DETECTING NETWORK INTRUSION AND ANOMALY INCIDENTS

US 20140230062A1
Filed: 08/08/2013
Published: 08/14/2014
Est. Priority Date: 02/12/2013
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented data processing method comprising:

using computing apparatus, receiving one or more data streams, determining one or more characteristics of the one or more data streams, and based on the one or more characteristics of the one or more data streams, determining one or more tags for the one or more data streams;

using computing apparatus, determining whether the one or more tags indicate one or more malicious patterns representative of network intrusions;

using computing apparatus, in response to determining that the one or more tags indicate one or more malicious patterns representative of network intrusions;

generating, based on the one or more tags, one or more aggregated alert streams;

applying one or more rules to the one or more aggregated alert streams and receiving a result indicating whether a network intrusion is in progress;

in response to receiving the result indicating that the network intrusion is in progress, determining and executing one or more remedial actions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an embodiment, a method comprises: using computing apparatus, receiving one or more data streams, determining one or more characteristics of the one or more data streams, and based on the one or more characteristics of the one or more data streams, determining one or more tags for the one or more data streams; determining whether the one or more tags indicate one or more malicious patterns representative of network intrusions; in response to determining that the one or more tags indicate one or more malicious patterns representative of network intrusions: generating, based on the one or more tags, one or more aggregated alert streams; applying one or more rules to the one or more aggregated alert streams and receiving a result indicating whether a network intrusion is in progress; in response thereto, determining and executing one or more remedial actions.

Citations

20 Claims

1. A computer-implemented data processing method comprising:
- using computing apparatus, receiving one or more data streams, determining one or more characteristics of the one or more data streams, and based on the one or more characteristics of the one or more data streams, determining one or more tags for the one or more data streams;
  
  using computing apparatus, determining whether the one or more tags indicate one or more malicious patterns representative of network intrusions;
  
  using computing apparatus, in response to determining that the one or more tags indicate one or more malicious patterns representative of network intrusions;
  
  generating, based on the one or more tags, one or more aggregated alert streams;
  
  applying one or more rules to the one or more aggregated alert streams and receiving a result indicating whether a network intrusion is in progress;
  
  in response to receiving the result indicating that the network intrusion is in progress, determining and executing one or more remedial actions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the determining one or more tags for the one or more data streams comprises, using computing apparatus, performing one or more of:
    - determining whether a particular attribute value associated with a particular characteristic of the one or more characteristics exceeds an attribute threshold value, and in response thereto, adding a first tag to a set of the one or more tags;
      
      determining whether a particular statistical anomaly value associated with the particular characteristic of the one or more characteristics exceeds a statistical threshold value, and in response thereto, adding a second tag to the set of the one or more tags;
      
      determining whether one or more attribute values associated with the one or more characteristics of the one or more data streams form a known pattern, and in response thereto, adding a third tag to the set of the one or more tags.
  - 3. The method of claim 1, wherein the determining whether the one or more tags indicate one or more malicious patterns comprises:
    - executing both misuse and anomaly detection algorithms in parallel on the one or more data streams to generate one or more alerts indicating one or more possible patterns;
      
      analyzing the one or more alerts to identify a subset of alerts by excluding false alerts from the one or more alerts;
      
      aggregating the subset of alerts into the one or more aggregated alert streams;
      
      based on the one or more aggregated alert streams, determining the one or more tags indicating the one or more malicious patterns representative of network intrusions.
  - 4. The method of claim 1, wherein the determining whether the one or more tags indicate one or more malicious patterns representative of network intrusions comprises performing one or more of an intra-event intrusion detection and performing a discrete event sequence intrusion detection.
  - 5. The method of claim 4, wherein the performing the intra-event intrusion detection comprises performing one or more of a signature based intrusion detection, a classification based intrusion detection, a statistical anomaly detection.
  - 6. The method of claim 4, wherein the performing the discrete event sequence intrusion detection comprises performing one or more of a regular expression based matching, a clustering based anomaly detection.
  - 7. The method of claim 1, wherein the one or more characteristics of the one or more data streams comprise one or more of physical attributes, communication attributes, network and flow characteristics, packet content.
  - 8. The method of claim 1, wherein the one or more data streams are received using a streaming database.

