Monitoring Operational Activities In Networks And Detecting Potential Network Intrusions And Misuses

US 20140181968A1
Filed: 12/20/2012
Published: 06/26/2014
Est. Priority Date: 12/20/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

collecting, by an intrusion detection system comprising a processor, logs each of which comprises a plurality of entries;

extracting, by the intrusion detection system, information from the logs;

based upon the information extracted from the logs, updating, by the intrusion detection system, on an entry-by-entry basis, intrusion detection information utilized by an intrusion detection rule;

updating, by the intrusion detection system, a profile utilized by the intrusion detection rule;

comparing, by the intrusion detection system, the profile and the intrusion detection rule against a running state of an on-going session;

tagging, by the intrusion detection system, corresponding log entries of the logs with a threat score;

calculating, by the intrusion detection system, the threat scores from the corresponding log entries to create an aggregated threat score; and

presenting, by the intrusion detection system, the aggregated threat score.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Concepts and technologies disclosed herein are for monitoring operational activities in networks and detecting potential network intrusions and misuses. According to one aspect disclosed herein, an intrusion detection system can collect logs from an authentication, authorization, and accounting system. The intrusion detection system can extract information from the logs, update intrusion detection information utilized by an intrusion detection rule based upon the information extracted from the logs, update a profile utilized by the intrusion detection rule, compare the profile and the intrusion detection rule against a running state of an on-going session, tag corresponding log entries with a threat score, calculate the threat scores from the corresponding log entries to create an aggregated threat score, and present the aggregated threat score. The intrusion detection system can also present an alarm if the aggregated threat score triggers an alarm condition.

97 Citations

View as Search Results

20 Claims

1. A method, comprising:
- collecting, by an intrusion detection system comprising a processor, logs each of which comprises a plurality of entries;
  
  extracting, by the intrusion detection system, information from the logs;
  
  based upon the information extracted from the logs, updating, by the intrusion detection system, on an entry-by-entry basis, intrusion detection information utilized by an intrusion detection rule;
  
  updating, by the intrusion detection system, a profile utilized by the intrusion detection rule;
  
  comparing, by the intrusion detection system, the profile and the intrusion detection rule against a running state of an on-going session;
  
  tagging, by the intrusion detection system, corresponding log entries of the logs with a threat score;
  
  calculating, by the intrusion detection system, the threat scores from the corresponding log entries to create an aggregated threat score; and
  
  presenting, by the intrusion detection system, the aggregated threat score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein updating, on the entry-by-entry basis, the intrusion detection information utilized by the intrusion detection rule comprises updating the running states of the on-going session, login identifications, origin Internet protocol addresses, and commands that are utilized by the intrusion detection rule.
  - 3. The method of claim 1, wherein calculating the threat scores from the corresponding log entries to create the aggregated threat score comprises calculating the threat scores from the corresponding log entries in a window according to a login identification.
  - 4. The method of claim 1, wherein calculating the threat scores from the corresponding log entries to create the aggregated threat score comprises calculating the threat scores from the corresponding log entries in a window according to an origin Internet protocol address.
  - 5. The method of claim 1, further comprising:
    - determining, by the intrusion detection system, if an alarm condition has been satisfied by the aggregated threat score; and
      
      if the alarm condition has been satisfied by the aggregated threat score, presenting an alarm.
  - 6. The method of claim 1, wherein the intrusion detection rule comprises:
    - generating a list of Internet protocol address blocks associated with a network;
      
      comparing an origin Internet protocol address of each log entry against the list;
      
      determining if any Internet protocol addresses are from outside the network;
      
      if an Internet protocol address is from outside the network,determining that the Internet protocol address is associated with a breach of the network, andgenerating a high threat score for the Internet protocol address; and
      
      if no Internet protocol address are from outside the network, determining that no Internet protocol addresses are associated with a breach of the network.
  - 7. The method of claim 1, wherein the intrusion detection rule comprises:
    - detecting a failed login attempt for an origin Internet protocol address;
      
      tracking a timestamp of the failed login attempt;
      
