NETWORK INTRUSION DETECTION WITH DISTRIBUTED CORRELATION

US 20110173699A1
Filed: 01/13/2010
Published: 07/14/2011
Est. Priority Date: 01/13/2010
Status: Active Grant

First Claim

Patent Images

1. A method for detecting an intrusion attempt in a network comprising a plurality of host machines, the method comprising:

receiving, at a first host machine of the plurality of host machines, a first security report from a second host machine of the plurality of host machines, wherein the first security report summarizes network activity at the second host machine;

processing, via at least one processor, at least the first security report from the second host machine and network traffic at the first host machine to determine whether a network intrusion attempt is suspected;

if it is determined that the network intrusion attempt is suspected, generating a second security report indicating that the network intrusion attempt is suspected by the first host machine; and

processing a plurality of security reports to determine whether a network intrusion attempt is detected, the plurality of security reports being generated by multiple host machines of the plurality of host machines, the plurality of security reports comprising the second security report.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken.

Citations

20 Claims

1. A method for detecting an intrusion attempt in a network comprising a plurality of host machines, the method comprising:
- receiving, at a first host machine of the plurality of host machines, a first security report from a second host machine of the plurality of host machines, wherein the first security report summarizes network activity at the second host machine;
  
  processing, via at least one processor, at least the first security report from the second host machine and network traffic at the first host machine to determine whether a network intrusion attempt is suspected;
  
  if it is determined that the network intrusion attempt is suspected, generating a second security report indicating that the network intrusion attempt is suspected by the first host machine; and
  
  processing a plurality of security reports to determine whether a network intrusion attempt is detected, the plurality of security reports being generated by multiple host machines of the plurality of host machines, the plurality of security reports comprising the second security report.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the processing of the plurality of security reports is performed by a processor of a third host machine of the plurality of host machines.
  - 3. The method of claim 1, wherein the processing of the plurality of security reports is performed by a processor of a server separate from the plurality of host machines.
  - 4. The method of claim 1, wherein the first host machine is connected to the network by a wireless connection.
  - 5. The method of claim 1, wherein the first host machine is a virtual machine.
  - 6. The method of claim 1, wherein the processing at least the first security report from the second host machine and network traffic at the first host machine further comprises decrypting network traffic data received at the first host machine.
  - 7. The method of claim 1, wherein the first security report comprises data generated by at least one host protection technology operatively connected to the second host machine.

8. A system for detecting a security threat to a network comprising a plurality of host machines, the system comprising:
- a first threat monitoring agent operatively connected to a first host machine of the plurality of host machines, the first threat monitoring agent being configured to;
  
  process data from the first host machine to generate a first security report identifying a possible security threat to the network, andsend the first security report to at least a second host machine of the plurality of host machines;
  
  a second threat monitoring agent operatively connected to the second host machine, the second threat monitoring agent being configured to;
  
  receive the first security report from the first threat monitoring agent,process at least the first security report from the first threat monitoring agent and data from the second host machine to determine whether the security threat to the network is suspected, andif it is determined that the security threat to the network is suspected, generate a second security report indicating that the security threat to the network is suspected by the second host machine;
  
  anda threat detecting agent configured to process a plurality of security reports to determine whether a security threat to the network is detected, the plurality of security reports being obtained from multiple ones of the plurality of host machines, and the plurality of security reports comprising the second security report.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8, wherein the threat detecting agent is operatively connected to a third host machine of the plurality of host machines.
  - 10. The system of claim 8, wherein the threat detecting agent is operatively connected to a server separate from the plurality of host machines.
  - 11. The system of claim 8, wherein at least one of the plurality of host machines is connected to the network by a wireless connection.
  - 12. The system of claim 8, wherein at least one of the plurality of host machines is a virtual machine.
  - 13. The system of claim 8, wherein the first threat monitoring agent is further configured to:
    - decrypt network traffic data received at the first host machine; and
      
      process at least the decrypted network traffic data to generate the first security report.
  - 14. The system of claim 8, wherein the threat detecting agent is further configured to:
    - if it is determined that a security threat to the network is detected, generate a third security report identifying the detected security threat to the network.
  - 15. The system of claim 14, wherein the third security report identifies at least one of a severity of the detected security threat to the network and a fidelity of the detected security threat to the network.

16. At least one computer-readable storage medium encoded with a plurality of computer-executable instructions that, when executed, perform a method for detecting an intrusion attempt in a network comprising a plurality of host machines, the method comprising:
- processing network traffic at a first host machine of the plurality of host machines to identify network traffic indicative of a possible network intrusion attempt;
  
  generating a first security report containing security data indicating the identified network traffic;
  
  correlating at least the identified network traffic with network traffic indicated in first security reports received from others of the plurality of host machines;
  
  based on a result of the correlating, generating a second security report indicating that a network intrusion attempt is suspected; and
  
  processing at least second security reports generated by multiple ones of the plurality of host machines to determine whether a network intrusion attempt is detected.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The at least one computer-readable storage medium of claim 16, wherein:
    - the security data indicating the identified network traffic comprises an identification of a source and a type of network traffic identified as indicative of a possible network intrusion attempt; and
      
      the correlating comprises comparing the source and type of identified network traffic on each of a portion of the plurality of host machines.
  - 18. The at least one computer-readable storage medium of claim 16, wherein the method further comprises removing security reports received from a suspected source of the network intrusion attempt before processing at least second security reports generated by multiple ones of the plurality of host machines to determine whether the network intrusion attempt is detected.
  - 19. The at least one computer-readable storage medium of claim 16, wherein the processing at least second security reports generated by multiple ones of the plurality of host machines comprises:
    - correlating second security reports generated by multiple ones of the plurality of host machines; and
      
      determining whether the network intrusion attempt is detected based on a weighted combination of host machines generating a second security report indicating that a same network intrusion attempt is suspected.
  - 20. The at least one computer-readable storage medium of claim 16, wherein the processing at least second security reports generated by multiple ones of the plurality of host machines is performed by at least one processor of at least one of a host machine of the plurality of host machines and a server separate from the plurality of host machines.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Fitzgerald, Robert Eric, Arzi, Lior, Figlin, Igal, Williams, Jeffrey S., LeMond, Jennifer R., Hudis, Efim, Ahmed, Khaja E., Hardy, Edward W., Zavalkovsky, Arthur

Granted Patent

US 8,516,576 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/205   involving negotiation or de...

NETWORK INTRUSION DETECTION WITH DISTRIBUTED CORRELATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK INTRUSION DETECTION WITH DISTRIBUTED CORRELATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links