Agent-based intrusion detection system

DC CAFC

US 7,370,358 B2
Filed: 09/10/2002
Issued: 05/06/2008
Est. Priority Date: 09/28/2001
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A computer security system comprising:

a plurality of inter-communicating computers including software agents together forming a plurality of agent groups, each agent corresponding with other agents in its respective group but not with agents in other groups via a message-exchange system including the exchange of group specific tags;

means for maintaining and tracking groupwide measures of agent status or behavior; and

means for comparing actual behavior patterns of the measure for a given group with known normal behavior patterns and determining that a security threat does or may exist when the actual behavior patterns diverge from normal behavior patterns.

View all claims

1 Assignment

Timeline View

Assignment View

Litigations

2 Petitions

Accused Products

Abstract

A computer security system uses a plurality of co-operating software agents to protect a network against attack. Individual agents at each node the network co-operatively act to detect attacks and to share attack signatures and solutions via a message exchange mechanism. A global internal measurement of the overall health of the group of agents may be used as an indicator of a possible attack. In larger networks, the agents may be formed a plurality of separate autonomous groups, with a common group identity being automatically maintained by the message passing mechanism. Individual groups may be located by a system designer in separate cells or domains within the network, so that if one cell becomes compromised the rest of the network is not affected.

43 Citations

View as Search Results

50 Claims

1. A computer security system comprising:
- a plurality of inter-communicating computers including software agents together forming a plurality of agent groups, each agent corresponding with other agents in its respective group but not with agents in other groups via a message-exchange system including the exchange of group specific tags;
  
  means for maintaining and tracking groupwide measures of agent status or behavior; and
  
  means for comparing actual behavior patterns of the measure for a given group with known normal behavior patterns and determining that a security threat does or may exist when the actual behavior patterns diverge from normal behavior patterns.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20, 21, 22, 23)
- - 2. A computer security system as in claim 1 in which the measure for each group is a value indicative of a collective variable for that group, or an average value for the agents within that group.
  - 3. A computer security system as in claim 2 in which the system determines that a security threat does or may exist if the value for a group moves outside a range of normal values.
  - 4. A computer security system as in claim 2 in which the value for each group is indicative of a notional metabolic rate of the agents within that respective group.
  - 5. A computer security system as in claim 2 in which the value for each group is indicative of a notional life expectancy of the agents within that group.
  - 6. A computer security system as in claim 2 in which the value for each group is indicative of a notional energy level of agents within that group.
  - 7. A computer security system as in claim 2 in which the value for each group is indicative of inter-agent communication traffic.
  - 8. A computer security system as in claim 2 in which the value for each group is indicative of agents'"'"' success in attempting to communicate with other agents within that group.
  - 9. A computer security system as in claim 2 in which the value for each group is indicative of a combination of at least two of:
    - notional metabolic rate, notional life expectancy, notional energy level, inter-agent communication traffic and success in attempting to communicate with other agents.
  - 10. A computer security system as in claim 1 in which the agents reside on a virtual private network and communicate on a separate channel from that used by devices on a computer network being protected by the security system.
  - 11. A computer security system as in claim 10 in which each agent includes respective sensors, or is arranged to receive information for external sensors, which provide it with network measures indicative of a network being protected.
  - 12. A computer security system as in claim 11 in which the network measures include measures of at least one of:
    - memory utilization, network traffic, network writes, network reads, port probes, memory addresses, email activity or any combination thereof.
  - 13. A computer security system as in claim 10 in which the system determines that a security threat does or may exist in dependence upon a combination of the network measures and the actual behavior patterns of a groupwise measure.
  - 14. A computer security system as in claim 1 in which each agent, individually, attempts to detect anomalous behavior.
  - 15. A computer security system as in claim 14 in which detected anomalous behavior is converted into an anomaly pattern which an agent attempts to match against a local record of known anomaly patterns.
  - 17. A computer security system as in claim 14 in which an agent mutates the anomaly pattern, or the known anomaly patterns in its local record, as part of its attempts to match.
  - 18. A computer security system as in claim 1 in which the total number of agents within a group is dynamic, with agents dying and new agents automatically being created.
  - 19. A computer security system as in claim 1 in which the total number of agents within a group is fixed.
  - 20. A computer security system as in claim 19 in which there is exactly one agent per node of a computer network being protected by the system.
  - 21. A computer security system as in claim 6, in which each agent expends notional energy according to local computer resources it uses to perform its functions.
  - 22. A computer security system as in claim 6, in which during communication between agents, a quantity of notional energy is transferred from a transmitting agent to a receiving agent.
  - 23. A computer security system as in claim 1 including a system controller connected to be notified that a security threat does or may exist only when a given plurality of agents within a group determines that the threat does or may exist.

