COMPUTER DEFENSES AND COUNTERATTACKS

US 20160182533A1
Filed: 12/17/2014
Published: 06/23/2016
Est. Priority Date: 12/17/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a processing system including one or more processors;

memory accessible to the processing system, wherein the memory stores instructions executable by at least one processor of the one or more processors to cause the at least one processor to perform operations comprising;

instantiating a first detection agent based on detection criteria, wherein the first detection agent includes first program code executable by a second processor to monitor network activity;

sending the first program code of the first detection agent to a remote computing device for execution, wherein, when the first program code of the first detection agent is executed at the remote computing device, the first detection agent causes network activity data to be transmitted to the processing system, and wherein the processing system updates the detection criteria based on the network activity data to generate updated detection criteria;

instantiating a second detection agent based on the updated detection criteria wherein the second detection agent includes second program code; and

sending second program code of the second detection agent to the remote computing device for execution.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes instantiating a first detection agent based on detection criteria, where the first detection agent includes first program code executable by a second computing device to monitor network activity. The method further includes sending the first program code of the first detection agent to the second computing device for execution. When the first program code of the first detection agent is executed at the second computing device, the first detection agent causes network activity data to be transmitted to a network monitor, and the network monitor updates the detection criteria based on the network activity data to generate updated detection criteria. The method also includes instantiating a second detection agent based on the updated detection criteria and sending second program code of the second detection agent to the second computing device for execution.

Citations

20 Claims

1. A system comprising:
- a processing system including one or more processors;
  
  memory accessible to the processing system, wherein the memory stores instructions executable by at least one processor of the one or more processors to cause the at least one processor to perform operations comprising;
  
  instantiating a first detection agent based on detection criteria, wherein the first detection agent includes first program code executable by a second processor to monitor network activity;
  
  sending the first program code of the first detection agent to a remote computing device for execution, wherein, when the first program code of the first detection agent is executed at the remote computing device, the first detection agent causes network activity data to be transmitted to the processing system, and wherein the processing system updates the detection criteria based on the network activity data to generate updated detection criteria;
  
  instantiating a second detection agent based on the updated detection criteria wherein the second detection agent includes second program code; and
  
  sending second program code of the second detection agent to the remote computing device for execution.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein the operations further comprise executing a supervisor application, wherein the supervisor application is executable to perform operations comprising:
    - performing analysis of data received from one or more agents executing at one or more remote processors;
      
      initiating one or more actions automatically, without human intervention, based on the analysis; and
      
      notifying a human operator of results of the data, results of the analysis, actions taken, or a combination thereof.
  - 3. The system of claim 1, wherein the first program code of the first detection agent further includes instructions to authenticate other agents and to exchange secure messages with the other agents independently of the processing system.
  - 4. The system of claim 1, wherein the first program code of the first detection agent is configured to monitor first detection criterion and is not configured to monitor second detection criterion, and wherein the second program code is executable by the second processor to monitor the second detection criterion.
  - 5. The system of claim 1, wherein the operations further comprise:
    - instantiating a first defense agent based on a set of available defense actions, wherein the first defense agent includes third program code executable by the second processor to mitigate suspect network activity; and
      
      sending the third program code of the first defense agent to the remote computing device for execution to mitigate particular suspect network activity that is detected by a particular detection agent.
  - 6. The system of claim 5, wherein the operations further comprise:
    - instantiating a second defense agent based on the updated detection criteria after the processing system generates updated detection criteria; and
      
      sending fourth program code of the second defense agent to the remote computing device for execution.
  - 7. The system of claim 5, wherein, when the first defense agent is executed at the remote computing device, the first defense agent causes suspect network activity mitigation data to be transmitted to the processing system, and wherein the processing system updates the detection criteria to generate the updated detection criteria further based on the suspect network activity mitigation data.
  - 8. The system of claim 5, wherein, when the first defense agent is executed at the remote computing device, the first defense agent causes suspect network activity mitigation data to be transmitted to the processing system, and wherein the processing system updates the set of available defense actions to generate an updated set of available defense actions based on the suspect network activity mitigation data.
  - 9. The system of claim 5, wherein the first detection agent is configured to communicate detection data to the first defense agent at the remote computing device, wherein the detection data identifies suspect network activity detected by the first detection agent, and wherein the first defense agent is configured to automatically select and execute a particular defense action, independently of the processing system, based on the detection data.
  - 10. The system of claim 5, wherein the set of available defense actions includes a first subset of available defense actions and a second subset of available defense actions, and wherein the third program code of the first defense agent is configured to execute the first subset of available defense actions and is not configured to execute the second subset of available defense actions.
  - 11. The system of claim 10, wherein the operations further comprise:
    - instantiating a second defense agent including fourth program code executable by the second processor to execute one or more defense actions of the second subset of defense actions; and
      
