Adaptive behavioral intrusion detection systems and methods

US 8,205,259 B2
Filed: 03/28/2003
Issued: 06/19/2012
Est. Priority Date: 03/29/2002
Status: Active Grant

First Claim

Patent Images

1. A method of detecting network intrusion attempts on a communications network, the method comprising:

collecting data associated with network traffic on the communications network, the data collection being over a time period sufficient to establish a sample of historical data, the historical data indicating normal network traffic;

examining network traffic for data comprising known strings and series of bytes that indicate signature attacks;

reading packets in network traffic, classifying the packets by protocols, and creating packages of compressed packets;

applying predetermined rules to group data packets associated with objects on the communications network according to common data packet characteristics, the grouped data packets establishing an anomaly pool;

analyzing the anomaly pool using the historical data;

generating an alert based on the behavioral analysis and converting alerts from native signature format to a unified format for storage; and

storing a modified version of the historical data based on the compressed packets and the alerts.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for analyzing historical network traffic and determining which traffic does not belong in a network are disclosed. Intrusion detection is performed over a period of time, looking for behavioral patterns within networks or information systems and generating alerts when these patterns change. The intrusion detection system intelligently forms correlations between disparate sources to find traffic anomalies. Over time, behaviors are predictive, and the intrusion detection system attempts to predict outcomes, becoming proactive instead of just reactive. Intrusions occur throughout whole information systems, including both network infrastructure and application servers. By treating the information system as a whole and performing intrusion detection across it, the chances of detection are increased significantly.

60 Citations

View as Search Results

22 Claims

1. A method of detecting network intrusion attempts on a communications network, the method comprising:
- collecting data associated with network traffic on the communications network, the data collection being over a time period sufficient to establish a sample of historical data, the historical data indicating normal network traffic;
  
  examining network traffic for data comprising known strings and series of bytes that indicate signature attacks;
  
  reading packets in network traffic, classifying the packets by protocols, and creating packages of compressed packets;
  
  applying predetermined rules to group data packets associated with objects on the communications network according to common data packet characteristics, the grouped data packets establishing an anomaly pool;
  
  analyzing the anomaly pool using the historical data;
  
  generating an alert based on the behavioral analysis and converting alerts from native signature format to a unified format for storage; and
  
  storing a modified version of the historical data based on the compressed packets and the alerts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 further comprising:
    - monitoring the network traffic for known strings and series of bytes that indicate signature attacks.
  - 3. The method of claim 1 further comprising:
    - analyzing the anomaly pool independently of any of the predetermined rules that identified the data packets for addition to the anomaly pool.
  - 4. The method of claim 1, wherein an alert is generated if a statistical value associated with the anomaly pool is not within a predetermined threshold value associated with the historical data.
  - 5. The method of claim 1, wherein the step of generating an alert comprises adding alerts to an alert pool and releasing alerts to a console for viewing by an operator.
  - 6. The method of claim 1, wherein the step of generating alerts comprises:
    - adding a first set of alerts to an alert pool;
      
      resolving internet protocol addresses associated with each alert in the alert pool with a name and renaming each alert in the alert pool with a name recognizable by an operator;
      
      applying a set of rules to select alerts from the alert pool to be displayed on a console for viewing by the operator, the rules comprising high level selection parameters that have been previously defined; and
      
      releasing the selected alerts by name to the console for viewing by the operator.
  - 7. The method of claim 1 further comprising:
    - performing the method across a plurality of networks; and
      
      compiling results in a global database.
  - 8. The method of claim 7 further comprising:
    - updating the historical data in a global database associated with the communications network.
  - 9. The method of claim 1, wherein the step of updating the historical data comprises:
    - storing sources of possible intrusion attempts in a database with an indicator of their hostility to the network; and
      
      removing a source of possible intrusion attempts from the database when a value of the indicator is sufficiently low due to a period of inactivity of the source.
  - 10. A non-transitory computer storage medium storing a computer program which, when executed by a computer-controlled apparatus, causes the computer-controlled apparatus to perform the method of claim 1.
  - 11. A computer-controlled apparatus operative for implementing the method of claim 1, wherein the apparatus comprises a hardware server.

12. A method of detecting network intrusion attempts associated with network objects on a communications network, the method comprising:
- collecting normal data associated with network objects on the communications network on a continuing basis to establish historical data associated with traffic across the network, wherein the historical data comprises delivery information associated with packets communicated over the communications network, the data collection occurring over a time period sufficient to establish a sample of the historical data;
  
  examining network traffic for data comprising known strings and series of bytes that indicate signature attacks;
  
  reading packets in network traffic, classifying the packets by protocols, and creating packages of compressed packets;
  
  analyzing the anomaly pool using the historical data;
  
  generating an alert based on the behavioral analysis and a converter for converting alerts from native signature format to a unified format for storage in at least one relational database; and
  
  storing a modified version of the historical data based on the compressed packets and the alerts.

