System and methods for computer network security involving user confirmation of network connections

US 10,129,273 B2
Filed: 02/26/2016
Issued: 11/13/2018
Est. Priority Date: 11/30/2001
Status: Active Grant

First Claim

Patent Images

1. A computer system for monitoring a data communication network comprising:

at least one processor configured for;

receiving security event data from a sensor, the sensor operatively coupled to the data communication network and operative for determining the existence of a client/server connection on the data communication network;

transmitting a notification to a particular user of a machine on the data communication network associated with the client of the client/server connection, the notification comprising the indication of the nature of a security event represented in the security event data and a query as to the nature of the particular user'"'"'s network activity relating to a server of the client/server connection, wherein the security event comprises a determination that the server involved in the client/server connection possesses a security indication characteristic, and wherein the security indication characteristic includes data indicating;

(a) that the server presents a known security risk to the network, (b) that the server has not been seen in previous communications on the network, (c) that characteristics of the communication between the client and the server exhibits characteristics indicative of possible security risk;

receiving the particular user'"'"'s response to the query;

based upon the particular user'"'"'s response to the query, generating a security alert based on the response to the query and the security event data;

communicating the security alert to a security analyst computer system associated with the data communication network; and

employing user responses in connection with pre-stored data obtained by logging of information derived from one or more prior communications with a particular server, to enable the security analyst computer system to analyze historical traffic data with the particular server and use that historical traffic data to assess a security risk for the particular server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for detecting anomalies in network traffic and providing notification to the users of the computers that generated the network traffic for confirmation of the activities that resulted in the network traffic are described herein. According to particular embodiments, the system is configured to collect data regarding network activity (e.g., via sensors), generate inquiries to users regarding that activity, receive the user'"'"'s response to those inquiries, and provide the user'"'"'s response along with the network activity to a security analyst.

47 Citations

27 Claims

1. A computer system for monitoring a data communication network comprising:
- at least one processor configured for;
  
  receiving security event data from a sensor, the sensor operatively coupled to the data communication network and operative for determining the existence of a client/server connection on the data communication network;
  
  transmitting a notification to a particular user of a machine on the data communication network associated with the client of the client/server connection, the notification comprising the indication of the nature of a security event represented in the security event data and a query as to the nature of the particular user'"'"'s network activity relating to a server of the client/server connection, wherein the security event comprises a determination that the server involved in the client/server connection possesses a security indication characteristic, and wherein the security indication characteristic includes data indicating;
  
  (a) that the server presents a known security risk to the network, (b) that the server has not been seen in previous communications on the network, (c) that characteristics of the communication between the client and the server exhibits characteristics indicative of possible security risk;
  
  receiving the particular user'"'"'s response to the query;
  
  based upon the particular user'"'"'s response to the query, generating a security alert based on the response to the query and the security event data;
  
  communicating the security alert to a security analyst computer system associated with the data communication network; and
  
  employing user responses in connection with pre-stored data obtained by logging of information derived from one or more prior communications with a particular server, to enable the security analyst computer system to analyze historical traffic data with the particular server and use that historical traffic data to assess a security risk for the particular server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system of claim 1, wherein the client/server connection is characterized by a monitored exchange of packets between the client and the server.
  - 3. The system of claim 1, wherein the client/server connection is characterized by NetFlow data.
  - 4. The system of claim 1, wherein the security event comprises a determination that the server involved in the client/server connection possesses a security indication characteristic.
  - 5. The system of claim 4, wherein the security indication characteristic includes data indicating:
    - (a) that the server presents a known security risk to the network, (b) that the server has not been seen in previous communications on the network, (c) that characteristics of the communication between the client and the server exhibits characteristics indicative of possible security risk.
  - 6. The system of claim 1, wherein the security event data comprises at least a user identifier and an indication relating to the security event.
  - 7. The system of claim 6, wherein the at least one processor is further configured for using the user identifier to determine a manner of communication to the particular user of the machine that generated the security event data.
  - 8. The system of claim of claim 6, wherein the at least one processor is further configured for matching the user identifier with a computer system constituting the client of the client/server connection and determining the particular user on the data communication network.
  - 9. The system of claim 1, wherein the at least one processor is further configured for assigning a priority to the security alert based on comparing the response to the query with a predetermined response database.
  - 10. The system of claim 9, wherein the at least one processor is further configured for communicating the security alert to the security analyst computer system further comprises communicating the assigned priority of the security alert.
  - 11. The system of claim 1, wherein the existence of the client/server connection is determined by reference to communication metadata relating to a communication between the client and the server.
  - 12. The system of claim 1, wherein the security event data comprises data correlating the identity of the server involved in the communication with security characteristics of previously identified servers.
  - 13. The system of claim 12, wherein the data correlating the identity of the server involved in the communication comprises “
    - previously seen”
      
      data obtained from a separate network security system.
  - 14. The system of claim 1, wherein the query to the particular user comprises a request to the particular user for an indication of intention to connect to the particular server in the client/server connection.
  - 15. The system of claim 1, wherein the at least one processor is further configured for obtaining context information as to characteristics of the connection between the client and the server useful by the security analyst computer system in assessing security risk of the server.
  - 16. The system of claim 15, wherein context information includes but is not limited to one or more of the following:
    - whether the server is on a black list of known nefarious servers, whether the server is on white list of previously-approved servers, whether a particular application on the server is expected to execute, an expected duration of connection to the server, an expected frequency of connection to the server, whether use of a particular port in the communication protocol was expected by the particular user, whether a connection to the server at a particular time of day was expected, the role of the particular user.
  - 17. The system of claim 1, wherein the notification to the particular user is communicated to the particular user by one or more of the following communication mechanisms:
    - executing a browser script to generate a user interface for displaying information to the particular user and/or receiving user input;
      
      executing a stand-alone application for generating a user interface for displaying information to the particular user and/or receiving user input;
      
      providing a text message (SMS) to the user with information about the query;
      
      providing an email to the particular user with information about the query.