      sending the fourth program code of the second defense agent to the remote computing device.
  - 12. The system of claim 1, wherein the operations further comprise:
    - instantiating a first attack agent based on a set of available counterattack actions, wherein the first attack agent includes fifth program code executable by the second processor to execute a counterattack based on suspect network activity; and
      
      sending the fifth program code of the first attack agent to the remote computing device for execution based on the suspect network activity detected by a particular detection agent.
  - 13. The system of claim 12, wherein the operations further comprise:
    - instantiating a second attack agent based on the updated detection criteria after the processing system generates updated detection criteria; and
      
      sending sixth program code of the second attack agent to the remote computing device for execution.
  - 14. The system of claim 12, wherein, when the first attack agent is executed at the remote computing device, the first attack agent causes counterattack activity data to be transmitted to the processing system, and wherein the processing system updates the set of available counterattack actions to generate an updated set of available counterattack actions based on the counterattack activity data.

15. A method comprising:
- instantiating, at a first computing device, a first detection agent based on detection criteria, wherein the first detection agent includes first program code executable by a second computing device to monitor network activity;
  
  sending the first program code of the first detection agent to the second computing device for execution, wherein, when the first program code of the first detection agent is executed at the second computing device, the first detection agent causes network activity data to be transmitted to a processing system, and wherein the processing system updates the detection criteria based on the network activity data to generate updated detection criteria;
  
  instantiating, at the first computing device, a second detection agent based on the updated detection criteria; and
  
  sending second program code of the second detection agent to the second computing device for execution.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, further comprising:
    - instantiating at least one additional agent, the at least one additional agent including a defense agent, an attack agent, or both; and
      
      sending program code of the at least one additional agent to the second computing device for execution.
  - 17. The method of claim 16, further comprising, before instantiating the at least one additional agent, selecting operations to be performed by the at least one additional agent based on the network activity data, wherein the program code of the at least one additional agent includes instructions executable by the second computing device to perform the selected operations.

18. A computer-readable storage device storing instructions that are executable by a processor to cause the processor to perform operations comprising:
- instantiating a first detection agent based on detection criteria, wherein the first detection agent includes first program code executable by a remote computing device to monitor network activity;
  
  sending the first program code of the first detection agent to the remote computing device for execution, wherein, when the first program code of the first detection agent is executed at the remote computing device, the first detection agent causes network activity data to be transmitted to a processing system, and wherein the processing system updates the detection criteria based on the network activity data to generate updated detection criteria;
  
  instantiating a second detection agent based on the updated detection criteria; and
  
  sending second program code of the second detection agent to the remote computing device for execution.
- View Dependent Claims (19, 20)
- - 19. The computer-readable storage device of claim 18, wherein the operations further comprise executing at supervisor application, wherein the supervisor application is executable to perform operations comprising:
    - performing analysis of data received from one or more agents executing at one or more remote computing devices;
      
      initiating one or more actions automatically, without human intervention, based on the analysis; and
      
      notifying a human operator of results of the data, results of the analysis, actions taken, or a combination thereof.
  - 20. The computer-readable storage device of claim 18, wherein the first program code of the first detection agent further includes instructions to authenticate other agents, to exchange secure messages with the other agents, and to send the network activity data as one or more encrypted messages to the processing system and to one or more other agents.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Purpura, William J.

Granted Patent

US 9,591,022 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

COMPUTER DEFENSES AND COUNTERATTACKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

COMPUTER DEFENSES AND COUNTERATTACKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links