Enabling network intrusion detection by representing network activity in graphical form utilizing distributed data sensors to detect and transmit activity data

US 20070209075A1
Filed: 03/04/2006
Published: 09/06/2007
Est. Priority Date: 03/04/2006
Status: Active Grant

First Claim

Patent Images

1. A method for generating a network activity graph comprising:

at a control server, receiving from a sensor at a remote device, a message containing remote device information including an identification of the remote device and activity occurring at the remote device; and

fusing activity data retrieved from multiple ones of said message into an activity graph representative of the devices on the network and the activity and inter-activity occurring at and between the devices on the network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and computer program product for detecting and mapping activity occurring at and between devices on a computer network for utilization within an intrusion detection mechanism. An enhanced graph matching intrusion detection system (eGMIDS) utility executing on a control server provides data collection functions and data fusion techniques. The eGMIDS comprises multiple sensors and associated unique adaptors that are located at different remote devices of the network and utilized to detect specific types of activity occurring at the respective devices relevant to eGMIDS processing. The sensors convert the data into eGMIDS format and encapsulate the data in a special transmission packet that is transmitted to the control server. The eGMIDS utility converts the activity data within these packets into eGMIDS-usable format and then processes the converted data via a data fusion technique to generate a graphical representation of the network (devices) and the activity occurring at/amongst the various devices.

160 Citations

32 Claims

1. A method for generating a network activity graph comprising:
- at a control server, receiving from a sensor at a remote device, a message containing remote device information including an identification of the remote device and activity occurring at the remote device; and
  
  fusing activity data retrieved from multiple ones of said message into an activity graph representative of the devices on the network and the activity and inter-activity occurring at and between the devices on the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the activity and interactivity comprises user activity at the remote device and communication among two or more devices on the network.
  - 3. The method of claim 1, further comprising:
    - activating a sensor within the remote device on the network, said sensor comprising an adapter uniquely designed to enable sensed activity occurring at the remote device to be packaged in a specialized format for transmission to the control server;
      
      wherein said sensor encapsulates the sensed activity into an specific transmission message recognizable by receiving components at the control server and forwards the message to the control server.
  - 4. The method of claim 1, wherein the activity graph is generated for an enhanced graph matching intrusion detection system (eGMIDS) and said fusing is provided by an eGMIDS utility.
  - 5. The method of claim 3, further comprising:
    - providing said sensor with the unique eGMIDS host adapter, which converts the sensed activity data at the host device into eGMIDS readable format for transmission to the control server;
      
      providing at the remote sensors, eGMIDS sensor adapters written to translate the output from respective third-party intrusion detection systems (IDSes) into an eGMIDS message format; and
      
      wherein the eGMIDS host adapter wraps and modifies the IDS sensors and translate information about activity into eGMIDS message format.
  - 6. The method of claim 3, wherein each remote device on the network comprises one or more sensors from among multiple available sensors and the specific adapter designed for the associated sensor at the remote device, said sensors including a Snort sensor, a Tripwire sensor, an email sensor, a keystroke sensor, an encrypted session sensor, a host device fingerprinting sensor, wherein the method comprises:
    - translating sensed activity data into sensor-specific event objects;
      
      packaging the sensor-specific event objects into eGMIDS message format; and
      
      forwarding the packaged eGMIDS message to the control server.
  - 7. The method of claim 1, wherein said sensors comprise an email sensor, which completes the functions of:
    - tracking emails between users on a network;
      
      monitoring the exchange of emails within a context, which includes the sender'"'"'s and recipient'"'"'s other activities on the network, said other activities being pre-determined to trigger said monitoring.
  - 8. The method of claim 1, wherein said sensors comprise one or more of:
    - a first sensor tool on the host devices to monitor keystroke timing to distinguish users;
      
      a second sensor tool on the host server device that determines whether or not a particular TCP session is transferring encrypted or plain text data, based on statistics of the information being transferred, said information being utilized to understand the context of activities on the network; and
      
      a clock skew fingerprinting tool by which an individual computer may be identified even if sending or receiving data under multiple IP address aliases, wherein eGMIDS utility restructures the nodes and edges in the activity graph representing the individual computer to more accurately reflect this action.
  - 9. The method of claim 1, wherein responsive to receipt of sensor data and alerts in the eGMIDS message format:
    - translating the received message into eGMIDS usable format;
      
      forwarding the data to an eGMIDS sensor fusion mechanism for incorporation into the activity graph; and
      
      generating and outputting the activity graph with the events and alerts represented therein.
  - 10. The method of claim 1, further comprising:
    - the control server generating a request for secondary evidence and transmitting the request to the sensor of the remote device;
      
      when a request for secondary evidence is received at the sensor of the remote device from the control server, said sensor locates, packages and transmits the requested additional evidence to the control server; and
      
      when the secondary evidence is received at the control server, automatically fusing the secondary evidence into the activity graph.

