Agent-based intrusion detection system
First Claim
1. A computer security system comprising:
a plurality of inter-communicating computers including software agents together forming a plurality of agent groups, each agent corresponding with other agents in its respective group but not with agents in other groups via a message-exchange system including the exchange of group specific tags;
means for maintaining and tracking groupwide measures of agent status or behavior; and
means for comparing actual behavior patterns of the measure for a given group with known normal behavior patterns and determining that a security threat does or may exist when the actual behavior patterns diverge from normal behavior patterns.
1 Assignment
Litigations
2 Petitions
Accused Products
Abstract
A computer security system uses a plurality of co-operating software agents to protect a network against attack. Individual agents at each node of the network co-operatively act to detect attacks and to share attack signatures and solutions via a message exchange mechanism. A global internal measurement of the overall health of the group of agents may be used as an indicator of a possible attack. In larger networks, the agents may be formed into a plurality of separate autonomous groups, with a common group identity being automatically maintained by the message passing mechanism. Individual groups may be located by a system designer in separate cells or domains within the network, so that if one cell becomes compromised the rest of the network is not affected.
43 Citations
50 Claims
1. A computer security system comprising:
a plurality of inter-communicating computers including software agents together forming a plurality of agent groups, each agent corresponding with other agents in its respective group but not with agents in other groups via a message-exchange system including the exchange of group specific tags; means for maintaining and tracking groupwide measures of agent status or behavior; and means for comparing actual behavior patterns of the measure for a given group with known normal behavior patterns and determining that a security threat does or may exist when the actual behavior patterns diverge from normal behavior patterns.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20, 21, 22, 23

16. A computer security system comprising:
a plurality of inter-communicating computers including software agents together forming an agent group; means for maintaining and tracking a groupwide measure of agent status or behavior; means for comparing actual behavior patterns of the measure with known normal behavior patterns; and means for determining that a security threat does or may exist when the actual behavior patterns diverge from normal behavior patterns; wherein each agent, individually, attempts to detect anomalous behavior; wherein detected anomalous behavior is converted into an anomaly pattern which the agent attempts to match against a local record of known anomaly patterns; wherein the value is indicative of a notional metabolic rate of the agents within the group; and wherein, if the match fails and the agent cannot recognize the anomaly pattern its metabolic rate is increased, or its life expectancy or notional energy is decreased.

24. A computer security system comprising:
a plurality of inter-communicating computers having software agents together forming a plurality of agent groups, each agent corresponding with other agents in its respective group but not with agents in other groups via a message-exchange system including the exchange of group specific tags; each agent including means for comparing an actual behavior pattern of its respective group with stored expected behavior patterns and co-operatively determining when a security threat does or may exist, the agents communicating by a message-exchange system in which, as messages pass between a first agent and a second agent, the ability of the first agent to recognize the second as friendly increases.

25. A computer security system comprising:
a plurality of inter-communicating computers having software agents together forming a plurality of agent groups, each agent corresponding with other agents in its respective group but not with agents in other groups via a message-exchange system including the exchange of group specific tags; the agents each including means for comparing an actual behavior pattern of its respective group with stored expected behavior patterns and for communicating by a message-exchange system in which, when one agent determines that a security threat does or may exist, that agent sends a warning message, including an anomaly pattern indicative of the threat, to other agents in its group.

26. A method providing computer security among a plurality of inter-communicating computers having associated software agents, said method comprising:
dividing a plurality of said agents into plural groups, each agent corresponding with other agents in its respective group but not with agents in other groups, a message-exchange system including the exchange of group specific tags; maintaining and tracking groupwide measures of agent status or behavior; comparing actual behavior patterns of the measure for a given group with known normal behavior patterns; and determining that a security threat does or may exist when the actual behavior patterns diverge from normal behavior patterns.
Dependent claims: 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 42, 43, 44, 45, 46, 47, 48

41. A method providing computer security among a plurality of inter-communicating software agents together forming an agent group, said method comprising:
maintaining and tracking a groupwide measure of agent status or behavior; comparing actual behavior patterns of the measure with known normal behavior patterns; and determining that a security threat does or may exist when the actual behavior patterns diverge from normal behavior patterns; wherein each agent, individually, attempts to detect anomalous behavior; wherein detected anomalous behavior is converted into an anomaly pattern which the agent attempts to match against a local record of known anomaly patterns; and wherein, if the match fails and the agent cannot recognize the anomaly pattern its metabolic rate is increased, or its life expectancy or notional energy is decreased.

49. A method providing computer security for a plurality of inter-communicating software agents which together form a plurality of agent groups, each agent corresponding with other agents in its respective group but not with agents in other groups via a message-exchange system including the exchange of group specific tags, said agents cooperating to perform said method comprising:
comparing at each agent actual behavior patterns of an agent's own group with stored expected behavior patterns; and determining at each agent when a security threat does or may exist based on said comparing step, the agents communicating by a message-exchange system in which, as messages pass between a first agent and second agent, the ability of the first agent to recognize the second as friendly increases.

50. A method comprising computer security for a plurality of inter-communicating software agents together forming a plurality of agent groups, each agent corresponding with other agents in its respective group but not with agents in other groups via a message-exchange system including the exchange of group specific tags, the agents cooperating to perform said method comprising:
comparing at each agent actual behavior patterns of an agent's own group with stored expected behavior patterns; and each agent communicating by a message-exchange system in which, when one agent determines that a security threat does or may exist, that agent sends a warning message, including an anomaly pattern indicative of the threat, to other agents in its group.

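The abstract and claims 16, 24 and 25 together describe one mechanism: agents accept messages only when they carry their own group's tag, an unrecognised local anomaly raises the agent's notional metabolic rate and is broadcast to the group as an anomaly pattern, peers learn the pattern and trust the sender a little more with each message, and the group is flagged when its mean metabolic rate diverges from a known normal value. The following Python sketch is an added illustration of that scheme, not code from the patent or its assignee. The agent names, the per-feature baselines, the "3x baseline" spike rule, the +1 metabolic-rate increment, the 0.5 tolerance and the observation sequence are all assumptions constructed for the example.

```python
# Added illustration of the grouped-agent scheme described in the abstract and
# claims 16, 24 and 25: not the patent's own code. Agent names, feature
# baselines, the "3x baseline" spike rule, the +1 metabolic-rate increment and
# the 0.5 tolerance are all assumptions made for the example.
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Message:
    sender: str
    group_tag: str   # group-specific tag carried by every message
    pattern: str     # anomaly pattern indicative of the detected threat


@dataclass
class Agent:
    name: str
    group_tag: str
    baseline: dict = field(default_factory=dict)        # feature -> normal value
    known_patterns: set = field(default_factory=set)    # local record of anomaly patterns
    metabolic_rate: float = 1.0                         # notional rate; rises on unrecognised anomalies
    trust: dict = field(default_factory=dict)           # sender -> messages seen; grows with traffic

    def detect(self, feature, value):
        """Local anomaly detection: a value above 3x the baseline becomes a pattern."""
        normal = self.baseline.get(feature)
        if normal is None or value <= 3 * normal:
            return None
        return f"{feature}:spike"

    def receive(self, msg):
        """Accept only messages tagged for this agent's own group."""
        if msg.group_tag != self.group_tag:
            return False
        # Each message from a peer makes that peer easier to recognise as friendly
        self.trust[msg.sender] = self.trust.get(msg.sender, 0) + 1
        # Shared warning: learn the peer's anomaly pattern as a known signature
        self.known_patterns.add(msg.pattern)
        return True


class Group:
    def __init__(self, tag, agents, normal_rate=1.0, tolerance=0.5):
        self.tag, self.agents = tag, agents
        self.normal_rate, self.tolerance = normal_rate, tolerance

    def broadcast(self, sender, pattern):
        """Send a warning to every other member; returns how many accepted it."""
        msg = Message(sender.name, self.tag, pattern)
        return sum(a.receive(msg) for a in self.agents if a is not sender)

    def measure(self):
        """Groupwide measure: mean metabolic rate of the member agents."""
        return mean([a.metabolic_rate for a in self.agents])

    def threat(self):
        """Threat flagged when the measure diverges from the known normal value."""
        return self.measure() - self.normal_rate > self.tolerance


def observe(group, agent, feature, value):
    """One agent handles one observation; returns 'normal', 'known' or 'new'."""
    pattern = agent.detect(feature, value)
    if pattern is None:
        return "normal"
    if pattern in agent.known_patterns:
        return "known"               # recognised anomaly: no extra stress on the agent
    agent.metabolic_rate += 1.0      # unrecognised anomaly raises the metabolic rate
    agent.known_patterns.add(pattern)
    group.broadcast(agent, pattern)  # warn the rest of the group with the pattern
    return "new"


def simulate():
    """Run a constructed sequence of observations across two isolated groups."""
    baseline = {"ssh_fail": 5, "conn_rate": 100}
    group_a = Group("A", [Agent(n, "A", baseline=dict(baseline)) for n in ("a1", "a2", "a3")])
    group_b = Group("B", [Agent(n, "B", baseline=dict(baseline)) for n in ("b1", "b2")])
    a1, a2, a3 = group_a.agents
    b1, b2 = group_b.agents
    # Constructed observations: (group, agent, feature, value per minute)
    events = [
        (group_a, a1, "ssh_fail", 40),    # new anomaly in A, shared with a2 and a3
        (group_a, a2, "ssh_fail", 50),    # a2 already knows the pattern from a1
        (group_a, a3, "conn_rate", 900),  # second unknown anomaly pushes A over tolerance
        (group_b, b1, "ssh_fail", 40),    # B never heard A's warning; handles it alone
    ]
    log = []
    for grp, agent, feature, value in events:
        verdict = observe(grp, agent, feature, value)
        log.append((agent.name, feature, verdict, round(grp.measure(), 3), grp.threat()))
    # A message tagged for group A is dropped by a group B agent
    cross = b2.receive(Message("a1", "A", "conn_rate:spike"))
    return {
        "log": log,
        "cross_group_accepted": cross,
        "a2_trusts_a1": a2.trust.get("a1", 0),
        "b2_learned_a_only_pattern": "conn_rate:spike" in b2.known_patterns,
    }


if __name__ == "__main__":
    for row in simulate()["log"]:
        print(row)
```

The point the sketch makes concrete is the isolation property from the abstract: group B never learns the `conn_rate:spike` pattern seen only in group A, so a compromised or noisy cell cannot feed signatures or alarms into another cell, while within a group one unrecognised anomaly is enough to seed the shared record and a second unrecognised one tips the groupwide measure past the tolerance.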
Specification