      monitoring the origin Internet protocol address for subsequent login attempts within a time period;
      
      determining whether a subsequent login attempt occurs within the time period;
      
      if the subsequent login attempt does not occur within the time period, resetting the timestamp and a count of consecutive failed login attempts;
      
      if the subsequent login attempt occurs within the time period, determining if the subsequent login attempt is successful;
      
      if the subsequent login attempt is successful, resetting the timestamp and the count of consecutive failed login attempts;
      
      if the subsequent login attempt failed,updating the timestamp to reflect a new failed login attempt,incrementing the count of consecutive failed login attempts for the origin Internet protocol address, anddetermining if the count of consecutive failed login attempts exceeds a threshold count,if the count of consecutive failed login attempts exceeds the threshold count,outputting entries associated with failed login attempts including the failed login attempt and the new failed login attempt, andassigning a threat score to each of the entries.
  - 8. The method of claim 1, wherein the intrusion detection rule comprises:
    - tracing stepping-stone accesses;
      
      determining if a length of an access chain is greater than a threshold length;
      
      determining if a fan out of the access chain is greater than a fan out threshold; and
      
      if the length of the access chain is greater than the threshold length, assigning a high threat score to a stepping-stone session associated with the stepping-stone accesses; and
      
      if the fan out of the access chain is greater than the threshold fan out, assigning a high threat score to a stepping-stone session associated with the stepping-stone accesses.
  - 9. The method of claim 1, wherein the intrusion detection rule comprises:
    - analyzing a log entry;
      
      determining if the log entry including a modification of a logging setting; and
      
      if the log entry includes the modification of the logging setting, assigning a high threat score to the log entry.
  - 10. The method of claim 1, wherein the intrusion detection rule comprises:
    - tracking a most recent date of appearance of an entry and a cumulative number of appearances for the entry;
      
      determining if the most recent appearance is older than a time;
      
      if the most recent appearance is older than the time, deleting the entry; and
      
      if the most recent appearance is not older than the time, determining if a threshold number of cumulative appearances of the entry has been reached; and
      
      if the threshold number of cumulative appearances of the entry has been reached, adding the entry to a long-term profile.
  - 11. The method of claim 1, wherein the intrusion detection rule comprises:
    - tracking a mean and a variance for an attribute;
      
      estimating running statistics for the attribute during a time period;
      
      determining if a cumulative count for the time period at least meets an attribute count threshold; and
      
      if the cumulative count for the time period at least meets the attribute count threshold, assigning a threat score to an access session involved with the attribute.

12. An intrusion detection system, comprising:
- a processor; and
  
  a memory in communication with the processor, the memory comprising instructions that, when executed by the processor, cause the processor to perform operations comprisingcollecting logs each of which comprises a plurality of entries;
  
  extracting information from the logs;
  
  based upon the information extracted from the logs, updating, on an entry-by-entry basis, intrusion detection information utilized by an intrusion detection rule;
  
  updating a profile utilized by the intrusion detection rule;
  
  comparing the profile and the intrusion detection rule against a running state of an on-going session;
  
  tagging corresponding log entries of the logs with a threat score;
  
  calculating the threat scores from the corresponding log entries to create an aggregated threat score; and
  
  presenting the aggregated threat score.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The intrusion detection system of claim 12, wherein the intrusion detection rule comprises:
    - generating a list of Internet protocol address blocks associated with a network;
      
      comparing an origin Internet protocol address of each log entry against the list;
      
      determining if any Internet protocol addresses are from outside the network;
      
      if an Internet protocol address is from outside the network,determining that the Internet protocol address is associated with a breach of the network, andgenerating a high threat score for the Internet protocol address; and
      
      if no Internet protocol address are from outside the network, determining that no Internet protocol addresses are associated with a breach of the network.
  - 14. The intrusion detection system of claim 12, wherein the intrusion detection rule comprises:
    - detecting a failed login attempt for an origin Internet protocol address;
      
      tracking a timestamp of the failed login attempt;
      
      monitoring the origin Internet protocol address for subsequent login attempts within a time period;
      