13. A method of detecting network intrusion attempts on a communications network, the method comprising:
- collecting data associated with network traffic, the data collection being over a time period sufficient to establish a sample of historical data;
  
  examining network traffic for data comprising known strings and series of bytes that indicate signature attacks;
  
  reading packets in network traffic, classifying the packets by protocols, and creating packages of compressed packets;
  
  applying predetermined rules to group data packets associated with objects on the communications network according to common data packet characteristics, the grouped data packets establishing an anomaly pool;
  
  analyzing the anomaly pool using the historical data and known strings and series of bytes that indicate signature attacks;
  
  generating an alert based on the behavioral analysis and a converter for converting alerts from native signature format to a unified format for storage in at least one relational database; and
  
  storing a modified version of the historical data based on the compressed packets and the alerts.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, wherein analyzing the anomaly pool comprises:
    - analyzing the anomaly pool independently of any of the predetermined rules that identified the data packets for addition to the anomaly pool; and
      
      conducting a threshold analysis to determine whether a statistical value associated with the anomaly pool is within threshold values.
  - 15. The method of claim 13, wherein generating alerts identifying possible intrusion attempts comprises:
    - adding a first set of alerts to an alert pool;
      
      resolving internet protocol addresses associated with each alert in the alert pool with a name and renaming each alert in the alert pool with a name recognizable by an operator;
      
      applying a set of rules to select alerts from the alert pool to be displayed on a console for viewing by the operator, the rules comprising high level selection parameters that have been previously defined; and
      
      releasing the selected alerts by name to the console for viewing by the operator.
  - 16. The method of claim 13, further comprising:
    - performing the method across a plurality of networks;
      
      compiling results in a global database; and
      
      updating the historical data based on results in the global database.
  - 17. The method of claim 13, wherein updating the historical data comprises storing sources of possible intrusion attempts in a database with an indicator of their hostility to the network and removing a source of possible intrusion attempts from the database when a value of the data point indicator is sufficiently low due to a period of inactivity of the source.
  - 18. A non-transitory computer storage medium storing a computer program which, when executed by a computer-controlled apparatus, causes the computer-controlled apparatus to perform the method of claim 13.
  - 19. A computer-controlled apparatus operative for implementing the method of claim 13, the apparatus comprising a hardware server.

20. An intrusion detection system for detecting network intrusion attempts associated with network objects on a communications network, the system comprising:
- a sensor connected to the network to monitor network traffic associated with network objects on the network, the sensor operable to collect network data over a time period sufficient to establish a sample of historical data, the sensor comprising;
  
  a knowledge-based component for examining network traffic for data comprising known strings and series of bytes that indicate signature attacks; and
  
  a packet logger for reading packets in network traffic, classifying the packets by protocols, and creating packages of compressed packets;
  
  a hardware server connected to the sensor that accepts real-time alerts for possible signature attacks and a converter for converting alerts from native signature format to a unified format for storage in at least one relational database;
  
  an analysis server that generates an alert based on the behavioral analysis; and
  
  at least one relational database to store a modified version of the historical data based on the compressed packets and the alerts.
- View Dependent Claims (21, 22)
- - 21. The system of claim 20, further comprising a plurality of sensors connected to the network.
  - 22. The system of claim 20, further comprising two or more virtual private network tunnels connecting the sensor to the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Masergy Communications Incorporated (Comcast Corporation)
Original Assignee
Global DataGuard, Inc. (Comcast Corporation)
Inventors
Stute, Michael
Primary Examiner(s)
Goodarzi, Nasser
Assistant Examiner(s)
Johnson, Carlton

Application Number

US10/504,731
Publication Number

US 20050044406A1
Time in Patent Office

3,371 Days
Field of Search

713/201, 726/23, 726/24
US Class Current

726/23
CPC Class Codes

C12Q 1/6804   Nucleic acid analysis using...

C12Q 1/6865   Promoter-based amplificatio...

C12Q 2521/313   Type II endonucleases, i.e....

C12Q 2521/319   Exonuclease

C12Q 2525/121   incorporating both deoxyrib...

C12Q 2525/143   incorporating a promoter se...

C12Q 2537/1373   Displacement by a nucleic acid

C12Q 2563/179   the label being a nucleic acid

H04L 63/0272   Virtual private networks

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Adaptive behavioral intrusion detection systems and methods

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive behavioral intrusion detection systems and methods

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links