DETECTION AND TRAIL-CONTINUATION FOR ATTACKS THROUGH REMOTE PROCESS EXECUTION LATERAL MOVEMENT


Bibliographic details
Main authors: Patil, Rushikesh; Kim, Eun-Gyu; Mukherjee, Niloy; Siroya, Sandeep
Format: Patent
Language: eng
Description

Abstract: Infrastructure attacks are identified by monitoring system-level activities using software agents deployed on the respective operating systems and constructing, from those system-level activities, an execution graph comprising a plurality of execution trails. A connection to a remote server executing on a first one of the operating systems is identified, where the connection is initiated by a remote execution function executing on a second one of the operating systems. A connection is formed between the first operating system and the second operating system in a global execution trail in the execution graph. A new process created on the first operating system is determined to be associated with a logon session resulting from the connection, and behavior exhibited by the logon session is attributed to the global execution trail in the execution graph.