Dynamic system defense for information warfare

US 6,408,391 B1
Filed: 05/06/1998
Issued: 06/18/2002
Est. Priority Date: 05/06/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for computer network use, comprising:

receiving audit information from an audited computer on a network, at a security computer;

wherein the audit information includes an alert that an unauthorized operation has occurred at the audited computer; and

initiating an automatic countermeasure, from the security computer, against the unauthorized operation at the audited computer wherefrom the audit information was received;

wherein said initiating a countermeasure step includes the step of sending a transferable self-contained set of executable code instructions for implementing the countermeasure from the security computer to the computer on which the determined unauthorized operation occurred.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a method and apparatus which includes a security computer system capable of deploying and monitoring software agents on one or more nodes of a network of computers. The agents on each node include a framework agent and either a misdirection mission or a defensive mission. Upon an intrusion detection mission sending information to the security computer system indicative of an actual or suspected misuse or intrusion, the security computer system can automatically take countermeasures against the suspected or actual intrusion or misuse. Automatic countermeasures include using a defensive countermeasure to increase an auditing level conducted by the intrusion detection mission. A misdirection countermeasure mission is used to misdirect requests of the suspected or actual intruder or misuser. An offensive countermeasure is used to send a chase mission to the suspected or actual intruder. The offensive chase mission can either be automatically dispatched or dispatched with human intervention. The computer system includes a monitor for monitoring by a human system administrator.

Citations

21 Claims

1. A method for computer network use, comprising:
- receiving audit information from an audited computer on a network, at a security computer;
  
  wherein the audit information includes an alert that an unauthorized operation has occurred at the audited computer; and
  
  initiating an automatic countermeasure, from the security computer, against the unauthorized operation at the audited computer wherefrom the audit information was received;
  
  wherein said initiating a countermeasure step includes the step of sending a transferable self-contained set of executable code instructions for implementing the countermeasure from the security computer to the computer on which the determined unauthorized operation occurred.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein said transferable self-contained set of executable code is an agent.
  - 3. The method of claim 1, wherein auditing is performed by an audit and intrusion detection mission on a computer on the network which provides audit information to the security computer that an unauthorized operation has occurred.

4. A method for computer network use, comprising:
- receiving audit information from an audited computer on a network, at a security computer;
  
  wherein the audit information includes an alert that an unauthorized operation has occurred at the audited computer; and
  
  initiating an automatic countermeasure, from the security computer, against the unauthorized operation at the audited computer wherefrom the audit information was received;
  
  wherein said initiating a countermeasure step includes deploying a transferable self-contained set of executable code instructions at the computer on which a determined unauthorized operation occurred for misdirecting further unauthorized operation to a dummy database on the computer.
- View Dependent Claims (5, 6, 7)
- - 5. The method of claim 4, wherein the transferable self-contained executable code instruction is a misdirection agent.
  - 6. The method of claim 5, wherein the misdirection agent includes a Trojan horse which can be downloaded by an actual or suspected intruder which performed the unauthorized operation.
  - 7. The method of claim 6, wherein the Trojan horse comprises transferable self-contained executable code instructions which can be instantiated at the actual or suspected intruder'"'"'s computer under instructions from the security computer.

8. A method for computer network use, comprising:
- receiving audit information from an audited computer on a network, at a security computer;
  
  wherein the audit information includes an alert that an unauthorized operation has occurred at the audited computer; and
  
  initiating an automatic countermeasure, from the security computer, against the unauthorized operation at the audited computer wherefrom the audit information was received;
  
  wherein the unauthorized operation is initiated by a computer outside the network; and
  
  wherein said initiating a countermeasure step includes deploying a transferable self-contained set of executable code instructions for implementing the countermeasure at the computer of the intruder.

9. A method for computer network use, comprising:
- instantiating defensive and offensive agents at each of one or more computers;
  
  receiving audit information from an audited computer on a network, at a security computer;
  
  wherein the audit information includes an alert that an unauthorized operation has occurred at the audited computer; and
  
  initiating an automatic countermeasure, from the security computer, against the unauthorized operation at the audited computer wherefrom the audit information was received.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9, auditing computers on the computer network and providing information from the one or more audits to a security computer on the network, and determining, based upon information provided by the auditing step, that an unauthorized intrusion has occurred at an identified audited computer.
  - 11. The method of claim 9, wherein the taking a countermeasures step occurs automatically.

