Methods and systems for detecting abnormal digital traffic

US 7,908,357 B2
Filed: 09/21/2005
Issued: 03/15/2011
Est. Priority Date: 09/21/2005
Status: Active Grant

First Claim

Patent Images

1. A method for detecting abnormal network traffic comprising:

providing at least one knowledge node comprising a characterization model utilizing decision-making techniques from engineering statistics based on prior network information and not based on fixed thresholds or signatures;

assigning characterizations of network behaviors according to the characterization models of the at least one knowledge nodes; and

calculating a confidence value quantifying the degree of confidence that the network behaviors constitute abnormal traffic, the confidence value being based on the characterizations from the at least one knowledge node and on weighting factors associated with the knowledge nodes;

wherein said assigning and said calculating are executed by a processing device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of the present invention encompass methods and systems for detecting abnormal digital traffic by assigning characterizations of network behaviors according to knowledge nodes and calculating a confidence value based on the characterizations from at least one knowledge node and on weighting factors associated with the knowledge nodes. The knowledge nodes include a characterization model based on prior network information. At least one of the knowledge nodes should not be based on fixed thresholds or signatures. The confidence value includes a quantification of the degree of confidence that the network behaviors constitute abnormal network traffic.

41 Citations

View as Search Results

22 Claims

1. A method for detecting abnormal network traffic comprising:
- providing at least one knowledge node comprising a characterization model utilizing decision-making techniques from engineering statistics based on prior network information and not based on fixed thresholds or signatures;
  
  assigning characterizations of network behaviors according to the characterization models of the at least one knowledge nodes; and
  
  calculating a confidence value quantifying the degree of confidence that the network behaviors constitute abnormal traffic, the confidence value being based on the characterizations from the at least one knowledge node and on weighting factors associated with the knowledge nodes;
  
  wherein said assigning and said calculating are executed by a processing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method as recited in claim 1, wherein each knowledge node is associated with at least one network behavior.
  - 3. The method as recited in claim 1, prior to the assigning step, further comprising the step of detecting network events by network sensors.
  - 4. The method as recited in claim 3, wherein the network sensors are selected from the group consisting of signature-based sensors, network anomaly sensors, protocol anomaly sensors and combinations thereof.
  - 5. The method as recited in claim 1, prior to the assigning step, further comprising the step of classifying network traffic as approved or unapproved.
  - 6. The method as recited in claim 5, wherein the classifying is based on source data, destination data, connection state, traffic data flow, or combinations thereof.
  - 7. The method as recited in claim 5, wherein the network behaviors comprise unapproved network traffic.
  - 8. The method as recited in claim 1, further comprising the step of logging the network behaviors.
  - 9. The method as recited in claim 1, further comprising the step of performing a security action when the confidence value is greater than or equal to an alert value.
  - 10. The method as recited in claim 9, wherein the security action is notifying administrators, collecting forensic data, establishing a quarantine for offending systems, transferring offending systems to a virtual network, suspend user access, or a combination thereof.
  - 11. The method as recited in claim 1, wherein the knowledge nodes are selected from the group consisting of failed connect egress, failed connect ingress, success MSPorts, failed SMTP, P2P ports, failed connect intranet, and success SMTP.
  - 12. The method as recited in claim 1, wherein the calculating step is performed by hypothesis nodes.
  - 13. The method as recited in claim 12, wherein hypothesis nodes are selected from the group consisting of portscan, P2P, unknown alert, virus, MS walk, and SMTP storm.
  - 14. The method as recited in claim 1, further comprising the step of refining the knowledge nodes according to the accumulation of said prior network information and administrator feedback.
  - 15. The method as recited in claim 1, wherein the calculating step is based on a modified Bayesian analysis model.

16. A system for detecting abnormal traffic comprising:
- a. sensors to detect network events, wherein a network behavior comprises at least one network event;
  
  b. a program on a computer-readable medium, the program comprising;
  
  i. at least one knowledge node assigning characterizations of network behaviors, each knowledge node comprising a characterization model utilizing decision-making techniques from engineering statistics based on prior network information and not based on fixed thresholds or signatures;
  
  ii. at least one hypothesis node calculating a confidence value based on the characterizations from the at least one knowledge node, each hypothesis node comprising a weighting factor for associated knowledge nodes, the confidence value comprising a quantification of the degree of confidence that the network behaviors constitute abnormal network traffic; and
  
  c. a processing device to execute the program.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The system as recited of claim 16, wherein the sensors are selected from the group of sensors consisting of signature-based sensors, network anomaly sensors, protocol anomaly sensors and combinations thereof.
  - 18. The system as recited in claim 16, wherein each knowledge node is associated with at least one network behavior.
  - 19. The system as recited in claim 16, further comprising means for aggregating a plurality of network events.
  - 20. The system as recited in claim 16, further comprising means for performing security actions in response to abnormal network traffic.
  - 21. The system as recited in claim 16, further comprising means for logging network behaviors.
  - 22. The system as recited in claim 16, further comprising means for refining the knowledge nodes according to the accumulation of said prior network information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Battelle Memorial Institute
Original Assignee
Battelle Memorial Institute
Inventors
Goranson, Craig A., Burnette, John R.
Primary Examiner(s)
Jaroenchonwanit; Bunjob

Application Number

US11/231,565
Publication Number

US 20070067438A1
Time in Patent Office

2,001 Days
Field of Search

709223-229, 706/46, 702/182, 704/252, 705 1- 38, 707/100, 713/201, 726/23
US Class Current

709/224
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Methods and systems for detecting abnormal digital traffic

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for detecting abnormal digital traffic

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links