Network intrusion detection visualization

US 8,245,301 B2
Filed: 09/15/2009
Issued: 08/14/2012
Est. Priority Date: 09/15/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A network monitoring and visualization system comprising:

a computer coupled to a network and adapted to receive data from the network, the computer including a computer readable medium having stored thereon software instructions for programming the computer to monitor the network and to provide a graphical visualization of monitored network activity, the software instructions, when executed by the computer, cause the computer to perform operations including;

retrieving a plurality of minimum description length (MDL) models, each MDL model representing a different network activity behavior and each MDL model including a grammar having a plurality of motifs;

receiving a network activity data sample corresponding to network activity;

applying the grammar of each MDL model to the data sample to determine a measure of similarity between the data sample and the MDL model corresponding to the grammar being applied;

characterizing the data sample based on the measure of similarity, including mapping a normalized difference value for each motif of a grammar to a generate a plurality of statistical features;

generating a plurality of intelligent icons, each corresponding to one of the MDL models and each including a plurality of graphical representations corresponding to one of the statistical features representing the normalized difference value of a respective one of the motifs for that MDL model;

simultaneously displaying the intelligent icons on a display device coupled to the computer;

determining a relative importance of a corresponding motif within the MDL model associated with that motif;

arranging the graphical representations based on the relative importance of the corresponding motif within the MDL model associated with that motif; and

dynamically updating the intelligent icons in response to changes in data associated with each respective intelligent icon, such that the intelligent icons displayed on the display device represent only the most recent data values of the corresponding MDL model.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network activity visualization system can include a minimum description length (MDL) based network intrusion detection system having an MDL grammar database adapted to store a plurality of MDL grammars, and a pattern matching module adapted to match a received network activity data set against the MDL grammars by calculating a distance of the network activity data set from each MDL grammar. The system can also include an intelligent icon module coupled to the MDL-based intrusion detection system and adapted to receive the MDL grammars and distances of a network data set from each respective MDL grammar, and adapted to generate intelligent icons based on the MDL grammars and distances. The system can further include a display system adapted to display the intelligent icons so as to provide a visual indication of network security.

Citations

23 Claims

1. A network monitoring and visualization system comprising:
- a computer coupled to a network and adapted to receive data from the network, the computer including a computer readable medium having stored thereon software instructions for programming the computer to monitor the network and to provide a graphical visualization of monitored network activity, the software instructions, when executed by the computer, cause the computer to perform operations including;
  
  retrieving a plurality of minimum description length (MDL) models, each MDL model representing a different network activity behavior and each MDL model including a grammar having a plurality of motifs;
  
  receiving a network activity data sample corresponding to network activity;
  
  applying the grammar of each MDL model to the data sample to determine a measure of similarity between the data sample and the MDL model corresponding to the grammar being applied;
  
  characterizing the data sample based on the measure of similarity, including mapping a normalized difference value for each motif of a grammar to a generate a plurality of statistical features;
  
  generating a plurality of intelligent icons, each corresponding to one of the MDL models and each including a plurality of graphical representations corresponding to one of the statistical features representing the normalized difference value of a respective one of the motifs for that MDL model;
  
  simultaneously displaying the intelligent icons on a display device coupled to the computer;
  
  determining a relative importance of a corresponding motif within the MDL model associated with that motif;
  
  arranging the graphical representations based on the relative importance of the corresponding motif within the MDL model associated with that motif; and
  
  dynamically updating the intelligent icons in response to changes in data associated with each respective intelligent icon, such that the intelligent icons displayed on the display device represent only the most recent data values of the corresponding MDL model.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the characterizing includes calculating a proximity between the data sample and the one or more MDL models.
  - 3. The system of claim 1, wherein the network activity is classified as normal activity or threat activity based on the characterization of the data sample.
  - 4. The system of claim 1, wherein the network activity is classified as a zero day attack when the data sample is determined to have a distance from each of the MDL models that is above a predetermined threshold.
  - 5. The system of claim 1, wherein the MDL models include a group of normal network activity models and a group of attack network activity models, and wherein intelligent icons corresponding to both groups are displayed simultaneously.
  - 6. The system of claim 5, wherein the statistical features indicate whether the network activity data is more likely correlated with the group of normal network activity MDL models or with the group of attack network activity MDL models.
  - 7. The system of claim 1, wherein the statistical features indicate a proximity of the network activity relative to one or more of the MDL models.
  - 8. The system of claim 1, wherein the statistical features indicate that the network activity data represents a new network behavior when the statistical features exceed a threshold distance from the MDL models.
  - 9. The system of claim 1, wherein the operations further include partitioning the network activity data sample according to the motifs of the MDL models in which each motif identifies a portion of the network activity data sample corresponding to that motif.

