System and method for a distributed application and network security system (SDI-SCAM)

DC CAFC

US 8,327,442 B2
Filed: 12/24/2003
Issued: 12/04/2012
Est. Priority Date: 12/24/2002
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A distributed security system that protects individual computers in a computer network having a plurality of computers, said system comprising individual computers having agents associated therewith that control the associated individual computer, each agent performing the steps of:

creating statistical models of usage of the associated individual computer in said computer network;

gathering and analyzing information relating to current usage of the associated individual computer in said computer network;

determining from said information a pattern of usage of the associated individual computer that is consistent with intrusion or attack of the associated individual computer or the computer network;

determining a probability of the likelihood of an intrusion or attack from said pattern of usage of the associated individual computer;

distributing in real-time warnings and potential countermeasures to agents of each of said individual computers in said computer network when the determined probability of the likelihood of an intrusion or attack exceeds a statistical threshold, wherein at least one of said warnings comprises information related to the nature of the intrusion or attack and the determined probability of the likelihood of intrusion or attack based on the statistical models of the associated individual computer; and

updating said statistical models of the associated individual computer to reflect the current usage of the associated individual computer in said computer network and the likelihood of intrusion or attack;

wherein each said agent schedules the associated individual computers for different anti-viral software updates based on different levels of probability of an intrusion or attack for each individual computer based on the statistical model for each individual computer and a detected level of probability of an intrusion or attack; and

wherein each said agent suspends said schedule and immediately provides the anti-viral software update to the associated individual computer when an intrusion or attack of any computer in said computer network is detected or the detected probability of an intrusion or attack is high that the associated individual computer has been infected by a particular type of virus.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

This document discloses the architecture and proposed application of a highly distributed network security system. Using a combination of intelligent client-side and server-side agents, redundant memory arrays, duplicate network connections, and a variety of statistical analytics, which are cleverly designed to anticipate, counteract and defeat likely strategic designs, behaviors and adaptations of these threats which may be intended to evade or even disable the network security system, this system serves to detect, prevent, and repair a wide variety of network intrusions.

82 Citations

View as Search Results

33 Claims

1. A distributed security system that protects individual computers in a computer network having a plurality of computers, said system comprising individual computers having agents associated therewith that control the associated individual computer, each agent performing the steps of:
- creating statistical models of usage of the associated individual computer in said computer network;
  
  gathering and analyzing information relating to current usage of the associated individual computer in said computer network;
  
  determining from said information a pattern of usage of the associated individual computer that is consistent with intrusion or attack of the associated individual computer or the computer network;
  
  determining a probability of the likelihood of an intrusion or attack from said pattern of usage of the associated individual computer;
  
  distributing in real-time warnings and potential countermeasures to agents of each of said individual computers in said computer network when the determined probability of the likelihood of an intrusion or attack exceeds a statistical threshold, wherein at least one of said warnings comprises information related to the nature of the intrusion or attack and the determined probability of the likelihood of intrusion or attack based on the statistical models of the associated individual computer; and
  
  updating said statistical models of the associated individual computer to reflect the current usage of the associated individual computer in said computer network and the likelihood of intrusion or attack;
  
  wherein each said agent schedules the associated individual computers for different anti-viral software updates based on different levels of probability of an intrusion or attack for each individual computer based on the statistical model for each individual computer and a detected level of probability of an intrusion or attack; and
  
