Adaptive behavioral intrusion detection systems and methods
First Claim
1. A method, comprising:
- performing, using one or more computer systems:
identifying normal behavior in a network based, at least in part, upon network traffic sampled over a period of time;
receiving packets transmitted through the network;
selecting a portion of the received packets that does not display the normal behavior based, at least in part, upon a comparison between the received packets and the normal behavior;
rating the selected packets, at least in part, according to their deviations from the normal behavior;
generating an alert in response to one or more of the selected packets having a rating that meets a threshold value, the alert having a strength assigned thereto, the strength associated with the alert's abnormality;
receiving a human-assigned score associated with the alert, the score being reflective of a prediction accuracy;
combining the strength and the score associated with the alert into a strength-score value; and
determining whether to escalate the alert as a function of the strength-score value.
Abstract
Systems and methods for analyzing historical network traffic and determining which traffic does not belong in a network are disclosed. Intrusion detection is performed over a period of time, looking for behavioral patterns within networks or information systems and generating alerts when these patterns change. The intrusion detection system intelligently forms correlations between disparate sources to find traffic anomalies. Over time, behaviors are predictive, and the intrusion detection system attempts to predict outcomes, becoming proactive instead of just reactive. Intrusions occur throughout whole information systems, including both network infrastructure and application servers. By treating the information system as a whole and performing intrusion detection across it, the chances of detection are increased significantly.
20 Claims
1. A method, as set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.
14. A tangible non-transitory computer storage medium having program instructions stored thereon that, upon execution by a processor within a computer system, cause the computer system to:
receive packets transmitted through a network;
exclude, from the received packets, packets that display a normal behavior based, at least in part, upon a comparison between the received packets and the normal behavior;
rate remaining ones of the received packets as a function of their deviations from the normal behavior;
generate an alert in response to one or more of the remaining packets having a rating that meets a threshold value;
identify a source associated with the alert; and
apply a Resistance-to-Change (RTC) bias to the rating, the RTC bias associated with the source and configured to reduce a magnitude of the rating.
Dependent claims: 15, 16, 17.
18. A system, comprising:
a processor; and
a memory coupled to the processor, the memory configured to store program instructions executable by the processor to cause the system to:
receive packets transmitted through a network;
eliminate packets that display a normal behavior based, at least in part, upon a comparison between the packets and the normal behavior;
generate an alert in response to one or more remaining packets having a rating that meets a threshold value;
apply a Resistance-to-Change (RTC) bias to the rating, the RTC bias associated with a source corresponding to the alert and configured to reduce a magnitude of the rating;
assign a strength to the alert, the strength associated with the alert's abnormality;
receive a human-assigned score associated with the alert, the score being reflective of a prediction accuracy;
combine the strength and the score associated with the alert into a strength-score value; and
determine whether to escalate the alert as a function of the strength-score value.
Dependent claims: 19, 20.
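The independent claims describe one pipeline: learn normal behavior from sampled traffic, rate live packets by their deviation, alert when a rating meets a threshold, damp the rating with a per-source Resistance-to-Change (RTC) bias, assign a strength, combine it with a human-assigned accuracy score, and escalate on the result. The following toy model is an added illustration of that pipeline, not code from the patent or its assignee. Everything specific is assumed: "normal behavior" is modelled as per-destination-port packet-size statistics, the rating is a z-score (with a fixed high rating for a never-seen port), the RTC bias is a factor in [0, 1) multiplied into the rating, strength is the rating scaled against three times the alert threshold, the strength-score value is the product of strength and human score, and the RTC bias is applied after alert generation, following the order of claim 18. The sample and live packets, bias table and human scores are constructed, not captured data.

```python
"""Toy model of the claimed adaptive behavioural IDS pipeline (added illustration)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str       # source address
    dst_port: int  # destination port
    size: int      # payload size in bytes


@dataclass
class Alert:
    key: str         # identifies the alert; here "src->dst_port" (assumed)
    src: str         # source associated with the alert (claim 14)
    rating: float    # deviation rating after the RTC bias
    strength: float  # strength in (0, 1], derived from the alert's abnormality


# Normal behaviour: per destination port, (mean, std-dev) of packet size learned
# from traffic sampled over a period of time. Assumed feature choice.
Baseline = Dict[int, Tuple[float, float]]

UNSEEN_PORT_RATING = 10.0  # assumed rating for a port absent from the sample
NORMAL_BAND = 2.0          # assumed: within 2 sigma is "normal behaviour"
ALERT_THRESHOLD = 4.0      # assumed rating at which an alert is generated
ESCALATE_AT = 0.5          # assumed strength-score value that escalates


def learn_baseline(sample: List[Packet]) -> Baseline:
    by_port: Dict[int, List[int]] = {}
    for p in sample:
        by_port.setdefault(p.dst_port, []).append(p.size)
    baseline: Baseline = {}
    for port, sizes in by_port.items():
        sd = pstdev(sizes)
        baseline[port] = (mean(sizes), sd if sd > 0 else 1.0)  # guard divide-by-zero
    return baseline


def rate(p: Packet, baseline: Baseline) -> float:
    """Rate a packet by its deviation from normal behaviour (z-score of size)."""
    if p.dst_port not in baseline:
        return UNSEEN_PORT_RATING
    mu, sd = baseline[p.dst_port]
    return abs(p.size - mu) / sd


def select_abnormal(packets: List[Packet], baseline: Baseline):
    """Keep only packets that do not display the normal behaviour."""
    rated = [(p, rate(p, baseline)) for p in packets]
    return [(p, r) for p, r in rated if r > NORMAL_BAND]


def apply_rtc_bias(rating: float, src: str, rtc_bias: Dict[str, float]) -> float:
    """RTC bias: per-source factor in [0, 1) that reduces the rating's magnitude."""
    b = rtc_bias.get(src, 0.0)
    if not 0.0 <= b < 1.0:
        raise ValueError(f"RTC bias for {src} must be in [0, 1)")
    return rating * (1.0 - b)


def strength_of(rating: float) -> float:
    # Strength saturates at three times the alert threshold (assumed mapping).
    return min(1.0, rating / (3 * ALERT_THRESHOLD))


def generate_alerts(packets, baseline, rtc_bias) -> List[Alert]:
    alerts = []
    for p, r in select_abnormal(packets, baseline):
        if r < ALERT_THRESHOLD:
            continue                                   # abnormal but not alert-worthy
        biased = apply_rtc_bias(r, p.src, rtc_bias)    # claim 18 order: bias after alert
        alerts.append(Alert(f"{p.src}->{p.dst_port}", p.src, biased, strength_of(biased)))
    return alerts


def strength_score(alert: Alert, human_score: float) -> float:
    """Combine strength with the human-assigned prediction-accuracy score (product, assumed)."""
    if not 0.0 <= human_score <= 1.0:
        raise ValueError("human score must be in [0, 1]")
    return alert.strength * human_score


def should_escalate(alert: Alert, human_score: float) -> bool:
    return strength_score(alert, human_score) >= ESCALATE_AT


# Constructed traffic, not captured data.
SAMPLE = ([Packet("10.0.0.5", 443, s) for s in (480, 500, 520, 510, 490)]
          + [Packet("10.0.0.5", 53, s) for s in (70, 80, 90, 85, 75)])
LIVE = [
    Packet("10.0.0.5", 443, 505),  # normal
    Packet("10.0.0.5", 443, 540),  # abnormal, but below the alert threshold
    Packet("10.0.0.5", 53, 400),   # oversize DNS: strongly abnormal
    Packet("10.0.0.2", 4444, 60),  # unseen port from a host with a high RTC bias
    Packet("10.0.0.9", 4444, 60),  # unseen port from an ordinary host
]
RTC_BIAS = {"10.0.0.2": 0.7}       # constructed: this host's behaviour changes often
HUMAN_SCORES = {"10.0.0.5->53": 0.9, "10.0.0.2->4444": 0.9, "10.0.0.9->4444": 0.3}


def run_pipeline():
    baseline = learn_baseline(SAMPLE)
    alerts = generate_alerts(LIVE, baseline, RTC_BIAS)
    decisions = {a.key: should_escalate(a, HUMAN_SCORES[a.key]) for a in alerts}
    return alerts, decisions


if __name__ == "__main__":
    for a, (key, esc) in zip(*run_pipeline(), run_pipeline()[1].items()) if False else []:
        pass
    alerts, decisions = run_pipeline()
    for a in alerts:
        print(f"{a.key}: rating={a.rating:.2f} strength={a.strength:.2f} escalate={decisions[a.key]}")
```

Running it yields three alerts. The oversize DNS packet rates about 45 sigma, saturates at strength 1.0 and, with a human score of 0.9, escalates. The unseen-port packet from 10.0.0.2 is also alert-worthy, but the 0.7 RTC bias cuts its rating from 10 to 3 and its strength to 0.25, so even a 0.9 human score does not reach the escalation value. The same packet from 10.0.0.9 keeps strength 0.83, but the analyst's 0.3 accuracy score holds the strength-score value at 0.25, so it is not escalated either: the two mechanisms damp escalation from different directions, source history on one side and human feedback on the other.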
Specification