Method and apparatus for predicting and preventing attacks in communications networks

US 7,603,709 B2
Filed: 05/03/2002
Issued: 10/13/2009
Est. Priority Date: 05/03/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A system for security management in a data, voice, or video network, comprising:

a data collector coupled to the network and configured to collect one or more datasets from the network, wherein the collected datasets include at least one dataset collected from the network during a real or simulated attack on the network, and wherein the collected datasets further include at least one dataset collected from the network during an attack-free time period;

a temporal correlation engine communicatively coupled to the data collector, wherein temporal correlation engine is configured to;

identify one or more variables at a target of the real or simulated attack on the network, wherein the variables identified at the target characterize the real or simulated attack on the network;

identify one or more key variables among the variables that characterize the real or simulated attack on the network, wherein the key variables are identified as containing precursors of the real or simulated attack on the network;

use the dataset collected during the attack-free time period to construct one or more normal profiles for the network;

extract a time series of precursor events that occurred prior to the real or simulated attack on the network from the dataset collected during the real or simulated attack on the network, wherein extracting the time series of precursor events includes comparing a time series evolution for the key variables during the real or simulated attack with the normal profiles constructed from the dataset collected during the attack-free time period;

extract at least one temporal rule for a scenario associated with the real or simulated attack on the network, wherein the temporal rule includes the extracted time series of precursor events; and

verify that the extracted time series of precursor events consistently occurred in the network prior to the real or simulated attack on the network; and

a network management system executing on at least one device coupled to the network, wherein the network management system is configured to;

monitor subsequent activity in the network to detect an occurrence of one or more of the precursor events in the monitored network activity; and

take protective action to prevent an imminent attack on the network in response to detecting one or more of the precursor events in the monitored network activity, wherein the temporal rule defines the protective action to be taken.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment of a method and apparatus for predicting and preventing network attacks, data is collected from network devices during an attack. The collected data is analyzed to identify specific temporal precursors of the attack. The future network activity is then monitored for the presence of the identified temporal attack precursors. When the presence of a precursor is detected, appropriate protective action is taken. Preferably, all steps in this process occur automatically. In the preferred embodiment, the process is performed under the control of one or more network or element management systems. The possible network domain includes data, voice, and video networks and multiple, interconnected network technologies. In one embodiment, triggers responsive to the presence of the identified precursors are placed into a network or element management system. The preferred embodiment of the invention utilizes machine-learning algorithms for discovering precursors of attacks, but any suitable algorithm may be used. The invention may be used in “attack autopsy” mode only, monitoring mode only, or both. Among other uses, the invention allows integration of Intrusion Detection Systems with Network Management Systems.

Citations

14 Claims

1. A system for security management in a data, voice, or video network, comprising:
- a data collector coupled to the network and configured to collect one or more datasets from the network, wherein the collected datasets include at least one dataset collected from the network during a real or simulated attack on the network, and wherein the collected datasets further include at least one dataset collected from the network during an attack-free time period;
  
  a temporal correlation engine communicatively coupled to the data collector, wherein temporal correlation engine is configured to;
  
  identify one or more variables at a target of the real or simulated attack on the network, wherein the variables identified at the target characterize the real or simulated attack on the network;
  
  identify one or more key variables among the variables that characterize the real or simulated attack on the network, wherein the key variables are identified as containing precursors of the real or simulated attack on the network;
  
  use the dataset collected during the attack-free time period to construct one or more normal profiles for the network;
  
  extract a time series of precursor events that occurred prior to the real or simulated attack on the network from the dataset collected during the real or simulated attack on the network, wherein extracting the time series of precursor events includes comparing a time series evolution for the key variables during the real or simulated attack with the normal profiles constructed from the dataset collected during the attack-free time period;
  
  extract at least one temporal rule for a scenario associated with the real or simulated attack on the network, wherein the temporal rule includes the extracted time series of precursor events; and
  
  verify that the extracted time series of precursor events consistently occurred in the network prior to the real or simulated attack on the network; and
  
  a network management system executing on at least one device coupled to the network, wherein the network management system is configured to;
  
  monitor subsequent activity in the network to detect an occurrence of one or more of the precursor events in the monitored network activity; and
  
