Abstract: A method and system to detect cyber-attacks by analyzing client-server or other east-west traffic within an enterprise network is disclosed. East-west traffic comprises communications between network devices within the enterprise network, in contradistinction to north-south traffic which involves communications intended to traverse the periphery of the enterprise network. The system includes a network interface to receive the network traffic; analysis logic to analyze communications within the received network traffic to identify a set of indicators; correlation logic to assemble one or more groups of weak indicators from the set of indicators, and conduct an analysis to determine whether each of the groups of weak indicators is correlated with known malicious patterns or sequences of indicators, thereby producing at least one strong indicator from which a determination can be made of whether a cyber-attack is being conducted.

Abstract: A method for detecting a cyber-attack is described. The method features (i) collecting a first plurality of weak indicators, (ii) grouping a second plurality of weak indicators from the first plurality of weak indicators where the second plurality of weak indicators being lesser in number than the first plurality of weak indicators, and (iii) performing a correlation operation between the second plurality of weak indicators and one or more patterns or sequences of indicators associated with known malware. A weak indicator of the first plurality of weak indicators corresponds to data that, by itself, is not definitive as to whether the data is associated with a cyber-attack being conducted on a source of the weak indicator.