Cyber Behavior Analysis and Detection Method, System and Architecture

US 20140157405A1
Filed: 12/04/2012
Published: 06/05/2014
Est. Priority Date: 12/04/2012
Status: Abandoned Application

First Claim

Patent Images

1. A method for analyzing network, transport and application protocols in a computer network to identify a predetermined network behavior comprising the steps of:

monitoring and logging a port usage in a first host in a computer network,monitoring and logging a set of first host information,monitoring and logging a set of data activities in the network for a predetermined change in the first host information and in a first host data flow, and,generating an alert to a user based on a correlation between the logged port usage, the logged first host information and the logged first host data flow.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A scalable cyber-security system, method and architecture for the identification of malware and malicious behavior in a computer network. Host flow, host port usage, host information and network data at the application, transport and network layers are aggregated from within the network and correlated to identify a network behavior such as the presence of malicious code.

238 Citations

12 Claims

1. A method for analyzing network, transport and application protocols in a computer network to identify a predetermined network behavior comprising the steps of:
- monitoring and logging a port usage in a first host in a computer network,monitoring and logging a set of first host information,monitoring and logging a set of data activities in the network for a predetermined change in the first host information and in a first host data flow, and,generating an alert to a user based on a correlation between the logged port usage, the logged first host information and the logged first host data flow.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1 wherein the first host information is selected from at least one member of the group of information consisting of an IP address used by the first host, an operating system used by the first host, a service being provided by the first host, an IP protocol used by the first host, a TCP port used by the first host, a UDP port used by the first host, connected host information with which the first host communicates, services used by the first host, a TCP port contacted by the first host, and a UDP port contacted by the first host.
  - 3. The method of claim 1 wherein the data logged consists of data selected from at least one of the group consisting of a timestamp, an event or alert type, a rating, a network layer protocol, a transport layer protocol, an application layer protocol, a source IP address, a destination IP address, a source and destination TCP and UDP port, an ICMP type and code, a packet header field, a predetermined policy violation, a use of a predetermined application service, an IP time-to-live, a number of bytes and packets sent by a source host and a destination host for a connection, a prevention action performed, a connection or session ID, a decoded payload data, an application request and response, and a state-related information set.

4. A device for analyzing network, transport and application protocols in a computer network to identify a predetermined activity comprising:
- a sensor platform comprising at least one sensor configured to collect and export a predetermined data structure from within the firewall of the network comprising aggregated data about a network host, flow and address block, and comprising a sensor control processor,a correlator server configured to support at least one sensor control processor,an optical I/O module,an SRAM processing module, and,a DRAM processing module.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 12)
- - 5. The device of claim 4 wherein at least one of the I/O modules, SRAM modules or DRAM modules is comprised of a combined memory array and field programmable gate array device comprising a field programmable gate array (FPGA),an access lead network electrically coupled and proximate to the FPGA,a plurality of external memories electrically coupled and proximate to the access lead network, and,wherein the FPGA can independently access each of the plurality of external memories via the access lead network without use of an address/data bus.
  - 6. The device of claim 4 wherein the SRAM module comprises a plurality of interconnect ports and a plurality of independent SRAM memories and the DRAM module comprises a plurality of interconnect ports, at least one independent DRAM memory, and at least one SRAM memory.
  - 7. The device of claim 4 further comprising a hash spectrum detector and a spectral Bloom filter.
  - 8. The device of claim 4 further comprising a TCP flow rectifier configured to re-order and align a TCP flow content into a predetermined format.
  - 9. The device of claim 8 where the predetermined format comprises TCP payload information and a header that identifies a data flow.
  - 10. The device of claim 8 wherein the TCP flow rectifier module is configured for input header processing/flow ID extraction processing, TCP flow state and gap record management processing, buffer bypass TCP payload packet processing, DRAM buffer processing, buffer playout manager processing and output header generation processing.
  - 12. The device of claim 8 wherein the TCP flow rectifier is comprised of a DRAM-based buffer memory configured for storing payload segments, and an SRAM-based flow state memory for storing a TCP flow state and a TCP gap records.

11. The device of 8 wherein the TCP flow rectifier is configured to output TCP payload streams in interleaved blocks for multiple flows simultaneously.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyber adAPT, Inc., PFG Ip, LLC
Original Assignee
Cyber adAPT, Inc.
Inventors
Joll, Bill, Rhodes, Keith, Deerman, James

Application Number

US13/693,226
Publication Number

US 20140157405A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Cyber Behavior Analysis and Detection Method, System and Architecture

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

238 Citations

12 Claims

Specification

Use Cases

Quick Links

Others

Cyber Behavior Analysis and Detection Method, System and Architecture

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

238 Citations

12 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others