System and method for attacker attribution in a network security system

US 7,849,185 B1
Filed: 01/10/2006
Issued: 12/07/2010
Est. Priority Date: 01/10/2006
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

at least one sensor operable to receive one or more detected events, each detected event associated with at least one data packet in an enterprise network;

at least one memory module operable to store one or more rules and a plurality of tables;

at least one processor operable to;

receive a query associated with an attribute value of a detected event;

identify a rule for determining the attribute value, the rule associated with a rule identifier;

identify in a first table a rule update time associated with the rule;

apply the rule to determine attribute values for a plurality of detected events stored in a second table, wherein;

the plurality of detected events in the second table occurred after the rule update time such that the rule is applied only to the plurality of detected events occurring after the rule update time and not to any detected events occurring before the rule update time;

the plurality of detected events are associated with event identifiers; and

each of the plurality of detected events is associated with a plurality of attribute values, the attribute values of each detected event defining a respective point in n-dimensional space;

send to a third table the determined attribute values and the event identifiers;

identify in the third table one or more event identifiers associated with one or more attribute values that satisfy the query;

display to a user a set of query results, wherein the set of query results include one or more event identifiers associated with detected events occurring after the rule update time and one or more event identifiers associated with a cached query result of at least one detected event occurring prior to the rule update time;

correlate the target event and one or more similar detected events of the second table, the correlation based at least in part on a distance between the respective points defined by the respective attribute values of the target event and the one or more similar detected events of the second table, wherein the distance between the respective points defined by the respective attribute values of the target event and the one or more similar detected events of the second table are proximate to one another indicating that the target event is similar to the one or more detected events; and

identify a source of the target event as being the same as the source of the one or more similar detected events based on the correlation.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for correlating event information comprises receiving a query associated with an attribute value of a detected event. The method continues by identifying a rule for determining the attribute value, the rule associated with a rule identifier. The method continues by identifying in a first table a rule update time associated with the rule. The method continues by determining attribute values for a plurality of detected events stored in a second table, wherein the plurality of detected events occurred after the rule update time and are associated with event identifiers. The method continues by storing in a third table the determined attribute values and the event identifiers. The method concludes by identifying in the third table one or more event identifiers associated with one or more attribute values that satisfy the query.

105 Citations

View as Search Results

21 Claims

1. A system comprising:
- at least one sensor operable to receive one or more detected events, each detected event associated with at least one data packet in an enterprise network;
  
  at least one memory module operable to store one or more rules and a plurality of tables;
  
  at least one processor operable to;
  
  receive a query associated with an attribute value of a detected event;
  
  identify a rule for determining the attribute value, the rule associated with a rule identifier;
  
  identify in a first table a rule update time associated with the rule;
  
  apply the rule to determine attribute values for a plurality of detected events stored in a second table, wherein;
  
  the plurality of detected events in the second table occurred after the rule update time such that the rule is applied only to the plurality of detected events occurring after the rule update time and not to any detected events occurring before the rule update time;
  
  the plurality of detected events are associated with event identifiers; and
  
  each of the plurality of detected events is associated with a plurality of attribute values, the attribute values of each detected event defining a respective point in n-dimensional space;
  
  send to a third table the determined attribute values and the event identifiers;
  
  identify in the third table one or more event identifiers associated with one or more attribute values that satisfy the query;
  
  display to a user a set of query results, wherein the set of query results include one or more event identifiers associated with detected events occurring after the rule update time and one or more event identifiers associated with a cached query result of at least one detected event occurring prior to the rule update time;
  
  correlate the target event and one or more similar detected events of the second table, the correlation based at least in part on a distance between the respective points defined by the respective attribute values of the target event and the one or more similar detected events of the second table, wherein the distance between the respective points defined by the respective attribute values of the target event and the one or more similar detected events of the second table are proximate to one another indicating that the target event is similar to the one or more detected events; and
  
  identify a source of the target event as being the same as the source of the one or more similar detected events based on the correlation.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the processor is further operable to:
    - determine whether the query is stored in a fourth table; and
      
      if the query is stored in the fourth table, determine a query identifier and a query update time associated with the query, the query identifier and the query update time stored in the fourth table.
  - 3. The system of claim 1, wherein the processor is further operable to:
    - determine whether the query is stored in a fourth table; and
      
      if the query is not stored in the fourth table, assign a query identifier to the query and send the query and the query identifier to the fourth table.
  - 4. The system of claim 1, wherein the processor is further operable to update the rule update time associated with the rule, the rule update time stored in the first table.
  - 5. The system of claim 1, wherein the query is associated with a query identifier, and the processor is further operable to send to a fifth table the identified event identifiers in association with the query identifier.
  - 6. The system of claim 1, wherein the processor is further operable to update a query update time associated with the query, the query update time stored in a fourth table.
  - 7. The system of claim 1, wherein the processor is further operable to retrieve from the second table one or more detected events associated with the identified event identifiers.