11. A system for generating a graph representation of sensed activity data within a network, said system comprising:
- a software utility executing at a control server and which comprises functional components for completing the functions of;
  
  at the control server, receiving from a sensor at a remote device, a message containing remote device information including an identification of the remote device and activity occurring at the remote device; and
  
  fusing activity data retrieved from multiple ones of said message into an activity graph representative of the devices on the network and the activity and inter-activity occurring at and between the devices on the network.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The system of claim 11, said functional components further comprising:
    - a client adapter that generates activity reports corresponding to activity data from a host device;
      
      a sensor data fusion utility that provides the functions of;
      
      translating data within the activity reports into a graph representation and incorporates the translated data into a combined activity graph;
      
      determining which elements within the activity report are already represented by a node or edge within the activity graph; and
      
      creating a new node or edge for those elements not already represented within the activity graph.
  - 13. The system of claim 12, wherein:
    - said nodes represent hosts, users, files and events; and
      
      said edges represent communication, packet flow between hosts, event participation, file location and user account location;
      
      wherein each node defines attributes possessed by the node and each edge defines attributes possessed by the edge, wherein said attributes are utilized to improve accuracy of pattern searches.
  - 14. The system of claim 11, further comprising:
    - means for activating a sensor within the remote device on the network, said sensor comprising an adapter uniquely designed to enable sensed activity occurring at the remote device to be packaged in a specialized format for transmission to the control server;
      
      wherein said sensor encapsulates the sensed activity into an specific transmission message recognizable by receiving components at the control server and forwards the message to the control server.
  - 15. The system of claim 11, wherein the activity graph is generated for an enhanced graph matching intrusion detection system (eGMIDS) and said fusing is provided by an eGMIDS utility.
  - 16. The system of claim 15, further comprising:
    - means for providing said sensor with the unique eGMIDS host adapter, which converts the sensed activity data at the host device into eGMIDS readable format for transmission to the control server; and
      
      means for providing at the remote sensors, eGMIDS sensor adapters written to translate the output from respective third-party intrusion detection systems (IDSes) into an eGMIDS message format;
      
      wherein the eGMIDS host adapter wraps and modifies the IDS sensors and translate information about activity into eGMIDS message format.
  - 17. The system of claim 15, wherein each remote device on the network comprises one or more sensors from among multiple available sensors and the specific adapter designed for the associated sensor at the remote device, said sensors including a Snort sensor, a Tripwire sensor, an email sensor, a keystroke sensor, an encrypted session sensor, a host device fingerprinting sensor, wherein the system comprises:
    - translating sensed activity data into sensor-specific event objects;
      
      packaging the sensor-specific event objects into eGMIDS message format; and
      
      forwarding the packaged eGMIDS message to the IP address of the control server.
  - 18. The system of claim 11, wherein said sensors comprise an email sensor, which completes the functions of:
    - tracking emails between users on a network;
      
      monitoring the exchange of emails within a context, which includes the sender'"'"'s and recipient'"'"'s other activities on the network, said other activities being pre-determined to trigger said monitoring.
  - 19. The system of claim 11, wherein said sensors comprise one or more of:
    - a first sensor tool on the host devices to monitor keystroke timing to distinguish users;
      
      a second sensor tool on the host server device that determines whether or not a particular TCP session is transferring encrypted or plain text data, based on statistics of the information being transferred, said information being utilized to understand the context of activities on the network; and
      
      a clock skew fingerprinting tool by which an individual computer may be identified even if sending or receiving data under multiple IP address aliases, wherein eGMIDS utility restructures the nodes and edges in the activity graph representing the individual computer to more accurately reflect this action.
  - 20. The system of claim 11, wherein responsive to receipt of sensor data and alerts in the eGMIDS message format, said utility comprises code for completing the following:
    - translating the received message into eGMIDS usable format;
      
      forwarding the data to an eGMIDS sensor fusion mechanism for incorporation into the activity graph; and
      
      generating and outputting the activity graph with the events and alerts represented therein,
  - 21. The system of claim 11, said IDS utility further comprising code for completing the functions of:
    - the control server generating a request for secondary evidence and transmitting the request to the sensor of the remote device;
      
      when a request for secondary evidence is received at the sensor of the remote device from the control server, said sensor locates, packages and transmits the requested additional evidence to the control server; and
      
      when the secondary evidence is received at the control server, automatically fusing the secondary evidence into the activity graph.

