Network surveillance and security system
Abstract
A system that monitors and protects the security of computer networks uses artificial intelligence, including learning algorithms, neural networks and genetic programming, to learn from security events. The invention maintains a knowledge base of security events that updates autonomously in real time. The invention encrypts communications to exchange changes in its knowledge base with separate security systems protecting other computer networks. The invention autonomously alters its security policies in response to ongoing events. The invention tracks network communication traffic from inception at a well-known port throughout the duration of the communication including monitoring of any port the communication is switched to. The invention is able to track and utilize UNIX processes for monitoring, threat detection, and threat response functions. The invention is able to subdivide the network communications into identifying tags for tracking and control of the communications without incurring lags in response times.
40 Claims
1. A network security system for a network having a plurality of computers, said system comprising at least one security program, said security program monitoring activity of a set of computers in the network, said program including an artificial intelligence component and a plurality of security rules, said security rules being alterable by the artificial intelligence component of the program in response to the monitored activity.

4. A network security system for a first computer network in communication with external computer networks having said security system, said system comprising at least a security program, said security program monitoring activity of the computer network and operating in accordance with a plurality of security rules, said security rules in the program running in the first computer network being alterable in response to information from at least one of the external computer networks running said security system, said information reflecting the monitoring of activity in said external computer network by the security system running in that external computer network.

6. A network security system for a computer network, said system comprising at least a security program, said program monitoring activity of a set of computers in the network running a plurality of processes, said program assigning to each of said processes a unique identifier, said program further using said unique identifier to track the characteristics of each of said processes in the set of computers which is monitored.

7. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
    monitoring the activities of at least a plurality of computers in the network;
    modeling information relating to new events in the monitored activities by examining previously obtained information relating to known events and thereby simulating the new events using the information relating to the known events;
    applying security measures based upon the results of said modeling.
    (Dependent claims: 8, 9, 10, 11, 12, 13)

14. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
    monitoring the activities of at least a plurality of computers in the network;
    modeling information processes of said computers using artificial intelligence learning algorithms incorporating communication theory paradigms;
    identifying security events and sequences in the monitored activities and analyzing said security events with an expert system;
    inferring motivations to the security events by modeling the events, taking into account preset system security policies and customer security policies;
    applying security measures based upon the results of said modeling;
    autonomously adapting the security measures in response to on-going security events;
    identifying previously unseen security events and sequences and adding information concerning such events and sequences to a store of known security events and sequences;
    testing previously unseen security events and sequences against a knowledge base to compare information concerning the previously unseen security events and sequences with information concerning known security events and sequences;
    refining the knowledge base as a result of the testing of the previous step, including logging the events and sequences to automatically enhance the security measures to protect against future attack.
    (Dependent claims: 15, 37)

16. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
    monitoring the activities of at least a plurality of computers in the network;
    modeling Internet and local area networks by applying artificial intelligence neural network programming to construct a plurality of knowledge bases;
    simulating logical operations involved in securing computers against security threats using artificial intelligence neural networks;
    maintaining the information security of the network against dynamic threats using artificial intelligence genetic programs and neural network sub-systems, including simulating internetworking security and creating an internetworking knowledge base based upon said simulating;
    observing Internet and internetworking security policy violations in real time;
    applying security measures based upon the observations and results of the modeling and simulations.
    (Dependent claims: 17, 18, 19)

20. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
    monitoring the activities of at least a plurality of computers in the network, including monitoring of multiple packets at TCP ports in real time;
    detecting anomalous events in the monitored activities both statistically and with pattern matching, using both firewall logs and system logs;
    identifying newly encountered attack sequences and storing information relating to said sequences in a knowledge base;
    updating firewall filters in response to newly encountered attack sequences;
    generating alerts and warnings to system administrators and site officials upon the detection of an attack sequence.
    (Dependent claims: 21)

22. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
    monitoring the activities of at least a plurality of computers in the network, including monitoring all connections to TCP and UDP ports;
    analyzing packet contents in the monitored activities statefully using information from packet headers, including stateful analysis of Ethernet packet headers, IP packet headers, and TCP packet headers;
    further including statefully analyzing session identification and protocol layer information from packet headers;
    applying security measures based upon the stateful analysis of the packet header information.

23. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
    monitoring the activities of at least a plurality of computers in the network, including monitoring of failed login attempts;
    detecting monitored activities that are contrary to preestablished administrative policies;
    monitoring network system traffic;
    administering internal and external resource authorizations for the network, including authorizations for the computers being monitored;
    applying security measures based upon the detection of monitored activities that are contrary to said preestablished administrative policies.

24. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
    monitoring the activities of at least a plurality of computers in the network, including monitoring file systems and file security to protect file ownership and directory ownership;
    detecting and locking weak accounts;
    applying security measures based upon results of the monitoring that indicate a security threat.

25. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
    monitoring the activities of at least a plurality of computers in the network;
    said network having at least some ports for connection to external computers outside the network;
    making a connection to an external computer over a first port;
    monitoring the connection over the first port;
    switching the port over which the connection to the external computer is made to a second port;
    continuing to monitor the connection over the second port throughout the existence of the connection.
    (Dependent claims: 26)
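Claims 22 and 25 together describe stateful analysis of Ethernet, IP and TCP headers, with each communication tracked under one identifier from its first well-known port through any port it is later switched to. The following is an added illustration written for this page, not code from the patent; it assumes a packet whose host pair already has a live session is the same communication moved to a second port, and the frames are constructed inline for the demonstration.

```python
import struct
SYN, ACK, FIN = 0x02, 0x10, 0x01

def build_frame(src, dst, sport, dport, flags):
    """Constructed test frame: Ethernet(14) + IPv4(20, no options) + TCP(20, no options)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def parse_frame(frame):
    """Pull the Ethernet, IP and TCP header fields a stateful analyser needs."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # honour IP options when locating the TCP header
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "flags": tcp[13]}

class SessionTracker:
    """One id per communication, kept across a switch to a second server port."""
    def __init__(self):
        self.by_pair = {}   # (client, server) -> session id  (assumption: host pair links ports)
        self.ports = {}     # session id -> server ports used, in order
        self.state = {}     # session id -> "SYN" | "ESTABLISHED" | "CLOSED"
    def observe(self, frame):
        h = parse_frame(frame)
        f = h["flags"]
        if f & SYN and not f & ACK:                       # client opens (or re-opens on a new port)
            pair = (h["src"], h["dst"])
            sid = self.by_pair.get(pair)
            if sid is None or self.state[sid] == "CLOSED":
                sid = self.by_pair[pair] = len(self.ports) + 1
                self.ports[sid] = []
            self.ports[sid].append(h["dport"])
            self.state[sid] = "SYN"
            return sid
        sid = self.by_pair.get((h["src"], h["dst"])) or self.by_pair.get((h["dst"], h["src"]))
        if sid is None:
            raise ValueError("mid-stream packet with no tracked session")  # what stateful analysis flags
        if f & SYN and f & ACK:
            self.state[sid] = "ESTABLISHED"
        elif f & FIN:
            self.state[sid] = "CLOSED"
        return sid
```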
27. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
    monitoring the activities of at least a plurality of computers in the network in real time;
    modeling the plurality of computers and the operations performed thereby in a multidimensional, dynamically evolving network status space, each dimension of said network status space representing a quality relating to the network, network users, or the computer processes.
    (Dependent claims: 28, 29, 30, 31, 32)

33. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
    monitoring the activities of at least a plurality of computers in the network;
    modeling Internet and local area networks by applying artificial intelligence neural network programming to construct a plurality of knowledge bases;
    simulating logical operations involved in securing computers against security threats using artificial intelligence neural networks;
    maintaining the information security of the network against dynamic threats using neural network sub-systems, including simulating internetworking security and creating an internetworking knowledge base based upon said simulating;
    observing Internet and internetworking security policy violations in real time;
    applying security measures based upon the observations and results of the modeling and simulations.
    (Dependent claims: 34, 35, 36)

38. An encryption method for communications between computers, said method comprising:
    storing in an initial vector a time at which data is encrypted, a sequence number, and a length of a data buffer;
    breaking the data to be encrypted into packets;
    padding the final packet with random numbers and encoded information relating to the length of the padding and the location of the last bit of data;
    encrypting the data in the packets and directing the encrypted data into a buffer having a length substantially longer than the length of the packets;
    performing a logical operation on the data in the buffer and a key to form encoded buffer contents, said key being unique to each transmission;
    generating a counter mask using the initial vector;
    performing a logical operation on the counter mask and the key to form an encoded counter mask;
    performing a logical operation on the encoded buffer contents and the encoded counter mask;
    transporting the result of the previous step over an electronic channel.
    (Dependent claims: 39, 40)
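The framing steps of claim 38 (the initial vector, packetization, random padding of the final packet with its trailer, and the IV-derived counter mask) as an added example written for this page, not the patent's own code. Assumed here: the IV layout and trailer format, SHA-256 over the IV and a block counter as the mask derivation, and XOR as the "logical operation"; the per-packet encryption step and the two key operations are left to the cipher an implementer chooses.

```python
import hashlib
import secrets
import struct
IV_FMT = "!QII"          # assumption: 64-bit encrypt time, 32-bit sequence number, 32-bit buffer length
TRAILER_FMT = "!HH"      # assumption: (padding length, data bytes in final packet) closes the packet

def build_iv(encrypt_time, seq, buf_len): return struct.pack(IV_FMT, encrypt_time, seq, buf_len)

def packetize(data, psize):
    """Split into fixed packets; the final one ends in random padding plus the trailer."""
    trailer = struct.calcsize(TRAILER_FMT)
    pkts = [data[i:i + psize] for i in range(0, len(data), psize)]
    if not pkts or len(pkts[-1]) + trailer > psize:
        pkts.append(b"")                      # no room for the trailer: add a padding-only packet
    last = pkts[-1]
    pad_len = psize - len(last) - trailer
    pkts[-1] = last + secrets.token_bytes(pad_len) + struct.pack(TRAILER_FMT, pad_len, len(last))
    return pkts

def unpacketize(pkts, psize):
    """Reverse packetize, cross-checking the two trailer fields against each other."""
    trailer = struct.calcsize(TRAILER_FMT)
    body = b"".join(pkts)
    pad_len, n_data = struct.unpack(TRAILER_FMT, body[-trailer:])
    if n_data + pad_len + trailer != psize:
        raise ValueError("padding trailer inconsistent")
    return body[:len(body) - psize + n_data]

def counter_mask(iv, length):
    """Keyless mask from the IV: SHA-256 over the IV and a running block counter (assumption)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(iv + struct.pack("!I", ctr)).digest()
        ctr += 1
    return out[:length]

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def frame_and_mask(data, seq, encrypt_time, psize=16):
    """Claim 38 framing plus the counter-mask layer; returns (iv, masked buffer)."""
    buf = b"".join(packetize(data, psize))
    iv = build_iv(encrypt_time, seq, len(buf))
    return iv, xor(buf, counter_mask(iv, len(buf)))

def unmask_and_unframe(iv, masked, psize=16):
    _, _, buf_len = struct.unpack(IV_FMT, iv)
    if buf_len != len(masked):                # the IV's length field is checked before use
        raise ValueError("buffer length in IV does not match the received data")
    buf = xor(masked, counter_mask(iv, buf_len))
    return unpacketize([buf[i:i + psize] for i in range(0, buf_len, psize)], psize)
```

If all three of the claim's logical operations are XOR, the key applied to the buffer and the key applied to the counter mask cancel in the final combination (a ^ k ^ m ^ k == a ^ m), which is why this block covers only the framing and mask layer and the per-packet encryption step must supply the confidentiality.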