Method of Detecting Anomalous Behaviour in a Computer Network

US 20070240207A1
Filed: 04/19/2005
Published: 10/11/2007
Est. Priority Date: 04/20/2004
Status: Active Grant

First Claim

Patent Images

1. Method of authenticating a user in a computer network in which network packets are transmitted, using an authentication module, including the steps of receiving kernel events requesting a connection, modifying the kernel events, transmitting the modified kernel events to a kernel of the operating system, generating connection and authentication information in the kernel, and sending authentication packets with the authentication information and connection request packets.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method of detecting anomalous behaviour in a computer network comprising the steps of—monitoring network traffic flowing in a computer network system,—authenticating users to which network packets of the network traffic are associated,—extracting parameters associated to the network packets for each user, said parameters including at least the type (T) of network services,—forming symbols based on a combination of one or more of said parameters, and—modelling and analysing individual user behavior based on sequences of occurrence of said symbols (S).

240 Citations

26 Claims

1. Method of authenticating a user in a computer network in which network packets are transmitted, using an authentication module, including the steps of receiving kernel events requesting a connection, modifying the kernel events, transmitting the modified kernel events to a kernel of the operating system, generating connection and authentication information in the kernel, and sending authentication packets with the authentication information and connection request packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 22, 23, 24, 25, 26)
- - 2. Method according to claim 1 wherein every kernel event requesting a connection is received, modified and transmitted.
  - 3. Method according to claim 1 wherein the authentication packets comprise a connection identification information field and a user identification label field.
  - 4. Method according to claim 1, 2 or 3 wherein the authentication packets comprise a process authentication field.
  - 5. Method according to claim 1, 2, 3 or 4 wherein the authentication packets comprise an application authentication field.
  - 6. Method according to claim 5, wherein the authentication packets comprise a binary checksum field.
  - 7. Method according to any one of the preceding claims, wherein the authentication packets are in the form of enhanced UDP packets.
  - 8. Method according to any one of claims 1 to 7, wherein the authentication module generates a User data stack in order to emulate and send new system calls to the kernel.
  - 22. Method according to any one of the preceding claims 9-21, wherein users are authenticated according to the method of any one of claims 1 to 8.
  - 23. Anomaly detection system deployed in a protected computer network system and adapted to implement the method of any one of the preceding claims, comprising an authentication module adapted to receive, modify and transmit kernel events to the kernel, such that the kernel generates connection information and authentication information.
  - 24. System according to claim 23, wherein the authentication module is deployed within a high priority thread to which maximum available CPU time is assigned.
  - 25. System according to claim 23 or 24, further comprising a synchronization functional block for controlling and organizing incoming connections into corresponding User threads.
  - 26. System according to claim 25, further comprising a User thread functional block for generating User models from isolated independent User threads received from the synchronization functional block.

9. Method of detecting anomalous behaviour in a computer network comprising the steps of:
- monitoring network traffic flowing in a computer network system, authenticating users to which network packets of the network traffic are associated, extracting parameters associated to the network packets for each user, said parameters including at least the type (T) of network services, forming symbols based on a combination of one or more of said parameters, and modelling and analysing individual user behaviour based on sequences of occurrence of said symbols (S).
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 10. Method according to claim 9 wherein the parameters extracted include the network IP group (N) being addressed.
  - 11. Method according to claim 9 or 10 wherein the parameters extracted include the frequency (F) of connections in a service
  - 12. Method according to claim 9, 10 or 11 wherein the parameters extracted include the duration (D) between first and last connection in a service.
  - 13. Method according to claim 9, 10, 11 or 12 wherein the parameters extracted include the period of day and the number of bytes.
  - 14. Method according to any one of the preceding claims 9-13 wherein each different combination of parameters extracted forms a different symbol.
  - 15. Method according to any one of the preceding claims 9-14 wherein User behaviour is modelled by modelling the sequence of symbols (S) using Hidden Markov Models (HMM).
  - 16. Method according to any one of the preceding claims 9-15, wherein the symbols are classified in the form of a hierarchical tree of decreasing importance, where the highest level includes generic symbols for each type of service with any value in network IP group, frequency and duration, the next lower level includes the type of network IP group with any value in frequency and duration and subsequent levels correspond to symbols including frequency and duration.
  - 17. Method according to claim 16, wherein the number of symbols are reduced by selecting the S most frequent symbols at the lowest level and summing the rest of the symbols at the lowest level to form the rest symbol value R.
  - 18. Method according to claim 17, wherein, if the value of the rest symbol R is greater than the value M_Sof the least frequent selected symbol, symbols are fused to the next higher level.
  - 19. Method according to any one of the preceding claims 9-18, wherein the type of network service parameter (T) is derived from the logical port.
  - 20. Method according to any one of the preceding claims 9-19, wherein the network IP group parameter (N) is determined by splitting IP destinies into different logical network sets including at least the IP group inside the protected computer network system (N1, N2) and the IP groups outside the protected computer network system (N3).
  - 21. Method according to any one of the preceding claims 9-20, wherein the parameters of frequency (F) and duration (D) of user services are quantified with either a fixed step quantification algorithm or a K-means clustering algorithm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecole polytechnique fãdãrale de lausanne epfl (Schweizerische Eidgenossenschaft)
Original Assignee
Ecole polytechnique fãdãrale de lausanne epfl (Schweizerische Eidgenossenschaft)
Inventors
Flatings, Boi, Belakhdar, Omar, Bados, Pedro

Granted Patent

US 8,631,464 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/552   involving long-term monitor...

H04L 63/08   for authentication of entit...

H04L 63/1408   by monitoring network traff...

Method of Detecting Anomalous Behaviour in a Computer Network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

240 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method of Detecting Anomalous Behaviour in a Computer Network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

240 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links