Multiparameter network fault detection system using probabilistic and aggregation analysis

US 20040193943A1
Filed: 02/12/2004
Published: 09/30/2004
Est. Priority Date: 02/13/2003
Status: Abandoned Application

First Claim

Patent Images

1. A network monitoring system, comprising:

a rules server, running a plurality of separate rules which monitor aspects of a network, including at least a first rule that monitors operations of the network to produce a first alarm representing a first specified probability of attack on the network, based on a first network condition other than content of packets of information being processed by the network, and a second rule that detects content of network packets being processed by the network, to produce a second alarm representing a second specified probability of attack on the network, based on suspicious content in said network packets, and a third rule that correlates results of said first and second rules, to produce information indicative of a correlated probability of attack on the network that represents a higher probability than a probability represented by either said first alarm or said second alarm.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network intrusion detection system using both probabilistic analysis and aggregation analysis. The system is run within a network system, and includes a first set of firewall rules, a second set of intrusion detection rules, and a third set of authentication rules which authenticates the user, the VPN, and host intrusion. A special correlation rule set correlates among the other rules in order to determine information from patterns. The rules look at probabilistic information and also look at patterns within the data, attempting to find where intrusions may exist prior to their actual occurance.

Citations

44 Claims

1. A network monitoring system, comprising:
- a rules server, running a plurality of separate rules which monitor aspects of a network, including at least a first rule that monitors operations of the network to produce a first alarm representing a first specified probability of attack on the network, based on a first network condition other than content of packets of information being processed by the network, and a second rule that detects content of network packets being processed by the network, to produce a second alarm representing a second specified probability of attack on the network, based on suspicious content in said network packets, and a third rule that correlates results of said first and second rules, to produce information indicative of a correlated probability of attack on the network that represents a higher probability than a probability represented by either said first alarm or said second alarm.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A system as in claim 1, wherein said first rule comprises monitoring a condition of a firewall within the network.
  - 3. A system as in claim 2, wherein said first rule includes a rule that monitors a way in which the firewall is being administered.
  - 4. A system as in claim 1, wherein said second rule comprises detecting trends within said network packet content.
  - 5. A system as in claim 4, wherein said second rule comprises monitoring requests from specified network addresses, identifying requests which include attempted network intrusions, and maintaining an attack probability for a first specified network address by increasing said attack probability based on identifying said requests from said first specified network address which include an attempted network intrusion.
  - 6. A system as in claim 5, further comprising decreasing said attack probability after a specified amount of time of not receiving a request which includes an attempted network intrusion from said first specified network address.
  - 7. A system as in claim 3, wherein said first rule includes a rule which defines a length of time since specified servicing of the firewall.
  - 8. A system as in claim 4, wherein said detecting trends comprises detecting a trend in increase or decrease of a number of rejected network packets.
  - 9. A system as in claim 1, wherein said second rule comprises determinining information indicative of a slope of a curve which plots amounts of suspicious content against time, and determines a probability of attack based on said slope of said curve.
  - 10. A system as in claim 9, further comprising producing an alarm of a specified criticality for a linear slope, and producing a second alarm of a higher criticality for a slope which is greater than linear.
  - 11. A system as in claim 1, wherein said second rule provides weighting for specified events.
  - 12. A system as in claim 11, wherein said second rule provides a higher weighting for an event which happens less often.
  - 13. A system as in claim 1, wherein said second rule monitors a trend of data, and detects a change in the trend to signal an alarm.
  - 14. A system as in claim 13, wherein said second rule monitors an average density of network packets, and said trend comprises a reduction in data density within the network packets.
  - 15. A system as in claim 13, wherein said second rule monitors sources from failed networks attacks and maintains a probability of attack from said sources.
  - 16. A system as in claim 1, wherein said third rule monitors multiple clients detecting similar parameters, and detects whether each of the multiple clients have each detected a similar change in said similar parameters, and increases a criticality of an alarm based on detecting that each of the multiple clients have each detected the similar change.

