Adaptive behavioral intrusion detection systems and methods

US 8,448,247 B2
Filed: 04/23/2012
Issued: 05/21/2013
Est. Priority Date: 03/29/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method, comprising:

performing, using one or more computer systems;

identifying normal behavior in a network based, at least in part, upon network traffic sampled over a period of time;

receiving packets transmitted through the network;

selecting a portion of the received packets that does not display the normal behavior based, at least in part, upon a comparison between the received packets and the normal behavior;

rating the selected packets, at least in part, according to their deviations from the normal behavior;

generating an alert in response to one or more of the selected packets having a rating that meets a threshold value, the alert having a strength assigned thereto, the strength associated with the alert'"'"'s abnormality;

receiving a human-assigned score associated with the alert, the score being reflective of a prediction accuracy;

combining the strength and the score associated with the alert into a strength-score value; and

determining whether to escalate the alert as a function of the strength-score value.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for analyzing historical network traffic and determining which traffic does not belong in a network are disclosed. Intrusion detection is performed over a period of time, looking for behavioral patterns within networks or information systems and generating alerts when these patterns change. The intrusion detection system intelligently forms correlations between disparate sources to find traffic anomalies. Over time, behaviors are predictive, and the intrusion detection system attempts to predict outcomes, becoming proactive instead of just reactive. Intrusions occur throughout whole information systems, including both network infrastructure and application servers. By treating the information system as a whole and performing intrusion detection across it, the chances of detection are increased significantly.

Citations

20 Claims

1. A method, comprising:
- performing, using one or more computer systems;
  
  identifying normal behavior in a network based, at least in part, upon network traffic sampled over a period of time;
  
  receiving packets transmitted through the network;
  
  selecting a portion of the received packets that does not display the normal behavior based, at least in part, upon a comparison between the received packets and the normal behavior;
  
  rating the selected packets, at least in part, according to their deviations from the normal behavior;
  
  generating an alert in response to one or more of the selected packets having a rating that meets a threshold value, the alert having a strength assigned thereto, the strength associated with the alert'"'"'s abnormality;
  
  receiving a human-assigned score associated with the alert, the score being reflective of a prediction accuracy;
  
  combining the strength and the score associated with the alert into a strength-score value; and
  
  determining whether to escalate the alert as a function of the strength-score value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the network includes disparate sources, and wherein the disparate sources include at least one server and at least one firewall.
  - 3. The method of claim 1, wherein the period of time is sufficient to yield a statistically significant sample of historical traffic data.
  - 4. The method of claim 1, wherein identifying the normal behavior includes determining one or more sequences of behavioral patterns, each sequence including a series of network events ordered in time.
  - 5. The method of claim 1, wherein identifying the normal behavior includes determining one or more thresholds of behavioral patterns, each of the one or more thresholds of behavioral patterns including a number of network events.
  - 6. The method of claim 1, wherein selecting the portion of the received packets that do not display the normal behavior includes excluding those among the received packets that display the normal behavior.
  - 7. The method of claim 1, wherein rating the selected packets includes scoring the selected packets independently of one or more criteria used in the selection.
  - 8. The method of claim 1, wherein rating the selected packets further comprises:
    - grouping the selected packets into sets of packets, each packet within a given set of packets having a characteristic in common with other packets of the same set of packets;
      
      comparing each of the sets of packets against the normal behavior; and
      
      scoring each packet within a given set of packets according to the given set of packet'"'"'s deviation from the normal behavior.
  - 9. The method of claim 8, wherein the characteristic includes at least one of:
    - a source port, a destination port, a source address, a destination address, or a protocol.
  - 10. The method of claim 8, wherein scoring each packet includes generating statistics configured to correlate two or more of the sets of packets.
  - 11. The method of claim 1, wherein generating the alert further comprises:
    - performing, using the one or more computer systems;
      
      identifying a source associated with the alert; and
      
      applying a Resistance-to-Change (RTC) bias to the rating, the RTC bias associated with the source and configured to reduce a magnitude of the rating.
  - 12. The method of claim 1, further comprising:
    - performing, using the one or more computer systems;
      
      updating the normal behavior based, at least in part, upon the alert.
  - 13. The method of claim 1, further comprising:
    - performing the identifying, receiving, selecting, rating, and generating operations across a plurality of networks; and
      
      compiling results in a global database.

