Behavioral baselining of network systems

US 10,666,673 B2
Filed: 08/02/2017
Issued: 05/26/2020
Est. Priority Date: 02/27/2017
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

instantiating, by at least one processor, a baseline, wherein the baseline comprises a set of assets, and a set of relationships including a first relationship;

associating a first event stream with the baseline, wherein the first event stream comprises a sequence of events, the events include a first event at a first time and a second event at a second time, and each event comprises a source or destination attribute;

performing an evaluation to create a range of addresses, the addresses based on values for source or destination addresses collected from the first event stream;

evaluating each event of the first event stream by performing evaluations corresponding to attributes in the set of relationships, the evaluating comprising determining whether a value of a source or destination address in the first event is within the range of addresses; and

detecting, by the at least one processor, based on the evaluating of the first event stream, a drift from the baseline, wherein the drift is based on a failure of at least one attribute value in the first event to match at least one attribute value of the first relationship.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for behavioral baselining of network systems. In one embodiment, a method includes: storing, in an asset attribute database, information regarding assets, wherein each asset comprises at least one attribute; storing, in a relationship database, information regarding relationships, wherein each relationship comprises at least one attribute; selecting, from the asset attribute database, assets based on at least one attribute value; selecting, from the relationship database, one or more relationships based on at least one attribute value, the selected relationships including a first relationship; creating a baseline, wherein the baseline comprises the selected assets and the selected relationships; connecting a first event stream to the baseline, wherein the first event stream comprises a set of events, and each event comprises attributes; and detecting a drift from the baseline, wherein the drift is determined using the first event stream and is based on a failure of at least one attribute value in a first event of the first event stream to match at least one attribute value of the first relationship.

106 Citations

20 Claims

1. A method, comprising:
- instantiating, by at least one processor, a baseline, wherein the baseline comprises a set of assets, and a set of relationships including a first relationship;
  
  associating a first event stream with the baseline, wherein the first event stream comprises a sequence of events, the events include a first event at a first time and a second event at a second time, and each event comprises a source or destination attribute;
  
  performing an evaluation to create a range of addresses, the addresses based on values for source or destination addresses collected from the first event stream;
  
  evaluating each event of the first event stream by performing evaluations corresponding to attributes in the set of relationships, the evaluating comprising determining whether a value of a source or destination address in the first event is within the range of addresses; and
  
  detecting, by the at least one processor, based on the evaluating of the first event stream, a drift from the baseline, wherein the drift is based on a failure of at least one attribute value in the first event to match at least one attribute value of the first relationship.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 20)
- - 2. The method of claim 1, wherein the first relationship comprises a first attribute and a first evaluation corresponding to the first attribute, and detecting the drift further comprises using the first evaluation to evaluate event data from the first event that corresponds to the first attribute, and determining that the evaluated event data fails the first evaluation.
  - 3. The method of claim 2, wherein an event type for each event in the first event stream is flow, and the event data includes the value of the source or destination address in the first event.
  - 4. The method of claim 1, wherein the first relationship comprises a derived attribute, the derived attribute has a value determined using collected first data corresponding to a second attribute of the first relationship, and the collected first data is used to calculate the value of the derived attribute.
  - 5. The method of claim 4, wherein the derived attribute is an average number of packets or bytes over a predetermined time period, and the collected first data is a set of values corresponding to the second attribute, each value being a flow count.
  - 6. The method of claim 1, wherein each event in the first event stream further comprises a time attribute having a value based on a time that the respective event occurred, and the evaluating of the first event stream is performed over an evaluation period comprising a plurality of time periods.
  - 7. The method of claim 6, wherein the evaluating of the first event stream further comprises a first evaluation corresponding to the time attribute that compares the respective time value for each event to one or more temporal ranges.
  - 8. The method of claim 7, wherein the first evaluation determines whether the respective time value is within a predetermined range of time values.
  - 9. The method of claim 1,wherein determining whether the value of the source or destination address in the first event is within the range of addresses is performed subsequent to performing the evaluation to create the range of addresses.
  - 10. The method of claim 9, further comprising:
    - performing an evaluation to create a first group of assets; and
      
      performing an evaluation to determine whether a source or destination asset for an event in the first event stream is in the first group of assets.
  - 20. The method of claim 1, further comprising performing an evaluation to determine whether a source or destination asset for an event in the first event stream is in a group of assets.

