Network surveillance and security system

US 20030051026A1
Filed: 01/19/2001
Published: 03/13/2003
Est. Priority Date: 01/19/2001
Status: Abandoned Application

First Claim

Patent Images

1. A network security system for a network having a plurality of computers, said system comprising at least one security program, said security program monitoring activity of a set of computers in the network, said program including an artificial intelligence component and a plurality of security rules, said security rules being alterable by the artificial intelligence component of the program in response to the monitored activity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system that monitors and protects the security of computer networks uses artificial intelligence, including learning algorithms, neural networks and genetic programming, to learn from security events. The invention maintains a knowledge base of security events that updates autonomously in real time. The invention encrypts communications to exchange changes in its knowledge base with separate security systems protecting other computer networks. The invention autonomously alters its security policies in response to ongoing events. The invention tracks network communication traffic from inception at a well-known port throughout the duration of the communication including monitoring of any port the communication is switched to. The invention is able to track and utilize UNIX processes for monitoring, threat detection, and threat response functions. The invention is able to subdivide the network communications into identifying tags for tracking and control of the communications without incurring lags in response times.

1002 Citations

40 Claims

1. A network security system for a network having a plurality of computers, said system comprising at least one security program, said security program monitoring activity of a set of computers in the network, said program including an artificial intelligence component and a plurality of security rules, said security rules being alterable by the artificial intelligence component of the program in response to the monitored activity.
- View Dependent Claims (2, 3)
- - 2. The network security system as set forth in claim 1 wherein the set of computers whose activity is monitored constitutes less than all the computers in the network.
  - 3. The network security system as set forth in claim 1 wherein the network is in communication with an external computer network through one or more ports, the set of computers being monitored including at least some computers not connected directly to the ports in communication with the external network.

4. A network security system for a first computer network in communication with external computer networks having said security system, said system comprising at least a security program, said security program monitoring activity of the computer network and operating in accordance with a plurality of security rules, said security rules in the program running in the first computer network being alterable in response to information from at least one of the external computer networks running said security system, said information reflecting the monitoring of activity in said external computer network by the security system running in that external computer network.
- View Dependent Claims (5)
- - 5. The network security system as set forth in claim 4 further including an encrypted communication channel between said first computer network and said external computer network over which the security rule alteration information is communicated.

6. A network security system for a computer network, said system comprising at least a security program, said program monitoring activity of a set of computers in the network running a plurality of processes, said program assigning to each of said processes a unique identifier, said program further using said unique identifier to track the characteristics of each of said processes in the set of computers which is monitored.

7. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
- monitoring the activities of at least a plurality of computers in the network;
  
  modeling information relating to new events in the monitored activities by examining previously obtained information relating to known events and thereby simulating the new events using the information relating to the known events;
  
  applying security measures based upon the results of said modeling.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method as set forth in claim 7 further including modeling information processes of said computers using artificial intelligence learning algorithms incorporating communication theory paradigms.
  - 9. The method as set forth in claim 7 wherein the security measures include the execution of UNIX utilities, further including using artificial intelligence genetic evolution and co-evolution for modeling separate generations of said UNIX utilities, and applying those utilities of the separate generations that are the most successful at protecting security in the modeling.
  - 10. The method as set forth in claim 9 wherein the most successful utilities are identified by their ability to accomplish pre-specified results, based upon prior observations of network events.
  - 11. The method as set forth in claim 7 wherein the security measures are continuously updated using artificial intelligence programs in response to on-going events.
  - 12. The method as set forth in claim 7 wherein the modeled information processes are UNIX processes, said process modeling step including the use of genetic programming and genetic machine learning programs.
  - 13. The method as set forth in claim 7 wherein the process modeling step includes self-initiated and self-controlled genetic programming.

14. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
- monitoring the activities of at least a plurality of computers in the network;
  
  modeling information processes of said computers using artificial intelligence learning algorithms incorporating communication theory paradigms;
  
  identifying security events and sequences in the monitored activities and analyzing said security events with an expert system;
  
  inferring motivations to the security events by modeling the events, taking into account preset system security policies and customer security policies;
  
  applying security measures based upon the results of said modeling;
  
  autonomously adapting the security measures in response to on-going security events;
  
  identifying previously unseen security events and sequences and adding information concerning such events and sequences to a store of known security events and sequences;
  
  testing previously unseen security events and sequences against a knowledge base to compare information concerning the previously unseen security events and sequences with information concerning known security events and sequences;
  
  refining the knowledge base as a result of the testing of the previous step, including logging the events and sequences to automatically enhance the security measures to protect against future attack.
- View Dependent Claims (15, 37)
- - 15. The method as set forth in claim 14 further including scheduling processes in accordance with an adaptation of the Digital UNIX real-time process scheduling scheme.
  - 37. The method as set forth in claim 14 wherein the security policies are autonomously altered during run-time based upon preset security goals.

16. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
- monitoring the activities of at least a plurality of computers in the network;
  
  modeling Internet and local area networks by applying artificial intelligence neural network programming to construct a plurality of knowledge bases;
  
  simulating logical operations involved in securing computers against security threats using artificial intelligence neural networks;
  
  maintaining the information security of the network against dynamic threats using artificial intelligence genetic programs and neural network sub-systems, including simulating internetworking security and creating an internetworking knowledge base based upon said simulating;
  
  observing Internet and internetworking security policy violations in real time;
  
  applying security measures based upon the observations and results of the modeling and simulations.
- View Dependent Claims (17, 18, 19)
- - 17. The method as set forth in claim 16 wherein the modeling includes constructing symbolic representations of UNIX utilities designed to protect computer systems against security threats.
  - 18. The method as set forth in claim 16 further including using neural networks comprised of simulated neurons to obtain, in real time, knowledge relating to dynamic security threats.
  - 19. The method as set forth in claim 18 further including characterizing computer security threats by establishing states representing current system security, said neural network predicting future system security states based upon past system security states.

20. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
- monitoring the activities of at least a plurality of computers in the network, including monitoring of multiple packets at TCP ports in real time;
  
  detecting anomalous events in the monitored activities both statistically and with pattern matching, using both firewall logs and system logs;
  
  identifying newly encountered attack sequences and storing information relating to said sequences in a knowledge base;
  
  updating firewall filters in response to newly encountered attack sequences;
  
  generating alerts and warnings to system administrators and site officials upon the detection of an attack sequence.
- View Dependent Claims (21)
- - 21. The method as set forth in claim 20 further including communicating information relating to newly encountered attack sequences to other computer networks.

22. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
- monitoring the activities of at least a plurality of computers in the network, including monitoring all connections to TCP and UDP ports;
  
  analyzing packet contents in the monitored activities statefully using information from packet headers, including stateful analysis of Ethernet packet headers, IP packet headers, and TCP packet headers;
  
  further including statefully analyzing session identification and protocol layer information from packet headers;
  
  applying security measures based upon the stateful analysis of the packet header information.

23. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
- monitoring the activities of at least a plurality of computers in the network, including monitoring of failed login attempts;
  
  detecting monitored activities that are contrary to preestablished administrative policies;
  
  monitoring network system traffic;
  
  administering internal and external resource authorizations for the network, including authorizations for the computers being monitored;
  
  applying security measures based upon the detection of monitored activities that are contrary to said preestablished administrative policies.

24. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
- monitoring the activities of at least a plurality of computers in the network, including monitoring file systems and file security to protect file ownership and directory ownership;
  
  detecting and locking weak accounts;
  
  applying security measures based upon results of the monitoring that indicate a security threat.

25. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
- monitoring the activities of at least a plurality of computers in the network;
  
  said network having at least some ports for connection to external computers outside the network;
  
  making a connection to an external computer over a first port;
  
  monitoring the connection over the first port;
  
  switching the port over which the connection to the external computer is made to a second port;
  
  continuing to monitor the connection over the second port throughout the existence of the connection.
- View Dependent Claims (26)
- - 26. The method as set forth in claim 25 wherein the first port is a user defined port (UDP).

27. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
- monitoring the activities of at least a plurality of computers in the network in real time;
  
  modeling the plurality of computers and the operations performed thereby in a multidimensional, dynamically evolving network status space, each dimension of said network status space representing a quality relating to the network, network users, or the computer processes.
- View Dependent Claims (28, 29, 30, 31, 32)
- - 28. The method as set forth in claim 27 wherein the coordinates of a point in network status space represent the state of the network and its operations.
  - 29. The method as set forth in claim 27 wherein the network status space is divided into areas of acceptable security, areas of unacceptable security, and areas of uncertain security.
  - 30. The method as set forth in claim 29 further including the step of determining a path from an unacceptable security area in network status space to an acceptable security area, and effecting a move of the network from an unacceptable security area to an acceptable security area in network status space.
  - 31. The method as set forth in claim 27 wherein the position of the network in network status space is tracked and monitored throughout the duration of external communications with the network.
  - 32. The method as set forth in claim 27 wherein the modeling step includes forming a matrix-representation of the computers and the operations performed thereby.

33. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising:
- monitoring the activities of at least a plurality of computers in the network;
  
  modeling Internet and local area networks by applying artificial intelligence neural network programming to construct a plurality of knowledge bases;
  
  simulating logical operations involved in securing computers against security threats using artificial intelligence neural networks;
  
  maintaining the information security of the network against dynamic threats using neural network sub-systems, including simulating internetworking security and creating an internetworking knowledge base based upon said simulating;
  
  observing Internet and internetworking security policy violations in real time;
  
  applying security measures based upon the observations and results of the modeling and simulations.
- View Dependent Claims (34, 35, 36)
- - 34. The method as set forth in claim 33 wherein the modeling includes constructing symbolic representations of UNIX utilities designed to protect computer systems against security threats.
  - 35. The method as set forth in claim 33 further including using neural networks comprised of simulated neurons to obtain, in real time, knowledge relating to dynamic security threats.
  - 36. The method as set forth in claim 35 further including characterizing computer security threats by establishing states representing current system security, said neural network predicting future system security states based upon past system security states.

38. An encryption method for communications between computers, said method comprising:
- storing in an initial vector a time at which data is encrypted, a sequence number, and a length of a data buffer;
  
  breaking the data to be encrypted into packets;
  
  padding the final packet with random numbers and encoded information relating to the length of the padding and the location of the last bit of data;
  
  encrypting the data in the packets and directing the encrypted data into a buffer having a length substantially longer than the length of the packets;
  
  performing a logical operation on the data in the buffer and a key to form encoded buffer contents, said key being unique to each transmission;
  
  generating a counter mask using the initial vector;
  
  performing a logical operation on the counter mask and the key to form an encoded counter mask;
  
  performing a logical operation on the encoded buffer contents and the encoded counter mask;
  
  transporting the result of the previous step over an electronic channel.
- View Dependent Claims (39, 40)
- - 39. The method as set forth in claim 38 wherein the initial vector is padded to create a vector of a predetermined length.
  - 40. The method as set forth in claim 38 wherein the key is randomly generated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Institute For Information Sciences
Original Assignee
Institute For Information Sciences
Inventors
Zolotov, Vasily, Carter, Ernst B.

Application Number

US09/766,560
Publication Number

US 20030051026A1
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 2209/04   Masking or blinding

H04L 2209/20   Manipulating the length of ...

H04L 41/00   Arrangements for maintenanc...

H04L 41/0816   the condition being an adap...

H04L 41/16   using machine learning or a...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

H04L 9/065   Encryption by serially and ...

Network surveillance and security system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

1002 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Network surveillance and security system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1002 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links