  wherein each said agent suspends said schedule and immediately provides the anti-viral software update to the associated individual computer when an intrusion or attack of any computer in said computer network is detected or the detected probability of an intrusion or attack is high that the associated individual computer has been infected by a particular type of virus.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 31)
- - 2. The system of claim 1, wherein said at least one warning comprises a relative probabilistic likelihood that a detected potential intrusion or attack based on said detected pattern of usage has certain characteristics or strategic objectives and said potential countermeasures comprise a most appropriate countermeasure for one or more most probable intrusions or attacks based on said detected pattern of usage.
  - 3. The system of claim 1, wherein at least one of said agents distributes to said individual computers in said computer network information relating to repairs conducted in response to detected intrusions or attacks.
  - 4. The system of claim 1, wherein each said agent is provided in a security system installed in each of a plurality of individual computers in said computer network.
  - 5. The system of claim 1, wherein each said agent is provided in a system that is provided in addition to a security system installed in each of a plurality of individual computers in said computer network.
  - 6. The system of claim 1, wherein each said agent is provided on a router for providing said information to individual computers or computer networks connected to said router.
  - 7. The system of claim 1, wherein agents associated with individual computers in said computer network communicate said information and said real-time warnings and potential countermeasures in a peer to peer fashion.
  - 8. The system of claim 1, wherein agents associated with individual computers in said computer network communicate said information and said real-time warnings and potential countermeasures to a central server for distribution to agents associated with other individual computers in said computer network.
  - 9. The system of claim 1, wherein individual computers in said computer network each comprise redundant memory systems that persistently mirror the contents of primary memory of each said individual computer.
  - 10. The system of claim 1, wherein said information comprises at least one of traffic data amongst individual computers in said computer network and metadata associated with one or more accessors of said individual computers in said computer network.
  - 11. The system of claim 1, wherein each said agent comprises a virus scanner that checks code of each said individual computer for patterns associated with viruses or malicious programming.
  - 12. The system of claim 1, wherein each said agent distributes shared set keys and parameters for updating said statistical models to each of said individual computers in said computer network.
  - 13. The system of claim 1, wherein each said agent communicates with other individual computers based on characteristics of the computer network that may change from moment to moment based on a probabilistic determination of a threat level of a particular intruder or attack.
  - 14. The system of claim 1, wherein each said agent schedules said different individual computers for different anti-viral software updates based on different levels of probability of an intrusion or attack for each different individual computer.
  - 15. The system of claim 1, wherein each said agent comprises a Bayesian network that constantly gauges a probability of an ongoing attack based on traffic activity in said computer network.
  - 16. The system of claim 1, wherein said warnings comprise information related to a particular nature and probability of a detected intrusion or attack.
  - 17. The system of claim 1, wherein said detected pattern of usage is compared against a security database to determine if said pattern of usage is consistent with a known intrusion or attack.
  - 31. The system of claim 1, each agent further receiving warnings and potential countermeasures from agents of other of said individual computers in said computer network when the determined probability of the likelihood of an intrusion or attack exceeds a statistical threshold, wherein at least one of said warnings comprises information related to the nature of the intrusion or attack and the determined probability of the likelihood of intrusion or attack based on the statistical models of said individual computers.

18. A method of protecting individual computers in a computer network having a plurality of computers, wherein individual computers have associated agents that control said individual computers to perform the steps of:
- creating statistical models of usage of said individual computer in said computer network;
  
  gathering and analyzing information relating to current usage of said individual computer in said computer network;
  
  determining from said information a pattern of usage of said individual computer that is consistent with intrusion or attack of the individual computer or the computer network;
  
  determining a probability of the likelihood of an intrusion or attack from said pattern of usage of said individual computer;
  
  distributing in real-time warnings and potential countermeasures to agents of each of said individual computers in said computer network when the determined probability of the likelihood of an intrusion or attack exceeds a statistical threshold, wherein at least one of said warnings comprises information related to the nature of the intrusion or attack and the determined probability of the likelihood of intrusion or attack based on the statistical models of said individual computer;
  
  updating said statistical models of said individual computer to reflect the current usage of said individual computer in said computer network and the likelihood of intrusion or attack;
  
  scheduling the individual computers associated with respective agents for different anti-viral software updates based on different levels of probability of an intrusion or attack for each different individual computer based on the statistical model for the computer to be updated and a detected level of probability of an intrusion or attack; and
  
