CPC H04L 63/1416 (2013.01) [H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); H04L 2463/146 (2013.01)]; 21 Claims

1. A non-transitory storage medium including logic that, upon execution by a processor, performs operations in an attempt to detect a malicious host operating within a network prior to a cyber-attack being conducted by the malicious host, comprising:
querying logic to (i) retrieve profile information associated with each host of a plurality of hosts operating within the network and (ii) generate a query message to each host of the plurality of hosts based on characteristics included as part of the retrieved profile information pertaining to the host, wherein each query message is intended to solicit a return of salient characteristics associated with an infrastructure of the host for use in determining whether the host is suspicious based on a change of the infrastructure of the host, including a change in components installed within the host;
profile confirmation logic, in response to the querying logic determining that a host of the plurality of hosts is suspicious, to establish communications with the host and retrieve additional context information associated with the infrastructure of the host from the host;
classification logic, based at least on the salient characteristics retrieved by the querying logic and the additional context information retrieved by the profile confirmation logic, to determine whether the host is operating as a malicious host prior to, and without reliance on, information associated with a cyber-attack being conducted by the host; and
reporting logic to output analytic results identifying that the host is operating as a malicious host.
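The claim describes a four-stage pipeline: profile-driven queries, a drift check against the stored profile, a confirmation step that pulls extra context only for hosts already flagged, and a classifier that decides without waiting for attack traffic. The following is an added illustrative model of that pipeline, not code from the patent or its assignee. All host names, component lists, port numbers, scoring weights and the threshold are constructed for the example; a real deployment would source profiles from a CMDB and host replies from an agent or remote inventory.

```python
"""Illustrative model of the claimed detection pipeline (added example, not the
patent's code). Sample profiles, host replies and context are constructed."""
from dataclasses import dataclass, field

# Constructed baseline profiles: what each host looked like when last known good.
PROFILES = {
    "web-01": {"os": "Ubuntu 22.04", "components": {"nginx", "openssh-server", "python3"}},
    "db-01": {"os": "Ubuntu 22.04", "components": {"postgresql", "openssh-server"}},
}

# Constructed replies standing in for what each host returns to its query message.
CURRENT = {
    "web-01": {"os": "Ubuntu 22.04", "components": {"nginx", "openssh-server", "python3"}},
    "db-01": {"os": "Ubuntu 22.04",
              "components": {"postgresql", "openssh-server", "xmrig", "socat"}},
}

# Constructed additional context, fetched only for hosts the query step flagged.
CONTEXT = {
    "db-01": {"listening_ports": [5432, 22, 4444], "pkg_manager_changes": False},
}

# Hypothetical tuning values for the classifier.
SUSPICIOUS_COMPONENTS = {"xmrig", "socat", "nc", "mimikatz"}
EXPECTED_PORTS = {22, 80, 443, 5432}
MALICIOUS_THRESHOLD = 5


@dataclass
class Finding:
    host: str
    added: set
    removed: set
    context: dict = field(default_factory=dict)
    score: int = 0
    malicious: bool = False


def build_query(profile):
    """The query is shaped by the profile: ask for exactly the component set and OS
    this host is supposed to have, so the reply can be diffed against it."""
    return {"want": sorted(profile["components"]), "os": profile["os"]}


def query_hosts(profiles, responses):
    """Querying logic: a host is suspicious if its reported infrastructure drifted
    from the profile (components added or removed, or OS changed)."""
    suspicious = []
    for host, profile in profiles.items():
        q = build_query(profile)
        reply = responses[host]
        added = reply["components"] - set(q["want"])
        removed = set(q["want"]) - reply["components"]
        if added or removed or reply["os"] != q["os"]:
            suspicious.append(Finding(host, added, removed))
    return suspicious


def confirm_profile(finding, context_source):
    """Profile confirmation logic: establish a second exchange with the flagged host
    and pull additional context (here: listening ports, package-manager history)."""
    finding.context = context_source.get(finding.host, {})
    return finding


def classify(finding):
    """Classification logic: score drift plus context. Nothing here depends on
    observing an attack; the verdict comes from infrastructure change alone."""
    score = 2 * len(finding.added & SUSPICIOUS_COMPONENTS)
    score += len(finding.added - SUSPICIOUS_COMPONENTS)
    score += len(finding.removed)
    unexpected_ports = set(finding.context.get("listening_ports", [])) - EXPECTED_PORTS
    score += 2 * len(unexpected_ports)
    if not finding.context.get("pkg_manager_changes", True):
        score += 2  # new components appeared without a package-manager transaction
    finding.score = score
    finding.malicious = score >= MALICIOUS_THRESHOLD
    return finding


def report(findings):
    """Reporting logic: analytic results for hosts classified as malicious."""
    return [{"host": f.host, "score": f.score,
             "added": sorted(f.added), "removed": sorted(f.removed)}
            for f in findings if f.malicious]


def run_pipeline(profiles=PROFILES, responses=CURRENT, context=CONTEXT):
    findings = query_hosts(profiles, responses)
    findings = [classify(confirm_profile(f, context)) for f in findings]
    return report(findings)


if __name__ == "__main__":
    for result in run_pipeline():
        print(result)
```

One caveat a practitioner would keep in mind: both the query reply and the confirmation context in this model come from the host itself, so a host that has already been fully compromised can answer with its baseline profile and never be flagged. Where the environment allows, the confirmation step should draw on a source the host cannot rewrite (switch-side port observations, hypervisor or EDR inventory, package-repository logs) rather than asking the suspect for a second self-report.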