Intrusion detection based on amount of network traffic

US 8,042,180 B2
Filed: 05/20/2005
Issued: 10/18/2011
Est. Priority Date: 05/21/2004
Status: Active Grant

First Claim

Patent Images

1. A method for combating malicious programs, the method comprising:

maintaining a network model representing a normal usage of network resources by a device, the network model predetermined by a user, the network model identifying a predetermined number of packets to be transmitted in a predetermined period of time by the device;

monitoring network traffic generated by the device;

based on the network traffic that is monitored, identifying an average number of packets actually transmitted in the predetermined period of time by the device;

modifying the network model by replacing the predetermined number of packets identified in the network model with the average number of packets actually transmitted by the device;

after the modification of the network model, monitoring network traffic from the device;

after the modification of the network model, determining that the device is transmitting an observed amount of network traffic that is greater than the average number of packets identified by the network model as modified, the observed amount of network traffic being greater than the average number of packets by a margin of a specified number of standard deviations; and

disabling transmission of said network traffic for said device determined to be transmitting the observed amount of network traffic that is greater than the average number of packets by the margin of a specified number of standard deviations.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for combating malicious programs including monitoring network traffic from one or more devices, analyzing the network traffic to determine the presence of a malicious program in the one or more devices and disabling transmission of the network traffic for those of the one or more devices determined to have the malicious program present.

50 Citations

View as Search Results

50 Claims

1. A method for combating malicious programs, the method comprising:
- maintaining a network model representing a normal usage of network resources by a device, the network model predetermined by a user, the network model identifying a predetermined number of packets to be transmitted in a predetermined period of time by the device;
  
  monitoring network traffic generated by the device;
  
  based on the network traffic that is monitored, identifying an average number of packets actually transmitted in the predetermined period of time by the device;
  
  modifying the network model by replacing the predetermined number of packets identified in the network model with the average number of packets actually transmitted by the device;
  
  after the modification of the network model, monitoring network traffic from the device;
  
  after the modification of the network model, determining that the device is transmitting an observed amount of network traffic that is greater than the average number of packets identified by the network model as modified, the observed amount of network traffic being greater than the average number of packets by a margin of a specified number of standard deviations; and
  
  disabling transmission of said network traffic for said device determined to be transmitting the observed amount of network traffic that is greater than the average number of packets by the margin of a specified number of standard deviations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein analyzing said network traffic to determine the presence of a malicious program in said device:
    - comparing observed network traffic for the device to network traffic model as modified for said device; and
      
      determining that a malicious program is present when said observed network traffic deviates substantially from said network traffic model as modified.
  - 3. The method of claim 2, wherein statistical analysis is used to compare and determine.
  - 4. The method of claim 2, wherein artificial intelligence is used to compare and determine, the artificial intelligence comprising at least one of a neural network and Bayesian analysis.
  - 5. The method of claim 2, wherein determining that a malicious program is present when said observed network traffic deviates substantially from said network traffic model as modified comprises ascertaining if said observed network traffic deviates from said normal network traffic by at least a determined margin.
  - 6. The method of claim 5, wherein said determined margin is predetermined and fixed.
  - 7. The method of claim 5, wherein said determined margin is determined based on historic values observed by monitoring network traffic.
  - 8. The method of claim 5, wherein said determined margin is initially predetermined by a user and is subsequently modified to adjust a sensitivity of an analyzer for determining the presence of said malicious program based on historic values observed by monitoring network traffic.
  - 9. The method of claim 2, wherein said network traffic model is determined based on historic values observed by monitoring network traffic.
  - 10. The method of claim 2, wherein said network traffic model is initially predetermined and is subsequently modified based on historic values observed by monitoring network traffic.
  - 11. The method of claim 1, wherein disabling transmission of said network traffic for the device determined to have said malicious program present comprises powering down said device determined to have said malicious program present.
  - 12. The method of claim 1, wherein disabling transmission of said network traffic for the device determined to have said malicious program present comprises removing from said network said those of said device determined to have said malicious program present.
  - 13. The method of claim 1 wherein analyzing said network traffic comprises analyzing a factor selected from the group consisting of a size of a packet of the network traffic, a recipient address, and a time of day that the packet is being sent.
  - 14. The method of claim 1, further comprising:
    - generating a deviation score for said network traffic, the deviation score representing the degree of deviation between the observed usage and normal usage; and
      
      comparing the deviation score against an acceptable score to determine the presence of a malicious program in said device.
  - 15. The method of claim 14 wherein linear regression is used to check the deviation score against the acceptable score to determine the presence of the malicious program in said device.
  - 16. The method of claim 1, wherein disabling transmission of said network traffic for said device determined to have said malicious program present comprises revoking network authentication granted to said device determined to have said malicious program present.

