System and method for intruder tracking using advanced correlation in a network security system

US 7,352,280 B1
Filed: 09/01/2005
Issued: 04/01/2008
Est. Priority Date: 09/01/2005
Status: Active Grant

First Claim

Patent Images

1. A method for correlating event information, comprising:

receiving event information for a plurality of detected events wherein;

the event information for a particular detected event comprises a plurality of attributes associated with the particular detected event; and

the particular detected event is associated with at least one data packet in an enterprise network;

assigning a plurality of attribute values to each detected event, the attribute values of each detected event defining a point in n-dimensional space;

storing the event information for each detected event in accordance with the attribute values assigned to that detected event;

receiving a target event comprising a plurality of attributes wherein;

the target event is associated with at least one data packet that threatens the enterprise network;

the attributes of the target event are associated with attribute values; and

the attribute values of the target event define a target point in n-dimensional space;

receiving a plurality of proximity limits that define a portion of n-dimensional space surrounding the target point; and

identifying a plurality of detected events wherein the points defined by the attribute values of the identified detected events are within the portion of n-dimensional space defined by the proximity limits.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for correlating event information comprises receiving event information for a plurality of detected events wherein the event information for a particular detected event comprises a plurality of attributes associated with that detected event. The method continues by assigning a plurality of attribute values to each detected event, the attribute values of each detected event defining a point in n-dimensional space. The method continues by storing the event information for each detected event in accordance with the attribute values assigned to that detected event. The method continues by receiving a target event comprising a plurality of attributes wherein the attributes of the target event are associated with attribute values and the attribute values of the target event define a target point in n-dimensional space. The method continues by receiving a plurality of proximity limits that define a portion of n-dimensional space surrounding the target point. The method concludes by identifying a plurality of detected events wherein the points defined by the attribute values of the identified detected events are within the portion of n-dimensional space defined by the proximity limits.

Citations

31 Claims

1. A method for correlating event information, comprising:
- receiving event information for a plurality of detected events wherein;
  
  the event information for a particular detected event comprises a plurality of attributes associated with the particular detected event; and
  
  the particular detected event is associated with at least one data packet in an enterprise network;
  
  assigning a plurality of attribute values to each detected event, the attribute values of each detected event defining a point in n-dimensional space;
  
  storing the event information for each detected event in accordance with the attribute values assigned to that detected event;
  
  receiving a target event comprising a plurality of attributes wherein;
  
  the target event is associated with at least one data packet that threatens the enterprise network;
  
  the attributes of the target event are associated with attribute values; and
  
  the attribute values of the target event define a target point in n-dimensional space;
  
  receiving a plurality of proximity limits that define a portion of n-dimensional space surrounding the target point; and
  
  identifying a plurality of detected events wherein the points defined by the attribute values of the identified detected events are within the portion of n-dimensional space defined by the proximity limits.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - correlating the event information of the identified detected events with at least one attacker profile, the at least one attacker profile comprising a plurality of characteristics of an attacker of an enterprise network;
      
      storing the event information of the identified detected events with the at least one attacker profile; and
      
      displaying to an operator the at least one attacker profile.
  - 3. The method of claim 2, further comprising generating a new attacker profile if the event information of the identified detected events does not correlate with at least one attacker profile, the new attacker profile based at least in part on the event information of the identified detected events.
  - 4. The method of claim 2, wherein the correlation is performed using at least one Bayesian network or at least one neural network.
  - 5. The method of claim 1, wherein the event information is received by a plurality of sensors operable to receive data associated with potential attacks on at least one enterprise network.
  - 6. The method of claim 1, wherein:
    - each attribute value of a particular detected event corresponds to a particular attribute value of the target event; and
      
      each proximity limit corresponds to a particular attribute value of the target event.
  - 7. The method of claim 1, wherein:
    - a first attribute of the detected event is a source IP address;
      
      a second attribute of the detected event is a destination IP address; and
      
      a third attribute of the detected event is a time of detection.
  - 8. The method of claim 1, wherein:
    - a first axis of the n-dimensional space corresponds to source IP addresses of the plurality of detected events; and
      
      a second axis of the n-dimensional space corresponds to destination IP addresses of the plurality of detected events.
  - 9. The method of claim 1, wherein the target event is at least one of the following:
    - a computer virus;
      
      a trojan horse;
      
      a computer worm; and
      
      at least a portion of malicious computer code.
  - 10. The method of claim 1, wherein the target event and the attribute values associated with the target event are received from an operator.
  - 11. The method of claim 1, wherein the plurality of proximity limits are received from an operator.

12. A system for correlating event information, comprising:
- at least one sensor operable to receive event information for a plurality of detected events wherein;
  
  the event information for a particular detected event comprises a plurality of attributes associated with the particular detected event; and
  
  the particular detected event is associated with at least one data packet in an enterprise network;
  
  at least one processor operable to;
  
  assign a plurality of attribute values to each detected event, the attribute values of each detected event defining a point in n-dimensional space;
  
  receive a target event comprising a plurality of attributes wherein;
  
  the target event is associated with at least one data packet that threatens the enterprise network;
  
  the attributes of the target event are associated with attribute values; and
  
  the attribute values of the target event define a target point in n-dimensional space;
  
  receive a plurality of proximity limits that define a portion of n-dimensional space surrounding the target point; and
  
