Method and apparatus for facilitating detection of network intrusion

US 20030236995A1
Filed: 06/21/2002
Published: 12/25/2003
Est. Priority Date: 06/21/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method of deriving a threat metric that characterizes a threat potential for a specific session in a packet network, the method comprising:

accumulating historical data corresponding to at least some of a plurality of traffic parameters;

measuring the plurality of traffic parameters for the specific session;

producing a plurality of summary parameters characterizing the plurality of traffic parameters for the specific session;

producing, at least in part by scaling summary parameters using the historical data, a plurality of component metrics defining a point corresponding to the specific session in a multi-dimensional space containing a distribution of points corresponding to current sessions; and

determining a distance of the point from a centroid of the distribution to produce the threat metric.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System for facilitating detection of network intrusion. Through continuous accumulation of network traffic parameter information, data for a particular session is reduced to a single metric that represents the threat potential of the session as compared to normal network traffic. An analysis station accumulates and maintains the historical data and defines a point for each specific session within a distribution. The dimensions in the distribution space take into account various network traffic parameters useful in identifying an attack. The distance between a session'"'"'s point and the centroid of the distribution represents the threat metric. The analysis station can display the threat metric as a point or points on a display. The intensity of the point is an indication of the threat potential. The easy-to-read display calls anomalous traffic to the attention of an operator and facilitates discrimination among ambiguous cases.

206 Citations

70 Claims

1. A method of deriving a threat metric that characterizes a threat potential for a specific session in a packet network, the method comprising:
- accumulating historical data corresponding to at least some of a plurality of traffic parameters;
  
  measuring the plurality of traffic parameters for the specific session;
  
  producing a plurality of summary parameters characterizing the plurality of traffic parameters for the specific session;
  
  producing, at least in part by scaling summary parameters using the historical data, a plurality of component metrics defining a point corresponding to the specific session in a multi-dimensional space containing a distribution of points corresponding to current sessions; and
  
  determining a distance of the point from a centroid of the distribution to produce the threat metric.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the plurality of traffic parameters comprises time between packets and inverse time between packets, and wherein the producing of the plurality of summary parameters further comprises computing central moments of the time between packets and the inverse time between packets.
  - 3. The method of claim 1 wherein the producing of the plurality of summary parameters further comprises:
    - producing rates computed against numbers of packets; and
      
      producing nonlinear generalizations of rates.
  - 4. The method of claim 1 further comprising displaying the threat metric on a gram-metric display in connection with a network address associated with the specific session.
  - 5. The method of claim 2 further comprising displaying the threat metric on a gram-metric display in connection with a network address associated with the specific session.
  - 6. The method of claim 3 further comprising displaying the threat metric on a gram-metric display in connection with a network address associated with the specific session.
  - 7. The method of claim 4 wherein the specific session comprises a plurality of subsessions associated with the network address, and wherein the producing of the plurality of summary parameters comprises summing a kernel over all of the plurality of subsessions.
  - 8. The method of claim 5 wherein the specific session comprises a plurality of subsessions associated with the network address, and wherein the producing of the plurality of component metrics comprises summing a kernel over all of the plurality of subsessions.
  - 9. The method of claim 6 wherein the specific session comprises a plurality of subsessions associated with the network address, and wherein the producing of the plurality of component metrics comprises summing a kernel over all of the plurality of subsessions.
  - 10. The method of claim 1 wherein the plurality of traffic parameters comprises an indication of whether a packet violation exists, and the producing of the plurality of summary parameters comprises assigning a number to the packet violation.
  - 11. The method of claim 2 wherein the plurality of traffic parameters further comprises an indication of whether a packet violation exists, and the producing of the plurality of summary parameters further comprises assigning a number to the packet violation.

12. A system for deriving a threat metric that characterizes a threat potential for a specific session in a packet network, the system comprising:
- means for measuring a plurality of traffic parameters;
  
  means for accumulating historical data corresponding to at least some of the plurality of traffic parameters;
  
  means for producing a plurality of summary parameters characterizing the plurality of traffic parameters for the specific session;
  
  means for producing a plurality of component metrics defining a point corresponding to the specific session in a multi-dimensional space containing a distribution of points corresponding to current sessions; and
  
  means for determining a distance of the point from a centroid of the distribution to produce the threat metric.
- View Dependent Claims (13)
- - 13. The system of claim 12 further comprising means for displaying the threat metric on a gram-metric display in connection with a network address associated with the specific session.

