Method for detecting sophisticated cyber attacks

US 20060265748A1
Filed: 05/23/2005
Published: 11/23/2006
Est. Priority Date: 05/23/2005
Status: Active Grant

First Claim

Patent Images

1. A method of detecting cyber attacks upon networked targets by potential intruders comprising the steps of:

a) organizing audit log data into event records;

b) adding unique target identifiers to said event records;

c) adding the type of work performed by the networked targets to said event records;

d) sorting said event records by the IP addresses of potential intruders;

e) generating intruder records of the potential intruders of target IP addresses that were accessed;

f) generating a vector space model of said event records;

g) generating a dissimilarity matrix of the data and IP addresses in said event records; and

h) clustering event records from said dissimilarity matrix that contain a selected event.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of analyzing computer intrusion detection information that looks beyond known attacks and abnormal access patterns to the critical information that an intruder may want to access. Unique target identifiers and type of work performed by the networked targets is added to audit log records. Analysis using vector space modeling, dissimilarity matrix comparison, and clustering of the event records is then performed.

68 Citations

View as Search Results

4 Claims

1. A method of detecting cyber attacks upon networked targets by potential intruders comprising the steps of:
- a) organizing audit log data into event records;
  
  b) adding unique target identifiers to said event records;
  
  c) adding the type of work performed by the networked targets to said event records;
  
  d) sorting said event records by the IP addresses of potential intruders;
  
  e) generating intruder records of the potential intruders of target IP addresses that were accessed;
  
  f) generating a vector space model of said event records;
  
  g) generating a dissimilarity matrix of the data and IP addresses in said event records; and
  
  h) clustering event records from said dissimilarity matrix that contain a selected event.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein said unique target identifier is an employee number.
  - 3. The method of claim 1 wherein said type of work performed by the networked target is the job classification of the networked target.
  - 4. The method of claim 1 wherein said intruder records include at least an intruder'"'"'s IP address, a list of the IP addresses that were accessed, and, for each IP address accessed, the registered owner of the IP address, the type of work the owner does, when the potential attack occurred, and the characterization of the event type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
UT-Battelle LLC
Original Assignee
UT-Battelle LLC
Inventors
Potok, Thomas E.

Granted Patent

US 7,454,790 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1425 Traffic logging, e.g. anoma...

Method for detecting sophisticated cyber attacks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

4 Claims

Specification

Solutions

Use Cases

Quick Links

Method for detecting sophisticated cyber attacks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

4 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links