  identify a plurality of detected events wherein the points defined by the attribute values of the identified detected events are within the portion of n-dimensional space defined by the proximity limits; and
  
  at least one memory module operable to store the event information for each detected event in accordance with the attribute values assigned to that detected event.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The system of claim 12, further comprising a graphical user interface and wherein:
    - the processor is further operable to correlate the event information of the identified detected events with at least one attacker profile, the at least one attacker profile comprising a plurality of characteristics of an attacker of an enterprise network;
      
      the memory module is further operable to store the event information of the identified detected events with the at least one attacker profile; and
      
      the graphical user interface is operable to display to an operator the at least one attacker profile.
  - 14. The system of claim 13, wherein the processor is further operable to generate a new attacker profile if the event information of the identified detected events does not correlate with at least one attacker profile, the new attacker profile based at least in part on the event information of the identified detected events.
  - 15. The system of claim 13, wherein the processor is operable to perform the correlation using at least one Bayesian network or at least one neural network.
  - 16. The system of claim 12, wherein:
    - each attribute value of a particular detected event corresponds to a particular attribute value of the target event; and
      
      each proximity limit corresponds to a particular attribute value of the target event.
  - 17. The system of claim 12, wherein:
    - a first attribute of the detected event is a source IP address;
      
      a second attribute of the detected event is a destination IP address; and
      
      a third attribute of the detected event is a time of detection.
  - 18. The system of claim 12, wherein:
    - a first axis of the n-dimensional space corresponds to source IP addresses of the plurality of detected events; and
      
      a second axis of the n-dimensional space corresponds to destination IP addresses of the plurality of detected events.
  - 19. The system of claim 12, wherein the target event is an attack on at least one enterprise network, the attack detected by an intrusion detection system the target event is at least one of the following:
    - a computer virus;
      
      a trojan horse;
      
      a computer worm; and
      
      at least a portion of malicious computer code.
  - 20. The system of claim 12, wherein the target event and the attribute values associated with the target event are received from an operator.
  - 21. The system of claim 12, wherein the plurality of proximity limits are received from an operator.

22. An apparatus for correlating event information, comprising:
- at least one processor operable to;
  
  receive event information for a plurality of detected events wherein;
  
  the event information for a particular detected event comprises a plurality of attributes associated with the particular detected event; and
  
  the particular detected event is associated with at least one data packet in an enterprise network;
  
  assign a plurality of attribute values to each detected event, the attribute values of each detected event defining a point in n-dimensional space;
  
  receive a target event comprising a plurality of attributes wherein;
  
  the target event is associated with at least one data packet that threatens the enterprise network;
  
  the attributes of the target event are associated with attribute values; and
  
  the attribute values of the target event define a target point in n-dimensional space;
  
  receive a plurality of proximity limits that define a portion of n-dimensional space surrounding the target point; and
  
  identify a plurality of detected events wherein the points defined by the attribute values of the identified detected events are within the portion of n-dimensional space defined by the proximity limits; and
  
  at least one memory module operable to store the event information for each detected event in accordance with the attribute values assigned to that detected event.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 23. The apparatus of claim 22, further comprising a graphical user interface and wherein:
    - the processor is further operable to correlate the event information of the identified detected events with at least one attacker profile, the at least one attacker profile comprising a plurality of characteristics of an attacker of an enterprise network;
      
      the memory module is further operable to store the event information of the identified detected events with the at least one attacker profile; and
      
      the graphical user interface is operable to display to an operator the at least one attacker profile.
  - 24. The apparatus of claim 23, wherein the processor is further operable to generate a new attacker profile if the event information of the identified detected events does not correlate with at least one attacker profile, the new attacker profile based at least in part on the event information of the identified detected events.
  - 25. The apparatus of claim 23, wherein the processor is operable to perform the correlation using at least one Bayesian network or at least one neural network.
  - 26. The apparatus of claim 22, wherein:
    - each attribute value of a particular detected event corresponds to a particular attribute value of the target event; and
      
      each proximity limit corresponds to a particular attribute value of the target event.
  - 27. The apparatus of claim 22, wherein:
    - a first attribute of the detected event is a source IP address;
      
      a second attribute of the detected event is a destination IP address; and
      
      a third attribute of the detected event is a time of detection.
  - 28. The apparatus of claim 22, wherein:
    - a first axis of the n-dimensional space corresponds to source IP addresses of the plurality of detected events; and
      
      a second axis of the n-dimensional space corresponds to destination IP addresses of the plurality of detected events.
  - 29. The apparatus of claim 22, wherein the target event is at least one of the following:
    - a computer virus;
      
      a trojan horse;
      
      a computer worm; and
      
      at least a portion of malicious computer code.
  - 30. The apparatus of claim 22, wherein the target event and the attribute values associated with the target event are received from an operator.
  - 31. The apparatus of claim 22, wherein the plurality of proximity limits are received from an operator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Francisco Partners Management LLC)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Rockwood, Troy Dean
Primary Examiner(s)
TRIEU, VAN THANH

Application Number

US11/219,595
Time in Patent Office

943 Days
Field of Search

340/521, 340/522, 340/524, 340/546, 340/945, 340/961, 342/36, 342/90, 342/96, 342/175, 345/419, 713/163, 709/238, 709/245
US Class Current

340/521
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

System and method for intruder tracking using advanced correlation in a network security system

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for intruder tracking using advanced correlation in a network security system

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links