14. A method of establishing and displaying a threat potential for each of a plurality of current sessions in a packet network, the method comprising:
- accumulating historical data corresponding to at least some of a plurality of traffic parameters;
  
  receiving, for each specific session of the plurality of current sessions, a plurality of summary parameters characterizing the plurality of traffic parameters for the specific session;
  
  producing, at least in part by scaling summary parameters using the historical data, a plurality of component metrics defining a point for each specific session in a multi-dimensional space containing a distribution of points corresponding to the current sessions;
  
  determining, for each specific session, a distance of the point for the specific session from a centroid of the distribution; and
  
  displaying an indication of the distance for each specific session in connection with a network address associated with the specific session specific session as an indication of the threat potential.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The method of claim 14 wherein the plurality of component metrics comprises at least seven component metrics.
  - 16. The method of claim 14 wherein at least one of the plurality of current sessions is a one-to-many session comprising a plurality of subsessions associated with the network address.
  - 17. The method of claim 15 wherein at least one of the plurality of current sessions is a one-to-many session comprising a plurality of subsessions associated with the network address.
  - 18. The method of claim 14 further comprising highlighting the indication if and when the distance for the specific session exceeds a pre-determined threshold.
  - 19. The method of claim 15 further comprising highlighting the indication if and when the distance for the specific session exceeds a pre-determined threshold.
  - 20. The method of claim 16 further comprising highlighting the indication if and when the distance for the specific session exceeds a pre-determined threshold.
  - 21. The method of claim 14 further comprising highlighting the indication if and when the distance for the specific session is at least as great as a pre-determined threshold.
  - 22. The method of claim 15 further comprising highlighting the indication if and when the distance for the specific session is at least as great as a pre-determined threshold.
  - 23. The method of claim 16 further comprising highlighting the indication if and when the distance for the specific session is at least as great as a pre-determined threshold.

24. A computer program product including a computer program for enabling the display of a threat potential for each of a plurality of current sessions in a packet network, the computer program comprising:
- instructions for accumulating historical data corresponding to at least some of a plurality of traffic parameters;
  
  instructions for receiving, for each specific session of the plurality of current sessions, a plurality of summary parameters characterizing the plurality of traffic parameters for the specific session;
  
  instructions for producing, at least in part by scaling summary parameters using the historical data, a plurality of component metrics defining a point for each specific session in a multi-dimensional space containing a distribution of points corresponding to the current sessions;
  
  instructions for determining, for each specific session, a distance of the point for the specific session from a centroid of the distribution; and
  
  instructions for displaying an indication of the distance for each specific session in connection with a network address associated with the specific session specific session as an indication of the threat potential.
- View Dependent Claims (25, 26, 27, 28, 29)
- - 25. The computer program product of claim 24 wherein the plurality of component metrics comprises at least seven component metrics.
  - 26. The computer program product of claim 24 further comprising instructions for highlighting the indication if and when the distance for the specific session exceeds a pre-determined threshold.
  - 27. The computer program product of claim 25 further comprising instructions for highlighting the indication if and when the distance for the specific session exceeds a pre-determined threshold.
  - 28. The computer program product of claim 24 further comprising instructions for highlighting the indication if and when the distance for the specific session is at least as great as a pre-determined threshold.
  - 29. The computer program product of claim 25 further comprising instructions for highlighting the indication if and when the distance for the specific session is at least as great as a pre-determined threshold.

30. An instruction execution system operable as an analysis station for displaying of a threat potential for each of a plurality of current sessions in a packet network, the instruction execution system comprising:
- a network interface operable to receive, for each specific session of the plurality of current sessions, a plurality of summary parameters characterizing a plurality of traffic parameters for the specific session;
  
  a processing system operatively connected to the network interface, the processing system operable to accumulate historical data corresponding to at least some of the plurality of traffic parameters, and to produce, at least in part by scaling summary parameters, a plurality of component metrics defining a point for each specific session in a multi-dimensional space containing a distribution of points corresponding to the current sessions, and to determine a distance of the point for the specific session from a centroid of the distribution; and
  
  a display operably connected to the processing system, the display further being operable under the control of the processing system to display an indication of the distance for each specific session in connection with a network address associated with the specific session as an indication of the threat potential.
- View Dependent Claims (31, 32, 33, 34, 35)
- - 31. The system of claim 30 wherein the plurality of component metrics comprises at least seven component metrics.
  - 32. The system of claim 30 wherein the display is further operable to highlight the indication if and when the distance for the specific session exceeds a predetermined threshold.
  - 33. The system of claim 31 wherein the display is further operable to highlight the indication if and when the distance for the specific, session exceeds a predetermined threshold.
  - 34. The system of claim 30 wherein the display is further operable to highlight the indication if and when the distance for the specific session is at least as great as a pre-determined threshold.
  - 35. The system of claim 31 wherein the display is further operable to highlight the indication if and when the distance for the specific session is at least as great as a pre-determined threshold.

