Invention Grant
- Patent Title: System and method of detecting whether a source of a packet flow transmits packets which bypass an operating system stack
- Application No.: US16658621
- Application Date: 2019-10-21
- Publication No.: US11431592B2
- Publication Date: 2022-08-30
- Inventor: Khawar Deen, Navindra Yadav, Anubhav Gupta, Shashidhar Gandham, Rohit Chandra Prasad, Abhishek Ranjan Singh, Shih-Chun Chang
- Applicant: Cisco Technology, Inc.
- Applicant Address: US CA San Jose
- Assignee: Cisco Technology, Inc.
- Current Assignee: Cisco Technology, Inc.
- Current Assignee Address: US CA San Jose
- Agency: Polsinelli PC
- Main IPC: G06F17/00
- IPC: G06F17/00 ; G06F15/16 ; G06F9/00 ; H04L43/045 ; H04L9/40 ; G06F9/455 ; G06N20/00 ; G06F21/55 ; G06F21/56 ; G06F16/28 ; G06F16/2457 ; G06F16/248 ; G06F16/29 ; G06F16/16 ; G06F16/17 ; G06F16/11 ; G06F16/13 ; G06F16/174 ; G06F16/23 ; G06F16/9535 ; G06N99/00 ; H04L9/32 ; H04L41/0668 ; H04L43/0805 ; H04L43/0811 ; H04L43/0852 ; H04L43/106 ; H04L45/00 ; H04L45/50 ; H04L67/12 ; H04L67/01 ; H04L43/026 ; H04L43/062 ; H04L43/10 ; H04L47/2441 ; H04L41/0893 ; H04L43/08 ; H04L43/04 ; H04W84/18 ; H04L67/10 ; H04L67/51 ; H04L41/046 ; H04L43/0876 ; H04L41/12 ; H04L41/16 ; H04L41/0816 ; G06F21/53 ; H04L41/22 ; G06F3/04842 ; G06F3/04847 ; H04L41/0803 ; H04L67/75 ; H04L43/0829 ; H04L43/16 ; H04L1/24 ; H04W72/08 ; H04L9/08 ; H04J3/06 ; H04J3/14 ; H04L61/5007 ; H04L47/20 ; H04L47/32 ; H04L43/0864 ; H04L47/11 ; H04L69/22 ; H04L45/74 ; H04L47/2483 ; H04L43/0882 ; H04L41/0806 ; H04L43/0888 ; H04L43/12 ; H04L47/31 ; G06F3/0482 ; G06T11/20 ; H04L43/02 ; H04L47/28 ; H04L69/16 ; H04L67/1001 ; H04L45/302 ; H04L67/50

Abstract:
A method includes capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data, capturing second data associated with a second packet flow originating from the first host from a second capture agent deployed on a second host to yield second flow data and comparing the first flow data and the second flow data to yield a difference. When the difference is above a threshold value, the method includes determining that the second packet flow was transmitted by a component that bypassed an operating stack of the first host or a packet capture agent at the device to yield a determination, detecting that hidden network traffic exists, and predicting a malware issue with the first host based on the determination.
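The comparison the abstract describes can be illustrated with a small flow-reconciliation routine. The following is an added example written for this page, not code from the patent or from Cisco: it assumes two capture agents that each emit per-flow byte counts keyed by 5-tuple (one agent on the monitored host, one on a second host or network vantage point that also sees the monitored host's traffic), keeps only flows originating from the monitored host, and treats the fraction of network-observed bytes that the host-side agent never accounted for as the "difference". Flows that appear only in the network-side view are the candidate hidden traffic; a difference above the threshold yields the hidden-traffic determination. The IP addresses, byte counts and the 5 % threshold are constructed sample values, not figures from the patent.

```python
"""Reconcile host-side and network-side flow captures to detect traffic
that bypassed the host's operating system stack (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One flow summary as a capture agent might export it (constructed format)."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    byte_count: int

    def key(self):
        # 5-tuple used to match the same flow across the two capture agents
        return (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)


def aggregate(records, source_host):
    """Sum bytes per 5-tuple, keeping only flows that originate from source_host.
    Return traffic and other hosts' flows seen by a network-side agent are dropped."""
    totals = defaultdict(int)
    for rec in records:
        if rec.src_ip == source_host:
            totals[rec.key()] += rec.byte_count
    return dict(totals)


def compare_flow_data(host_view, network_view):
    """Compare the two aggregated views.

    Returns (unaccounted_bytes, total_network_bytes, hidden_flow_keys):
    unaccounted_bytes counts network-observed bytes the host agent did not
    report (whole flows it never saw, plus any shortfall on flows it did see);
    hidden_flow_keys lists flows present only in the network-side view."""
    unaccounted = 0
    hidden = []
    for key, net_bytes in network_view.items():
        host_bytes = host_view.get(key)
        if host_bytes is None:
            hidden.append(key)          # flow never passed the host's stack/agent
            unaccounted += net_bytes
        else:
            unaccounted += max(0, net_bytes - host_bytes)  # tolerate small drift
    total = sum(network_view.values())
    return unaccounted, total, hidden


def detect_hidden_traffic(host_records, network_records, source_host, threshold=0.05):
    """Yield the determination: difference above threshold => hidden traffic exists.
    The threshold is an assumed tuning value, not one given by the patent."""
    host_view = aggregate(host_records, source_host)
    network_view = aggregate(network_records, source_host)
    unaccounted, total, hidden = compare_flow_data(host_view, network_view)
    difference = unaccounted / total if total else 0.0
    return {
        "difference": difference,
        "hidden_flows": sorted(hidden),
        "hidden_traffic": difference > threshold,
    }


# --- constructed sample captures -------------------------------------------
MONITORED_HOST = "10.0.0.5"

# What the agent on the monitored host itself reports (first flow data)
HOST_AGENT = [
    FlowRecord("10.0.0.5", "10.0.0.9", "tcp", 51000, 443, 12000),
    FlowRecord("10.0.0.5", "10.0.0.9", "udp", 5353, 53, 8000),
]

# What an agent on a second host / network vantage point reports (second flow data)
NETWORK_AGENT_CLEAN = [
    FlowRecord("10.0.0.5", "10.0.0.9", "tcp", 51000, 443, 12100),  # minor counting drift
    FlowRecord("10.0.0.5", "10.0.0.9", "udp", 5353, 53, 8000),
    FlowRecord("10.0.0.9", "10.0.0.5", "tcp", 443, 51000, 3000),   # return traffic, ignored
]

# Same view, plus a flow the host-side agent never saw (bypassed the OS stack)
NETWORK_AGENT_HIDDEN = NETWORK_AGENT_CLEAN + [
    FlowRecord("10.0.0.5", "203.0.113.7", "tcp", 40000, 443, 150000),
]


def clean_case():
    return detect_hidden_traffic(HOST_AGENT, NETWORK_AGENT_CLEAN, MONITORED_HOST)


def hidden_case():
    return detect_hidden_traffic(HOST_AGENT, NETWORK_AGENT_HIDDEN, MONITORED_HOST)


if __name__ == "__main__":
    print("clean :", clean_case())
    print("hidden:", hidden_case())
```

In the clean capture the only discrepancy is 100 bytes of counting drift on one flow, well under the threshold, so no determination is made; in the second capture the 150,000-byte flow that exists only in the network-side view pushes the difference to roughly 0.88 and the routine reports hidden traffic, which is the signal the abstract then feeds into the malware prediction.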