CPC H04L 63/1416 (2013.01) [H04L 63/10 (2013.01); H04L 63/1425 (2013.01); H04L 2463/146 (2013.01)]; 18 Claims

1. A method for automatically linking security events associated with a computer network having plural networked computers including server computers and client computers, the method comprising:
monitoring system calls at each of the plural networked computers;
aggregating system call information of the monitoring with an agent at each of the plural networked computers, the system call information including at least start time, stop time, parent process and spawn events;
monitoring the network for security events;
identifying a security event;
communicating the system call information from each agent through the network to a network location;
comparing the system call information of the plural networked computers at the network location to identify causal relationships of the security event with the system call information, the comparing including at least comparing start time, stop time, parent process and spawn events of first and second of the plural networked computers to monitor process life cycles that include initiation and termination of network sockets, the network sockets having address buffers tracked by a hash, the network sockets applied to mirror structures from an operating system of each of the plural networked computers and temporally track network interfaces between the server computers and the client computers;
presenting the causal relationships as a causal graph that interrelates the security event and the system call information with the server computers and the client computers; and
blocking at least one of the plural networked computers associated with a causal relationship from a predetermined network access.
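The aggregation, comparison and causal-graph steps of the claim, as an added Python example that is not part of the patent: each host's agent report (process start, stop, parent and socket events, all constructed here) is merged at one location, the two ends of a connection are matched through a hash-keyed address pair, and the causal ancestors of an alerted process are traced across hosts to name the other computers a blocking step would act on. The rule that the earlier of two matching socket events is the connecting side is an assumption of this example.

```python
from collections import defaultdict
# Constructed agent reports (host, pid, ppid, start, stop); stop None = still running.
PROCS = [
    ("server1", 100, 1, 0, None),     # listener accepting inbound connections
    ("server1", 130, 100, 50, None),  # session spawned for one inbound connection
    ("server1", 131, 130, 55, None),  # shell in that session: the alerted process
    ("client7", 200, 1, 0, None),     # user shell
    ("client7", 215, 200, 40, 90),    # tool that opened the outbound socket
    ("client7", 220, 200, 70, None),  # unrelated sibling, never touched a socket
]
# Constructed socket events (host, pid, local, remote, t), addresses as "ip:port".
SOCKETS = [
    ("client7", 215, "10.0.0.7:51000", "10.0.0.1:22", 45),
    ("server1", 130, "10.0.0.1:22", "10.0.0.7:51000", 46),
]

def addr_key(local, remote):
    """Both ends of one connection hash to the same key (order-free address pair)."""
    return frozenset((local, remote))

def build_causal_graph(procs, sockets):
    """preds[node] = processes that caused node: its parent (spawn edge) and, for a
    process that accepted a socket, the process on the other host that opened it."""
    preds = defaultdict(set)
    life = {(h, pid): (start, stop) for h, pid, _, start, stop in procs}
    for h, pid, ppid, _, _ in procs:
        if (h, ppid) in life:
            preds[(h, pid)].add((h, ppid))
    by_key = defaultdict(list)
    for h, pid, local, remote, t in sockets:
        by_key[addr_key(local, remote)].append((t, h, pid))
    for ends in by_key.values():
        if len(ends) == 2 and ends[0][1] != ends[1][1]:
            (_, h1, p1), (_, h2, p2) = sorted(ends)  # assumed: earlier event connects
            preds[(h2, p2)].add((h1, p1))
    return preds, life

def trace_event(event_host, event_pid, event_time, procs=PROCS, sockets=SOCKETS):
    """Return the causal ancestors of the alerted process that had started by
    event_time, and the other hosts those ancestors ran on (block candidates)."""
    preds, life = build_causal_graph(procs, sockets)
    chain, stack = set(), [(event_host, event_pid)]
    while stack:
        node = stack.pop()
        if node in chain:
            continue
        chain.add(node)
        stack.extend(p for p in preds[node] if life[p][0] <= event_time)
    hosts = sorted({h for h, _ in chain if h != event_host})
    return chain, hosts
```

Calling `trace_event("server1", 131, 60)` links the alerted shell back through its session and the accepted socket to the client process that opened it, while the sibling process that never touched a socket stays out of the graph.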