36. A method of monitoring traffic in a packet network to facilitate the characterization of a threat potential for each of a plurality of current sessions, the method comprising:
- measuring a plurality of traffic parameters for each specific session in the plurality of current sessions;
  
  producing a plurality of summary parameters characterizing the plurality of traffic parameters, the plurality of summary parameters being calculated to enable the determination of component metrics defining a point for each specific session in a multi-dimensional space containing a distribution of points corresponding to the current sessions, wherein a distance for the point from a centroid of the distribution characterizes the threat potential; and
  
  sending the plurality of summary parameters to an analysis station over the packet network.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43)
- - 37. The method of claim 36 wherein the plurality of traffic parameters comprises time between packets and inverse time between packets, and wherein the producing of the plurality of summary parameters further comprises computing central moments of the time between packets and the inverse time between packets.
  - 38. The method of claim 36 wherein the plurality of traffic parameters comprises an indication of whether a packet violation exists, and the producing of the plurality of summary parameters comprises assigning a number to the packet violation.
  - 39. The method of claim 37 wherein the plurality of traffic parameters comprises an indication of whether a packet violation exists, and the producing of the plurality of summary parameters comprises assigning a number to the packet violation.
  - 40. The method of claim 36 wherein the producing of the plurality of summary parameters further comprises producing rates computed against numbers of packets.
  - 41. The method of claim 37 wherein the producing of the plurality of summary parameters further comprises producing rates computed against numbers of packets.
  - 42. The method of claim 36 wherein the producing of the plurality of summary parameters further comprises producing nonlinear generalizations of rates.
  - 43. The method of claim 37 wherein the producing of the plurality of summary parameters further comprises producing nonlinear generalizations of rates.

44. An instruction execution system operable as a monitoring agent for facilitating the characterization of a threat potential for each of a plurality of current sessions in a packet network, the instruction execution system comprising:
- a first network interface operable to capture packets associated with the plurality of current sessions;
  
  a processing system operatively connected to the first network interface, the processing system operable to control the instruction execution system to measure, based on captured packets, a plurality of traffic parameters for each specific session in the plurality of current sessions and to produce a plurality of summary parameters characterizing the plurality of traffic parameters, the plurality of summary parameters being calculated to enable the determination of component metrics defining a point for each specific session in a multi-dimensional space containing a distribution of points corresponding to the current sessions, wherein a distance for the point from a centroid of the distribution characterizes the threat potential; and
  
  a second network interface operatively connected to the processing system operable to forward the plurality of summary parameters to an analysis station.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51)
- - 45. The system of claim 44 wherein the plurality of traffic parameters comprises time between packets and inverse time between packets, and wherein the producing of the plurality of summary parameters further comprises computing central moments of the time between packets and the inverse time between packets.
  - 46. The system of claim 44 wherein the plurality of traffic parameters comprises an indication of whether a packet violation exists, and the producing of the plurality of summary parameters comprises assigning a number to the packet violation.
  - 47. The system of claim 45 wherein the plurality of traffic parameters comprises an indication of whether a packet violation exists, and the producing of the plurality of summary parameters comprises assigning a number to the packet violation.
  - 48. The system of claim 44 wherein the producing of the plurality of summary parameters further comprises producing rates computed against numbers of packets.
  - 49. The system of claim 45 wherein the producing of the plurality of summary parameters further comprises producing rates computed against numbers of packets.
  - 50. The system of claim 44 wherein the producing of the plurality of summary parameters further comprises producing nonlinear generalizations of rates.
  - 51. The system of claim 45 wherein the producing of the plurality of summary parameters further comprises producing nonlinear generalizations of rates.

