
System that provides early detection, alert, and response to electronic threats

  • US 8,171,554 B2
  • Filed: 02/04/2008
  • Issued: 05/01/2012
  • Est. Priority Date: 02/04/2008
  • Status: Expired due to Fees
First Claim

1. A computer system that provides early warning detection and response to electronic threats in a large wide area network, said system comprising:

  • (a) a virtual Anonymity, Privacy, and Secrecy (APS) module comprised of several components distributed throughout said system, said APS module comprising components that are adapted to identify and remove data carrying personal information and to enable secure encrypted communications between modules in said system, thereby ensuring that the anonymity, privacy and secrecy of all users of said large wide area network are preserved while enabling said system to perform its function;

  • (b) one or more physical Known eThreat Handler (KEHM) modules that are deployed inside said large wide area network, said KEHM modules comprising components that are adapted to look for a match between signatures of known eThreats and the stream of Internet packets in real-time, thereby identifying and removing known eThreats from the data stream;

  • (c) one or more physical Data Stream Manager (DSM) modules that are deployed inside said large wide area network, said DSM modules comprising components that are adapted to:
    (i) receive the data stream that has been forwarded from said KEHM modules;
    (ii) forward said data stream to the target computer;
    (iii) extract files from said data stream by filtering out traffic that has no potential to assist with eThreat detection and traffic that has a potential to assist with detection of new eThreats;

  • (d) a physical New eThreat Detection module not directly connected to the large wide area network data stream, said module comprising:
    (i) a plurality of detection plug-ins each of which is adapted to analyze and provide a subjective numeric grade for the danger posed by the suspected eThreat in a file or a file from other sources;
    (ii) a risk weighing component that is adapted to combine the numeric grades provided by said plurality of detection plug-ins to provide a final rank for each of said eThreat files in order to determine if a new eThreat has been detected; and
    (iii) components that are adapted to construct a unique signature for each new eThreat detected;

  • (e) a physical Collaborative eThreat Recognition module not directly connected to said large wide area network data stream, said Collaborative eThreat Recognition module comprising components that are adapted to apply rule-based detection techniques to information received from various system agents and users to detect potential new eThreats;

  • (f) a physical Storage Manager module not connected directly to said large wide area network data stream, said Storage Manager module comprising components that are adapted to:
    (i) store and manage files sent to said module by other modules of said system; and
    (ii) store information about said files managed by said module;

  • (g) a physical Control Center module not connected directly to said large wide area network data stream, which comprises graphic user interfaces and other components that are adapted to provide all information gathered by other modules of said system that is relevant to the recognition of new eThreats to a human expert group that is responsible for running said system and to provide feedback from said human expert group to modules of said system;

  • (h) communication links between said modules of said system; and

  • (i) the Control Center modules comprising an Attack-Trace-Back module adapted to trace back the source of an eThreat by constructing a propagation tree from a log.
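Added illustration (not code from the patent) of two claim elements: the risk weighing component of (d)(ii), which combines per-plug-in danger grades into a final rank, and the Attack-Trace-Back of (i), which rebuilds a propagation tree from a log and walks it back to the source. The plug-in names, weights, threshold and the `timestamp,src_host,dst_host` log format are assumptions; the log lines are constructed.

```python
from collections import defaultdict

# Assumed plug-in weights; the claim only says the grades are combined.
PLUGIN_WEIGHTS = {"static_heuristics": 0.3, "sandbox_behaviour": 0.5, "reputation": 0.2}
NEW_ETHREAT_THRESHOLD = 0.6  # assumed cut-off on the 0..1 final rank


def final_rank(grades):
    """Weighted mean of the 0..1 danger grades from the plug-ins that reported."""
    weight = sum(PLUGIN_WEIGHTS[name] for name in grades)
    if weight == 0:
        return 0.0  # no plug-in reported: nothing to rank
    return sum(PLUGIN_WEIGHTS[n] * g for n, g in grades.items()) / weight


def is_new_ethreat(grades):
    """Claim (d)(ii): the final rank decides whether a new eThreat was detected."""
    return final_rank(grades) >= NEW_ETHREAT_THRESHOLD


# Constructed log, one "timestamp,src_host,dst_host" hop per line.
SAMPLE_LOG = """\
1001,hostA,hostB
1002,hostB,hostC
1003,hostB,hostD
1004,hostC,hostE
"""


def propagation_tree(log_text):
    """Claim (i): rebuild {parent: [children]} from the log, in time order."""
    hops = []
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst = line.strip().split(",")
            hops.append((int(ts), src, dst))
    tree, seen = defaultdict(list), set()
    for _, src, dst in sorted(hops):
        if dst not in seen:        # the first hop into a host is the one that infected it
            tree[src].append(dst)
        seen.update((src, dst))    # a host that already sent is already infected (no cycles)
    return dict(tree)


def trace_back(tree, victim):
    """Walk parent links from the victim up to the root; path[0] is the source."""
    parent = {c: p for p, children in tree.items() for c in children}
    path = [victim]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path[::-1]
```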

  • 3 Assignments