic-based security monitoring system and method
Singh et al. Internet attacks and intrusion detection system: A review of the literature
US10095866B2 (en) System and method for threat risk scoring of security threats
US10726125B2 (en) Malware detection using clustering with malware source information
US11882137B2 (en) Network security blacklist derived from honeypot statistics
US8931099B2 (en) System, method and program for identifying and preventing malicious intrusions
Sandhu et al. A survey of intrusion detection & prevention techniques
US20170208084A1 (en) System and Method for Attribution of Actors to Indicators of Threats to a Computer System and Prediction of Future Threat Actions
US20080201722A1 (en) Method and System For Unsafe Content Tracking
EP3374870B1 (en) Threat risk scoring of security threats
US20090328210A1 (en) Chain of events tracking with data tainting for automated security feedback
Zuhair et al. RANDS: A machine learning-based anti-ransomware tool for windows platforms
US11372971B2 (en) Threat control
Shabtai et al. Monitoring, analysis, and filtering system for purifying network traffic of known and unknown malicious content
Coulibaly An overview of intrusion detection and prevention systems
US20230344838A1 (en) Detecting microsoft .net malware using machine learning on .net structure
CN115952375A (en) Method for verifying validity of threat information data
Barsha et al. Mitigation of malware using artificial intelligence techniques: a literature review
GB2594157A (en) Method and apparatus for detecting irregularities on device
Check Point et al. CHECKPOINT A
US20230082289A1 (en) Automated fuzzy hash based signature collecting system for malware detection
US20240039939A1 (en) Computer-readable recording medium storing attack situation output program, attack situation output device, and attack situation output system