14. A tangible non-transitory computer storage medium having program instructions stored thereon that, upon execution by a processor within a computer system, cause the computer system to:
- receive packets transmitted through a network;
  
  exclude, from the received packets, packets that display a normal behavior based, at least in part, upon a comparison between the received packets and the normal behavior;
  
  rate remaining ones of the received packets as a function of their deviations from the normal behavior;
  
  generate an alert in response to one or more of the remaining packets having a rating that meets a threshold value;
  
  identify a source associated with the alert; and
  
  apply a Resistance-to-Change (RTC) bias to the rating, the RTC bias associated with the source and configured to reduce a magnitude of the rating.
- View Dependent Claims (15, 16, 17)
- - 15. The non-transitory computer storage medium of claim 14, wherein the normal behavior is identified based, at least in part, upon network traffic sampled over a period of time sufficient to yield a statistically significant sample of historical traffic data.
  - 16. The non-transitory computer storage medium of claim 15, wherein the normal behavior includes at least one of:
    - (a) one or more sequences of behavioral patterns, each sequence including a series of network events ordered in time, or (b) one or more thresholds of behavioral patterns, each threshold including a number of network events.
  - 17. The non-transitory computer storage medium of claim 16, wherein the receive, exclude, rate, generate, identify, and apply occur across a plurality of networks, and wherein the program instructions, upon execution, further cause the computer system to:
    - compile results in a global database; and
      
      update historical data based on the results from the global database.

18. A system, comprising:
- a processor; and
  
  a memory coupled to the processor, the memory configured to store program instructions executable by the processor to cause the system to;
  
  receive packets transmitted through a network;
  
  eliminate packets that display a normal behavior based, at least in part, upon a comparison between the packets and the normal behavior;
  
  generate an alert in response to one or more remaining packets having a rating that meets a threshold value;
  
  apply a Resistance-to-Change (RTC) bias to the rating, the RTC bias associated with a source corresponding to the alert and configured to reduce a magnitude of the rating;
  
  assign a strength to the alert, the strength associated with the alert'"'"'s abnormality;
  
  receive a human-assigned score associated with the alert, the score being reflective of a prediction accuracy;
  
  combine the strength and the score associated with the alert into a strength-score value; and
  
  determine whether to escalate the alert as a function of the strength-score value.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the program instructions are executable by the processor to further cause the system to:
    - group the remaining packets into sets of packets, each packet within a given set of packets having a characteristic in common with other packets of the same set of packets, the characteristic including at least one of;
      
      a source port, a destination port, a source address, a destination address, or a protocol;
      
      compare each of the sets of packets against the normal behavior; and
      
      rate each packet within a given set of packets according to the given set of packet'"'"'s deviation from the normal behavior.
  - 20. The system of claim 18, wherein the receive, eliminate, generate, apply, assign, receive, combine, and determine occur across a plurality of networks, and wherein the program instructions are executable by the processor to further cause the system to:
    - compile results in a global database; and
      
      update historical data based on the results in the global database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Masergy Communications Incorporated (Comcast Corporation)
Original Assignee
Global DataGuard, Inc. (Comcast Corporation)
Inventors
Stute, Michael
Primary Examiner(s)
McNally, Michael S
Assistant Examiner(s)
Johnson, Carlton

Application Number

US13/453,879
Publication Number

US 20120210429A1
Time in Patent Office

393 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

C12Q 1/6804   Nucleic acid analysis using...

C12Q 1/6865   Promoter-based amplificatio...

C12Q 2521/313   Type II endonucleases, i.e....

C12Q 2521/319   Exonuclease

C12Q 2525/121   incorporating both deoxyrib...

C12Q 2525/143   incorporating a promoter se...

C12Q 2537/1373   Displacement by a nucleic acid

C12Q 2563/179   the label being a nucleic acid

H04L 63/0272   Virtual private networks

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Adaptive behavioral intrusion detection systems and methods

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive behavioral intrusion detection systems and methods

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links