Intrusion detection system

DC CAFC

US 7,260,846 B2
Filed: 03/03/2006
Issued: 08/21/2007
Est. Priority Date: 07/30/2002
Status: Expired due to Term

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. An intrusion detection system (IDS) comprising:

a traffic sniffer executing in a computing system for extracting network packets from passing network traffic;

a traffic parser executing in a computing system configured to extract individual data from defined packet fields of said network packets;

a traffic logger executing in a computing system configured to store individual packet fields of said network packets in a database;

a vector builder executing in a computing system configured to generate multi-dimensional vectors from selected features of said stored packet fields;

at least one self-organizing clustering module executing in a computing system configured to process said multi-dimensional vectors to produce a self-organized map of clusters;

an anomaly detector executing in a computing system able to detect anomalous correlations between individual ones of said clusters in said self-organized map based upon at least one configurable correlation metric; and

a classifier executing in a computing system configured to classify detected anomalous correlations as one of an alarm behavior.

View all claims

5 Assignments

Timeline View

Assignment View

Litigations

2 Petitions

Reexamination

Accused Products

Abstract

An intrusion detection system (IDS). An IDS which has been configured in accordance with the present invention can include a traffic sniffer for extracting network packets from passing network traffic; a traffic parser configured to extract individual data from defined packet fields of the network packets; and, a traffic logger configured to store individual packet fields of the network packets in a database. A vector builder can be configured to generate multi-dimensional vectors from selected features of the stored packet fields. Notably, at least one self-organizing clustering module can be configured to process the multi-dimensional vectors to produce a self-organized map of clusters. Subsequently, an anomaly detector can detect anomalous correlations between individual ones of the clusters in the self-organized map based upon at least one configurable correlation metric. Finally, a classifier can classify detected anomalous correlations as one of an alarm and normal behavior.

147 Citations

12 Claims

1. An intrusion detection system (IDS) comprising:
- a traffic sniffer executing in a computing system for extracting network packets from passing network traffic;
  
  a traffic parser executing in a computing system configured to extract individual data from defined packet fields of said network packets;
  
  a traffic logger executing in a computing system configured to store individual packet fields of said network packets in a database;
  
  a vector builder executing in a computing system configured to generate multi-dimensional vectors from selected features of said stored packet fields;
  
  at least one self-organizing clustering module executing in a computing system configured to process said multi-dimensional vectors to produce a self-organized map of clusters;
  
  an anomaly detector executing in a computing system able to detect anomalous correlations between individual ones of said clusters in said self-organized map based upon at least one configurable correlation metric; and
  
  a classifier executing in a computing system configured to classify detected anomalous correlations as one of an alarm behavior.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. IDS of claim 1, wherein said database is a relational database.
  - 3. The IDS of claim 1, wherein said at least one self-organizing clustering module is configured to perform at least one of a Kohenen self-organizing map analysis, a principal component analysis, an multi-dimensional scaling analysis, a principal curve analysis, a wavelet analysis, and a neural network analysis.
  - 4. The IDS of claim 1, wherein said at least one configurable correlation metric is selected from the group consisting of a heuristically determined metric and a manually specified metric.
  - 5. The IDS of claim 1, wherein said at least one configurable correlation metric is a distance metric selected from the group consisting of a Euclidean distance metric and a non-Euclidean distance metric.
  - 6. The IDS of claim 1, wherein said classifier is a weighted classifier configured to weight individual ones of said anomalous correlations according to a corresponding self-organizing clustering module used to produce particular clusters between which said individual ones of said anomalous correlations are detected.

7. An intrusion detection method comprising the steps of:
- monitoring network traffic passing across a network communications path;
  
  extracting network packets from said passing traffic;
  
  storing individual components of said network packets in a database;
  
  constructing multi-dimensional vectors from at least two of said stored individual components and applying at least one multi-variate analysis to said constructed multi-dimensional vectors, said at least one multi-variate analysis producing a corresponding output set;
  
  establishing a correlation between individual output sets based upon a selected metric to identify anomalous behavior; and
  
  ,classifying said anomalous behavior as an event selected from the group consisting of a network fault, a change in network performance and a network attack.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7, wherein said storing step comprises the steps of:
    - identifying protocol boundaries in each extracted network packet; and
      
      ,storing data from each field separated by said identified protocol boundaries in a separate record in said database.
  - 9. The method of claim 8, further comprising the step of storing with each said individual component in said separate record in said database, data associating said individual component with at least one of a corresponding target network device, a corresponding network socket, and a corresponding customer.
  - 10. The method of claim 7, wherein said step of applying at least one multi-variate analysis to said constructed multi-dimensional vectors comprises the steps of:
    - reducing said constructed multi-dimensional vectors; and
      
      ,applying at least one self-organizing clustering methodology to said reduced multi-dimensional vectors, said application of said at least one self-organizing clustering methodology producing a corresponding output set of clusters.
  - 11. The method of claim 10, wherein said establishing step comprises the steps of:
    - loading at least one selectable metric;
      
      correlating individual ones of said clusters in said output set;
      
      determining whether any of said correlations deviate from said loaded at least one selectable metric; and
      
      ,for each one of said correlated clusters in said output set which deviates from said loaded at least one selectable metric, labeling said deviating correlated cluster as exhibiting anomalous behavior.

12. An intrusion detection method comprising the steps of:
- monitoring network traffic passing across a network communications path destined for multiple target devices in multiple independent network domains and extracting network packets from said passing traffic;
  
  identifying protocol boundaries in each extracted network packet and storing data from each field separated by said identified protocol boundaries in a database;
  
  associating said data in said database with at least one of a corresponding target device, a target network domain, a target customer, and a target customer sub-net;
  
  processing said stored data using at least one self-organizing clustering method to establish correlations between fields of different network packets destined for different ones of said multiple independent network domains; and
  
  ,identifying a network attack, a network fault, or a change in network performance based upon said established correlations.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Longhorn HD LLC (Alpha Alpha Intellectual Partners LLC)
Original Assignee
STEELCLOUD, INC.
Inventors
Day, Christopher W.
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
KLIMACH, PAULA W

Application Number

US11/367,950
Publication Number

US 20060156404A1
Time in Patent Office

536 Days
Field of Search

726/23, 726/11, 726 13- 14, 726/25, 726/27, 713/194, 709/223
US Class Current

726/23
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Intrusion detection system

First Claim

5 Assignments

Litigations

2 Petitions

Reexamination

Accused Products

Abstract

147 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection system

First Claim

5 Assignments

Subscription Required

Subscription Required

Litigations

2 Petitions

Subscription Required

Reexamination

Accused Products

Subscription Required

Abstract

147 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links