9. A computer system comprising:
- one or more processors;
  
  a stream database unit coupled to the one or more processors and configured to use computing apparatus to;
  
  receive one or more data streams;
  
  determine one or more characteristics of the one or more data streams;
  
  based on the one or more characteristics of the one or more data streams, determine one or more tags for the one or more data streams;
  
  determine whether the one or more tags indicate one or more malicious patterns representative of network intrusions;
  
  in response to determining that the one or more tags indicate one or more malicious patterns representative of network intrusions, generate, based on the one or more tags, one or more aggregated alert streams;
  
  a rule engine configured to;
  
  apply one or more rules to the one or more aggregated alert streams and receive a result indicating whether a network intrusion is in progress;
  
  in response to receiving the result indicating that the network intrusion is in progress, determine and execute one or more remedial action.
- View Dependent Claims (10, 11, 12)
- - 10. The intrusion detection system of claim 9, wherein the stream database unit is further configured to use computing apparatus to:
    - determine whether a particular attribute value associated with a particular characteristic of the one or more characteristics exceeds an attribute threshold value, and in response thereto, adding a first tag to a set of the one or more tags;
      
      determine whether a particular statistical anomaly value associated with the particular characteristic of the one or more characteristics exceeds a statistical threshold value, and in response thereto, adding a second tag to the set of the one or more tags;
      
      determine whether one or more attribute values associated with the one or more characteristics of the one or more data streams form a known pattern, and in response thereto, adding a third tag to the set of the one or more tags.
  - 11. The intrusion detection system of claim 9, wherein the stream database unit is further configured to use computing apparatus to:
    - execute both misuse and anomaly detection algorithms in parallel on the one or more data streams to generate one or more alerts indicating one or more possible patterns;
      
      analyze the one or more alerts to identify a subset of alerts by excluding false alerts from the one or more alerts;
      
      aggregate the subset of alerts into the one or more aggregated alert streams;
      
      based on the one or more aggregated alert streams, determine the one or more tags indicating the one or more malicious patterns representative of network intrusions.
  - 12. The intrusion detection system of claim 9, wherein the stream database unit comprises:
    - a data splitter coupled to an event labeler that is configured to produce a labeled derived stream;
      
      a sequence pattern detection unit, an event pattern detection unit, an event anomaly detection unit, and a sequence anomaly detection unit, each unit configured to receive the labeled derived stream and to produce the one or more aggregated alert streams.

13. A non-transitory computer-readable storage medium storing one or more instructions which, when executed by one or more processors, cause performing:
- using the one or more processors, receiving one or more data streams, determining one or more characteristics of the one or more data streams, and based on the one or more characteristics of the one or more data streams, determining one or more tags for the one or more data streams;
  
  using the one or more processors, determining whether the one or more tags indicate one or more malicious patterns representative of network intrusions;
  
  using the one or more processors, in response to determining that the one or more tags indicate one or more malicious patterns representative of network intrusions;
  
  generating, based on the one or more tags, one or more aggregated alert streams;
  
  applying one or more rules to the one or more aggregated alert streams to determine whether a network intrusion is in progress;
  
  in response to determining that the network intrusion is in progress, determining and executing one or more remedial action.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable storage medium of claim 13, comprising instructions which, when executed, cause:
    - determining whether a particular attribute value associated with a particular characteristic of the one or more characteristics exceeds an attribute threshold value, and in response thereto, adding a first tag to a set of the one or more tags;
      
      determining whether a particular statistical anomaly value associated with the particular characteristic of the one or more characteristics exceeds a statistical threshold value, and in response thereto, adding a second tag to the set of the one or more tags;
      
      determining whether one or more attribute values associated with the one or more characteristics of the one or more data streams form a known pattern, and in response thereto, adding a third tag to the set of the one or more tags.
  - 15. The non-transitory computer-readable storage medium of claim 13, comprising instructions which, when executed, cause:
    - executing both misuse and anomaly detection algorithms in parallel on the one or more data streams to generate one or more alerts indicating one or more possible patterns;
      
      analyzing the one or more alerts to identify a subset of alerts by excluding false alerts from the one or more alerts;
      
      aggregating the subset of alerts into the one or more aggregated alert streams;
      
      based on the one or more aggregated alert streams, determining the one or more tags indicating the one or more malicious patterns representative of network intrusions.
  - 16. The non-transitory computer-readable storage medium of claim 13, comprising instructions which, when executed, cause:
    - performing an intra-event intrusion detection, performing a discrete event sequence intrusion detection.
  - 17. The non-transitory computer-readable storage medium of claim 13, comprising instructions which, when executed, cause:
    - performing a signature-based intrusion detection, performing a classification-based intrusion detection, performing a statistical anomaly detection.
  - 18. The non-transitory computer-readable storage medium of claim 13, comprising instructions which, when executed, cause:
    - a regular expression based matching, a clustering based anomaly detection.
  - 19. The non-transitory computer-readable storage medium of claim 13, wherein the one or more characteristics of the one or more data streams comprise one or more of:
    - physical attributes, communication attributes, network and flow characteristics, packet content.
  - 20. The non-transitory computer-readable storage medium of claim 13, wherein the one or more data streams are received using a streaming database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kumaran, Vikram

Application Number

US13/962,863
Publication Number

US 20140230062A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/554 involving event detection a...

H04L 63/1408 by monitoring network traff...

DETECTING NETWORK INTRUSION AND ANOMALY INCIDENTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTING NETWORK INTRUSION AND ANOMALY INCIDENTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links