System and method for network intrusion detection of covert channels based on off-line network traffic

US 20160127395A1
Filed: 09/10/2015
Published: 05/05/2016
Est. Priority Date: 10/31/2014
Status: Active Grant

First Claim

Patent Images

1. A system for network intrusion detection, comprising:

one or more servers configured to receive off-line network traffic, said off-line network traffic having a predefined format capable of indicating existence of a plurality of covert channels associated with a corresponding plurality of covert channel signatures, wherein each covert channel comprises a tool that communicates messages by deviating from a standard protocol to avoid detection; and

a plurality of covert channel processors configured to analyze said off-line network traffic, said analysis comprising determining whether the off-line network traffic deviates from the standard protocol based on one or more covert channel signatures.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network intrusion detection system and method is configured to receive off-line network traffic. The off-line network traffic with a predefined format, PCAP file, is capable of indicating existence of a plurality of covert channels associated with a corresponding plurality of covert channel signatures. Each covert channel comprises a tool that communicates messages by deviating from a standard protocol to avoid detection. A plurality of covert channel processors are configured to analyze off-line network traffic. The analysis determines whether the off-line network traffic deviates from the standard protocol based on one or more covert channel signatures. The covert channels are employed in at least one standard layer of the standard protocol stack and the off-line network data traffic comprises at least one standard protocol stack having multiple standard layers.

Citations

18 Claims

1. A system for network intrusion detection, comprising:
- one or more servers configured to receive off-line network traffic, said off-line network traffic having a predefined format capable of indicating existence of a plurality of covert channels associated with a corresponding plurality of covert channel signatures, wherein each covert channel comprises a tool that communicates messages by deviating from a standard protocol to avoid detection; and
  
  a plurality of covert channel processors configured to analyze said off-line network traffic, said analysis comprising determining whether the off-line network traffic deviates from the standard protocol based on one or more covert channel signatures.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, further comprising a plurality of malware processors configured to analyze said off-line network traffic to detect malware, wherein a malware uses the standard protocol without deviation.
  - 3. The system of claim 1, further comprising a plurality of steganography processors configured to analyze said off-line network traffic to detect steganography.
  - 4. The system of claim 1, further comprising a plurality of Potentially Unwanted Program (PUP) processors configured to analyze said off-line network traffic to detect PUPs.
  - 5. The system of claim 1, wherein the off-line network data traffic comprises at least one standard protocol stack having multiple standard layers.
  - 6. The system of claim 5, wherein the covert channels is employed in at least one standard layer of the standard protocol stack.
  - 7. The system of claim 6, wherein the at least one standard layer comprises one of HTTP or TCP/IP.
  - 8. The system of claim 1, wherein the off-line network traffic is analyzed at two levels comprising a first level and a second level, wherein;
    - at the first level analysis, a deviation is detected based on a covert channel signature; and
      
      at the second level, analysis comprises of at least one of decryption processes, key-in processes, administration detection processes, header checking processes, or field checking processes in the standard.
  - 9. The system of claim 1, wherein the predefined format of network data traffic is a PCAP file.

10. A method for network intrusion detection, comprising:
- receiving off-line network traffic, said off-line network traffic having a predefined format capable of indicating existence of a plurality of covert channels associated with a corresponding plurality of covert channel signatures, wherein each covert channel comprises a tool that communicates messages by deviating from a standard protocol to avoid detection; and
  
  determining whether the off-line network traffic deviates from the standard protocol based on one or more covert channel signatures.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, further comprising analyzing said off-line network traffic to detect malware, wherein a malware uses the standard protocol without deviation.
  - 12. The method of claim 10, further comprising analyzing said off-line network traffic to detect steganography.
  - 13. The method of claim 10, further comprising analyzing said off-line network traffic to detect PUPs.
  - 14. The method of claim 10, wherein the off-line network data traffic comprises at least one standard protocol stack having multiple standard layers.
  - 15. The method of claim 14, wherein the covert channels is employed in at least one standard layer of the standard protocol stack.
  - 16. The method of claim 15, wherein the at least one standard layer comprises one of HTTP or TCP/IP.
  - 17. The method of claim 10, wherein the off-line network traffic is analyzed at two levels comprising a first level and a second level, wherein;
    - at the first level analysis, a deviation is detected based on a covert channel signature; and
      
      at the second level, analysis comprises of at least one of decryption processes, key-in processes, administration detection processes, header checking processes, or field checking processes in the standard.
  - 18. The method of claim 10, wherein the predefined format of network data traffic is a PCAP file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyber Crucible Incorporated
Original Assignee
Cyber Crucible Incorporated
Inventors
Underwood, Dennis, Stryker, Ethan, Peterson, Jonathan

Granted Patent

US 9,832,213 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/556   involving covert channels, ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

System and method for network intrusion detection of covert channels based on off-line network traffic

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for network intrusion detection of covert channels based on off-line network traffic

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links