Relating to the monitoring of network security

US 10,681,059 B2
Filed: 05/25/2016
Issued: 06/09/2020
Est. Priority Date: 05/25/2016
Status: Active Grant

First Claim

Patent Images

1. A method of monitoring a network and its nodes for security threats, the method comprising:

monitoring the activity of a plurality of network nodes by measuring parameters and/or actions associated with each network node;

calculating a plurality of node scores for each of the network nodes based upon the measured parameters and/or actions;

comparing the calculated one or more node scores against a reference activity, the reference activity including both ofa peer node score indicative of the monitored activity of a peer node having a similar type as the respective network node, anda network node score indicative of the monitored activity of a network node having a historically similar activity profile as the respective network node;

calculating a node suspicion score representing the likelihood of suspicious activity for the one or more network nodes based upon the comparison, wherein the node suspicion score for a particular network node includes a weighted sum ofa) a peer anomaly score representing a difference between a cumulative peer node score for an individual network node over time and a mean of cumulative peer node scores for all of the network nodes, the difference then divided by a standard deviation of the cumulative peer node scores for all of the network nodes, andb) a discord anomaly score representing a difference between an average of the network node scores for the individual network node over time and a mean of the average network node scores for all of the network nodes, the difference then divided by a standard deviation of the average network node scores for all of the network nodes; and

applying a Grubbs test to determine whether the node suspicion score is a statistical outlier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a target centric monitoring of a network enabling a likelihood score for the existence of an attack to be calculated. The score is calculated by monitoring a plurality of network nodes for a range of symptoms. Detected symptoms are then profiled using a classical Bayesian-based framework such that a node score is calculated for every node. The node scores are compared against reference activity so as to identify deviations from reference activity. The reference activity may comprise peer analysis comparing the node scores against the nodes scores or per nodes and discord analysis comparing the node score of a particular node against historical behaviour. Based on the deviations, the method can enable the calculation of a likelihood of suspicious activity for each node.

Citations

12 Claims

1. A method of monitoring a network and its nodes for security threats, the method comprising:
- monitoring the activity of a plurality of network nodes by measuring parameters and/or actions associated with each network node;
  
  calculating a plurality of node scores for each of the network nodes based upon the measured parameters and/or actions;
  
  comparing the calculated one or more node scores against a reference activity, the reference activity including both ofa peer node score indicative of the monitored activity of a peer node having a similar type as the respective network node, anda network node score indicative of the monitored activity of a network node having a historically similar activity profile as the respective network node;
  
  calculating a node suspicion score representing the likelihood of suspicious activity for the one or more network nodes based upon the comparison, wherein the node suspicion score for a particular network node includes a weighted sum ofa) a peer anomaly score representing a difference between a cumulative peer node score for an individual network node over time and a mean of cumulative peer node scores for all of the network nodes, the difference then divided by a standard deviation of the cumulative peer node scores for all of the network nodes, andb) a discord anomaly score representing a difference between an average of the network node scores for the individual network node over time and a mean of the average network node scores for all of the network nodes, the difference then divided by a standard deviation of the average network node scores for all of the network nodes; and
  
  applying a Grubbs test to determine whether the node suspicion score is a statistical outlier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the one or more network nodes include a hardware or software interface within the network at which data is generated, collected, or observed, or any network point having an address.
  - 3. The method of claim 1, wherein monitoring the activity of one or more network nodes includes determining if an event is relevant.
  - 4. The method of claim 1, wherein calculating one or more node scores for each of the one or more network nodes is based upon the monitored activity observed within a monitoring time window.
  - 5. The method of claim 4, wherein calculating one or more node scores includes calculating a weighted sum of attack symptoms observed within the monitoring time window.
  - 6. The method of claim 1, wherein the reference activity includes an activity profile of peer nodes.
  - 7. The method of claim 1, wherein the reference activity includes a mean of peer group node scores.
  - 8. The method of claim 1, wherein the reference activity is calculated from historical activity of the monitored network node during a historical time window by developing a historical model of the node scores during the historical time window.
  - 9. The method of claim 8, wherein the historical model is based upon an autoregressive integrated moving average (ARIMA) model.
  - 10. The method of claim 9, wherein generating the discord anomaly score includes determining whether the node score at a particular time falls within a 95% confidence interval (CI) of the historical model;
    - and in the event that the node score at the particular time does not fall within the CI, calculating the absolute deviation of the node score from the CI.
  - 11. The method of claim 10, wherein the discord anomaly score is calculated from the average of the absolute deviation of the node score from the CI.
  - 12. The method of claim 1, wherein the node suspicion score is tested to determine whether or not the node suspicion score indicates that an attack on one or more of the network nodes is underway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CyberOwl Limited
Original Assignee
CyberOwl Limited
Inventors
Shaikh, Siraj Ahmed, Kalutarage, Harsha Kumara
Primary Examiner(s)
Moorthy, Aravind K

Application Number

US15/164,035
Publication Number

US 20170346834A1
Time in Patent Office

1,476 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

Relating to the monitoring of network security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Relating to the monitoring of network security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links