Inter-arrival time intrusion-detection technique to provide enhanced cybersecurity

US 10,015,139 B2
Filed: 02/03/2016
Issued: 07/03/2018
Est. Priority Date: 02/03/2016
Status: Active Grant

First Claim

Patent Images

1. A method for performing an intrusion-detection technique to differentiate between packets received from malicious remote users and legitimate local users in a networked computer system, comprising:

determining arrival times for incoming packets at a node in the networked computer system;

determining inter-arrival times between the incoming packets from the arrival times;

determining a mean cumulative function (MCF) for the inter-arrival times by computing a cumulative sum of the inter-arrival times;

monitoring a piecewise continuous digitized inter-arrival time MCF fingerprinting for all authenticated users;

in response to detecting a change in a slope of the MCF, generating an alarm to indicate that a malicious remote user is generating some of the incoming packets; and

wherein generating the alarm additionally comprises terminating the traffic of the malicious remote user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed embodiments relate to a system that performs an intrusion-detection technique to differentiate between packets received from malicious remote users and legitimate local users in a networked computer system. During operation, the system determines arrival times for incoming packets at a node in the networked computer system. Next, the system determines inter-arrival times between the incoming packets from the arrival times. The system then determines a mean cumulative function (MCF) for the inter-arrival times by computing a cumulative sum of the inter-arrival times. Finally, upon detecting a change in a slope of the MCF, the system generates an alarm to indicate that a malicious remote user may be generating some of the incoming packets.

Citations

20 Claims

1. A method for performing an intrusion-detection technique to differentiate between packets received from malicious remote users and legitimate local users in a networked computer system, comprising:
- determining arrival times for incoming packets at a node in the networked computer system;
  
  determining inter-arrival times between the incoming packets from the arrival times;
  
  determining a mean cumulative function (MCF) for the inter-arrival times by computing a cumulative sum of the inter-arrival times;
  
  monitoring a piecewise continuous digitized inter-arrival time MCF fingerprinting for all authenticated users;
  
  in response to detecting a change in a slope of the MCF, generating an alarm to indicate that a malicious remote user is generating some of the incoming packets; and
  
  wherein generating the alarm additionally comprises terminating the traffic of the malicious remote user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein detecting the change in the slope includes using Sen'"'"'s nonparametric slope estimation technique to compute the slope of the MCF.
  - 3. The method of claim 1, wherein detecting the change in the slope includes using a Mann-Kendall test to detect a change point in the slope of the MCF.
  - 4. The method of claim 1, wherein detecting the change in the slope includes using a fast Mann-Kendall computation to detect a change point in the slope of the MCF, wherein the fast Mann-Kendall computation inserts data points into a balanced search tree to improve performance of the Mann-Kendall computation.
  - 5. The method of claim 1, wherein prior to determining the inter-arrival times, the method further comprises filtering the incoming packets based upon at least one filtering criterion to generate a set of filtered incoming packets to be used in determining the inter-arrival times.
  - 6. The method of claim 1, wherein the method further comprises estimating a number of network hops traversed by packets originating from the malicious remote user based on a magnitude of the change in slope.
  - 7. The method of claim 1, wherein determining the arrival times for the incoming packets includes obtaining the arrival times for the incoming packets from timestamps generated by a packet-capturing tool located at the node in the networked computer system.
  - 8. The method of claim 1, wherein generating the alarm includes sending the alarm to a system administrator to enable the system administrator to verify whether a malicious remote user has compromised the network computer system by using a spoofed credential.

9. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for performing an intrusion-detection technique to differentiate between packets received from malicious remote users and legitimate local users in a networked computer system, the method comprising:
- determining arrival times for incoming packets at a node in the networked computer system;
  
  determining inter-arrival times between the incoming packets from the arrival times;
  
  determining a mean cumulative function (MCF) for the inter-arrival times by computing a cumulative sum of the inter-arrival times;
  
  monitoring a piecewise continuous digitized inter-arrival time MCF fingerprinting for all authenticated users;
  
  in response to detecting a change in a slope of the MCF, generating an alarm to indicate that a malicious remote user is generating some of the incoming packets; and
  
  wherein generating the alarm additionally comprises terminating the traffic of the malicious remote user.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory computer-readable storage medium of claim 9, wherein detecting the change in the slope includes using Sen'"'"'s nonparametric slope estimation technique to compute the slope of the MCF.
  - 11. The non-transitory computer-readable storage medium of claim 9, wherein detecting the change in the slope includes using a Mann-Kendall test to detect a change point in the slope of the MCF.
  - 12. The non-transitory computer-readable storage medium of claim 9, wherein detecting the change in the slope includes using a fast Mann-Kendall computation to detect a change point in the slope of the MCF, wherein the fast Mann-Kendall computation inserts data points into a balanced search tree to improve performance of the Mann-Kendall computation.
  - 13. The non-transitory computer-readable storage medium of claim 9, wherein prior to determining the inter-arrival times, the method further comprises filtering the incoming packets based upon at least one filtering criterion to generate a set of filtered incoming packets to be used in determining the inter-arrival times.
  - 14. The non-transitory computer-readable storage medium of claim 9, wherein the method further comprises estimating a number of network hops traversed by packets originating from the malicious remote user based on a magnitude of the change in slope.
  - 15. The non-transitory computer-readable storage medium of claim 9, wherein determining the arrival times for the incoming packets includes obtaining the arrival times for the incoming packets from timestamps generated by a packet-capturing tool located at the node in the networked computer system.
  - 16. The non-transitory computer-readable storage medium of claim 9, wherein generating the alarm includes sending the alarm to a system administrator to enable the system administrator to verify whether a malicious remote user has compromised the network computer system by using a spoofed credential.

17. A system that performs an intrusion-detection technique to differentiate between packets received from malicious remote users and legitimate local users in a networked computer system, comprising:
- an intrusion-detection mechanism that operates in the networked computer system;
  
  wherein during operation, the intrusion-detection mechanism,determines arrival times for incoming packets at a node in the networked computer system;
  
  determines inter-arrival times between the incoming packets from the arrival times;
  
  determines a mean cumulative function (MCF) for the inter-arrival times by computing a cumulative sum of the inter-arrival times;
  
  monitor a piecewise continuous digitized inter-arrival time MCF fingerprinting for all authenticated users;
  
  in response to detecting a change in a slope of the MCF, generates an alarm to indicate that a malicious remote user is generating some of the incoming packets; and
  
  wherein generating the alarm additionally comprises terminating the traffic of the malicious remote user.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein while detecting the change in the slope, the intrusion-detection mechanism uses Sen'"'"'s nonparametric slope estimation technique to compute the slope of the MCF.
  - 19. The system of claim 17, wherein while detecting the change in the slope, the intrusion-detection mechanism uses a Mann-Kendall test to detect a change point in the slope of the MCF.
  - 20. The system of claim 17, wherein prior to determining the inter-arrival times, the instruction-detection mechanism filters the incoming packets based upon at least one filtering criterion to generate a set of filtered incoming packets to be used in determining the inter-arrival times.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Gross, Kenny C., Vaidyanathan, Kalyanaraman, Brownsword, Andrew E.
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Bucknor, Olanrewaju J.

Application Number

US15/015,055
Publication Number

US 20170222976A1
Time in Patent Office

881 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

Inter-arrival time intrusion-detection technique to provide enhanced cybersecurity

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Inter-arrival time intrusion-detection technique to provide enhanced cybersecurity

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links