Patents Assigned to VECTRA NETWORKS, INC.
  • Patent number: 9407647
    Abstract: A detection engine may be implemented by receiving network traffic and processing the traffic into one or more session datasets. Sessions not initiated by an internal host may be discarded. The frequency between the communication packets from the internal host to external host may be grouped or processed into rapid-exchange instances. The number of rapid-exchange instances, the time intervals between them, and/or the rhythm and directions of the initiation of the instances may be analyzed to determine that a human actor is manually controlling the external host. In some embodiments, when it is determined that only one human actor is involved, alarm data may be generated that indicates that a network intrusion involving manual remote control has occurred or is underway.
    Type: Grant
    Filed: March 10, 2015
    Date of Patent: August 2, 2016
    Assignee: Vectra Networks, Inc.
    Inventors: Nicolas Beauchesne, Ryan James Prenger
  • Publication number: 20160191551
    Abstract: An approach for detecting network attacks using metadata vectors may initially involve receiving network communications or packets, extracting metadata items from the packets. The metadata items describe the communications without requiring deep content inspection of the data payload or contents. The communications may be clustered into groups using the metadata items. If a cluster exceeds a threshold, an alarm may be generated.
    Type: Application
    Filed: November 17, 2015
    Publication date: June 30, 2016
    Applicant: VECTRA NETWORKS, INC.
    Inventors: Nicolas Beauchesne, David Lopes Pegna, Karl Lynn
  • Publication number: 20160191560
    Abstract: A method and system for identifying insider threats within an organization is provided. The approach constructs an internal connectivity graph to identify communities of hosts/users, and checks for abnormal behavior relative to past behaviors.
    Type: Application
    Filed: November 2, 2015
    Publication date: June 30, 2016
    Applicant: VECTRA NETWORKS, INC.
    Inventors: David Lopes Pegna, Himanshu Mhatre, Oliver Brdiczka
  • Publication number: 20160191563
    Abstract: Disclosed is an improved approach to implement a system and method for detecting insider threats, where models are constructed that is capable of defining what constitutes the normal behavior for any given hosts and quickly find anomalous behaviors that could constitute a potential threat to an organization. The disclosed approach provides a way to identify abnormal data transfers within and external to an organization without the need for individual monitoring software on each host, by leveraging metadata that describe the data exchange patterns observed in the network.
    Type: Application
    Filed: November 2, 2015
    Publication date: June 30, 2016
    Applicant: VECTRA NETWORKS, INC.
    Inventors: Nicolas Beauchesne, David Lopes Pegna
  • Publication number: 20160191559
    Abstract: Disclosed is an approach to detect insider threats, by tracking unusual access activity for a specific user or computer with regard to accessing key assets over time. In this way, malicious activity and the different preparation phases of attacks can be identified.
    Type: Application
    Filed: November 2, 2015
    Publication date: June 30, 2016
    Applicant: VECTRA NETWORKS, INC.
    Inventors: Himanshu Mhatre, David Lopes Pegna
  • Publication number: 20160149936
    Abstract: An approach for detecting network threats is disclosed, that may involve receiving network traffic, plotting the network traffic in a n-dimensional feature space to form a network map, generating a client signature at least by placing new client points in the map, setting a threshold, and generating an alarm if one or more client activity points exceed the threshold. In some embodiments, the network map and the client signature are updated using sliding windows and distance calculations.
    Type: Application
    Filed: November 17, 2015
    Publication date: May 26, 2016
    Applicant: VECTRA NETWORKS, INC.
    Inventors: David Lopes Pegna, Nicolas Beauchesne
  • Patent number: 9237164
    Abstract: Provided is an intrusion detection system configured to detect anomalies indicative of a zero-day attack by statistically analyzing substantially all traffic on a network in real-time. The intrusion detection system, in some aspects, includes a network interface; one or more processors communicatively coupled to the network interface; system memory communicatively coupled to the processors. The system memory, in some aspects, stores instructions that when executed by the processors cause the processors to perform steps including: buffering network data from the network interface in the system memory; retrieving the network data buffered in the system memory; applying each of a plurality of statistical or machine-learning intrusion-detection models to the retrieved network data; aggregating intrusion-likelihood scores from each of the intrusion-detection models in an aggregate score, and upon the aggregate score exceeding a threshold, outputting an alert.
    Type: Grant
    Filed: June 19, 2014
    Date of Patent: January 12, 2016
    Assignee: Vectra Networks, Inc.
    Inventors: James Harlacher, Mark Abene
  • Publication number: 20150312211
    Abstract: A host identification engine receives network traffic from a network and uses one or more artifact extractors to extract artifact data items that can identify a host. The artifact data items can be stored in a host signature database. Network addresses to which the hosts correspond can be stored in a network address database. A mapping table can be implemented to match the data in the signature database and network database to generate durable host identification data that can accurately track hosts as they use different identification data and/or move between hosts.
    Type: Application
    Filed: March 10, 2015
    Publication date: October 29, 2015
    Applicant: VECTRA NETWORKS, INC.
    Inventors: Nicolas Beauchesne, Monty Sher Gill, Oliver Kourosh Tavakoli
  • Publication number: 20150264061
    Abstract: Approaches for detecting network intrusions, such as malware infection, Trojans, worms, or bot net mining activities includes: identifying one or more threat detections in session datasets, the session datasets corresponding to network traffic from a plurality of hosts; determining a layered detection score, the layered detection score corresponding to a certainty score and threat score; determining a layered host score, the layered host score corresponding to a certainty score and threat score; and generating alarm data comprising the layered detection score and the layered host score. In some embodiments, the network traffic may be received passively through a network switch; for example, by “tapping” the switch. Other additional objects, features, and advantages of the invention are described in the detailed description, figures and claims.
