Field
The present invention generally relates to detecting network intrusions, anomalies, and policy violations, and more particularly to detecting them by path scanning for anomalous subgraphs embedded within time-evolving graphs. It additionally relates to the use of Domain Name Service (“DNS”) requests for situational awareness and anomaly/change detection on computer networks.
Description of the Related Art
Sophisticated computer hacking presents a serious threat to companies, governmental organizations, and other entities. Generally, a hacker gains entry to a system through automated means. For example, if a hacker sends a phishing email to an organization and a user clicks a link, malware may compromise the machine. This gives the hacker control of the compromised machine, and thus, a foothold into the network in which the compromised machine resides.
The hacker cannot choose which machines are compromised, and thus, where he or she lands in the network. From the initial point where the network was compromised, the hacker commonly traverses the network, searching for additional hosts to exploit. Since no single user generally has access to the entire network, the hacker must traverse through multiple machines to fully compromise the network. Often, a hacker will search for multi-user machines and use the compromised account to gain access—furthering his or her penetration into the network.
Conventional methods for the detection of malicious insiders in a computer network generally do not capture “traversal” well. Traversal occurs when a hacker advances through a network, infiltrating systems and then using each compromised system to compromise further hosts. While host-based detection systems that monitor specific machines are somewhat mature, and intrusion detection at the firewall is well-researched, methods that examine multiple hops within the security perimeter simultaneously to search for anomalies are generally not well-explored. Further, network traffic monitoring is generally performed using an elaborate system of network taps, router mirror ports, and router-based flow observation. This approach is costly and fails to provide complete coverage of traffic within a network.