Adaptive system and method for responding to computer network security attacks

US 6,088,804 A
Filed: 01/12/1998
Issued: 07/11/2000
Est. Priority Date: 01/12/1998
Status: Expired due to Term

First Claim

Patent Images

1. A dynamic network security system for responding to a security attack on a computer network, said computer network having a multiplicity of computer nodes, and said system comprising:

a plurality of security agents, each security agent being associated with at least one of the computer nodes and located at the associated computer node, each security agent being configured to detect occurrences of security events on the associated ones of said computer nodes, said security events characterizing said attack, said security events comprising at least one the group consisting of performing of an unauthorized action on the associated computer node, performing port scans on the associated node, operating malicious software on the associated computer node, and initiating unauthorized penetration attempts on the associated computer node, wherein each security agent is configured to transfer data about the security events on the associated computer nodes;

a self-organizing map (SOM) processor in data communication with each of said security agents and configured to process said data about said security events to form an attack signature; and

a network status display in communication with said processor and configured to display attack status information in response to said attack signature, said attack status information graphically representing a severity of said attack,wherein the SOM processor is configured to compare the attack signature with a plurality of training signatures and respond to the security attack.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A dynamic network security system (20) responds to a security attack (92) on a computer network (22) having a multiplicity of computer nodes (24). The security system (20) includes a plurality of security agents (36) that concurrently detect occurrences of security events (50) on associated computer nodes (24). A processor (40) processes the security events (50) that are received from the security agents (36) to form an attack signature (94) of the attack (92). A network status display (42) displays multi-dimensional attack status information representing the attack (92) in a two dimensional image to indicate the overall nature and severity of the attack (92). The network status display (42) also includes a list of recommended actions (112) for mitigating the attack. The security system (20) is adapted to respond to a subsequent attack that has a subsequent signature most closely resembling the attack signature (94).

Citations

19 Claims

1. A dynamic network security system for responding to a security attack on a computer network, said computer network having a multiplicity of computer nodes, and said system comprising:
- a plurality of security agents, each security agent being associated with at least one of the computer nodes and located at the associated computer node, each security agent being configured to detect occurrences of security events on the associated ones of said computer nodes, said security events characterizing said attack, said security events comprising at least one the group consisting of performing of an unauthorized action on the associated computer node, performing port scans on the associated node, operating malicious software on the associated computer node, and initiating unauthorized penetration attempts on the associated computer node, wherein each security agent is configured to transfer data about the security events on the associated computer nodes;
  
  a self-organizing map (SOM) processor in data communication with each of said security agents and configured to process said data about said security events to form an attack signature; and
  
  a network status display in communication with said processor and configured to display attack status information in response to said attack signature, said attack status information graphically representing a severity of said attack,wherein the SOM processor is configured to compare the attack signature with a plurality of training signatures and respond to the security attack.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A system as claimed in claim 1 wherein said SOM processor is a linear vector quantization (LVQ) processor.
  - 3. A system as claimed in claim 1 wherein:
    - said SOM processor is trained to respond to the plurality of training signatures, each of said training signatures representing one of a plurality of simulated attacks; and
      
      said processor is further configured to compare said attack signature to each of said training signatures to determine which of said simulated attacks most closely matches said attack.
  - 4. A system as claimed in claim 1 wherein said network status display provides a two dimensional image of said computer network, and said network status display is configured to link said attack status information to said two dimensional image.
  - 5. A system as claimed in claim 4 wherein said attack status information includes a location identifier and a security event type for each of said security events characterizing said attack.
  - 6. A system as claimed in claim 1 wherein said network status display further comprises an attack mitigation list, said attack mitigation list being a catalogue of actions to take to mitigate said attack.

7. A dynamic network security system for responding to a security attack on a computer network, said computer network having a multiplicity of computer nodes, and said system comprising:
- a plurality of security agents configured to concurrently detect occurrences of security events on associated ones of said computer nodes, said security events characterizing said attack;
  
  a processor in data communication with said security agents and configured to process said security events to form an attack signature; and
  
  a network status display in communication with said processor and configured to display attack status information in response to said attack signature, said attack status information being representative of said attack,wherein said processor is trained to respond to a plurality of training signatures, each of said training signatures representing one of a plurality of simulated attacks; and
  
  said processor is further configured to compare said attack signature to each of said training signatures to determine which of said simulated attacks most closely matches said attack, and wherein;
  
  said network status display presents a display map divided into a plurality of display cells; and
  
  each of said training signatures is mapped into said display cells prior to said attack, andwherein said display cells are divided into a plurality of regions, said regions being configured to indicate an attack type and severity of said attack.

8. A method of operating a dynamic network security system to respond to a plurality of attacks on a computer network, said method comprising the steps of:
- training said security system to respond to a plurality of training signatures, each of said training signatures representing one of a plurality of simulated attacks;
  
  receiving a first attack signature, said first attack signature being configured to characterize a first one of said plurality of attacks;
  
  comparing said first attack signature to each of said training signatures to determine which of said training signatures most closely matches said first attack signature;
  
  displaying attack status information in a network status display in response to said first attack signature and a most closely matching training signature; and
  
  adapting said security system to respond to a second one of said plurality of attacks, said second attack being characterized by a second attack signature that resembles said first attack signature,wherein said network status display provides a two dimensional image of said computer network, said network status display being divided into a plurality of display cells, and said training step comprises the steps of;
  
  performing a first one of said simulated attacks on said network, said first simulated attack having a first training signature;
  
  mapping said first training signature into one of said display cells in response to said first simulated attack; and
  
  repeating said performing and mapping steps for the remaining ones of said training signatures.
- View Dependent Claims (9)
- - 9. A method as claimed in claim 8 wherein:
    - each of said training signatures represents at least one security event type and an attack severity for each of said simulated attacks, said at least one security event type being at least one of a plurality of known security event types, each of said known security event types causing an anti-security effect on said computer network, and said attack severity being a level of security breach said simulated attack causes said computer network; and
      
      said mapping step positions said first training signature into said one of said display cells in response to said at least one security event type and said attack severity.

