Network based malware detection and reporting
Estimated expiration: 2032-Jul-05
Potentially relevant companies (2): Huawei Technologies Co., Ltd., ZTE Corporation
Products & technologies (1): Security:Computer
An apparatus, system and method are described for use in detecting the presence of malware on subscribers computers. The apparatus, system and method are network based and may be deployed within an Internet Service Provider (ISP) network. The system may include a plurality of network sensors for receiving and analyzing network traffic to determine the presence of malware. An aggregating apparatus receives alerts of the presence of malware and translates a network identifier of the alert to a subscriber identifier. The aggregating apparatus aggregates alert information and forwards it to a reporting infrastructure that can generate notifications in order to notify a subscriber that malware has been detected on a computer associated with the subscriber.
1. A system for network-based detection of malware on a plurality of client computers connected to a network, the system comprising:
a network sensor coupled to the network for generating detailed alerts based on one or more received packets including a packet header associated with a client computer of the plurality of client computers, the network sensor reconstructing connection state information based on an asymmetrical traffic flow using acknowledge (ACK) and sequence (SEQ) information in the packet headers of the respective one or more received packets to maintain session state and reassemble a data stream associated with the client computer, the network sensor comprising:
a detection engine for detecting the presence of malware on the client computer by comparing data provided within the one or more packets to an alert signature to identify malware behaviour; and
an alert generation module for generating an alert when the detection engine detects the presence of malware on the client computer, the alert comprising:
a network identifier associated with the client computer; and
an identifier associated with the detected malware;
an aggregator coupled to the network, the aggregator for translating network identifiers in one or more detailed alerts associated with the client computer to corresponding subscriber identifiers and generating alert summaries based on the alerts and corresponding subscriber identifier; and
a reporting infrastructure for receiving the one or more alert summaries and generating one or more subscriber malware notifications.
Interested in licensing a slice of this patent? Contact us to take the next step, or read about our method to understand the logistics.