Method and apparatus for predicting and preventing attacks in communications networks
First Claim
1. A system for security management in a data, voice, or video network, comprising:
a data collector coupled to the network and configured to collect one or more datasets from the network, wherein the collected datasets include at least one dataset collected from the network during a real or simulated attack on the network, and wherein the collected datasets further include at least one dataset collected from the network during an attack-free time period;
a temporal correlation engine communicatively coupled to the data collector, wherein the temporal correlation engine is configured to:
identify one or more variables at a target of the real or simulated attack on the network, wherein the variables identified at the target characterize the real or simulated attack on the network;
identify one or more key variables among the variables that characterize the real or simulated attack on the network, wherein the key variables are identified as containing precursors of the real or simulated attack on the network;
use the dataset collected during the attack-free time period to construct one or more normal profiles for the network;
extract a time series of precursor events that occurred prior to the real or simulated attack on the network from the dataset collected during the real or simulated attack on the network, wherein extracting the time series of precursor events includes comparing a time series evolution for the key variables during the real or simulated attack with the normal profiles constructed from the dataset collected during the attack-free time period;
extract at least one temporal rule for a scenario associated with the real or simulated attack on the network, wherein the temporal rule includes the extracted time series of precursor events; and
verify that the extracted time series of precursor events consistently occurred in the network prior to the real or simulated attack on the network; and
a network management system executing on at least one device coupled to the network, wherein the network management system is configured to:
monitor subsequent activity in the network to detect an occurrence of one or more of the precursor events in the monitored network activity; and
take protective action to prevent an imminent attack on the network in response to detecting one or more of the precursor events in the monitored network activity, wherein the temporal rule defines the protective action to be taken.
Abstract
In one embodiment of a method and apparatus for predicting and preventing network attacks, data is collected from network devices during an attack. The collected data is analyzed to identify specific temporal precursors of the attack. Future network activity is then monitored for the presence of the identified temporal attack precursors. When the presence of a precursor is detected, appropriate protective action is taken. Preferably, all steps in this process occur automatically. In the preferred embodiment, the process is performed under the control of one or more network or element management systems. The possible network domain includes data, voice, and video networks and multiple, interconnected network technologies. In one embodiment, triggers responsive to the presence of the identified precursors are placed into a network or element management system. The preferred embodiment of the invention utilizes machine-learning algorithms for discovering precursors of attacks, but any suitable algorithm may be used. The invention may be used in “attack autopsy” mode only, monitoring mode only, or both. Among other uses, the invention allows integration of Intrusion Detection Systems with Network Management Systems.
14 Claims
Claim 1 (system claim) is reproduced above under First Claim; claims 2 through 7 depend from claim 1.
8. A method for security management in a data, voice, or video network, comprising:
collecting one or more datasets from the network using a data collector coupled to the network, wherein the collected datasets include at least one dataset collected from the network during a real or simulated attack on the network, and wherein the collected datasets further include at least one dataset collected from the network during an attack-free time period;
identifying one or more variables at a target of the real or simulated attack on the network using a temporal correlation engine communicatively coupled to the data collector, wherein the variables identified at the target characterize the real or simulated attack on the network;
identifying one or more key variables among the variables that characterize the real or simulated attack on the network using the temporal correlation engine, wherein the key variables are identified as containing precursors of the real or simulated attack on the network;
using the dataset collected during the attack-free time period to construct one or more normal profiles for the network, wherein the one or more normal profiles are constructed using the temporal correlation engine;
extracting a time series of precursor events that occurred prior to the real or simulated attack on the network from the dataset collected during the real or simulated attack on the network, wherein extracting the precursor events includes the temporal correlation engine comparing a time series evolution for the key variables during the real or simulated attack with the normal profiles constructed from the dataset collected during the attack-free time period;
extracting at least one temporal rule for a scenario associated with the real or simulated attack on the network using the temporal correlation engine, wherein the temporal rule includes the extracted time series of precursor events;
verifying that the extracted time series of precursor events consistently occurred in the network prior to the real or simulated attack on the network using the temporal correlation engine;
monitoring subsequent activity in the network to detect an occurrence of one or more of the precursor events in the monitored network activity, wherein a network management system executing on at least one device coupled to the network is configured to monitor the subsequent activity in the network; and
taking protective action to prevent an imminent attack on the network in response to the network management system detecting one or more of the precursor events in the monitored network activity, wherein the temporal rule defines the protective action to be taken.
Claims 9 through 14 depend from claim 8.
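The pipeline that claims 1 and 8 and the abstract describe (normal profiles from attack-free data, precursor extraction by comparing key variables at the target against those profiles, a temporal rule verified across recorded attacks, then monitoring that takes the rule's protective action) is worked through below as an added Python example. This is illustrative code written for this page, not the patent's embodiment or the assignee's product; the key variables (syn_rate, half_open, cpu), the mean + k*std profile, the synthetic attack-free and attack datasets, the onset time and the action name rate_limit_syn are all assumptions.

```python
"""Toy model of the precursor pipeline in claims 1 and 8: profile the
attack-free period, extract precursors from recorded attacks, verify them
across runs, then monitor live samples and return the rule's action.
Added illustration, not the patent's code; all data below is constructed and
the variable names, thresholds and action name are hypothetical."""
from statistics import mean, pstdev

VARIABLES = ("syn_rate", "half_open", "cpu")  # key variables at the target
ONSET = 20  # time step at which the simulated attack itself begins

# Constructed attack-free dataset: small periodic jitter around a quiet baseline.
NORMAL = [{"t": t, "syn_rate": 50 + t % 5, "half_open": 10 + t % 3, "cpu": 20 + t % 4}
          for t in range(60)]

def attack_run(offset):
    """Constructed attack dataset: SYN rate ramps at t=10 and half-open
    connections climb at t=14, i.e. before the CPU saturates at ONSET."""
    run = []
    for t in range(30):
        syn, half, cpu = 50 + offset + t % 5, 10 + t % 3, 20 + t % 4
        if t >= 10:
            syn += 400
        if t >= 14:
            half += 150
        if t >= ONSET:
            cpu = 99
        run.append({"t": t, "syn_rate": syn, "half_open": half, "cpu": cpu})
    return run

ATTACKS = [attack_run(0), attack_run(2)]  # two recorded (simulated) attacks

def build_profile(normal, k=4.0):
    """Normal profile per variable: a sample above mean + k*std is a deviation."""
    prof = {}
    for v in VARIABLES:
        xs = [s[v] for s in normal]
        mu, sd = mean(xs), pstdev(xs)
        prof[v] = {"mean": mu, "std": sd, "upper": mu + k * max(sd, 1e-9)}
    return prof

def extract_precursors(run, profile, onset):
    """Compare each variable's evolution with its profile and return
    [(variable, lead_time)] for each first deviation before onset, in time order."""
    first = {}
    for s in run:
        if s["t"] >= onset:
            break
        for v in VARIABLES:
            if v not in first and s[v] > profile[v]["upper"]:
                first[v] = s["t"]
    return [(v, onset - t) for v, t in sorted(first.items(), key=lambda kv: kv[1])]

def verify_rule(runs, profile, onset, action="rate_limit_syn"):
    """Keep a temporal rule only if the same ordered precursor sequence precedes
    onset in every run; lead = shortest warning seen, window = longest gap from
    first precursor to onset (used to expire a partial match while monitoring)."""
    seqs = [extract_precursors(r, profile, onset) for r in runs]
    names = [[v for v, _ in s] for s in seqs]
    if not names or not names[0] or any(n != names[0] for n in names[1:]):
        return None
    leads = [s[0][1] for s in seqs]
    return {"sequence": names[0], "lead": min(leads), "window": max(leads), "action": action}

class PrecursorMonitor:
    """Management-system side: walk the precursor sequence in order over live
    samples and return the protective action once it completes within window."""
    def __init__(self, rule, profile):
        self.rule, self.profile, self.pos, self.start = rule, profile, 0, None

    def observe(self, s):
        if self.pos and s["t"] - self.start > self.rule["window"]:
            self.pos, self.start = 0, None  # partial match expired; start over
        want = self.rule["sequence"][self.pos]
        if s[want] > self.profile[want]["upper"]:
            if self.pos == 0:
                self.start = s["t"]
            self.pos += 1
            if self.pos == len(self.rule["sequence"]):
                self.pos, self.start = 0, None
                return self.rule["action"]
        return None

def actions_fired(rule, profile, samples):
    """Replay samples through a monitor and list every (t, action) trigger."""
    mon, fired = PrecursorMonitor(rule, profile), []
    for s in samples:
        a = mon.observe(s)
        if a:
            fired.append((s["t"], a))
    return fired

def run_pipeline():
    """Autopsy phase on the recorded attacks, then monitoring of a fresh
    constructed attack (should trigger before ONSET) and the quiet baseline."""
    profile = build_profile(NORMAL)
    rule = verify_rule(ATTACKS, profile, ONSET)
    if rule is None:
        return {"rule": None}
    live = actions_fired(rule, profile, attack_run(1))
    return {"rule": rule, "first_trigger": live[0] if live else None,
            "false_alarms": len(actions_fired(rule, profile, NORMAL))}
```

On the constructed data the autopsy phase yields the rule sequence [syn_rate, half_open] with a ten-step lead, and the monitor fires rate_limit_syn at t=14 on a fresh attack run, six steps before onset, with no triggers on the quiet baseline. The monitor fires only when the whole verified sequence completes, which trades lead time (t=14 rather than t=10 here) for fewer false alarms; firing on the first precursor is the other end of that trade, and the claims allow either since they require detection of "one or more" precursor events. The window expiry is the check a practitioner wants so that an isolated burst long before cannot combine with an unrelated later spike into a match. The verification step also matters in practice: if the precursor order differs between recorded attacks, verify_rule returns None and no rule is deployed, rather than a rule that fits one capture.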