      determining whether a subsequent login attempt occurs within the time period;
      
      if the subsequent login attempt does not occur within the time period, resetting the timestamp and a count of consecutive failed login attempts;
      
      if the subsequent login attempt occurs within the time period, determining if the subsequent login attempt is successful;
      
      if the subsequent login attempt is successful, resetting the timestamp and the count of consecutive failed login attempts;
      
      if the subsequent login attempt failed,updating the timestamp to reflect a new failed login attempt,incrementing the count of consecutive failed login attempts for the origin Internet protocol address, anddetermining if the count of consecutive failed login attempts exceeds a threshold count,if the count of consecutive failed login attempts exceeds the threshold count,outputting entries associated with failed login attempts including the failed login attempt and the new failed login attempt, andassigning a threat score to each of the entries.
  - 15. The intrusion detection system of claim 12, wherein the intrusion detection rule comprises:
    - tracing stepping-stone accesses;
      
      determining if a length of an access chain is greater than a threshold length;
      
      determining if a fan out of the access chain is greater than a fan out threshold; and
      
      if the length of the access chain is greater than the threshold length, assigning a high threat score to a stepping-stone session associated with the stepping-stone accesses; and
      
      if the fan out of the access chain is greater than the threshold fan out, assigning a high threat score to a stepping-stone session associated with the stepping-stone accesses.
  - 16. The intrusion detection system of claim 12, wherein the intrusion detection rule comprises:
    - analyzing a log entry;
      
      determining if the log entry including a modification of a logging setting; and
      
      if the log entry includes the modification of the logging setting, assigning a high threat score to the log entry.
  - 17. The intrusion detection system of claim 12, wherein the intrusion detection rule comprises:
    - tracking a most recent date of appearance of an entry and a cumulative number of appearances for the entry;
      
      determining if the most recent appearance is older than a time;
      
      if the most recent appearance is older than the time, deleting the entry; and
      
      if the most recent appearance is not older than the time, determining if a threshold number of cumulative appearances of the entry has been reached; and
      
      if the threshold number of cumulative appearances of the entry has been reached, adding the entry to a long-term profile.
  - 18. The intrusion detection system of claim 12, wherein the intrusion detection rule comprises:
    - tracking a mean and a variance for an attribute;
      
      estimating running statistics for the attribute during a time period;
      
      determining if a cumulative count for the time period at least meets an attribute count threshold; and
      
      if the cumulative count for the time period at least meets the attribute count threshold, assigning a threat score to an access session involved with the attribute.

19. A computer-readable storage medium comprising computer-executable instructions that, when executed by a processor, cause the processor to perform operations comprising:
- collecting logs each of which comprises a plurality of entries;
  
  extracting information from the logs;
  
  based upon the information extracted from the logs, updating, on an entry-by-entry basis, intrusion detection information utilized by an intrusion detection rule;
  
  updating a profile utilized by the intrusion detection rule;
  
  comparing the profile and the intrusion detection rule against a running state of an on-going session;
  
  tagging corresponding log entries of the logs with a threat score;
  
  calculating the threat scores from the corresponding log entries to create an aggregated threat score;
  
  determining if an alarm condition has been satisfied by the aggregated threat score; and
  
  if the alarm condition has been satisfied by the aggregated threat score, presenting an alarm.
- View Dependent Claims (20)
- - 20. The computer-readable storage medium of claim 19, wherein calculating the threat scores from the corresponding log entries to create the aggregated threat score comprises one of the following:
    - summing the threat scores from each of the corresponding log entries in a window according to a login identification; and
      
      summing the threat scores from each of the corresponding log entries in a window according to a an origin Internet protocol address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Ge, Zihui, Yates, Jennifer, Chu, Jie, Huber, Richard, Ji, Ping, Yu, Yung-Chao

Granted Patent

US 9,401,924 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1425 Traffic logging, e.g. anoma...

Monitoring Operational Activities In Networks And Detecting Potential Network Intrusions And Misuses

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

97 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Monitoring Operational Activities In Networks And Detecting Potential Network Intrusions And Misuses

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others