17. A system for combating malicious programs comprising:
- a computer system operable to execute a software application stored on a recording media locally accessible to the computer system, the software application operable when executed by the computer system to;
  
  maintain a network model representing a normal usage of network resources by a device, the network model predetermined by a user, the network model identifying a predetermined number of packets to be transmitted in a predetermined period of time by the device;
  
  monitor network traffic generated by the device;
  
  based on the network traffic that is monitored, identify an average number of packets actually transmitted in the predetermined period of time by the device;
  
  modify the network model by replacing the predetermined number of packets identified in the network model with the average number of packets actually transmitted by the device;
  
  after the modification of the network model, monitor network traffic from the device;
  
  after the modification of the network model, determine that the device is transmitting an observed amount of network traffic that is greater than the average number of packets identified by the network model as modified, the observed amount of network traffic being greater than the average number of packets by a margin of a specified number of standard deviations; and
  
  disable transmission of said network traffic for said device determined to be transmitting the observed amount of network traffic that is greater than the average number of packets by the margin of a specified number of standard deviations.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 18. The system of claim 17, wherein analyzing said network traffic to determine the presence of a malicious program in said device comprises:
    - comparing observed network traffic for the device to the network traffic model for said device; and
      
      determining that a malicious program is present when said observed network traffic deviates substantially from said network traffic model.
  - 19. The system of claim 18, wherein statistical analysis is used to compare and determine.
  - 20. The system of claim 18, wherein artificial intelligence is used to compare and determine, the artificial intelligence comprising at least one of a neural network and Bayesian analysis.
  - 21. The system of claim 18, wherein determining that a malicious program is present when said observed network traffic deviates substantially from said network traffic model comprises ascertaining if said observed network traffic deviates from said network traffic model by at least a determined margin.
  - 22. The system of claim 21, wherein said determined margin is determined based on historic values observed by monitoring network traffic.
  - 23. The system of claim 21, wherein said determined margin is initially predetermined by the user and is subsequently modified to adjust a sensitivity of an analyzer for determining the presence of said malicious program based on historic values observed by monitoring network traffic.
  - 24. The system of claim 21, wherein said determined margin is determined based on historic values observed by monitoring network traffic.
  - 25. The system of claim 18, wherein said network traffic model is initially predetermined and is subsequently modified based on historic values observed by monitoring network traffic.
  - 26. The system of claim 17, wherein disabling transmission of said network traffic for the device determined to have said malicious program present comprises powering down said the device determined to have said malicious program present.
  - 27. The system of claim 17, wherein disabling transmission of said network traffic for those of said device determined to have said malicious program present comprises removing from said network said device determined to have said malicious program present.

28. A computer system comprising:
- a processor; and
  
  a program storage device readable by the computer system, embodying a program of instructions executable by the processor to perform a method for combating malicious programs, the method comprising;
  
  maintaining a network model representing a normal usage of network resources by a device, the network model predetermined by a user, the network model identifying a predetermined number of packets to be transmitted in a predetermined period of time by the device;
  
  monitoring network traffic generated by the device;
  
  based on the network traffic that is monitored, identifying an average number of packets actually transmitted in the predetermined period of time by the device;
  
  modifying the network model by replacing the predetermined number of packets identified in the network model with the average number of packets actually transmitted by the device;
  
  after the modification of the network model, monitoring network traffic from the device;
  
  after the modification of the network model, determining that the device is transmitting an observed amount of network traffic that is greater than the average number of packets identified by the network model as modified, the observed amount of network traffic being greater than the average number of packets by a margin of a specified number of standard deviations; and
  
  disabling transmission of said network traffic for said device determined to be transmitting the observed amount of network traffic that is greater than the average number of packets by the margin of a specified number of standard deviations.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 29. The computer system of claim 28, wherein analyzing said network traffic to determine the presence of a malicious program in said devices comprises:
    - comparing observed network traffic for the device to the network traffic model for said device; and
      
      determining that a malicious program is present when said observed network traffic deviates substantially from said network traffic model.
  - 30. The computer system of claim 29, wherein statistical analysis is used to compare and determine.
  - 31. The computer system of claim 29, wherein artificial intelligence is used to compare and determine, the artificial intelligence comprising at least one of a neural network and Bayesian analysis.
  - 32. The computer system of claim 29, wherein determining that a malicious program is present when said observed network traffic deviates substantially from said network traffic model comprises ascertaining if said observed network traffic deviates from said network traffic model by at least a determined margin.
  - 33. The computer system of claim 32, wherein said determined margin is determined based on historic values observed by monitoring network traffic.
  - 34. The computer system of claim 32, wherein said determined margin is initially predetermined by the user and is subsequently modified to adjust a sensitivity of an analyzer for determining the presence of said malicious program based on historic values observed by monitoring network traffic.
  - 35. The computer system of claim 32, wherein said predetermined margin is determined based on historic values observed by monitoring network traffic.
  - 36. The computer system of claim 29, wherein said normal network traffic model is initially predetermined and is subsequently modified based on historic values observed by monitoring network traffic.
  - 37. The computer system of claim 28, wherein disabling transmission of said network traffic for said device determined to have said malicious program present comprises powering down said those of said device determined to have said malicious program present.
  - 38. The computer system of claim 28, wherein disabling transmission of said network traffic for said device determined to have said malicious program present comprises removing from said network said those of said device determined to have said malicious program present.