  suspending said schedule and immediately providing the anti-viral software update to the individual computer associated with an agent when an intrusion or attack of any computer in said computer network is detected or the detected probability of an intrusion or attack is high that the computer associated with the agent has been infected by a particular type of virus.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 32)
- - 19. The method of claim 18, wherein said warning comprises a relative probabilistic likelihood that a detected potential intrusion or attack based on said detected pattern of usage has certain characteristics or strategic objectives and said potential countermeasures comprise a most appropriate countermeasure for one or more most probable intrusions or attacks based on said detected pattern of usage.
  - 20. The method of claim 18, wherein at least one of said agents further distributes to said individual computers in said computer network information relating to repairs conducted in response to detected intrusions or attacks.
  - 21. The method of claim 18, wherein said information and said real-time warnings and potential countermeasures are communicated amongst agents of individual computers in said computer network in a peer to peer fashion.
  - 22. The method of claim 18, wherein said information and said real-time warnings and potential countermeasures are communicated from agents of individual computers in said computer network to a central server for distribution to other individual computers in said computer network.
  - 23. The method of claim 18, wherein said information comprises at least one of traffic data amongst individual computers in said computer network and metadata associated with one or more accessors of said individual computers in said computer network.
  - 24. The method of claim 18, wherein each said agent further checks code of each said individual computer for patterns associated with viruses or malicious programming.
  - 25. The method of claim 18, wherein each said agent further distributes shared set keys and parameters for updating said statistical models to each of said individual computers in said computer network.
  - 26. The method of claim 18, further comprising an individual computer communicating with other individual computers based on characteristics of the computer network that may change from moment to moment based on a probabilistic determination of a threat level of a particular intruder or attack.
  - 27. The method of claim 18, wherein each said agent further schedules said different individual computers for different anti-viral software updates based on different levels of probability of an intrusion or attack for each different individual computer.
  - 28. The method of claim 18, wherein said warnings comprise information related to a particular nature and probability of a detected intrusion or attack.
  - 29. The method of claim 18, wherein said detected pattern of usage is compared against a security database by at least one of said agents to determine if said pattern of usage is consistent with a known intrusion or attack.
  - 32. The method of claim 18, each agent further receiving warnings and potential countermeasures from agents of other of said individual computers in said computer network when the determined probability of the likelihood of a intrusion or attack exceeds a statistical threshold, wherein at least one of said warnings comprises information related to the nature of the intrusion or attack and the determined probability of the likelihood of intrusion or attack based on the statistical models of said individual computers.

30. A distributed security system that protects individual computers in a computer network having a plurality of computers, wherein said distributed security system comprises at least one security computer that is fully isolated from said computer network having said individual computers and said at least one security computer includes an agent that controls said at least one security computer to perform the steps of:
- creating statistical models of usage of said individual computers in said computer network;
  
  gathering and analyzing information relating to current usage of said individual computers in said computer network;
  
  determining from said information a pattern of usage of said individual computers that is consistent with intrusion or attack of the individual computers or the computer network;
  
  determining a probability of the likelihood of an intrusion or attack from said pattern of usage of said individual computers;
  
  distributing in real-time warnings and potential countermeasures to agents of each of said individual computers in said computer network when the determined probability of the likelihood of an intrusion or attack exceeds a statistical threshold, wherein at least one of said warnings comprises information related to the nature of the intrusion or attack and the determined probability of the likelihood of intrusion or attack based on the statistical models of said individual computers; and
  
  updating said statistical models of said individual computers to reflect the current usage of said individual computers in said computer network and the likelihood of intrusion or attack;
  
  wherein said agent controls said at least one security computer to perform the steps of;
  
  scheduling different individual computers for an anti-viral software update based on the statistical models of the individual computers and a detected level of probability of an intrusion or attack of the individual computers; and
  
  suspending said schedule and immediately providing the anti-viral software update to at least one individual computer when an intrusion or attack of any computer in said computer network is detected or the detected probability of an intrusion or attack is high that said at least one individual computer has been infected by a particular type of virus.
- View Dependent Claims (33)
- - 33. The system of claim 30, each agent further receiving warnings and potential countermeasures from other of said individual computers in said computer network when the determined probability of the likelihood of an intrusion or attack exceeds a statistical threshold, wherein at least one of said warnings comprises information related to the nature of the intrusion or attack and the determined probability of the likelihood of intrusion or attack based on the statistical models of said individual computers.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Inventship LLC
Original Assignee
Frederick S.M. Herz, Walter Paul Labys
Inventors
Herz, Frederick S. M., LABYS, WALTER PAUL
Primary Examiner(s)
SHAW, YIN CHEN

Application Number

US10/746,825
Publication Number

US 20060053490A1
Time in Patent Office

3,268 Days
Field of Search

726 22- 25, 713/182, 713/188
US Class Current

726/23
CPC Class Codes

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

System and method for a distributed application and network security system (SDI-SCAM)

First Claim

2 Assignments

Litigations

0 Petitions

Accused Products

Abstract

82 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for a distributed application and network security system (SDI-SCAM)

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links