18. A method for monitoring a data communication network, comprising:
- receiving security event data from a sensor, the sensor operatively coupled to the data communication network and operative for determining the existence of a client/server connection on the data communication network;
  
  transmitting a notification to a particular user of a machine on the data communication network associated with the client of the client/server connection, the notification comprising the indication of the nature of a security event represented in the security event data and a query as to the nature of the particular user'"'"'s network activity relating to a server of the client/server connection, wherein the security event comprises a determination that the server involved in the client/server connection possesses a security indication characteristic, and wherein the security indication characteristic includes data indicating;
  
  (a) that the server presents a known security risk to the network, (b) that the server has not been seen in previous communications on the network, (c) that characteristics of the communication between the client and the server exhibits characteristics indicative of possible security risk;
  
  receiving the particular user'"'"'s response to the query;
  
  based upon the particular user'"'"'s response to the query, generating a security alert based on the response to the query and the security event data;
  
  communicating the security alert to a security analyst computer system associated with the data communication network; and
  
  employing user responses in connection with prestored data obtained by logging of information derived from one or more prior communications with a particular server, to enable the security analyst computer system to analyze historical traffic data with the particular server and use that historical traffic data to assess a security risk for the particular server.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The method of claim 18, wherein the security event data comprises at least a user identifier and an indication relating to the security event, and further comprising:
    - matching the user identifier with a computer system constituting the client of the client/server connection and determining the particular user on the data communication network.
  - 20. The method of claim 18, wherein the security event data comprises data correlating the identity of the server involved in the communication with security characteristics of previously identified servers.
  - 21. The method of claim 18, further comprising obtaining context information as to characteristics of the connection between the client and the server useful by the security analyst computer system in assessing security risk of the server.
  - 22. The method of claim 18, wherein the notification to the particular user is communicated to the particular user by one or more of the following communication mechanisms:
    - executing a browser script to generate a user interface for displaying information to the particular user and/or receiving user input;
      
      executing a stand-alone application for generating a user interface for displaying information to the particular user and/or receiving user input;
      
      providing a text message (SMS) to the particular user with information about the query;
      
      providing an email to the particular user with information about the query.

23. A non-transitory computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to perform operations including:
- receiving security event data from a sensor, the sensor operatively coupled to a data communication network and operative for determining the existence of a client/server connection on the data communication network;
  
  transmitting a notification to a particular user of a machine on the data communication network associated with the client of the client/server connection, the notification comprising the indication of the nature of a security event represented in the security event data and a query as to the nature of the particular user'"'"'s network activity relating to a server of the client/server connection, wherein the security event comprises a determination that the server involved in the client/server connection possesses a security indication characteristic, and wherein the security indication characteristic includes data indicating;
  
  (a) that the server presents a known security risk to the network, (b) that the server has not been seen in previous communications on the network, (c) that characteristics of the communication between the client and the server exhibits characteristics indicative of possible security risk;
  
  receiving the particular user'"'"'s response to the query;
  
  based upon the particular user'"'"'s response to the query, generating a security alert based on the response to the query and the security event data;
  
  communicating the security alert to a security analyst computer system associated with the data communication network; and
  
  employing user responses in connection with pre-stored data obtained by logging of information derived from one or more prior communications with a particular server, to enable the security analyst computer system to analyze historical traffic data with the particular server and use that historical traffic data to assess a security risk for the particular server.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The non-transitory computer readable storage media of claim 23, wherein the security event data comprises at least a user identifier and an indication relating to the security event, and further comprising instructions that cause the processor to perform:
    - matching the user identifier with a computer system constituting the client of the client/server connection and determining a particular user on the data communication network.
  - 25. The non-transitory computer readable storage media of claim 23, wherein the security event data comprises data correlating the identity of the server involved in the communication with security characteristics of previously identified servers.
  - 26. The non-transitory computer readable storage media of claim 23, wherein the notification to the particular user is communicated to the particular user by one or more of the following communication mechanisms:
    - executing a browser script to generate a user interface for displaying information to the particular user and/or receiving user input;
      
      executing a stand-alone application for generating a user interface for displaying information to the particular user and/or receiving user input;
      
      providing a text message (SMS) to the particular user with information about the query;
      
      providing an email to the particular user with information about the query.
  - 27. The non-transitory computer readable storage media of claim 23, wherein context information includes but is not limited to one or more of the following:
    - whether the server is on a black list of known nefarious servers, whether the server is on white list of previously-approved servers, whether a particular application on the server is expected to execute, an expected duration of connection to the server, an expected frequency of connection to the server, whether use of a particular port in the communication protocol was expected by the particular user, whether a connection to the server at a particular time of day was expected, the role of the particular user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Palazzo, Robert Charles, Luu, Michael Sea
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Beheshti Shirazi, Sayed Aresh

Application Number

US15/054,574
Publication Number

US 20160255105A1
Time in Patent Office

991 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

System and methods for computer network security involving user confirmation of network connections

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods for computer network security involving user confirmation of network connections

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links