16. A computer security system comprising:
- a plurality of inter-communicating computers including software agents together forming an agent group;
  
  means for maintaining and tracking a groupwide measure of agent status or behavior;
  
  means for comparing actual behavior patterns of the measure with known normal behavior patterns; and
  
  means for determining that a security threat does or may exist when the actual behavior patterns diverge from normal behavior patterns;
  
  wherein each agent, individually. attempts to detect anomalous behavior;
  
  wherein detected anomalous behavior is converted into an anomaly pattern which the agent attempts to match against a local record of known anomaly patterns;
  
  wherein the value is indicative of a notional metabolic rate of the agents within the group; and
  
  wherein, if the match fails and the agent cannot recognize the anomaly pattern its metabolic rate is increased, or its life expectancy or notional energy is decreased.

24. A computer security system comprising:
- a plurality of inter-communicating computers having software agents together forming a plurality of agent groups, each agent corresponding with other agents in its respective group but not with agents in other groups via a message-exchange system including the exchange of group specific tags;
  
  each agent including means for comparing an actual behavior pattern of its respective group with stored expected behavior patterns and co-operatively determining when a security threat does or may exist, the agents communicating by a message-exchange system in which, as messages pass between a first agent and a second agent, the ability of the first agent to recognize the second as friendly increases.

25. A computer security system comprising:
- a plurality of inter-communicating computers having software agents together forming a plurality of agent groups, each agent corresponding with other agents in its respective group but not with agents in other groups via a message-exchange system including the exchange of group specific tags;
  
  the agents each including means for comparing an actual behavior pattern of its respective group with stored expected behavior patterns and for communicating by a message-exchange system in which, when one agent determines that a security threat does or may exist, that agent sends a warning message, including an anomaly pattern indicative of the threat, to other agents in its group.

26. A method providing computer security among a plurality of inter-communicating computers having associated software agents, said method comprising:
- dividing a plurality of said agents into plural groups, each agent corresponding with other agents in its respective group but not with agents in other groups, a message-exchange system including the exchange of group specific tags;
  
  maintaining and tracking groupwide measures of agent status or behavior comparing actual behavior patterns of the measure for a given group with known normal behavior patterns; and
  