10. A network activity visualization system comprising:
- means for detecting network intrusions using an intrusion detection system having a mathematical model database adapted to store a plurality of mathematical models, and a pattern matching module adapted to match a received network activity data set against each mathematical model by calculating a distance of the network activity data set from a respective one of the mathematical models, the mathematical models including a plurality of minimum description length (MDL) models, each MDL model comprising a grammar having a plurality of motifs;
  
  means for generating a plurality of intelligent icons, each corresponding to one of the MDL models and each intelligent icon including a plurality of graphical representations corresponding to statistical features of respective motifs for that MDL model and for dynamically updating the intelligent icons in response to changes in data associated with each respective intelligent icon, such that the intelligent icons represent only the most recent data values of the corresponding MDL model; and
  
  means for displaying the intelligent icons so as to provide a visual indication of network security, wherein the displaying includes determining a relative importance of a corresponding motif within the MDL model associated with that motif and arranging the intelligent icons based on the relative importance of the corresponding motif within the MDL model associated with that motif.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The system of claim 10, wherein when the distance between the network activity data set and each of the mathematical models exceeds a predetermined threshold, the network activity data is identified as a new behavior and a mathematical modeling process is performed on the network activity data to generate a new mathematical model.
  - 12. The system of claim 11, wherein the new mathematical model is classified as a normal mathematical model or an attack mathematical model.
  - 13. The system of claim 12, wherein the new mathematical model is added to the mathematical model database.
  - 14. The system of claim 10, wherein the means for detecting network intrusions includes means for partitioning the network activity data set according to the motifs of the MDL models in which each motif identifies a portion of the network activity data set corresponding to that motif.

15. A computer-implemented method of intrusion detection visualization comprising:
- retrieving a plurality of minimum description length (MDL) models, each model representing a different network activity behavior;
  
  receiving network activity data corresponding to network activity;
  
  characterizing the network activity data using a computer programmed to perform intrusion detection visualization and the MDL models, the characterizing including generating, with the computer, a plurality of statistical features each representing a relationship between the network activity data and a respective one of the MDL models;
  
  associating, with the computer, each of a plurality of intelligent icons with a corresponding one of the MDL models;
  
  automatically altering, with the computer, an appearance of each intelligent icon based on at least one of said plurality of statistical features for said “
  
  in the phrase”
  
  automatically altering, with the computer, an appearance of each intelligent icon based on a statistical feature of the corresponding MDL model, and dynamically updating the intelligent icons in response to changes in data associated with each respective intelligent icon, such that the intelligent icons represent only the most recent data values of the corresponding MDL model;
  
  displaying one or more of the intelligent icons on a display device coupled to the computer, the intelligent icons providing a visual indication of the statistical feature of the corresponding MDL model;
  
  determining, with the computer, a relative importance of a corresponding motif within the MDL model associated with that motif; and
  
  arranging the intelligent icons based on a relative importance of a corresponding motif within the MDL model associated with that motif.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The method of claim 15, further arranging the intelligent icons on the display device based on a similarity of the statistical feature of the corresponding MDL model.
  - 17. The method of claim 15, wherein the characterizing includes calculating, with the computer, a proximity between the network activity data and the MDL models.
  - 18. The method of claim 15, wherein the network activity is classified as normal activity or threat activity based on a result of the characterizing.
  - 19. The method of claim 15, wherein the network activity is classified as a zero day attack when the network activity data is determined to have a distance from each of the MDL models that is above a predetermined threshold.
  - 20. The method of claim 15, wherein the MDL models include a group of normal network activity models and a group of attack network activity models.
  - 21. The method of claim 20, wherein each statistical feature of the relationship between the network activity data and a respective one of the MDL models, indicates whether the network activity data is more likely correlated with the group of normal network activity MDL models or with the group of attack network activity MDL models.
  - 22. The method of claim 15, wherein the method further comprises partitioning the network activity data according to a corresponding motif of an MDL model in which each motif identifies a portion of the network activity data corresponding to that motif.

23. A network monitoring and visualization system comprising:
- a computer coupled to a network and adapted to receive data from the network, the computer including a computer readable medium having stored thereon software instructions for programming the computer to monitor the network and to provide a graphical visualization of monitored network activity, the software instructions, when executed by the computer, cause the computer to perform operations including;
  
  retrieving a plurality of minimum description length (MDL) models, each MDL model representing a different network activity behavior and each MDL model including a grammar having a plurality of motifs;
  
  receiving a network activity data sample corresponding to network activity;
  
  applying the grammar of each MDL model to the data sample to determine a measure of similarity between the data sample and the MDL model corresponding to the grammar being applied;
  
  partitioning the network activity data sample according to motifs of each MDL model in which each motif identifies a portion of the network activity data sample corresponding to that motif;
  
  characterizing the data sample based on the measure of similarity, including mapping a normalized difference value for each motif of grammar to a generate a plurality of statistical features;
  
  generating a plurality of intelligent icons, each corresponding to one of the MDL models and each including a plurality of graphical representations corresponding to one of the statistical features representing the normalized difference value of a respective one of the motifs for that MDL model; and
  
  simultaneously displaying the intelligent icons on a display device coupled to the computer,wherein the MDL models include a group of normal network activity models and a group of attack network activity models, and wherein intelligent icons corresponding to both groups are displayed simultaneously on the display device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Original Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Inventors
Evans, Scott Charles, Markham, Thomas, Bejtlich, Richard, Impson, Jeremy, Steinbrecher, Eric
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
PARSONS, THEODORE C

Application Number

US12/560,297
Publication Number

US 20110067106A1
Time in Patent Office

1,064 Days
Field of Search

726 22- 25
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 43/045   for graphical visualisation...

H04L 63/1416   Event detection, e.g. attac...

Network intrusion detection visualization

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Network intrusion detection visualization

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links