Methods and systems for detecting abnormal digital traffic

US 20070067438A1
Filed: 09/21/2005
Published: 03/22/2007
Est. Priority Date: 09/21/2005
Status: Active Grant

First Claim

Patent Images

1. A method for detecting abnormal network traffic comprising:

assigning characterizations of-network behaviors according to knowledge nodes, said knowledge nodes comprising a characterization model based on prior network information, wherein at least one knowledge node is not based on fixed thresholds or signatures; and

calculating a confidence value based on the characterizations from at least one knowledge node and on weighting factors associated with the knowledge nodes, wherein the confidence value comprises a quantification of the degree of confidence that the network behaviors constitute abnormal network traffic.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments encompassing methods and systems for detecting abnormal digital traffic are disclosed. The method comprises the steps of assigning characterizations of network behaviors according to knowledge nodes and calculating a confidence value based on the characterizations from at least one knowledge node and on weighting factors associated with the knowledge nodes. The knowledge nodes comprise a characterization model based on prior network information. At least one of the knowledge nodes should not be based on fixed thresholds or signatures. The confidence value comprises a quantification of the degree of confidence that the network behaviors constitute abnormal network traffic. The system comprises sensors to detect network events, a program on a computer-readable medium, and a processing device to execute the program,.wherein a network behavior comprises at least one network event. The program comprises at least one knowledge node to assign characterizations of network behaviors and at least one hypothesis node to calculate a confidence value based on the characterizations from at least one knowledge node.

101 Citations

View as Search Results

22 Claims

1. A method for detecting abnormal network traffic comprising:
- assigning characterizations of-network behaviors according to knowledge nodes, said knowledge nodes comprising a characterization model based on prior network information, wherein at least one knowledge node is not based on fixed thresholds or signatures; and
  
  calculating a confidence value based on the characterizations from at least one knowledge node and on weighting factors associated with the knowledge nodes, wherein the confidence value comprises a quantification of the degree of confidence that the network behaviors constitute abnormal network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method as recited in claim 1, wherein each knowledge node is associated with at least one network behavior.
  - 3. The method as recited in claim 1, prior to the assigning step, further comprising the step of detecting network events by network sensors.
  - 4. The method as recited in claim 3, wherein the network sensors are selected from the group consisting of signature-based sensors, network anomaly sensors, protocol anomaly sensors and combinations thereof.
  - 5. The method as recited in claim 1, prior to the assigning step, further comprising the step of classifying network traffic as approved or unapproved.
  - 6. The method as recited in claim 5, wherein the classifying is based on source data, destination data, connection state, traffic data flow, or combinations thereof.
  - 7. The method as recited in claim 5, wherein the network behaviors comprise unapproved network traffic.
  - 8. The method as recited in claim 1, further comprising the step of logging the network behaviors.
  - 9. The method as recited in claim 1, further comprising the step of performing a security action when the confidence value is greater than or equal to an alert value.
  - 10. The method as recited in claim 9, wherein the security action is notifying administrators, collecting forensic data, establishing a quarantine for offending systems, transferring offending systems to a virtual network, suspend user access, or a combination thereof.
  - 11. The method as recited in claim 1, wherein the knowledge nodes are selected from the group consisting of failed connect egress, failed connect ingress, success MSPorts, failed SMTP, P2P ports, failed connect intranet, and success SMTP.
  - 12. The method as recited in claim 1, wherein the calculating step is performed by hypothesis nodes.
  - 13. The method as recited in claim 12, wherein hypothesis nodes are selected from the group consisting of portscan, P2P, unknown alert, virus, MS walk, and SMTP storm.
  - 14. The method as recited in claim 1, further comprising the step of refining the knowledge nodes according to the accumulation of said prior network information and administrator feedback.
  - 15. The method as recited in claim 1, wherein the calculating step is based on a modified Bayesian analysis model.

16. A system for detecting abnormal traffic comprising:
- a. sensors to detect network events, wherein a network behavior comprises at least one network event;
  
  b. a program on a computer-readable medium, wherein the program comprises;
  
  i. at least one knowledge node to assign characterizations of network behaviors, each knowledge node comprising a characterization model based on prior network information, wherein at least one of the knowledge nodes is not based on fixed thresholds or signatures;
  
  ii. at least one hypothesis node to calculate a confidence value based on the characterizations from at least one knowledge node, each hypothesis node comprising a weighting factor for associated knowledge nodes, wherein the confidence value comprises a quantification of the degree of confidence that the network behaviors constitute abnormal network traffic; and
  
  c. a processing device to execute the program.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The system as recited in claim 16, wherein the sensors are selected from the group of sensors consisting of signature-based sensors, network anomaly sensors, protocol anomaly sensors and combinations thereof.
  - 18. The system as recited in claim 16, wherein each knowledge node is associated with at least one network behavior.
  - 19. The system as recited in claim 16, further comprising means for aggregating a plurality of network events.
  - 20. The system as recited in claim 16, further comprising means for performing security actions in response to abnormal network traffic.
  - 21. The system as recited in claim 16, further comprising means for logging network behaviors.
  - 22. The system as recited in claim 16, further comprising means for refining the knowledge nodes according to the accumulation of said prior network information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Battelle Memorial Institute
Original Assignee
Battelle Memorial Institute
Inventors
Burnette, John, Goranson, Craig

Granted Patent

US 7,908,357 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Methods and systems for detecting abnormal digital traffic

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

101 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for detecting abnormal digital traffic

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links