NETWORK INTRUSION DETECTION VISUALIZATION
Abstract
A network activity visualization system can include a minimum description length (MDL) based network intrusion detection system having an MDL grammar database adapted to store a plurality of MDL grammars, and a pattern matching module adapted to match a received network activity data set against the MDL grammars by calculating a distance of the network activity data set from each MDL grammar. The system can also include an intelligent icon module coupled to the MDL-based intrusion detection system and adapted to receive the MDL grammars and distances of a network data set from each respective MDL grammar, and adapted to generate intelligent icons based on the MDL grammars and distances. The system can further include a display system adapted to display the intelligent icons so as to provide a visual indication of network security.
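The matching-and-icon pipeline described in the abstract and claim 1, sketched as an added example that is not code from the patent or its assignee. It scores a sample against several models and draws one text icon per model with one glyph per motif. Assumptions made only for illustration: motifs are byte strings with an expected rate per 100 bytes, the normalized difference is |observed - expected| / max(observed, expected), the distance is the mean of those differences, and the glyph scale, model names and sample are constructed.

```python
from dataclasses import dataclass

SHADES = ".:*#@"  # icon cell glyphs, low -> high normalized difference (assumed scale)

@dataclass
class Model:
    name: str
    motifs: dict  # motif (bytes) -> expected occurrences per 100 bytes (assumed form)

# Constructed models and sample; none of these values come from the patent.
MODELS = [
    Model("web", {b"GET ": 2.0, b"HTTP/1.1": 2.0, b"\r\n": 8.0}),
    Model("ssh", {b"SSH-2.0": 2.0, b"diffie-hellman": 1.0, b"\r\n": 2.0}),
]
SAMPLE = b"GET /a.x HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"

def motif_differences(model, sample):
    """Per-motif normalized difference in [0, 1]; 0 means the motif occurs as expected."""
    diffs = []
    for motif, expected in model.motifs.items():
        observed = 100.0 * sample.count(motif) / max(len(sample), 1)
        top = max(observed, expected)
        diffs.append(abs(observed - expected) / top if top else 0.0)
    return diffs

def icon(diffs):
    """One glyph per motif, so a single icon shows where a model fits or fails."""
    last = len(SHADES) - 1
    return "".join(SHADES[min(int(d * len(SHADES)), last)] for d in diffs)

def characterize(models, sample):
    """Return (model name, distance, icon) per model; distance = mean difference."""
    rows = []
    for model in models:
        diffs = motif_differences(model, sample)
        rows.append((model.name, round(sum(diffs) / len(diffs), 3), icon(diffs)))
    return rows

def render(rows):
    """All icons in one view, with the closest model marked by '>'."""
    best = min(rows, key=lambda r: r[1])[0]
    return "\n".join(
        f"{'>' if n == best else ' '} {n:<4} [{i}] distance={d}" for n, d, i in rows
    )

if __name__ == "__main__":
    print(render(characterize(MODELS, SAMPLE)))
```

A sample that is far from every model shows up as dense glyphs in all icons at once, which is the visual cue an analyst would triage on.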
20 Claims
1. A network monitoring and visualization system comprising:
- a computer coupled to a network and adapted to receive data from the network, the computer including a computer readable medium having stored thereon software instructions for programming the computer to monitor the network and to provide a graphical visualization of monitored network activity, the software instructions, when executed by the computer, cause the computer to perform operations including:
  - retrieving a plurality of minimum description length (MDL) models, each MDL model representing a different network activity behavior and each MDL model including a grammar having a plurality of motifs;
  - receiving a network activity data sample corresponding to network activity;
  - applying the grammar of each MDL model to the data sample to determine a measure of similarity between the data sample and the MDL model corresponding to the grammar being applied;
  - characterizing the data sample based on the measure of similarity, including mapping a normalized difference value for each motif of a grammar to generate a plurality of statistical features;
  - generating a plurality of intelligent icons, each corresponding to one of the MDL models and each including a plurality of graphical representations corresponding to one of the statistical features representing the normalized difference value of a respective one of the motifs for that MDL model; and
  - simultaneously displaying the intelligent icons on a display device coupled to the computer.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. A network activity visualization system comprising:
- means for detecting network intrusions using an intrusion detection system having a mathematical model database adapted to store a plurality of mathematical models, and a pattern matching module adapted to match a received network activity data set against each mathematical model by calculating a distance of the network activity data set from a respective one of the mathematical models;
- means for generating intelligent icons based on the mathematical models and corresponding calculated distances; and
- means for displaying the intelligent icons so as to provide a visual indication of network security.

Dependent claims: 11, 12, 13

14. A computer-implemented method of intrusion detection visualization comprising:
- retrieving a plurality of minimum description length (MDL) models, each model representing a different network activity behavior;
- receiving network activity data corresponding to network activity;
- characterizing the network activity data using a computer programmed to perform intrusion detection visualization and the MDL models, the characterizing including generating, with the computer, a plurality of statistical features each representing a relationship between the network activity data and a respective one of the MDL models;
- associating, with the computer, each of a plurality of graphical representations with a corresponding one of the MDL models;
- altering, with the computer, the appearance of each graphical representation based on the statistical feature of the corresponding MDL model; and
- displaying one or more of the graphical representations on a display device coupled to the computer, the graphical representations providing a visual indication of the corresponding statistical feature.

Dependent claims: 15, 16, 17, 18, 19, 20

Specification