NETWORK INTRUSION DETECTION WITH DISTRIBUTED CORRELATION

US 20130305371A1
Filed: 07/12/2013
Published: 11/14/2013
Est. Priority Date: 01/13/2010
Status: Active Grant

First Claim

Patent Images

1. A method for detecting an intrusion attempt in a network comprising a plurality of host machines, the method comprising:

receiving, at a first host machine, security reports relating to one or more host machines in the network, each security report summarizes network traffic at a respective host machine indicative of a possible intrusion attempt at a respective host machine and/or context data local to a host machine;

correlating, at the first host machine, the security reports;

associating, at the first host machine, a level of security concern when a correlation exceeds a threshold; and

when the level of security concern indicates a network intrusion attempt, generating a second security report indicating a suspected network intrusion attempt.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be to indicated and protective action may be taken.

Citations

20 Claims

1. A method for detecting an intrusion attempt in a network comprising a plurality of host machines, the method comprising:
- receiving, at a first host machine, security reports relating to one or more host machines in the network, each security report summarizes network traffic at a respective host machine indicative of a possible intrusion attempt at a respective host machine and/or context data local to a host machine;
  
  correlating, at the first host machine, the security reports;
  
  associating, at the first host machine, a level of security concern when a correlation exceeds a threshold; and
  
  when the level of security concern indicates a network intrusion attempt, generating a second security report indicating a suspected network intrusion attempt.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the correlation of the security reports is performed by a processor of a second host machine of the one or more host machines.
  - 3. The method of claim 1, wherein the correlation of the security reports is performed by a processor of a server separate from the one or more host machines.
  - 4. The method of claim 1, wherein the first host machine is connected to the network by a wireless connection.
  - 5. The method of claim 1, wherein the first host machine is a virtual machine.
  - 6. The method of claim 1, further comprising:
    - monitoring, at the first host machine, local network activity at the first host machine; and
      
      decrypting network traffic data received at the first host machine.
  - 7. The method of claim 1, wherein the security reports from the host machines in the network comprises data generated by at least one host protection technology operatively connected to a second host machine.

8. A system for detecting a security threat to a network comprising a plurality of host machines, the system comprising:
- a first processor and a memory, the first processor executing instructions that;
  
  receives security reports relating to one or more host machines in the network, each security report summarizes network traffic at a respective host machine indicative of a possible intrusion attempt at a respective host machine and/or context data local to a host machine;
  
  correlates the security reports;
  
  associates a level of security concern when a correlation exceeds a threshold; and
  
  when the level of security concern indicates a network intrusion attempt, generates a second security report indicating a suspected network intrusion attempt.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8, wherein the first processor correlates the security reports with known patterns indicative of an intrusion attempt.
  - 10. The system of claim 8, the first processor executing further instructions that sends the second security report to one or more of the host machines.
  - 11. The system of claim 8, wherein the security report includes a source of network traffic associated with an intrusion attempt.
  - 12. The system of claim 8, wherein each security report includes information on local network interactions at a particular host machine.
  - 13. The system of claim 8, wherein at least one of the host machines is a virtual machine.
  - 14. The system of claim 8, wherein at least one security report includes security data that has been correlated by a respective host machine with security data received from at least another of the host machines.
  - 15. The system of claim 8, the first processor executing further instructions that removes a security report from consideration when the security report is associated with a compromised host machine.

16. At least one computer-readable storage memory encoded with a plurality of computer-executable instructions that, when executed, perform a method for detecting an intrusion attempt in a network comprising a plurality of host machines, the method comprising:
- receiving, at a first host machine, security reports relating to one or more host machines in the network, each security report summarizes network traffic at a respective host machine indicative of a possible intrusion attempt at a respective host machine and/or context data local to a host machine;
  
  correlating, at the first host machine, the security reports;
  
  associating, at the first host machine, a level of security concern when a correlation exceeds a threshold; and
  
  when the level of security concern indicates a network intrusion attempt, generating a second security report indicating a suspected network intrusion attempt.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The at least one computer-readable storage memory of claim 16, wherein the correlation of the security reports is performed by a processor of a second host machine of the one or more host machines.
  - 18. The at least one computer-readable storage memory of claim 16, wherein the correlation of the security reports is performed by a processor of a second host machine of the one or more host machines.
  - 19. The at least one computer-readable storage memory of claim 16, wherein the first host machine is a virtual machine.
  - 20. The at least one computer-readable storage memory of claim 16, the method further comprising:
    - monitoring, at the first host machine, local network activity at the first host machine; and
      
      decrypting network traffic data received at the first host machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Figlin, Igal, Zavalkovsky, Arthur, Arzi, Lior, Hudis, Efim, Fitzgerald, Robert Eric, Ahmed, Khaja E., Williams, Jeffrey S., Hardy, Edward W., Lemond, Jennifer R.

Granted Patent

US 9,560,068 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/205   involving negotiation or de...

NETWORK INTRUSION DETECTION WITH DISTRIBUTED CORRELATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK INTRUSION DETECTION WITH DISTRIBUTED CORRELATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links