10. A method of operating a dynamic network security system to respond to a plurality of attacks on a computer network, said method comprising the steps of:
- training said security system to respond to a plurality of training signatures, each of said training signatures representing one of a plurality of simulated attacks;
  
  receiving a first attack signature, said first attack signature being configured to characterize a first one of said plurality of attacks;
  
  comparing said first attack signature to each of said training signatures to determine which of said training signatures most closely matches said first attack signature;
  
  displaying attack status information in a network status display in response to said first attack signature and a most closely matching training signature; and
  
  adapting said security system to respond to a second one of said plurality of attacks, said second attack being characterized by a second attack signature that resembles said first attack signature,wherein said displaying step further comprises the step of tracking a change in said at least one security event type and said attack severity of said first attack.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. A method as claimed in claim 10 wherein said computer network has a multiplicity of nodes and said method further comprises the steps of:
    - detecting security events on said nodes to form said first attack signature for said first attack;
      
      repulsing said security events at said nodes in response to said detecting step; and
      
      notifying said security system of an outcome of said repulsing step.
  - 12. A method as claimed in claim 11 further comprising the step of:
    - compiling said attack status information in response to said receiving step, said attack status information being configured to include location identifiers and security event type identifiers for each of said security events in said first attack.
  - 13. A method as claimed in claim 10 further comprising the steps of:
    - generating a mitigation list in response to said comparing step, said mitigation list being a catalogue of actions to take to mitigate said first attack; and
      
      displaying said mitigation list.
  - 14. A method as claimed in claim 10 further comprising the step of mitigating said first attack in response to said comparing step.
  - 15. A method as claimed in claim 10 wherein:
    - said first attack signature identifies at least one security event type and severity of said attack; and
      
      said displaying step displays said attack status information in response to said at least one security event type and said attack severity.
  - 16. A method as claimed in claim 10 wherein said adapting step further comprises the step of predicting a pattern of subsequent attacks, said subsequent attacks being characterized by subsequent signatures that resemble said first attack signature.

17. A method of operating a dynamic network security system to respond to a plurality of attacks on a computer network, said method comprising the steps of:
- training said security system to respond to a plurality of training signatures, each of said training signatures representing one of a plurality of simulated attacks;
  
  receiving a first attack signature, said first attack signature being configured to characterize a first one of said plurality of attacks;
  
  comparing said first attack signature to each of said training signatures to determine which of said training signatures most closely matches said first attack signature;
  
  displaying attack status information in a network status display in response to said first attack signature and a most closely matching training signature; and
  
  adapting said security system to respond to a second one of said plurality of attacks, said second attack being characterized by a second attack signature that resembles said first attack signature,wherein said adapting step comprises the steps of;
  
  introducing said first attack signature to said security system as a new training signature; and
  
  mapping said new training signature into said network status display.

18. A method of operating a dynamic network security system to respond to a first and a second attack on a computer network, said computer network having a multiplicity of nodes, said method comprising the steps of:
- training said security system to respond to a plurality of training signatures, each of said training signatures representing one of a plurality of simulated attacks;
  
  detecting security events on said nodes to form a first attack signature representing said first attack, each of said security events causing an anti-security effect on said computer network;
  
  comparing said first attack signature to each of said training signatures to determine which of said training signatures most closely resembles said first attack signature;
  
  generating a mitigation list, said mitigation list being a catalogue of actions to take to mitigate said first attack;
  
  displaying attack status information and said mitigation list in a network status display in response to said first attack signature and a most closely matching training signature, said attack status information being configured to include location identifiers and a security event type for each of said security events;
  
  mitigating said attack; and
  
  adapting said security system to respond to said second attack, said second attack being characterized by a second attack signature that most closely resembles said first attack signature,wherein said network status display provides a two dimensional image of said computer network, said network status display being divided into a plurality of display cells, and said training step comprises the steps of;
  
  performing a first one of said simulated attacks on said network, said first simulated attack having a first training signature;
  
  mapping said first training signature into one of said display cells in response to at least one security event type and an attack severity for said first training signature,said at least one security event type being at least one of a plurality of known security event types, each of said known security event types being configured to cause an anti-security effect on said computer network, and said attack severity being a level of security breach said simulated attack causes said computer network; and
  
  repeating said performing and mapping steps for remaining ones of said training signatures.
- View Dependent Claims (19)
- - 19. A method as claimed in claim 18 further comprising the steps of:
    - repulsing said security events at said nodes in response to said detecting step; and
      
      notifying an operator of an outcome of said repulsing step.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
General Dynamics Mission Systems Inc. (General Dynamics Corporation)
Original Assignee
Motorola, Inc. (Motorola Solutions, Inc.)
Inventors
Lynn, James T., Hill, Douglas W.
Primary Examiner(s)
HUA, LY

Application Number

US09/006,056
Time in Patent Office

911 Days
Field of Search

713/201, 713/200, 714/38, 714/47, 714/48, 714/57, 380/4
US Class Current

726/25
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 2211/005   Network, LAN, Remote Access...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Adaptive system and method for responding to computer network security attacks

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive system and method for responding to computer network security attacks

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links