12. A method for computer network use, comprising:
- receiving information, at a security computer, that an unauthorized operation has occurred at a computer or the network; and
  
  taking a countermeasure, from the security computer, against the intrusion including dispatching a transferable self-contained set of executable instructions to the identified audited computer, and automatically executing the set of executable instructions on the identified audited computer to implement the countermeasure.

13. A computer network comprising:
- a security computer including one or more software modules for deploying, controlling and monitoring agents on one or more computers of the computer network;
  
  each of said one or more computers on the computer network including a security operative which includes;
  
  at least one offensive mission for taking countermeasures against an unauthorized operation, and a misdirection mission for misdirecting further unauthorized operations.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The network of claim 13, wherein the one or more software modules comprise:
    - a response engine module for analyzing collected data reported by the defensive mission, for detecting and characterizing intrusions and misuses, for searching a countermeasure data base and for profiling user data; and
      
      a for deploying missions for tracking and controlling missions, for storing data collected by the defensive mission and for providing for system protection when a suspected or actual intrusion or misuse occurs, wherein the response engine module instructs the to take countermeasures including deploying missions and shutting down computers on the network.
  - 15. The network of claim 13, wherein each computer includes a transferable self-contained set of executable code instructions representing a framework agent.
  - 16. The network of claim 13, wherein said misdirection mission includes a Trojan horse.
  - 17. The network of claim 13, wherein said defensive mission is a transferable self-contained set of executable code instructions and includes a change audit mission.
  - 18. The network of claim 13, wherein said offensive mission is a transferable self-contained set of executable code instructions and includes a chase mission for being transferred to the suspected or actual intruder.

19. A security system comprising:
- a processor;
  
  a network interface coupling computers on a computer network; and
  
  a memory coupled to said processor storing executable code for taking countermeasures, the memory having stored therein sequences of instructions, which, when executed by said processor, cause said processor to perform the steps of;
  
  receiving information that an unauthorized operation has occurred on a computer on the network;
  
  taking countermeasures against the unauthorized operation including dispatching a transferable self-contained set of executable instructions to the determined computer; and
  
  executing the set of executable instructions on the determined audited computer to implement the countermeasure.

20. A computer readable medium having agents stored thereon, the agents comprising:
- at least one defensive agent for monitoring for unauthorized operations on a computer within a computer network and reporting back to a security computer;
  
  at least one misdirection agent for misdirecting requests by an actual or suspected intruder or misuser to a location in a monitored computer where the actual or suspected intruder obtains false information; and
  
  at least one offensive agent for taking countermeasures against an actual or suspected intruder to prevent or suppress further intrusion by the actual or suspected intruder.
- View Dependent Claims (21)
- - 21. A computer readable medium as in claim 20, further having executable code for:

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Northrop Grumman Systems Corporation (Northrop Grumman Corporation)
Original Assignee
PRC, Inc. (Arthur D. Little, Inc.)
Inventors
Huff, Julie Lynn, Jackson, Sheila Ann, Shelanskey, Tracy Glenn
Primary Examiner(s)
Beausoleil, Robert
Assistant Examiner(s)
Bonzo, Bryce P.

Application Number

US09/073,648
Time in Patent Office

1,504 Days
Field of Search

713/200, 713/201, 713/202, 709/223, 709/224, 709/225
US Class Current

726/22
CPC Class Codes

G06F 11/3495   for systems

G06F 21/305   by remotely controlling dev...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 2221/034   Test or assess a computer o...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2151   Time stamp

H04L 41/046   comprising network manageme...

H04L 41/0806   for initial configuration o...

H04L 63/0218   Distributed architectures, ...

H04L 63/0435   wherein the sending and rec...

H04L 63/1408   by monitoring network traff...

H04L 9/40   Network security protocols

Dynamic system defense for information warfare

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic system defense for information warfare

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links