Adaptive system and method for responding to computer network security attacks
First Claim
1. A dynamic network security system for responding to a security attack on a computer network, said computer network having a multiplicity of computer nodes, and said system comprising:
- a plurality of security agents, each security agent being associated with at least one of the computer nodes and located at the associated computer node, each security agent being configured to detect occurrences of security events on the associated ones of said computer nodes, said security events characterizing said attack, said security events comprising at least one of the group consisting of performing an unauthorized action on the associated computer node, performing port scans on the associated node, operating malicious software on the associated computer node, and initiating unauthorized penetration attempts on the associated computer node, wherein each security agent is configured to transfer data about the security events on the associated computer nodes;
- a self-organizing map (SOM) processor in data communication with each of said security agents and configured to process said data about said security events to form an attack signature; and
- a network status display in communication with said processor and configured to display attack status information in response to said attack signature, said attack status information graphically representing a severity of said attack, wherein the SOM processor is configured to compare the attack signature with a plurality of training signatures and respond to the security attack.
Abstract
A dynamic network security system (20) responds to a security attack (92) on a computer network (22) having a multiplicity of computer nodes (24). The security system (20) includes a plurality of security agents (36) that concurrently detect occurrences of security events (50) on associated computer nodes (24). A processor (40) processes the security events (50) that are received from the security agents (36) to form an attack signature (94) of the attack (92). A network status display (42) displays multi-dimensional attack status information representing the attack (92) in a two-dimensional image to indicate the overall nature and severity of the attack (92). The network status display (42) also includes a list of recommended actions (112) for mitigating the attack. The security system (20) is adapted to respond to a subsequent attack that has a subsequent signature most closely resembling the attack signature (94).
19 Claims
1. A dynamic network security system for responding to a security attack on a computer network, said computer network having a multiplicity of computer nodes, and said system comprising:
- a plurality of security agents, each security agent being associated with at least one of the computer nodes and located at the associated computer node, each security agent being configured to detect occurrences of security events on the associated ones of said computer nodes, said security events characterizing said attack, said security events comprising at least one of the group consisting of performing an unauthorized action on the associated computer node, performing port scans on the associated node, operating malicious software on the associated computer node, and initiating unauthorized penetration attempts on the associated computer node, wherein each security agent is configured to transfer data about the security events on the associated computer nodes;
- a self-organizing map (SOM) processor in data communication with each of said security agents and configured to process said data about said security events to form an attack signature; and
- a network status display in communication with said processor and configured to display attack status information in response to said attack signature, said attack status information graphically representing a severity of said attack, wherein the SOM processor is configured to compare the attack signature with a plurality of training signatures and respond to the security attack.
(Dependent claims: 2, 3, 4, 5, 6)

7. A dynamic network security system for responding to a security attack on a computer network, said computer network having a multiplicity of computer nodes, and said system comprising:
- a plurality of security agents configured to concurrently detect occurrences of security events on associated ones of said computer nodes, said security events characterizing said attack;
- a processor in data communication with said security agents and configured to process said security events to form an attack signature; and
- a network status display in communication with said processor and configured to display attack status information in response to said attack signature, said attack status information being representative of said attack,
wherein said processor is trained to respond to a plurality of training signatures, each of said training signatures representing one of a plurality of simulated attacks, and said processor is further configured to compare said attack signature to each of said training signatures to determine which of said simulated attacks most closely matches said attack; and wherein said network status display presents a display map divided into a plurality of display cells, each of said training signatures is mapped into said display cells prior to said attack, and said display cells are divided into a plurality of regions, said regions being configured to indicate an attack type and severity of said attack.

8. A method of operating a dynamic network security system to respond to a plurality of attacks on a computer network, said method comprising the steps of:
- training said security system to respond to a plurality of training signatures, each of said training signatures representing one of a plurality of simulated attacks;
- receiving a first attack signature, said first attack signature being configured to characterize a first one of said plurality of attacks;
- comparing said first attack signature to each of said training signatures to determine which of said training signatures most closely matches said first attack signature;
- displaying attack status information in a network status display in response to said first attack signature and a most closely matching training signature; and
- adapting said security system to respond to a second one of said plurality of attacks, said second attack being characterized by a second attack signature that resembles said first attack signature,
wherein said network status display provides a two-dimensional image of said computer network, said network status display being divided into a plurality of display cells, and said training step comprises the steps of:
  - performing a first one of said simulated attacks on said network, said first simulated attack having a first training signature;
  - mapping said first training signature into one of said display cells in response to said first simulated attack; and
  - repeating said performing and mapping steps for the remaining ones of said training signatures.
(Dependent claims: 9)

10. A method of operating a dynamic network security system to respond to a plurality of attacks on a computer network, said method comprising the steps of:
- training said security system to respond to a plurality of training signatures, each of said training signatures representing one of a plurality of simulated attacks;
- receiving a first attack signature, said first attack signature being configured to characterize a first one of said plurality of attacks;
- comparing said first attack signature to each of said training signatures to determine which of said training signatures most closely matches said first attack signature;
- displaying attack status information in a network status display in response to said first attack signature and a most closely matching training signature; and
- adapting said security system to respond to a second one of said plurality of attacks, said second attack being characterized by a second attack signature that resembles said first attack signature,
wherein said displaying step further comprises the step of tracking a change in said at least one security event type and said attack severity of said first attack.
(Dependent claims: 11, 12, 13, 14, 15, 16)

17. A method of operating a dynamic network security system to respond to a plurality of attacks on a computer network, said method comprising the steps of:
- training said security system to respond to a plurality of training signatures, each of said training signatures representing one of a plurality of simulated attacks;
- receiving a first attack signature, said first attack signature being configured to characterize a first one of said plurality of attacks;
- comparing said first attack signature to each of said training signatures to determine which of said training signatures most closely matches said first attack signature;
- displaying attack status information in a network status display in response to said first attack signature and a most closely matching training signature; and
- adapting said security system to respond to a second one of said plurality of attacks, said second attack being characterized by a second attack signature that resembles said first attack signature,
wherein said adapting step comprises the steps of:
  - introducing said first attack signature to said security system as a new training signature; and
  - mapping said new training signature into said network status display.

18. A method of operating a dynamic network security system to respond to a first and a second attack on a computer network, said computer network having a multiplicity of nodes, said method comprising the steps of:
- training said security system to respond to a plurality of training signatures, each of said training signatures representing one of a plurality of simulated attacks;
- detecting security events on said nodes to form a first attack signature representing said first attack, each of said security events causing an anti-security effect on said computer network;
- comparing said first attack signature to each of said training signatures to determine which of said training signatures most closely resembles said first attack signature;
- generating a mitigation list, said mitigation list being a catalogue of actions to take to mitigate said first attack;
- displaying attack status information and said mitigation list in a network status display in response to said first attack signature and a most closely matching training signature, said attack status information being configured to include location identifiers and a security event type for each of said security events;
- mitigating said attack; and
- adapting said security system to respond to said second attack, said second attack being characterized by a second attack signature that most closely resembles said first attack signature,
wherein said network status display provides a two-dimensional image of said computer network, said network status display being divided into a plurality of display cells, and said training step comprises the steps of:
  - performing a first one of said simulated attacks on said network, said first simulated attack having a first training signature;
  - mapping said first training signature into one of said display cells in response to at least one security event type and an attack severity for said first training signature, said at least one security event type being at least one of a plurality of known security event types, each of said known security event types being configured to cause an anti-security effect on said computer network, and said attack severity being a level of security breach said simulated attack causes on said computer network; and
  - repeating said performing and mapping steps for remaining ones of said training signatures.
(Dependent claims: 19)
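The procedure that claims 7, 8, 17 and 18 describe (train a self-organizing map on simulated-attack signatures, map each into a display cell, compare a live attack signature against every training signature to pick the closest simulated attack and its mitigation list, then adapt by adding the live signature as a new training signature) can be exercised end to end with a small Kohonen SOM. The code below is an added example, not the patent's own implementation: the event-count vector layout, the severity measure, the grid size, the region thresholds, the simulated attacks and the mitigation lists are all assumptions constructed for the demonstration.

```python
"""Added example (not the patent's code): a Kohonen SOM over attack signatures built
from per-node security-agent reports. Vector layout, severity measure, grid size,
thresholds and all sample data are assumptions constructed for the demonstration."""
import math
import random

# Event types named in claim 1, in fixed vector order.
EVENT_TYPES = ("unauthorized_action", "port_scan", "malicious_software", "penetration_attempt")
NODES = 20  # constructed network size


def agent_reports(reporting_nodes, **events):
    """Constructed stand-in for agent data: {node: {event_type: count}}."""
    return {f"node{i}": dict(events) for i in range(reporting_nodes)}


def attack_signature(reports, node_count):
    """Signature = fraction of events per type (4 values) + severity, where severity is
    the fraction of nodes whose agent detected any event (an assumed measure)."""
    totals = {t: 0 for t in EVENT_TYPES}
    for events in reports.values():
        for t, n in events.items():
            totals[t] += n
    total = sum(totals.values()) or 1
    return [totals[t] / total for t in EVENT_TYPES] + [len(reports) / node_count]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class AttackSOM:
    """Display map of rows x cols cells; each cell holds a weight vector."""

    def __init__(self, rows=4, cols=4, dim=5, seed=7):
        rng = random.Random(seed)
        self.cells = [(r, c) for r in range(rows) for c in range(cols)]
        self.weights = {cell: [rng.random() for _ in range(dim)] for cell in self.cells}
        self.training = {}     # name -> (signature, mitigation list)
        self.cell_labels = {}  # display cell -> names of training signatures mapped there

    def best_matching_cell(self, sig):
        return min(self.cells, key=lambda cell: distance(self.weights[cell], sig))

    def train(self, training_signatures, epochs=200, lr0=0.5, radius0=2.0):
        """Kohonen training: pull the best-matching cell and its neighbours toward each
        signature; learning rate and radius decay until only the best cell is updated."""
        self.training.update(training_signatures)
        sigs = [sig for sig, _ in self.training.values()]
        rng = random.Random(0)
        for epoch in range(epochs):
            frac = epoch / epochs
            lr, radius = lr0 * (1 - frac), max(radius0 * (1 - frac), 0.5)
            for sig in rng.sample(sigs, len(sigs)):
                bmu = self.best_matching_cell(sig)
                for cell in self.cells:
                    d = math.hypot(cell[0] - bmu[0], cell[1] - bmu[1])
                    if d > radius:
                        continue
                    h = math.exp(-d * d / (2 * radius * radius))  # Gaussian neighbourhood
                    w = self.weights[cell]
                    for i in range(len(w)):
                        w[i] += lr * h * (sig[i] - w[i])
        # Map every training signature into its display cell before any live attack.
        self.cell_labels = {}
        for name, (sig, _) in self.training.items():
            self.cell_labels.setdefault(self.best_matching_cell(sig), []).append(name)

    def region(self, cell):
        """Severity region of a display cell, from its severity weight (assumed thresholds)."""
        sev = self.weights[cell][-1]
        return "low" if sev < 0.25 else "medium" if sev < 0.6 else "high"

    def classify(self, sig):
        """Return (display cell, closest simulated attack, its mitigation list)."""
        cell = self.best_matching_cell(sig)
        closest = min(self.training, key=lambda n: distance(self.training[n][0], sig))
        return cell, closest, self.training[closest][1]

    def adapt(self, name, sig, mitigation):
        """Claim 17 style adaptation: the live signature becomes a new training signature
        and is mapped into the display, so a later resembling attack matches it."""
        self.training[name] = (sig, mitigation)
        self.cell_labels.setdefault(self.best_matching_cell(sig), []).append(name)


def build_demo():
    """Train on four constructed simulated attacks; return the SOM and a live signature."""
    som = AttackSOM()
    som.train({
        "recon": (attack_signature(agent_reports(3, port_scan=10), NODES),
                  ["block scanning source at the perimeter", "review exposed services"]),
        "worm": (attack_signature(agent_reports(16, malicious_software=2, penetration_attempt=1), NODES),
                 ["isolate affected segments", "patch the exploited service", "clean infected nodes"]),
        "insider": (attack_signature(agent_reports(1, unauthorized_action=5), NODES),
                    ["suspend the account", "preserve logs for forensics"]),
        "targeted": (attack_signature(agent_reports(4, penetration_attempt=3, unauthorized_action=1), NODES),
                     ["isolate targeted hosts", "rotate credentials"]),
    })
    live = attack_signature(agent_reports(12, malicious_software=3, penetration_attempt=2, port_scan=1), NODES)
    return som, live


if __name__ == "__main__":
    som, live = build_demo()
    cell, match, actions = som.classify(live)
    print(f"live attack -> cell {cell} ({som.region(cell)} severity), closest to '{match}'")
    print("recommended actions:", actions)
    som.adapt("worm_variant", live, actions)
```

Running the script trains the map, places the live signature in a display cell, names the closest simulated attack (the constructed "worm" case, whose event mix and node coverage it resembles most) with its mitigation list, and then records the live signature as a new training signature so that a subsequent attack with a resembling signature is matched to it rather than to the original simulation. The matching step compares the live signature directly against each training signature, as the claims state; the SOM cell supplies the position on the two-dimensional display and its severity region.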