    Type: Application
    Filed: March 10, 2015
    Publication date: September 17, 2015
    Applicant: VECTRA NETWORKS, INC.
    Inventors: Oskar IBATULLIN, Ryan James PRENGER, Nicolas BEAUCHESNE, Karl Matthew LYNN, Oliver Kourosh TAVAKOLI
  • Publication number: 20150264083
    Abstract: A system and method for detecting malicious relay communications is disclosed. Network communications can be received and analyzed using such network components as a network switch. The received traffic can be parsed into sessions. Relay metadata can be extracted from the sessions and further be used to categorize the sessions into one or more types of relay metadata behaviors. Once a significant amount of sessions are detected an alarm may be triggered and/or alarm data may be generated for analysis by network security administrators.
    Type: Application
    Filed: March 10, 2015
    Publication date: September 17, 2015
    Applicant: Vectra Networks, Inc.
    Inventors: Ryan James Prenger, Nicolas Beauchesne, Karl Matthew Lynn
  • Publication number: 20150264078
    Abstract: A method and system for detecting network reconnaissance is disclosed wherein network traffic can be parsed into unidirectional flows that correspond to sessions. A learning module may categorize computing entities inside the network into assets and generate asset data to monitor the computing entities. If one or more computing entities address a flow to an address of a host that no longer exists, ghost asset data may be recorded and updated in the asset data. When a computing entity inside the network contacts an object in the dark-net, the computing entity may be recorded a potential mapper. When the computing entity tries to contact a number of objects in the dark-net, such that a computed threshold is exceeded, the computing entity is identified a malicious entity performing network reconnaissance.
    Type: Application
    Filed: March 10, 2015
    Publication date: September 17, 2015
    Applicant: VECTRA NETWORKS, INC.
    Inventors: Nicolas Beauchesne, Sungwook Yoon
  • Publication number: 20150264069
    Abstract: A detection engine may be implemented by receiving network traffic and processing the traffic into one or more session datasets. Sessions not initiated by an internal host may be discarded. The frequency between the communication packets from the internal host to external host may be grouped or processed into rapid-exchange instances. The number of rapid-exchange instances, the time intervals between them, and/or the rhythm and directions of the initiation of the instances may be analyzed to determine that a human actor is manually controlling the external host. In some embodiments, when it is determined that only one human actor is involved, alarm data may be generated that indicates that a network intrusion involving manual remote control has occurred or is underway.
    Type: Application
    Filed: March 10, 2015
    Publication date: September 17, 2015
    Applicant: Vectra Networks, Inc.
    Inventors: Nicolas Beauchesne, Ryan James Prenger
  • Publication number: 20150264070
    Abstract: A method and system for detecting algorithm-generated domains (AGDs) is disclosed wherein domain names requested by an internal host are categorized or classified using curated data sets, active services (e.g. Internet services), and certainty scores to match domain names to domain names or IP addresses used by command and control servers.
    Type: Application
    Filed: March 10, 2015
    Publication date: September 17, 2015
    Applicant: VECTRA NETWORKS, INC.
    Inventors: James Patrick HARLACHER, Aditya SOOD, Oskar IBATULLIN
  • Publication number: 20150264068
    Abstract: A bot detection engine to determine whether hosts in an organization's network are performing bot-related activities is disclosed. is A bot detection engine can receive network traffic between hosts in a network, and/or between hosts across several networks. The bot engine may parse the network traffic into session datasets and discard the session datasets that were not initiated by hosts in a given network. The session datasets may be analyzed and state data may be accumulated. The state data may correspond to actions performed by the hosts, such as requesting a website or clicking ads, or requesting content within the website (e.g. clicking on a image which forms a HTTP request/response transaction for the image file).
    Type: Application
    Filed: March 10, 2015
    Publication date: September 17, 2015
    Applicant: VECTRA NETWORKS, INC.
    Inventor: Nicolas Beauchesne
  • Publication number: 20150264073
    Abstract: A real-time perspective engine that can detect network intrusions by accepting network packets as input, organizing the packets, and processing them through a series of detection schemes to identify potentially malicious network behavior. The detection system can implement stateless detection that detects network threats in real-time. The detection system can implement state-full detection that detects network threats which in small amounts may appear innocuous but over time evidence a network attack or malicious activity.
    Type: Application
    Filed: March 10, 2015
    Publication date: September 17, 2015
    Applicant: VECTRA NETWORKS, INC.
    Inventors: Oliver Kourosh Tavakoli, Tao Ma, Panning Huang, Jeffrey Charles Venable
  • Publication number: 20150082433
    Abstract: Provided is an intrusion detection system configured to detect anomalies indicative of a zero-day attack by statistically analyzing substantially all traffic on a network in real-time. The intrusion detection system, in some aspects, includes a network interface; one or more processors communicatively coupled to the network interface; system memory communicatively coupled to the processors. The system memory, in some aspects, stores instructions that when executed by the processors cause the processors to perform steps including: buffering network data from the network interface in the system memory; retrieving the network data buffered in the system memory; applying each of a plurality of statistical or machine-learning intrusion-detection models to the retrieved network data; aggregating intrusion-likelihood scores from each of the intrusion-detection models in an aggregate score, and upon the aggregate score exceeding a threshold, outputting an alert.
    Type: Application
    Filed: June 19, 2014
    Publication date: March 19, 2015
    Applicant: VECTRA NETWORKS, INC.
    Inventors: James Harlacher, Mark Abene