52. A computer program product including a monitoring agent program for monitoring traffic in a packet network to facilitate the characterization of a threat potential for each of a plurality of current sessions, the monitoring agent program comprising:
- instructions for measuring a plurality of traffic parameters for each specific session in the plurality of current sessions;
  
  instructions for producing a plurality of summary parameters characterizing the plurality of traffic parameters, the plurality of summary parameters being calculated to enable the determination of component metrics defining a point for each specific session in a multi-dimensional space containing a distribution of points corresponding to the current sessions; and
  
  instructions for sending the plurality of summary parameters to an analysis station over the packet network.
- View Dependent Claims (53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70)
- - 53. The computer program product of claim 52, further including an analysis station program for enabling the determination and display of the threat potential for each of the plurality of current sessions in a packet network, the analysis station program comprising:
    - instructions for accumulating historical data;
      
      instructions for receiving the plurality of summary parameters;
      
      instructions for producing the component metrics, at least in part by scaling summary parameters using the historical data;
      
      instructions for determining, for each specific session, a distance of the point for the specific session from a centroid of the distribution; and
      
      instructions for displaying an indication of the distance for each specific session in connection with a network address associated with the specific session as an indication of the threat potential.
  - 54. The computer program product of claim 52 wherein the plurality of traffic parameters comprises time between packets and inverse time between packets, and wherein the instructions for producing of the plurality of summary parameters further comprise instructions for computing central moments of the time between packets and the inverse time between packets.
  - 55. The computer program product of claim 53 wherein the plurality of traffic parameters comprises time between packets and inverse time between packets, and wherein the instructions for producing of the plurality of summary parameters further comprise instructions for computing central moments of the time between packets and the inverse time between packets.
  - 56. The computer program product of claim 52 wherein the plurality of traffic parameters comprises an indication of whether a packet violation exists, and the instructions for producing of the plurality of component metrics further comprise instructions for assigning a number to the packet violation.
  - 57. The computer program product of claim 53 wherein the plurality of traffic parameters comprises an indication of whether a packet violation exists, and the instructions for producing of the plurality of component metrics further comprise instructions for assigning a number to the packet violation.
  - 58. The computer program product of claim 52 wherein the instructions for producing of the plurality of component metrics further comprise instructions for producing rates computed against numbers of packets.
  - 59. The computer program product of claim 52 wherein the instructions for producing of the plurality of component metrics further comprise instructions for producing nonlinear generalizations of rates.
  - 60. The computer program product of claim 53 wherein the instructions for producing of the plurality of component metrics further comprise instructions for producing rates computed against numbers of packets.
  - 61. The computer program product of claim 53 wherein the instructions for producing of the plurality of component metrics further comprise instructions for producing nonlinear generalizations of rates.
  - 62. The computer program product of claim 53 wherein the instructions for producing the plurality of component metrics further comprise instructions for producing the plurality of component metrics for any of the plurality of current sessions which is a supersession comprising a plurality of subsessions associated with a network address.
  - 63. The computer program product of claim 55 wherein the instructions for producing the plurality of component metrics further comprise instructions for producing the plurality of component metrics for any of the plurality of current sessions which is a supersession comprising a plurality of subsessions associated with a network address.
  - 64. The computer program product of claim 57 wherein the instructions for producing the plurality of component metrics further comprise instructions for producing the plurality of component metrics for any of the plurality of current sessions which is a supersession comprising a plurality of subsessions associated with a network address.
  - 65. The computer program product of claim 60 wherein the instructions for producing the plurality of component metrics further comprise instructions for producing the plurality of component metrics for any of the plurality of current sessions which is a supersession comprising a plurality of subsessions associated with a network address.
  - 66. The computer program product of claim 61 wherein the instructions for producing the plurality of component metrics further comprise instructions for producing the plurality of component metrics for any of the plurality of current sessions which is a supersession comprising a plurality of subsessions associated with a network address.
  - 67. The computer program product of claim 52 wherein the plurality of traffic parameters comprises an indication of whether a packet violation exists, and the instructions for producing of the plurality of component metrics further comprise instructions for assigning a number to the packet violation.
  - 68. The computer program product of claim 53 wherein the plurality of traffic parameters comprises an indication of whether a packet violation exists, and the instructions for producing of the plurality of component metrics further comprise instructions for assigning a number to the packet violation.
  - 69. The computer program product of claim 53 wherein the component metrics comprise at least seven component metrics.
  - 70. The computer program product of claim 69 wherein the instructions for producing the plurality of component metrics further comprise instructions for producing the plurality of component metrics for any of the plurality of current sessions which is a supersession comprising a plurality of subsessions associated with a network address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
General Dynamics Advanced Information Systems Incorporated (General Dynamics Corporation)
Original Assignee
General Dynamics Advanced Information Systems Incorporated (General Dynamics Corporation)
Inventors
Fretwell, Lyman Jefferson Jr.

Application Number

US10/177,078
Publication Number

US 20030236995A1
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/14   Session management for real...

Method and apparatus for facilitating detection of network intrusion

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

206 Citations

70 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for facilitating detection of network intrusion

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

206 Citations

70 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links