  take protective action to prevent an imminent attack on the network in response to detecting one or more of the precursor events in the monitored network activity, wherein the temporal rule defines the protective action to be taken.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the datasets collected from the network include Management Information Base (MIB) variables collected using Simple Network Management Protocol (SNMP).
  - 3. The system of claim 1, wherein identifying the variables that characterize the real or simulated attack on the network includes using domain knowledge about the real or simulated attack.
  - 4. The system of claim 1, wherein identifying the variables that characterize the real or simulated attack on the network includes comparing a time series evolution for each variable collected during the real or simulated attack to the normal profiles constructed from the dataset collected during the attack-free time period.
  - 5. The system of claim 4, wherein a variable having a time series evolution that statistically varies from the normal profiles is identified as characterizing the real or simulated attack on the network.
  - 6. The system of claim 1, wherein identifying the key variables that contain the precursors of the real or simulated attack further includes using the Granger Causality Test (GCT) to measure relative causality strengths between a plurality of candidate key variables and the variables that characterize the real or simulated attack on the network.
  - 7. The system of claim 1, wherein the extracted temporal rule further includes a statistical signature of behavior likely to occur prior to an attack on the network.

8. A method for security management in a data, voice, or video network, comprising:
- collecting one or more datasets from the network using a data collector coupled to the network, wherein the collected datasets include at least one dataset collected from the network during a real or simulated attack on the network, and wherein the collected datasets further include at least one dataset collected from the network during an attack-free time period;
  
  identifying one or more variables at a target of the real or simulated attack on the network using a temporal correlation engine communicatively coupled to the data collector, wherein the variables identified at the target characterize the real or simulated attack on the network;
  
  identifying one or more key variables among the variables that characterize the real or simulated attack on the network using the temporal correlation engine, wherein the key variables are identified as containing precursors of the real or simulated attack on the network;
  
  using the dataset collected during the attack-free time period to construct one or more normal profiles for the network, wherein the one or more normal profiles are constructed using the temporal correlation engine;
  
  extracting a time series of precursor events that occurred prior to the real or simulated attack on the network from the dataset collected during the real or simulated attack on the network, wherein extracting the precursor events includes the temporal correlation engine comparing a time series evolution for the key variables during the real or simulated attack with the normal profiles constructed from the dataset collected during the attack-free time period;
  
  extracting at least one temporal rule for a scenario associated with the real or simulated attack on the network using the temporal correlation engine, wherein the temporal rule includes the extracted time series of precursor events;
  
  verifying that the extracted time series of precursor events consistently occurred in the network prior to the real or simulated attack on the network using the temporal correlation engine;
  
  monitoring subsequent activity in the network to detect an occurrence of one or more of the precursor events in the monitored network activity, wherein a network management system executing on at least one device coupled to the network is configured to monitor the subsequent activity in the network; and
  
  taking protective action to prevent an imminent attack on the network in response to the network management system detecting one or more of the precursor events in the monitored network activity, wherein the temporal rule defines the protective action to be taken.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the datasets collected from the network include Management Information Base (MIB) variables collected using Simple Network Management Protocol (SNMP).
  - 10. The method of claim 8, wherein identifying the variables that characterize the real or simulated attack on the network includes using domain knowledge about the real or simulated attack.
  - 11. The method of claim 8, wherein identifying the variables that characterize the real or simulated attack on the network includes comparing a time series evolution for each variable collected during the real or simulated attack to the normal profiles constructed from the dataset collected during the attack-free time period.
  - 12. The method of claim 11, wherein a variable having a time series evolution that statistically varies from the normal profiles is identified as characterizing the real or simulated attack on the network.
  - 13. The method of claim 8, wherein identifying the key variables that contain the precursors of the real or simulated attack further includes using the Granger Causality Test (GCT) to measure relative causality strengths between a plurality of candidate key variables and the variables that characterize the real or simulated attack on the network.
  - 14. The method of claim 8, wherein the extracted temporal rule further includes statistical signatures of behavior likely to occur prior to an attack on the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computer Associates Think Inc. (Broadcom, Inc.), Scientific Systems Co., Inc.
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Cabrera, Joao B. D., Lewis, Lundy M., Mehra, Raman K.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Nobahar; Abdulhakim

Application Number

US10/138,836
Publication Number

US 20030110396A1
Time in Patent Office

2,720 Days
Field of Search

726/22, 726/23
US Class Current

726/23
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Method and apparatus for predicting and preventing attacks in communications networks

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for predicting and preventing attacks in communications networks

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links