Method and system for encrypted network management and intrusion detection
First Claim
Patent Images
1. A network security system, the system comprising:
- a) a system data store capable of storing risk criteria data, network default data, historical data regarding an encrypted computer network, and network performance and usage data;
b) a first communication interface comprising a receiver that receives inbound communications from a communication channel associated with the communication interface;
c) a system processor comprising one or more processing elements, wherein the system processor is in communication with the system data store and wherein the system processor is programmed or adapted to perform the steps comprising of;
i) receiving data corresponding to a communication transmitted over an encrypted computer network and a signal used to transmit the communication via the communication, interface;
ii) detecting a violation within an encrypted data stream by applying a plurality of tests, wherein the plurality of tests comprise a statistical anomaly test that compares the received data with statistical data in the system data store or information derived therefrom and performs anomaly-based detection based on the comparison between the received data and the statistical data, wherein the plurality of tests further comprise a policy test that compares the received data to predetermined policy, and wherein the statistical data comprises any of mean, non-zero mean, standard deviation, autocorrelation, and peak for each time slice for a plurality of thresholds;
iii) generating an alarm signal if a violation was detected.
9 Assignments
0 Petitions
Accused Products
Abstract
A network security system includes a system data store capable of storing a variety of data associated with an encrypted computer network and communications transmitted thereon, a communication interface supporting communication over a communication channel and a system processor. Data corresponding to communications transmitted over the encrypted communication network are received. One or more tests are applied to the received data to determine whether a particular communication represents a potential security violation. An alarm may be generated based upon the results of the applied test or tests.
-
Citations
23 Claims
-
1. A network security system, the system comprising:
-
a) a system data store capable of storing risk criteria data, network default data, historical data regarding an encrypted computer network, and network performance and usage data; b) a first communication interface comprising a receiver that receives inbound communications from a communication channel associated with the communication interface; c) a system processor comprising one or more processing elements, wherein the system processor is in communication with the system data store and wherein the system processor is programmed or adapted to perform the steps comprising of; i) receiving data corresponding to a communication transmitted over an encrypted computer network and a signal used to transmit the communication via the communication, interface; ii) detecting a violation within an encrypted data stream by applying a plurality of tests, wherein the plurality of tests comprise a statistical anomaly test that compares the received data with statistical data in the system data store or information derived therefrom and performs anomaly-based detection based on the comparison between the received data and the statistical data, wherein the plurality of tests further comprise a policy test that compares the received data to predetermined policy, and wherein the statistical data comprises any of mean, non-zero mean, standard deviation, autocorrelation, and peak for each time slice for a plurality of thresholds; iii) generating an alarm signal if a violation was detected. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
-
-
21. A network security method, the method comprising the steps of:
-
a) receiving configuration information comprising one or more risk criteria, network default data, network policy, performance and usage data from a configuration file, an interactive data entry interface or a command line; b) receiving data corresponding to a communication transmitted over an encrypted computer network and a signal used to transmit the communication; c) updating a database containing data corresponding to stations in the encrypted computer network based upon the received data; d) updating state information associated with the encrypted computer network based upon the received data; e) if a statistical interval has ended based upon the received data or a fixed time interval, updating a database of statistics associated with the encrypted computer network, wherein the database of statistics comprises any of mean, non-zero mean, standard deviation, autocorrelation, and peak values for each time slice for a plurality of thresholds; f) testing the received data to determine if it represents a signature violation by comparing the received data with configuration information or information derived therefrom of known attack patterns; g) testing the received data to determine if it represents a protocol violation by comparing the received data with configuration information or information derived therefrom comprising an authorized protocol set; h) testing the received data to determine if it represents a statistical anomaly by comparing the received data with configuration, information, information derived therefrom, or information in the database of statistics associated with the encrypted computer network, wherein the statistical anomaly comprises a difference between the received data and corresponding information in the database of statistics larger than a threshold; i) testing the received data to determine if it represents a policy violation by comparing the received data with a configurable set of activity rules comprising predetermined policy; j) generating an alarm signal if the received data represents a signature violation, a protocol violation, a statistical anomaly or a policy violation, wherein, the generated alarm signal comprises a type and a severity; k) in response to the generated alarm, i) notifying an administrator of the generated alarm, its type and its seventy; or ii) actively defending the encrypted computer network based upon the generated alarm'"'"'s type and seventy by; 1) CRC errors; 2) transmitting communications comprising random data;
or3) locking-down the encrypted computer network; and 1) mapping station identity. - View Dependent Claims (22)
-
-
23. A network security system, the system comprising:
-
a) storing means for receiving and storing risk criteria data, network default data, and network performance and usage data; b) configuration means for receiving configuration information and forwarding the received configuration information to the storing means; c) communication data receiving means for receiving data corresponding to a communication transmitted over an encrypted computer network and a signal used to transmit the communication; d) database update means for transferring updated data to the storing means based upon data received by the communication data receiving means; e) testing means for applying a plurality of tests to data received by the communication data receiving means, wherein each of the plurality of tests comprise a signature test, a protocol test, a statistical anomaly test and a policy test and wherein each test compares data received by the communication data receiving means with data in the storing means or information derived therefrom; f) alarm means for generating an alarm signal if the data received by the communication data receiving means represents a signature violation, a protocol violation, a statistical anomaly or a policy violation as determined by the testing means, wherein the generated alarm signal comprises a type and a severity; g) notification means for notifying an administrator of an alarm generated by the alarm means, its type and its severity; h) active defense means for actively defending the encrypted computer network based upon the type and severity of an alarm generated by the alarm means by; i) CRC errors;
orii) transmitting communications comprising random data; and i) mapping means for mapping station identity.
-
Specification