8. An apparatus comprising:
- at least one memory module operable to store one or more rules and a plurality of tables;
  
  at least one processor operable to;
  
  receive a query associated with an attribute value of a detected event, the detected event associated with at least one data packet in an enterprise network;
  
  identify a rule for determining the attribute value, the rule associated with a rule identifier;
  
  identify in a first table a rule update time associated with the rule;
  
  apply the rule to determine attribute values for a plurality of detected events stored in a second table, wherein;
  
  the plurality of detected events in the second table occurred after the rule update time such that the rule is applied only to the plurality of detected events occurring after the rule update time and not to any detected events occurring before the rule update time;
  
  the plurality of detected events are associated with event identifiers; and
  
  each of the plurality of detected events is associated with a plurality of attribute values, the attribute values of each detected event defining a respective point in n-dimensional space;
  
  send to a third table the determined attribute values and the event identifiers;
  
  identify in the third table one or more event identifiers associated with one or more attribute values that satisfy the query;
  
  display a set of query results to a user, wherein the set of query results include one or more event identifiers associated with detected events occurring after the rule update time and one or more event identifiers associated with a cached query result of at least one detected event occurring prior to the rule update time;
  
  correlate the target event and one or more similar detected events of the second table, the correlation based at least in part on a distance between the respective points defined by the respective attribute values of the target event and the one or more similar detected events of the second table, wherein the distance between the respective points defined by the respective attribute values of the target event and the one or more similar detected events of the second table are proximate to one another indicating that the target event is similar to the one or more detected events; and
  
  identify a source of the target event as being the same as the source of the one or more similar detected events based on the correlation.
- View Dependent Claims (9, 10, 11)
- - 9. The apparatus of claim 8, wherein the processor is further operable to retrieve from the second table one or more detected events associated with the identified event identifiers.
  - 10. The apparatus of claim 8, wherein the processor is further operable to update the rule update time associated with the rule, the rule update time stored in the first table.
  - 11. The apparatus of claim 8, wherein the query is associated with a query identifier, and the processor is further operable to:
    - store in a fifth table the identified event identifiers in association with the query identifier; and
      
      update a query update time associated with the query, the query update time stored in a fourth table.

12. A method comprising:
- receiving a query associated with an attribute value of a detected event, the detected event associated with at least one data packet in an enterprise network, wherein the query is associated with the attribute value of a target event;
  
  identifying a rule for determining the attribute value, the rule associated with a rule identifier;
  
  identifying in a first table a rule update time associated with the rule;
  
  applying the rule to determine attribute values for a plurality of detected events stored in a second table, the determination made by at least one processor, wherein;
  
  the plurality of detected events in the second table occurred after the rule update time such that the rule is applied only to the plurality of detected events occurring after the rule update time and not to any detected events occurring before the rule update time;
  
  the plurality of detected events are associated with event identifiers; and
  
  each of the plurality of detected events is associated with a plurality of attribute values, the attribute values of each detected event defining a respective point in n-dimensional space;
  
  storing in a third table the determined attribute values and the event identifiers;
  
  identifying in the third table one or more event identifiers associated with one or more attribute values that satisfy the query; and
  
  displaying a set of query results to a user, wherein the set of query results include one or more event identifiers associated with detected events occurring after the rule update time and one or more event identifiers associated with a cached query result of at least one detected event occurring prior to the rule update time;
  
  correlating the target event and one or more similar detected events of the second table, the correlation based at least in part on a distance between the respective points defined by the respective attribute values of the target event and the one or more similar detected events of the second table, wherein the distance between the respective points defined by the respective attribute values of the target event and the one or more similar detected events of the second table are proximate to one another indicating that the target event is similar to the one or more similar detected events; and
  
  identifying a source of the target event as being the same as the source of the one or more similar detected events based on the correlation.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The method of claim 12, further comprising:
    - determining whether the query is stored in a fourth table; and
      
      if the query is stored in the fourth table, determining a query identifier and a query update time associated with the query, the query identifier and the query update time stored in the fourth table.
  - 14. The method of claim 12, further comprising:
    - determining whether the query is stored in a fourth table; and
      
      if the query is not stored in the fourth table, assigning a query identifier to the query and storing the query and the query identifier in the fourth table.
  - 15. The method of claim 12, further comprising updating the rule update time associated with the rule, the rule update time stored in the first table.
  - 16. The method of claim 12, wherein the query is associated with a query identifier, and further comprising storing in a fifth table the identified event identifiers in association with the query identifier.
  - 17. The method of claim 12, further comprising updating a query update time associated with the query, the query update time stored in a fourth table.
  - 18. The method of claim 12, further comprising:
    - retrieving from the second table one or more detected events associated with the identified event identifiers; and
      
      causing a graphical user interface to display the retrieved detected events.
  - 19. The method of claim 12, wherein the query is part of a complex query, and further comprising parsing the complex query into individual queries.
  - 20. The method of claim 12, wherein the plurality of attribute values associated with a detected event comprise:
    - a first attribute value based on a source IP address;
      
      a second attribute value based on a destination IP address; and
      
      a third attribute value based on a time of detection.
  - 21. The method of claim 12, wherein:
    - a first axis of the n-dimensional space corresponds to source IP addresses of the plurality of detected events; and
      
      a second axis of the n-dimensional space corresponds to destination IP addresses of the plurality of detected events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Forcepoint LLC)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Rockwood, Troy Dean
Primary Examiner(s)
Patel; Ashok B
Assistant Examiner(s)
BECHTEL, KEVIN M

Application Number

US11/328,689
Time in Patent Office

1,792 Days
Field of Search

709/224
US Class Current

709/224
CPC Class Codes

H04L 63/14 for detecting or protecting...

System and method for attacker attribution in a network security system

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

105 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for attacker attribution in a network security system

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

105 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links