  determining that a security threat does or may exist when the actual behavior patterns diverge from normal behavior patterns.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 42, 43, 44, 45, 46, 47, 48)
- - 27. A method as in claim 26 in which the measure for each group is a value indicative of a collective variable for that group, or an average value for the agents within that group.
  - 28. A method as in claim 27 in which it is determined that that a security threat does or may exist if the value for a group moves outside a range of normal values.
  - 29. A method as in claim 27 in which the value for each group is indicative of a notional metabolic rate of the agents within that respective group.
  - 30. A method as in claim 27 in which the value for each group is indicative of a notional life expectancy of the agents within that group.
  - 31. A method as in claim 27 in which the value for each group is indicative of a notional energy level of agents within that group.
  - 32. A method as in claim 27 in which the value for each group is indicative of inter-agent communication traffic.
  - 33. A method as in claim 27 in which the value for each group is indicative of agents'"'"' success in attempting to communicate with out agents with that group.
  - 34. A method as in claim 27 in which the value for each group is indicative of a combination of at least two of:
    - notional metabolic rate, notional life expectancy, notional energy level, inter-agent communication traffic and success in attempting to communicate with other agents.
  - 35. A method as in claim 26 in which the agents reside on a virtual private network and communicate on a separate channel from that used by devices on a computer network being protected by the security system.
  - 36. A method as in claim 35 in which each agent includes respective sensors, or is arranged to receive information for external sensors, which provide it with network measures indicative of a network being protected.
  - 37. A method as in claim 36 in which the network measures include measures of at least one of:
    - memory utilization, network traffic, network writes, network reads, port probes, memory addresses, email activity or any combination thereof.
  - 38. A method as in claim 35 in which it is determined that a security threat does or may exist in dependence upon a combination of the network measures and the actual behavior patterns of a groupwise measure.
  - 39. A method as in claim 26 in which each agent, individually, attempts to detect anomalous behavior.
  - 40. A method as in claim 39 in which detected anomalous behavior is converted into an anomaly pattern which an agent attempts to match against a local record of known anomaly patterns.
  - 42. A method as in claim 39 in which an agent mutates the anomaly pattern, or the known anomaly patterns in its local record, as part of its attempts to match.
  - 43. A method as in claim 26 in which the total number of agents within a group is dynamic, with agents dying and new agents automatically being created.
  - 44. A method as in claim 26 in which the total number of agents within a group is fixed.
  - 45. A method as in claim 44 in which there is exactly one agent per node of a computer network being protected.
  - 46. A method as in claim 31 in which each agent expends notional energy according to local computer resources it uses to perform its functions.
  - 47. A method as in claim 31 in which during communication between agents, a quantity of notional energy is transferred from a transmitting agent to a receiving agent.
  - 48. A method as in claim 26 including notifying a system controller that a security threat does or may exist only when a given plurality of agents within a group determines that the threat does or may exist.

41. A method providing computer security among a plurality of inter-communicating software agents together forming an agent group, said method comprising:
- maintaining and tracking a groupwide measure of agent status or behavior;
  
  comparing actual behavior patterns of the measure with known normal behavior patterns; and
  
  determining that a security threat does or may exist when the actual behavior patterns diverge from normal behavior patterns;
  
  wherein each agent, individually, attempts to detect anomalous behavior;
  
  wherein detected anomalous behavior is converted into an anomaly pattern which the agent attempts to match against a local record of known anomaly patterns; and
  
  wherein, if the match fails and the agent cannot recognize the anomaly pattern its metabolic rate is increased, or its life expectancy or notional energy is decreased.

49. A method providing a computer security for a plurality of inter-communicating software agents which together form a plurality of agent groups, each agent corresponding with other agents in its respective group but not with agents in other groups via a mess-exchange system including the exchange of group specific tags, said agents cooperating to perform said method comprising:
- comparing at each agent actual behavior patterns of an agent'"'"'s own group with stored expected behavior patterns; and
  
  determining at each agent when a security threat does or may exist based on said comparing step,the agents communicating by a message-exchange system in which, as messages pass between a first agent and second agent, the ability of the first agent to recognize the second as friendly increases.

50. A method comprising computer security for a plurality of inter-communicating software agents together forming a plurality of agent groups, each agent corresponding with other agents in its respective group but not with agents in other groups via a message-exchange system including the exchange of group specific tags, the agents cooperating to perform said method comprising:
- comparing at each agent actual behavior patterns of an agent'"'"'s own group with stored expected behavior patterns; and
  
  each agent communicating by a message-exchange system in which, when one agent determines that a security threat does or may exist, that agent sends a warning message, including an anomaly pattern indicative of the threat, to other agents in its group.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
British Telecommunications PLC (BT Group PLC)
Original Assignee
British Telecommunications PLC (BT Group PLC)
Inventors
Ghanea-Hercock, Robert A
Primary Examiner(s)
Barron; Gilberto
Assistant Examiner(s)
LEMMA, SAMSON B

Application Number

US10/488,943
Publication Number

US 20040255157A1
Time in Patent Office

2,065 Days
Field of Search

726/23, 726/22, 726/24, 726/25
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

H04L 63/1408   by monitoring network traff...

Agent-based intrusion detection system

First Claim

1 Assignment

Litigations

2 Petitions

Accused Products

Abstract

43 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Agent-based intrusion detection system

First Claim

1 Assignment

Subscription Required

Subscription Required

Litigations

2 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links