22. A computer program product comprising:
- a computer readable medium; and
  
  program code on the computer readable medium for generating a graph representation of sensed activity data within a network, said program code comprising a software utility executing at a control server and which comprises functional components for completing the functions of;
  
  at the control server, receiving from a sensor at a remote device, a message containing remote device information including an identification of the remote device and activity occurring at the remote device; and
  
  fusing activity data retrieved from multiple ones of said message into an activity graph representative of the devices on the network and the activity and inter-activity occurring at and between the devices on the network.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 23. The computer program product of claim 22, said functional components further comprising:
    - a client adapter that generates activity reports corresponding to activity data from a host device;
      
      a sensor data fusion utility that provides the functions of;
      
      translating data within the activity reports into a graph representation and incorporates the translated data into a combined activity graph;
      
      determining which elements within the activity report are already represented by a node or edge within the activity graph; and
      
      creating a new node or edge for those elements not already represented within the activity graph.
  - 24. The computer program product of claim 23, wherein:
    - said nodes represent hosts, users, files and events; and
      
      said edges represent communication, packet flow between hosts, event participation, file location and user account location;
      
      wherein each node defines attributes possessed by the node and each edge defines attributes possessed by the edge, wherein said attributes are utilized to improve accuracy of pattern searches.
  - 25. The computer program product of claim 22, further comprising:
    - program means for activating a sensor within the remote device on the network, said sensor comprising an adapter uniquely designed to enable sensed activity occurring at the remote device to be packaged in a specialized format for transmission to the control server;
      
      wherein said sensor encapsulates the sensed activity into an specific transmission message recognizable by receiving components at the control server and forwards the message to the control server.
  - 26. The computer program product of claim 22, wherein the activity graph is generated for an enhanced graph matching intrusion detection computer program product (eGMIDS) and said fusing is provided by an eGMIDS utility.
  - 27. The computer program product of claim 26, further comprising:
    - program code for providing said sensor with the unique eGMIDS host adapter, which converts the sensed activity data at the host device into eGMIDS readable format for transmission to the control server; and
      
      program code for providing at the remote sensors, eGMIDS sensor adapters written to translate the output from respective third-party intrusion detection computer program products (IDSes) into an eGMIDS message format;
      
      wherein the eGMIDS host adapter wraps and modifies the IDS sensors and translate information about activity into eGMIDS message format.
  - 28. The computer program product of claim 26, wherein each remote device on the network comprises one or more sensors from among multiple available sensors and the specific adapter designed for the associated sensor at the remote device, said sensors including a Snort sensor, a Tripwire sensor, an email sensor, wherein the computer program product comprises code for:
    - translating sensed activity data into sensor-specific event objects;
      
      packaging the sensor-specific event objects into eGMIDS message format; and
      
      forwarding the packaged eGMIDS message to the IP address of the control server.
  - 29. The computer program product of claim 22, wherein said sensors comprise an email sensor, which completes the functions of:
    - tracking emails between users on a network;
      
      monitoring the exchange of emails within a context, which includes the sender'"'"'s and recipient'"'"'s other activities on the network, said other activities being pre-determined to trigger said monitoring.
  - 30. The computer program product of claim 22, wherein said sensors comprise one or more of:
    - a first sensor tool on the host devices to monitor keystroke timing to distinguish users;
      
      a second sensor tool on the host server device that determines whether or not a particular TCP session is transferring encrypted or plain text data, based on statistics of the information being transferred, said information being utilized to understand the context of activities on the network; and
      
      a clock skew fingerprinting tool by which an individual computer may be identified even if sending or receiving data under multiple IP address aliases, wherein eGMIDS utility restructures the nodes and edges in the activity graph representing the individual computer to more accurately reflect this action.
  - 31. The computer program product of claim 22, wherein responsive to receipt of sensor data and alerts in the eGMIDS message format, said utility comprises code for completing the following:
    - translating the received message into eGMIDS usable format;
      
      forwarding the data to an eGMIDS sensor fusion mechanism for incorporation into the activity graph; and
      
      generating and outputting the activity graph with the events and alerts represented therein,
  - 32. The computer program product of claim 22, said IDS utility further comprising code for completing the functions of:
    - the control server generating a request for secondary evidence and transmitting the request to the sensor of the remote device;
      
      when a request for secondary evidence is received at the sensor of the remote device from the control server, said sensor locates, packages and transmits the requested additional evidence to the control server; and
      
      when the secondary evidence is received at the control server, automatically fusing the secondary evidence into the activity graph.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Northrop Grumman Systems Corporation (Northrop Grumman Corporation)
Original Assignee
21st Century Technologies, Inc.
Inventors
Coffman, Thayne

Granted Patent

US 8,266,697 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/14 for detecting or protecting...

Enabling network intrusion detection by representing network activity in graphical form utilizing distributed data sensors to detect and transmit activity data

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

160 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Enabling network intrusion detection by representing network activity in graphical form utilizing distributed data sensors to detect and transmit activity data

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

160 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links