11. A system, comprising:
- at least one processor; and
  
  at least one memory in communication with the at least one processor and storing instructions that, when executed by the at least one processor, cause the system to;
  
  instantiate a baseline, wherein the baseline comprises a set of assets, and a set of relationships including a first relationship;
  
  associate a first event stream with the baseline, wherein the first event stream comprises a sequence of events including a first event at a first time and a second event at a second time, and each event comprises a source or destination attribute;
  
  perform an evaluation to create a range of addresses, the addresses based on values for source or destination addresses collected from the first event stream;
  
  evaluate each event of the first event stream by performing evaluations corresponding to attributes in the set of relationships, the evaluating comprising determining whether a value of a source or destination address in the first event is within the range of addresses; and
  
  detect, based on the evaluating of the first event stream, a drift from the baseline, wherein the drift is based on a failure of at least one attribute value in the first event to match at least one attribute value of the first relationship.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The system of claim 11, wherein:
    - the first relationship comprises a first attribute, a second attribute, and a first evaluation;
      
      the first attribute is a flow count;
      
      the second attribute is an average number of packets over a time period; and
      
      the first evaluation comprises deriving the average number of packets using the flow count.
  - 13. The system of claim 11, wherein:
    - the set of assets comprises a first asset having a group attribute with a first group value, and a second asset having a group attribute with a second group value;
      
      the first relationship comprises a source attribute and a destination attribute, the source attribute having the first group value, and the destination attribute having the second group value; and
      
      the first event comprises event data including event values for a source group and a destination group, wherein the failure comprises at least one of;
      
      the event value for the source group does not match the first group value, or the event value for the destination group does not match the second group value.
  - 14. The system of claim 11, wherein an event type of the first relationship is authentication, and the first relationship includes a user attribute corresponding to a set of authorized users.
  - 15. The system of claim 14, wherein detecting the drift is based at least in part on evaluation of an event including a logon by a user that is not in the set of authorized users.
  - 16. The system of claim 11, wherein a second relationship of the set of relationships references an event stream having an event type of port scan, and the second relationship comprises a detected ports attribute with attribute values that are determined when the second relationship is instantiated.

17. A non-transitory, computer-readable medium storing instructions that, when executed, cause a computing device to:
- instantiate a baseline, wherein the baseline comprises a set of assets, and a set of relationships including a first relationship;
  
  associate a first event stream with the baseline, wherein the first event stream comprises events including a first event at a first time and a second event at a second time, and each event comprises a source or destination attribute;
  
  perform an evaluation to create a range of addresses, the addresses based on values for source or destination addresses collected from the first event stream;
  
  evaluate each event of the first event stream by performing evaluations corresponding to attributes in the set of relationships, the evaluating comprising determining whether a value of a source or destination address in the first event is within the range of addresses; and
  
  detect, based on the evaluating of the first event stream, a drift from the baseline, wherein the drift is based on a failure of at least one attribute value in the first event to match at least one attribute value of the first relationship.
- View Dependent Claims (18, 19)
- - 18. The non-transitory, computer-readable medium of claim 17, wherein each asset of the set of assets comprises an asset port attribute, the first event stream is provided from a set of vulnerability scanners, and each event of the first event stream includes data from a port scan that identifies port numbers for detected ports.
  - 19. The non-transitory, computer-readable medium of claim 17, wherein attribute values for detected port attributes of each relationship in the set of relationships are based on values for asset port attributes of the set of assets when the respective relationship is instantiated, and wherein detecting the drift is based on a failure of detected ports in the first event for a first asset of the set of assets to match detected ports for the first asset in the first relationship.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Catbird Networks, Inc.
Original Assignee
Catbird Networks, Inc.
Inventors
Rieke, Malcolm, Barry, Holland Carrere
Primary Examiner(s)
Dada, Beemnet W

Application Number

US15/667,526
Publication Number

US 20180248901A1
Time in Patent Office

1,028 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/00   Information retrieval; Data...

G06F 21/31   User authentication

G06F 21/552   involving long-term monitor...

G06F 3/0482   Interaction with lists of s...

H04L 41/06   Management of faults, event...

H04L 43/026   using flow identification

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Behavioral baselining of network systems

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

106 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Behavioral baselining of network systems

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

106 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links