17. A system, comprising:
- a network monitoring system which monitors network traffic; and
  
  a rules server including a first set of rules detecting alarms based on a network firewall, a second set of rules detecting alarms based on network intrusion detection events, and a third set of rules detecting alarms based on authentication events, each detection of each alarm having a criticality, and a fourth set of rules correlating at least one of said rules with another of said rules to produce an alarm that has a higher criticality than that produced by either of said one rule or said another rule individually.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 18. A system as in claim 17, wherein at least one of said sets of rules includes a probabilistic based rule that detects a probability of network attack based on an event that is not actually a successful network attack.
  - 19. A system as in claim 18, wherein said probability of network attack is detected from an unsuccessful network attack.
  - 20. A system as in claim 18, further comprising maintaining a probability count for a specified network address by increasing a count for the network address when conditions indicative of an attack are detected, and decreasing the count for the network address when no conditions indicative of attack are detected for a specified time.
  - 21. A system as in claim 18, wherein said probability of attack is determined by monitoring a trend of network events.
  - 22. A system as in claim 17, wherein said third set of rules includes a host-based intrusion system rule set, and wherein said fourth set of rules includes a rule that correlates an alarm generated by said host-based intrusion set with a corresponding alarm based on said network intrusion detection rules and increases a criticality of an alarm produced when both said alarm is generated by said host-based intrusion set and said corresponding alarm is produced based on said network intrusion detection rules, compared to an alarm that would be produced for either of said host-based intrusion set or said corresponding alarm, individually.
  - 23. A system as in claim 17, wherein said third set of rules includes rules detecting a virtual private network intrusion.
  - 24. A system as in claim 23, wherein said third set of rules establishes an alarm based on virtual private network key exchanges of more than a specified amount.
  - 25. A system as in claim 17, wherein said first set of rules monitors characteristics of a firewall firewall monitoring system.
  - 26. A system as in claim 17, wherein said first set of rules monitors a trend of otherwise acceptable events, and establishes an alarm based on the trend being greater than a specified amount.

27. A system comprising:
- a network monitoring system that monitors network traffic; and
  
  a rules server, including a set of firewall rules, a set of network intrusion detection rules, and a set of authentication rules, and a set of correlating rules which correlates at least one of said rules with another of said rules, at least one of said correlating rules detecting first and second alarms from violations of rules, said first and second alarms each having a specified criticality, and using the correlating to increase a criticality of an alarm from violating the combination of rules as compared with violating either of the rules individually.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34)
- - 28. A system as in claim 27, wherein said at least one rule comprises a rule looking for similar suspicious activity on multiple devices from the same network address.
  - 29. A system as in claim 27, wherein said at least one rule monitors a trend in specified activity.
  - 30. A system as in claim 27, wherein said at least one rule monitors for unusual numbers of packets of a specified protocol.
  - 31. A system as in claim 27, wherein said at least one rule monitors for trends in numbers of denied packets per unit time.
  - 32. A system as in claim 27, wherein at least one of said rules monitors based on precompiled information about an architecture of a network.
  - 33. A system as in claim 28, wherein said correlating rules correlates a suspected attack against a network based intrusions system, with a similar suspected attack against a host-based intrusions system.
  - 34. A system as in claim 27, wherein said correlating rules correlating scans of a network from a first network address at a first time with later packets being sent from said first network address at a later time.

35. A method of monitoring a network, comprising:
- running a first rule that monitors operations of a first part of the network to produce a first alarm based on a first network condition, said first alarm having a first criticality;
  
  running a second rule that detects operations of a second part of the network, to produce a second alarm based on suspicious content in said second part of said network, said second alarm having a second criticality; and
  
  running a third rule that correlates the first and second alarms produced by said first and second rules, to produce correlation alarm information that represents a higher criticality than a criticality of either said first alarm or said second alarm.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 36. A method as in claim 35, wherein said first rule comprises monitoring of conditions of a firewall within the network.
  - 37. A method as in claim 36, wherein said running a first rule comprises monitoring a way in which the firewall is being administered.
  - 38. A method as in claim 35, wherein said running a second rule comprises detecting trends contents of network packets.
  - 39. A method as in claim 38, wherein said running a second rule comprises monitoring requests from specified network addresses, identifying requests which include attempted network intrusions, and maintaining an attack probability for a first specified network address and increasing said attack probability based on identifying said requests from said first specified network address which include an attempted network intrusion.
  - 40. A method as in claim 39, further comprising decreasing said attack probability after a specified amount of time of not receiving a request which includes an attempted network intrusion from said first specified network address.
  - 41. A method as in claim 38, wherein said detecting trends comprises detecting a trend in increase or decrease of a number of rejected network packets.
  - 42. A method as in claim 35, wherein said second rule comprises determinining information indicative of a slope of a curve which plots amounts of suspicious content against time, and determining a probability of attack based on said slope of said curve.
  - 43. A method as in claim 42, further comprising producing a first alarm of a specified criticality for a linear slope, and producing a second alarm of a higher criticality for a slope which is greater than linear.
  - 44. A method as in claim 35, wherein said first rule comprises a firewall rule;
    - said second rule comprises a network intrusion detection rule, and further comprising a third rule which is a network authentication rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
High Tower Software, Inc. (BlackStratus, Inc.)
Original Assignee
High Tower Software, Inc. (BlackStratus, Inc.)
Inventors
Angelino, Robert, Schwuttke, Ursula

Application Number

US10/778,920
Publication Number

US 20040193943A1
Time in Patent Office

Days
Field of Search
US Class Current

714/4.1
CPC Class Codes

H04L 41/0631   using root cause analysis; ...

H04L 63/02   for separating internal fro...

H04L 63/1408   by monitoring network traff...

Multiparameter network fault detection system using probabilistic and aggregation analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Multiparameter network fault detection system using probabilistic and aggregation analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links