DISTRIBUTED AGENT BASED MODEL FOR SECURITY MONITORING AND RESPONSE

US 20140237599A1
Filed: 10/01/2013
Published: 08/21/2014
Est. Priority Date: 12/24/2002
Status: Active Grant

First Claim

Patent Images

1. A system that detects the state of a computer network, comprising:

a plurality of distributed agents disposed in said computer network, each said distributed agent comprising;

data collection means for passively collecting, monitoring, and aggregating data representative of activities of respective nodes within said computer network;

means responsive to the data from the data collection means for analyzing said data to develop activity models representative of activities of said computer network in a normal state and activities of said computer network in an abnormal state as a result of intrusions, infections, scams and/or other suspicious activities in said computer network; and

means for generating counter-offensive measures where unauthorized access to a program or file containing executable code results in the program or file disabling an operating system with all associated applications of a computer in the computer network until/unless the presumed attacker is able to prove to the machine owner/victim that the presumed attacker had been authorized to access the target data or machine provoking the said counter offensive measure.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An architecture is provided for a widely distributed security system (SDI-SCAM) that protects computers at individual client locations, but which constantly pools and analyzes information gathered from machines across a network in order to quickly detect patterns consistent with intrusion or attack, singular or coordinated. When a novel method of attack has been detected, the system distributes warnings and potential countermeasures to each individual machine on the network. Such a warning may potentially include a probability distribution of the likelihood of an intrusion or attack as well as the relative probabilistic likelihood that such potential intrusion possesses certain characteristics or typologies or even strategic objectives in order to best recommend and/or distribute to each machine the most befitting countermeasure(s) given all presently known particular data and associated predicted probabilistic information regarding the prospective intrusion or attack. If any systems are adversely affected, methods for repairing the damage are shared and redistributed throughout the network.

169 Citations

10 Claims

1. A system that detects the state of a computer network, comprising:
- a plurality of distributed agents disposed in said computer network, each said distributed agent comprising;
  
  data collection means for passively collecting, monitoring, and aggregating data representative of activities of respective nodes within said computer network;
  
  means responsive to the data from the data collection means for analyzing said data to develop activity models representative of activities of said computer network in a normal state and activities of said computer network in an abnormal state as a result of intrusions, infections, scams and/or other suspicious activities in said computer network; and
  
  means for generating counter-offensive measures where unauthorized access to a program or file containing executable code results in the program or file disabling an operating system with all associated applications of a computer in the computer network until/unless the presumed attacker is able to prove to the machine owner/victim that the presumed attacker had been authorized to access the target data or machine provoking the said counter offensive measure.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A system as in claim 1, further comprising a distributed sensor network that aggregates and analyzes data to develop a probabilistic likelihood of a threat to safe code, machines, servers, or individuals, wherein said counter-offensive generating means generates counter-offensive measures that are targeted to a given threat or attack based upon historical feedback from successes and failures of previous counter measures used in response to similar attacks and threats.
  - 3. A system as in claim 2, wherein said historical feedback updates an adaptive learning or adaptive rule base.
  - 4. A system as in claim 2, wherein said distributed sensor network aggregates and analyzes data pertaining to software within the network in order to enable detection and characterization of vulnerabilities and/or provide recommendations for remedial repair or revision.
  - 5. A system as in claim 1, wherein said counter-offensive generating means creates a bogus target for invoking attack on said bogus target for purposes of achieving early detection of a system infection.

6. A method of detecting the state of a computer network, comprising:
- providing a plurality of distributed agents disposed in said computer network to passively collect, monitor, and aggregate data representative of activities of respective nodes within said computer network;
  
  analyzing said data to develop activity models based on collected data and representative of activities of said network in a normal state and activities of said computer network in an abnormal state as a result of intrusions, infections, scams and/or other suspicious activities in said computer network, said data analysis including performing a pattern analysis on the collected data to identify patterns in the collected data representative of suspicious activities; and
  
  generating counter-offensive measures where unauthorized access to a program or file containing executable code results in the program or file disabling an operating system with all associated applications of a computer in the computer network until/unless the presumed attacker is able to prove to the machine owner/victim that the presumed attacker had been authorized to access the target data or machine provoking the said counter offensive measure.
- View Dependent Claims (7, 8, 9, 10)
- - 7. A method as in claim 6, further comprising aggregating and analyzing data to develop a probabilistic likelihood of a threat to safe code, machines, servers, or individuals, and generating counter-offensive measures that are targeted to a given threat or attack based upon historical feedback from successes and failures of previous counter measures used in response to similar attacks and threats.
  - 8. A method as in claim 7, further comprising updating an adaptive learning or adaptive rule base with said historical feedback.
  - 9. A method as in claim 7, further comprising aggregating and analyzing data pertaining to software within the network in order to enable detection and characterization of vulnerabilities and/or provide recommendations for remedial repair or revision.
  - 10. A method as in claim 6, further comprising creating a bogus target for invoking attack on said bogus target for purposes of achieving early detection of a system infection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Inventship LLC
Original Assignee
Walter Paul Labys
Inventors
Gertner, Yael, Herz, Frederick S.M., Labys, Walter Paul

Granted Patent

US 9,503,470 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

DISTRIBUTED AGENT BASED MODEL FOR SECURITY MONITORING AND RESPONSE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

169 Citations

10 Claims

Specification

Use Cases

Quick Links

Others

DISTRIBUTED AGENT BASED MODEL FOR SECURITY MONITORING AND RESPONSE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

169 Citations

10 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others