Adaptive behavioral intrusion detection systems and methods
First Claim
1. A method of detecting network intrusion attempts on a communications network, the method comprising:
- collecting data associated with network traffic on the communications network, the data collection being over a time period sufficient to establish a sample of historical data, the historical data indicating normal network traffic;
- examining network traffic for data comprising known strings and series of bytes that indicate signature attacks;
- reading packets in network traffic, classifying the packets by protocols, and creating packages of compressed packets;
- applying predetermined rules to group data packets associated with objects on the communications network according to common data packet characteristics, the grouped data packets establishing an anomaly pool;
- analyzing the anomaly pool using the historical data;
- generating an alert based on the behavioral analysis and converting alerts from native signature format to a unified format for storage; and
- storing a modified version of the historical data based on the compressed packets and the alerts.
Abstract
Systems and methods for analyzing historical network traffic and determining which traffic does not belong in a network are disclosed. Intrusion detection is performed over a period of time, looking for behavioral patterns within networks or information systems and generating alerts when these patterns change. The intrusion detection system intelligently forms correlations between disparate sources to find traffic anomalies. Over time, behaviors are predictive, and the intrusion detection system attempts to predict outcomes, becoming proactive instead of just reactive. Intrusions occur throughout whole information systems, including both network infrastructure and application servers. By treating the information system as a whole and performing intrusion detection across it, the chances of detection are increased significantly.
Claims (22)
1. As set out under First Claim above (dependent claims 2 to 11).
12. A method of detecting network intrusion attempts associated with network objects on a communications network, the method comprising:
- collecting normal data associated with network objects on the communications network on a continuing basis to establish historical data associated with traffic across the network, wherein the historical data comprises delivery information associated with packets communicated over the communications network, the data collection occurring over a time period sufficient to establish a sample of the historical data;
- examining network traffic for data comprising known strings and series of bytes that indicate signature attacks;
- reading packets in network traffic, classifying the packets by protocols, and creating packages of compressed packets;
- analyzing the anomaly pool using the historical data;
- generating an alert based on the behavioral analysis and a converter for converting alerts from native signature format to a unified format for storage in at least one relational database; and
- storing a modified version of the historical data based on the compressed packets and the alerts.
13. A method of detecting network intrusion attempts on a communications network, the method comprising:
- collecting data associated with network traffic, the data collection being over a time period sufficient to establish a sample of historical data;
- examining network traffic for data comprising known strings and series of bytes that indicate signature attacks;
- reading packets in network traffic, classifying the packets by protocols, and creating packages of compressed packets;
- applying predetermined rules to group data packets associated with objects on the communications network according to common data packet characteristics, the grouped data packets establishing an anomaly pool;
- analyzing the anomaly pool using the historical data and known strings and series of bytes that indicate signature attacks;
- generating an alert based on the behavioral analysis and a converter for converting alerts from native signature format to a unified format for storage in at least one relational database; and
- storing a modified version of the historical data based on the compressed packets and the alerts.

Dependent claims 14 to 19.
20. An intrusion detection system for detecting network intrusion attempts associated with network objects on a communications network, the system comprising:
- a sensor connected to the network to monitor network traffic associated with network objects on the network, the sensor operable to collect network data over a time period sufficient to establish a sample of historical data, the sensor comprising:
  - a knowledge-based component for examining network traffic for data comprising known strings and series of bytes that indicate signature attacks; and
  - a packet logger for reading packets in network traffic, classifying the packets by protocols, and creating packages of compressed packets;
- a hardware server connected to the sensor that accepts real-time alerts for possible signature attacks and a converter for converting alerts from native signature format to a unified format for storage in at least one relational database;
- an analysis server that generates an alert based on the behavioral analysis; and
- at least one relational database to store a modified version of the historical data based on the compressed packets and the alerts.

Dependent claims 21 and 22.
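As an added illustration that is not the patent's own code or any product's, the steps of claim 1 as a small Python pipeline over constructed sample traffic: a stored historical baseline per group, a byte-string signature check, a predetermined grouping rule that forms the anomaly pool, a comparison of each group with its history, conversion of signature hits into the same unified alert format as the behavioral alerts, and storage of a modified history that does not absorb the windows that alerted. The addresses, the signature string, the counts and the mean-plus-k-sigma threshold are all assumptions; packet compression is omitted.

```python
from collections import Counter
from statistics import mean, pstdev
# Constructed sample traffic (not from the patent): (src, proto, payload).
CURRENT_WINDOW = [
    ("10.0.0.5", "dns", b"example.com"), ("10.0.0.5", "dns", b"example.org"),
    ("10.0.0.9", "http", b"GET /index.html"),
    ("10.0.0.9", "http", b"GET /SIG-TEST-PATTERN"),  # hits the constructed signature
] + [("10.0.0.7", "smtp", b"MAIL FROM:<a@b>")] * 40  # burst relative to history
HISTORY = {("10.0.0.5", "dns"): [2, 3, 2, 3], ("10.0.0.9", "http"): [1, 2, 2, 1],
           ("10.0.0.7", "smtp"): [3, 4, 3, 4]}  # past per-window counts: the "normal" sample
SIGNATURES = {"sig-0001": b"SIG-TEST-PATTERN"}  # constructed byte-string "signature"

def signature_alerts(packets):
    """Knowledge-based step: signature hits in the sensor's native tuple format."""
    return [(sid, src, proto) for src, proto, payload in packets
            for sid, needle in SIGNATURES.items() if needle in payload]

def to_unified(native):
    """Converter: native (sid, src, proto) tuples -> the unified alert schema."""
    return [{"kind": "signature", "src": s, "proto": p, "score": 1.0, "evidence": sid}
            for sid, s, p in native]

def anomaly_pool(packets):
    """Predetermined rule: group packets sharing (src, proto); count per group."""
    return dict(Counter((src, proto) for src, proto, _ in packets))

def behavioral_alerts(pool, history, k=3.0):
    """Flag a group whose count exceeds mean + k*stdev of its history, or is unseen."""
    out = []
    for (src, proto), count in pool.items():
        past = history.get((src, proto))
        z = 1.0 if past is None else (count - mean(past)) / (pstdev(past) or 1.0)
        if past is None or z > k:
            out.append({"kind": "behavior", "src": src, "proto": proto,
                        "score": round(z, 2), "evidence": f"{count} pkts vs {past}"})
    return out

def update_history(history, pool, alerts):
    """Roll this window into history, skipping alerted groups so a burst isn't 'normal'."""
    flagged = {(a["src"], a["proto"]) for a in alerts}
    new = {g: v[:] for g, v in history.items()}
    for group, count in pool.items():
        if group not in flagged:
            new.setdefault(group, []).append(count)
    return new

def run_window(packets=CURRENT_WINDOW, history=HISTORY):
    """Claim-1 flow for one window: returns (unified alerts, updated history)."""
    pool = anomaly_pool(packets)
    alerts = to_unified(signature_alerts(packets)) + behavioral_alerts(pool, history)
    return alerts, update_history(history, pool, alerts)
```

With the constructed data, the run yields one signature alert for the HTTP host and one behavioral alert for the SMTP burst, and only the unflagged DNS group is rolled into the stored history.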
Specification