Enabling network intrusion detection by representing network activity in graphical form utilizing distributed data sensors to detect and transmit activity data
First Claim
1. A method for generating a network activity graph comprising:
- at a control server, receiving from a first sensor at a first remote device, a message containing remote device information including an identification of the remote device and activity occurring at the remote device, wherein said first sensor comprises an adapter configured to enable sensed activity occurring at the first remote device to be packaged in a specialized format for transmission to the control server, and wherein said first sensor encapsulates the sensed activity into a specific transmission message recognizable by receiving components at the control server and forwards the message to the control server;
the control server fusing activity data retrieved from multiple ones of said message from respective multiple sensors, including the first sensor, located within the network, into an activity graph representative of the devices on the network and the activity and inter-activity occurring at and between the devices on the network;
the control server translating data within an activity report generated from the received activity data into a graph representation and incorporating the translated data into a combined activity graph;
the control server determining which elements within received activity reports are already represented by a node or edge within the activity graph in order to prevent duplication of a mapping within the activity graph of already represented elements;
the control server creating a new node or edge for only those elements not already represented within the activity graph;
the control server generating a request for secondary evidence and transmitting the request to the sensor of the remote device, wherein in response to receipt of a request for secondary evidence at the sensor of the remote device from the control server, said sensor is triggered to locate, package and transmit the requested additional evidence to the control server; and
in response to receipt of the secondary evidence at the control server, the control server automatically translating the secondary evidence into eGMIDS usable format and fusing the secondary evidence into the activity graph;
wherein said multiple sensors comprise an email sensor, which completes the functions of:
tracking emails between users on a network; and
monitoring an exchange of emails within a context, which context includes the sender's and recipient's other activities in addition to the exchange of emails on the network, said other activities being pre-determined to trigger said monitoring and which occur prior to or concurrent with the exchange of emails to trigger said monitoring, and wherein said monitoring includes monitoring a content of the email for key words that may be associated with a threat when placed in proper context, given the other activity of the sender and/or recipient of the email.
Abstract
A method, system, and computer program product for detecting and mapping activity occurring at and between devices on a computer network for utilization within an intrusion detection mechanism. An enhanced graph matching intrusion detection system (eGMIDS) utility executing on a control server provides data collection functions and data fusion techniques. The eGMIDS comprises multiple sensors and associated unique adaptors that are located at different remote devices of the network and utilized to detect specific types of activity occurring at the respective devices relevant to eGMIDS processing. The sensors convert the data into eGMIDS format and encapsulate the data in a special transmission packet that is transmitted to the control server. The eGMIDS utility converts the activity data within these packets into eGMIDS-usable format and then processes the converted data via a data fusion technique to generate a graphical representation of the network (devices) and the activity occurring at/amongst the various devices.
31 Claims
1. A method for generating a network activity graph comprising: the steps set out in full under First Claim above. - View Dependent Claims (2, 3, 4, 5, 6, 7)
8. A system for generating a graph representation of sensed activity data within a network, said system comprising:
- a control server having a processor which executes a software utility which comprises functional components that complete the functions of:
receiving from a first sensor at a first remote device, a message containing remote device information including an identification of the remote device and activity occurring at the remote device, wherein said first sensor comprises an adapter configured to enable sensed activity occurring at the first remote device to be packaged in a specialized format for transmission to the control server, and wherein said first sensor encapsulates the sensed activity into a specific transmission message recognizable by receiving components at the control server and forwards the message to the control server;
wherein the multiple sensors comprise: (a) an email sensor that tracks emails between users on the network and monitors a content for key words that may be associated with a threat when placed in proper context, given other activity of a sender and/or recipient of an email; and (b) one or more of: a chat log sensor that identifies an occurrence of an exchange of communication between users; a traffic summary sensor that tracks a volume of traffic moving through each point in the network, as well as a source and destination of traffic data; a keystroke sensor that distinguishes among users at a host device based on a timing of keystrokes of the users; an encrypted session sensor that determines whether or not a particular transmission control protocol (TCP) session is transferring encrypted or plain text data, based on statistics of the data being transferred to enable detection of encrypted sessions on ports that should be plain text and non-encrypted sessions on ports that should be encrypted, wherein information from the sensor is utilized as additional context to distinguish between threatening and benign activity; and a host device fingerprinting sensor that allows an individual remote computer to be identified even if the computer is sending or receiving data under multiple internet protocol (IP) address aliases, wherein information received enables restructuring of nodes and edges representing that host to more accurately reflect the activity of the host and expose attackers that are trying to disguise their attacks by spreading the attacks across multiple source IP addresses;
a sensor data fusion utility executing within the control server and that configures the processor to: fuse activity data retrieved from multiple ones of said message received from respective multiple sensors, including the first sensor and one or more other sensors located within the network, into an activity graph representative of the devices on the network and the activity and inter-activity occurring at and between the devices on the network; translate data within an activity report generated from the received activity data into a graph representation and incorporate the translated data into a combined activity graph; determine which elements within received activity reports are already represented by a node or edge within the activity graph in order to prevent duplication of a mapping within the activity graph of already represented elements; and create a new node or edge for only those elements not already represented within the activity graph;
the control server generates a request for secondary evidence and transmits the request to the sensor of the remote device, wherein in response to receiving a request for secondary evidence at the sensor of the remote device from the control server, said sensor locates, packages and transmits the requested additional evidence to the control server; and
in response to receipt of the secondary evidence at the control server, the control server automatically translates the secondary evidence into eGMIDS usable format and fuses the secondary evidence into the activity graph. - View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
17. A computer program product comprising:
- a non-transitory recordable type medium; and
program code on the recordable type medium for generating a graph representation of sensed activity data within a network, said program code comprising a software utility executing at a control server and which comprises functional components for completing the functions of:
at the control server, receiving from a first sensor at a first remote device, a message containing remote device information including an identification of the remote device and activity occurring at the remote device, wherein said first sensor comprises an adapter configured to enable sensed activity occurring at the first remote device to be packaged in a specialized format for transmission to the control server, and wherein said first sensor encapsulates the sensed activity into a specific transmission message recognizable by receiving components at the control server and forwards the message to the control server; and
fusing activity data retrieved from multiple ones of said message from multiple sensors, including the first sensor, located within the network, into an activity graph representative of the devices on the network and the activity and inter-activity occurring at and between the devices on the network;
translating data within an activity report generated from the received activity data into a graph representation and incorporating the translated data into a combined activity graph;
determining which elements within received activity reports are already represented by a node or edge within the activity graph in order to prevent duplication of a mapping within the activity graph of already represented elements;
creating a new node or edge for only those elements not already represented within the activity graph;
generating a request for secondary evidence and transmitting the request to the sensor of the remote device, wherein in response to receipt of a request for secondary evidence at the sensor of the remote device from the control server, said sensor is triggered to locate, package and transmit the requested additional evidence to the control server; and
in response to receipt of the secondary evidence at the control server, automatically translating the secondary evidence into eGMIDS usable format and fusing the secondary evidence into the activity graph;
wherein said multiple sensors comprise an email sensor, which completes the functions of:
tracking emails between users on a network; and
monitoring an exchange of emails within a context, which context includes the sender's and recipient's other activities in addition to the exchange of emails on the network, said other activities being pre-determined to trigger said monitoring and which occur prior to or concurrent with the exchange of emails to trigger said monitoring, and wherein said monitoring includes monitoring a content of the email for key words that may be associated with a threat when placed in proper context, given the other activity of the sender and/or recipient of the email. - View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
26. A method for generating a network activity graph comprising:
- at a control server, receiving from a first sensor at a first remote device, a message containing remote device information including an identification of the remote device and activity occurring at the remote device, wherein said first sensor comprises an adapter configured to enable sensed activity occurring at the first remote device to be packaged in a specialized format for transmission to the control server, and wherein said first sensor encapsulates the sensed activity into a specific transmission message recognizable by receiving components at the control server and forwards the message to the control server; and
the control server fusing activity data retrieved from multiple ones of said message from multiple sensors, including the first sensor, located within the network into an activity graph representative of the devices on the network and the activity and inter-activity occurring at and between the devices on the network;
the control server translating data within an activity report generated from the received activity data into a graph representation and incorporating the translated data into a combined activity graph;
the control server determining which elements within received activity reports are already represented by a node or edge within the activity graph in order to prevent duplication of a mapping within the activity graph of already represented elements;
the control server creating a new node or edge for only those elements not already represented within the activity graph;
the control server generating a request for secondary evidence and transmitting the request to the sensor of the remote device, wherein in response to receipt of a request for secondary evidence at the sensor of the remote device from the control server, said sensor is triggered to locate, package and transmit the requested additional evidence to the control server; and
in response to receipt of the secondary evidence at the control server, the control server automatically translating the secondary evidence into eGMIDS usable format and fusing the secondary evidence into the activity graph;
wherein the multiple sensors comprise at least two sensors from among:
a Snort sensor, a Tripwire sensor, a traffic summary sensor, a keystroke sensor, an encrypted session sensor, and a host device fingerprinting sensor. - View Dependent Claims (27, 28, 29, 30, 31)
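The fusion loop the independent claims describe (ingest sensor messages, create a node or edge only for elements not already represented, and request and fuse secondary evidence when an email key word appears in context) is shown below as an added example; it is not the patent's own code, and the message envelope, field names, the key-word list and the triggering activity kind are all assumptions.

```python
from dataclasses import dataclass, field
# Constructed sample messages in an assumed envelope: (sensor, device, activity list).
MESSAGES = [
    {"sensor": "chat_log", "device": "chat-1", "activity": [
        {"actor": "alice", "peer": "bob", "kind": "chat"}]},
    {"sensor": "email", "device": "mail-1", "activity": [
        {"actor": "alice", "peer": "bob", "kind": "email", "body": "send the payroll export tonight"}]},
    {"sensor": "chat_log", "device": "chat-1", "activity": [
        {"actor": "alice", "peer": "bob", "kind": "chat"}]},  # repeat: yields no new node or edge
]
TRIGGER_KINDS = {"chat"}          # assumed pre-determined activity that puts an email "in context"
KEYWORDS = {"payroll", "export"}  # assumed key-word list

@dataclass
class ActivityGraph:
    nodes: dict = field(default_factory=dict)  # node_id -> attributes
    edges: dict = field(default_factory=dict)  # (src, dst, kind) -> times reported
    evidence_requests: list = field(default_factory=list)

    def add_node(self, node_id, **attrs):  # create only if not already represented
        if node_id in self.nodes:
            self.nodes[node_id].update(attrs)
            return False
        self.nodes[node_id] = dict(attrs)
        return True

    def add_edge(self, src, dst, kind):  # create only if not already represented
        self.edges[(src, dst, kind)] = self.edges.get((src, dst, kind), 0) + 1
        return self.edges[(src, dst, kind)] == 1

def fuse(graph, msg):
    """Translate one sensor message into graph elements; return (new_nodes, new_edges)."""
    new_n, new_e = int(graph.add_node(msg["device"], sensor=msg["sensor"])), 0
    for act in msg["activity"]:
        new_n += graph.add_node(act["actor"]) + graph.add_node(act["peer"])
        new_e += graph.add_edge(act["actor"], act["peer"], act["kind"])
        hit = msg["sensor"] == "email" and KEYWORDS & set(act.get("body", "").split())
        ctx = any(k in TRIGGER_KINDS and act["actor"] in (s, d) for s, d, k in graph.edges)
        if hit and ctx:  # a key-word hit matters only in context: sender has a triggering edge
            graph.evidence_requests.append((msg["sensor"], msg["device"], act["actor"]))
    return new_n, new_e

def run():
    g = ActivityGraph()
    stats = [fuse(g, m) for m in MESSAGES]
    for sensor, device, actor in list(g.evidence_requests):  # sensor's constructed reply
        reply = {"sensor": sensor, "device": device, "activity": [
            {"actor": actor, "peer": "file:payroll.xlsx", "kind": "attached"}]}
        stats.append(fuse(g, reply))  # secondary evidence is fused through the same path
    return g, stats
```

`run()` returns the fused graph and, per message, how many nodes and edges were actually new; the repeated chat report adds nothing, and only the in-context email triggers a secondary-evidence request.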