SYSTEMS AND METHODS FOR FORENSIC ANALYSIS OF NETWORK BEHAVIOR

US 20100268818A1
Filed: 12/22/2008
Published: 10/21/2010
Est. Priority Date: 12/20/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method for analyzing a data stream in a computer network, the method comprising the steps of:

providing a computer network having a data stream;

calculating a current consistency quotient by analyzing the data stream;

comparing the current consistency quotient against a previously stored consistency quotient to determine a consistency value between the currency consistency quotient and the previously stored consistency quotient;

combining the current consistency quotient and the previously stored consistency quotient to create a new consistency quotient.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods monitor and manage computer network traffic and identify a status of normality or consistency of the traffic on a per user, per interne protocol address or MAC address basis. More specifically, the systems and methods determine, with degrees of significance, the abnormality or inconsistency of network traffic from a user, IP address or MAC address based on a comparison of said network traffic to previous network traffic from the same location. Moreover, the systems and methods monitor and manage the network traffic whereby, after an anomaly has occurred, network traffic is tagged as suspicious and thereafter is flagged for forensic study and placed in storage. In addition, the systems and methods report tagged traffic and alert administrators of a breach or violation in the computer network.

Citations

20 Claims

1. A method for analyzing a data stream in a computer network, the method comprising the steps of:
- providing a computer network having a data stream;
  
  calculating a current consistency quotient by analyzing the data stream;
  
  comparing the current consistency quotient against a previously stored consistency quotient to determine a consistency value between the currency consistency quotient and the previously stored consistency quotient;
  
  combining the current consistency quotient and the previously stored consistency quotient to create a new consistency quotient.
- View Dependent Claims (2, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising the step of:
    - providing a node associated with the computer network wherein the data stream flows from the node.
  - 4. The method of claim 1 further comprising the step of:
    - providing a user and a node associated with the computer network wherein the user utilizes the network through the node wherein the data stream flows from the node and is associated with the user.
  - 5. The method of claim 1 further comprising the steps of:
    - providing a user and a node associated with the computer network; and
      
      defining a role based on the user utilizing the computer network through the node wherein the data stream is associated with the defined role.
  - 6. The method of claim 1 further comprising the step of:
    - storing the new consistency quotient.
  - 7. The method of claim 1 further comprising the steps of:
    - analyzing the consistency value between the current consistency quotient and the previously stored consistency quotient; and
      
      tagging the data stream if the consistency value between the current consistency quotient and the previously stored consistency quotient is above a predefined level.
  - 8. The method of claim 1 further comprising the steps of:
    - analyzing the consistency value between the current consistency quotient and the previously stored consistency quotient; and
      
      providing a rule defining an action to be taken if the consistency value between the current consistency quotient and the previously stored consistency quotient is above a predefined level; and
      
      acting on said rule when said consistency value is above a predefined level.
  - 9. The method of claim 1 further comprising the steps of:
    - analyzing the consistency value between the current consistency quotient and the previously stored consistency quotient;
      
      providing a rule defining an action to be taken if the consistency value between the current consistency quotient and the previously stored consistency quotient is above a predefined level; and
      
      acting on said rule when said consistency value is above a predefined level wherein the rule includes removing the data stream from the computer network.
  - 10. The method of claim 1 further comprising the steps of:
    - analyzing the consistency value between the current consistency quotient and the previously stored consistency quotient;
      
      tagging the data stream if the consistency value between the current consistency quotient and the previously stored consistency quotient is above a predefined level; and
      
      storing the tagged data stream.

11. A method for detecting a polymorphic worm in a computer network, the method comprising the steps of:
- providing a computer network having a first node and a second node wherein a first data stream is associated with the first node and a second data stream is associated with the second node;
  
  calculating a first consistency quotient by analyzing the first data stream associated with the first node;
  
  calculating a second consistency quotient by analyzing the second data stream associated with the second node; and
  
  combining the first consistency quotient and the second consistency quotient to form a third consistency quotient.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11 further comprising the step of:
    - comparing the first consistency quotient to the second consistency quotient to determine a consistency value.
  - 13. The method of claim 11 further comprising the steps of:
    - comparing the first consistency quotient to the second consistency quotient to determine a consistency value; and
      
      tagging the first data stream and the second data stream if the consistency value is above a predefined level.
  - 14. The method of claim 11 further comprising the steps of:
    - comparing the first consistency quotient to the second consistency quotient to determine a consistency value;
      
      tagging the first data stream and the second data stream if the consistency value is above a predefined level; and
      
      storing the tagged first data stream and the tagged second data stream.
  - 15. The method of claim 11 further comprising the step of:
    - storing the third consistency quotient.

16. A system for determining a consistency in a data stream in a computer network comprising:
- a computer network having a data stream;
  
  a current consistency quotient calculated by analyzing the data stream;
  
  a consistency value calculated by comparing the current consistency quotient against a previously stored consistency quotient; and
  
  a new consistency quotient calculated by combining the current consistency quotient and the previously stored consistency quotient.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16 further comprising:
    - a node associated with the computer network wherein the data stream comes from the node.
  - 18. The system of claim 16 further comprising:
    - a user and a node associated with the computer network wherein the user utilizes the network through the node wherein the data stream comes from the node and is associated with the user.
  - 19. The system of claim 16 further comprising:
    - a user and a node associated with the computer network; and
      
      a role based on the user utilizing the computer network through the node wherein the data stream is associated with the role.
  - 20. The system of claim 16 further comprising:
    - a database for storing the new consistency quotient.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alfred R. Richmond, David S. Boubion, Mary Claire Ryan, Peter W. Rung
Original Assignee
Alfred R. Richmond, David S. Boubion, Mary Claire Ryan, Peter W. Rung
Inventors
Boubion, David S., Ryan, Mary Claire, Richmond, Alfred R., Rung, Peter W.

Application Number

US12/809,984
Publication Number

US 20100268818A1
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 41/16   using machine learning or a...

H04L 43/00   Arrangements for monitoring...

H04L 63/1425   Traffic logging, e.g. anoma...

SYSTEMS AND METHODS FOR FORENSIC ANALYSIS OF NETWORK BEHAVIOR

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR FORENSIC ANALYSIS OF NETWORK BEHAVIOR

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links