39. A non-transitory computer recording medium including computer executable code for combating malicious programs, the computer executable code comprising:
- code for maintaining a network model representing a normal usage of network resources by a device, the network model predetermined by a user, the network model identifying a predetermined number of packets to be transmitted in a predetermined period of time by the device;
  
  code for monitoring network traffic generated by the device;
  
  code for identifying, based on the network traffic that is monitored, an average number of packets actually transmitted in the predetermined period of time by the device;
  
  code for modifying the network model by replacing the predetermined number of packets identified in the network model with the average number of packets actually transmitted by the device;
  
  code for monitoring network traffic from the device after the modification of the network model;
  
  code for determining, after the modification of the network model, that the device is transmitting an observed amount of network traffic that is greater than the average number of packets identified by the network model as modified, the observed amount of network traffic being greater than the average number of packets by a margin of a specified number of standard deviations; and
  
  code for disabling transmission of said network traffic for said device determined to be transmitting the observed amount of network traffic that is greater than the average number of packets by the margin of a specified number of standard deviations.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 40. The non-transitory computer recording medium of claim 39, wherein said code for analyzing said network traffic to determine the presence of a malicious program in said device comprises:
    - code for comparing observed network traffic for the device to the network traffic model for said device; and
      
      code for determining that a malicious program is present when said observed network traffic deviates substantially from said network traffic model.
  - 41. The non-transitory computer recording medium of claim 40, wherein statistical analysis is used to compare and determine.
  - 42. The non-transitory computer recording medium of claim 40, wherein artificial intelligence is used to compare and determine, the artificial intelligence comprising at least one of a neural network and Bayesian analysis.
  - 43. The non-transitory computer recording medium of claim 40, wherein said network traffic model is initially predetermined and is subsequently modified based on historic values observed by monitoring network traffic.
  - 44. The non-transitory computer recording medium of claim 39 wherein said code for determining that a malicious program is present when said observed network traffic deviates substantially from said network traffic model comprises code for ascertaining if said observed network traffic deviates from said network traffic model by at least a determined margin.
  - 45. The non-transitory computer recording medium of claim 44, wherein said determined margin is determined based on historic values observed by monitoring network traffic.
  - 46. The non-transitory computer recording medium of claim 44, wherein said determined margin is initially predetermined by the user and is subsequently modified to adjust a sensitivity of an analyzer for determining the presence of said malicious program based on historic values observed by monitoring network traffic.
  - 47. The non-transitory computer recording medium of claim 44, wherein said determined margin is determined based on historic values observed by monitoring network traffic.
  - 48. The non-transitory computer recording medium of claim 39, wherein said code for disabling transmission of said network traffic for those of said device determined to have said malicious program present comprises code for powering down said device determined to have said malicious program present.
  - 49. The non-transitory computer recording medium claim 39, wherein said code for disabling transmission of said network traffic for said device determined to have said malicious program present comprises code for removing from said network said device determined to have said malicious program present.

50. A method for combating malicious programs, the method comprising:
- maintaining a network model representing a normal usage of network resources by a device, the network model predetermined by a network administrator, the network model identifying a predetermined number of packets to be transmitted in a predetermined period of time by the device;
  
  monitoring network traffic from the device;
  
  based on the network traffic that is monitored, identifying an average number of packets actually transmitted in the predetermined period of time by the device;
  
  modifying the network model by replacing the predetermined number of packets identified by the network administrator with an average number of packets actually transmitted in the predetermined period of time by the device;
  
  after the modification of the network model, monitoring network traffic from the device;
  
  after the modification of the network model, determining that the device is transmitting an observed amount of network traffic that is greater than the average number of packets identified by the network model as modified, the observed amount of network traffic being greater than the average number of packets by a margin of a specified number of standard deviations; and
  
  disabling transmission of said network traffic for said device determined to be transmitting the observed amount of network traffic that is greater than the average number of packets by the margin of a specified number of standard deviations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Gassoway, Paul
Primary Examiner(s)
Colin; Carl
Assistant Examiner(s)
LE, CHAU D

Application Number

US11/133,962
Publication Number

US 20050262562A1
Time in Patent Office

2,342 Days
Field of Search

726 22- 25
US Class Current

726/22
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Intrusion detection based on amount of network traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection based on amount of network traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links