Method and apparatus for predictive and actual intrusion detection on a network

US 8,640,234 B2
Filed: 05/04/2004
Issued: 01/28/2014
Est. Priority Date: 05/07/2003
Status: Active Grant

First Claim

Patent Images

1. A method of managing network usage, the method comprising:

defining a set of linguistic patterns, where each linguistic pattern is associated with a condition that is to be monitored;

capturing network packets containing content during transmission;

decapsulating the captured network packets;

identifying linguistic patterns in the content of the captured network packets;

scoring captured network packets based on similarity of at least one of the identified linguistic patterns to one or more of the defined set of linguistic patterns; and

when a packet that is scored above a specified threshold value is identified, implementing at least one responsive action.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of managing network usage by defining a set of linguistic patterns, where each linguistic pattern is associated with a condition that is to be monitored. Network packets are captured during transmission and analyzed to identify linguistic patterns. Captured network packets are scored based on similarity of at least one linguistic pattern to one or more of the defined set of linguistic patterns. When a packet that is scored above a specified threshold value is identified, at least one responsive action is implemented. In this manner, a system implementing the method is able to identify network traffic that is associated with prospective malicious activity and thereby provide an early warning before damage has occurred.

66 Citations

View as Search Results

32 Claims

1. A method of managing network usage, the method comprising:
- defining a set of linguistic patterns, where each linguistic pattern is associated with a condition that is to be monitored;
  
  capturing network packets containing content during transmission;
  
  decapsulating the captured network packets;
  
  identifying linguistic patterns in the content of the captured network packets;
  
  scoring captured network packets based on similarity of at least one of the identified linguistic patterns to one or more of the defined set of linguistic patterns; and
  
  when a packet that is scored above a specified threshold value is identified, implementing at least one responsive action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising:
    - defining a set of categories, wherein each category is associated with a set of linguistic patterns for that category; and
      
      categorizing network packets into one or more of a plurality of categories based upon similarity to one or more of the set of linguistic patterns for that category.
  - 3. The method of claim 1 wherein the capturing comprises passively capturing.
  - 4. The method of claim 1 wherein the capturing comprises actively capturing.
  - 5. The method of claim 1 wherein the decapsulating comprises:
    - determining from packet header information a type of application layer protocol used by the packet; and
      
      parsing the packet to extract the content from the packet.
  - 6. The method of claim 5 wherein the type of protocol identified in the decapsulating is used to score and categorize the packet.
  - 7. The method of claim 5 wherein the type of protocol identified in the decapsulating is used to provide context for scoring the packet.
  - 8. The method of claim 1 further comprising normalizing information from the decapsulated network packets.
  - 9. The method of claim 1 further comprising parsing the information from the decapsulated network packets.
  - 10. The method of claim 1 further comprising generating a report comprising categorized information of the network packets.

11. A tangible computer readable storage disk or device comprising instructions that, when executed, cause a machine to at least:
- define a set of linguistic patterns, where each linguistic pattern is associated with a condition that is to be monitored;
  
  capture network packets containing content during transmission;
  
  decapsulate the captured network packets;
  
  identify linguistic patterns in the content of the captured network packets;
  
  score captured network packets based on similarity of at least one of the identified linguistic patterns to one or more of the defined set of linguistic patterns; and
  
  when a packet that is scored above a specified threshold value is identified, implement at least one responsive action.

12. A monitored networked computing system comprising:
- a network;
  
  a plurality of computing devices coupled to the network and configured to exchange information packets containing packet information and content;
  
  a network analyzer coupled to the network, wherein the network analyzer includes mechanisms for capturing the information packets; and
  
  a linguistic analyzer coupled to the network analyzer and operable to identify preselected linguistic patterns in the content of the captured information packets, wherein the linguistic patterns are preselected to identify the information packets that preemptively indicate a future network attack.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The monitored network of claim 12 wherein the linguistic analyzer is operable to assign a score based upon a degree to which the linguistic patterns of a particular packet are similar to the preselected linguistic patterns.
  - 14. The monitored network of claim 12 wherein the network analyzer and the linguistic analyzer operate in substantially real time.
  - 15. The monitored network of claim 12 wherein the network analyzer passively captures information packets.
  - 16. The monitored network of claim 12 further comprising means for decapsulating protocol information from the information packet and using the protocol information.
  - 17. The monitored network of claim 12 further comprising a database coupled to the linguistic analyzer for storing the preselected linguistic patterns for each of a plurality of categories.
  - 18. The monitored network of claim 17 wherein the preselected linguistic patterns are represented as regular expressions.
  - 19. The monitored network of claim 12 wherein the network comprises an internet protocol network.
  - 20. The monitored network of claim 12 wherein the network comprises a fibre channel fabric.
  - 21. The monitored network of claim 12 further comprising a report generator coupled to the linguistic analyzer and operable to generate reports based on a categorization of the captured information packets.

22. A device for monitoring network traffic, the device comprising:
- a memory comprising instructions; and
  
  a processor to execute the instructions to;
  
  capture network packets containing packet information and content from a network;
  
  identify linguistic patterns in the content of the captured network packets;
  
  score captured network packets based on similarity of at least one of the identified linguistic patterns to one or more of a defined set of linguistic patterns; and
  
  implement at least one responsive action when a packet that is scored above a specified threshold value is identified.

23. A computing device configured to monitor content of network traffic, the computing device comprising:
- a processor;
  
  memory coupled to the processor;
  
  a port coupled to an external network; and
  
  computer code executable using the processor and the memory and operable to analyze linguistic patterns in the network traffic content and thereby identify network traffic on the external network by comparing the linguistic patterns in the network traffic to known linguistic patterns.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. The computing device of claim 23 wherein the computer code is operable to detect network traffic associated with hacker research activity.
  - 25. The computing device of claim 23 wherein the computer code is operable to detect network traffic associated with malicious attack preparation activity.
  - 26. The computing device of claim 23 wherein the computer code is operable to detect network traffic associated with a successfully initiated attack.
  - 27. The computing device of claim 23 wherein the computer code is operable to detect network traffic associated with unauthorized access attempts made to a network resource other than the computing device itself.
  - 28. The computing device of claim 23 wherein the computer code is operable to detect linguistic patterns in the network traffic.
  - 29. The computing device of claim 28 wherein the computer code is operable to score network traffic based on similarity of at least one detected linguistic pattern to one or more preselected linguistic patterns.

30. A method of detecting a prospective network attack, the method comprising:
- defining a set of linguistic patterns, where each linguistic pattern is associated with a condition that has been determined to be indicative of a prospective network attack;
  
  monitoring content of network traffic over time;
  
  identifying linguistic patterns when they occur in the network traffic;
  
  accumulating information about the identified occurrences of the defined set of linguistic patterns over time; and
  
  using the accumulated information as a basis for determining, using a processor, a likelihood of a prospective network attack.
- View Dependent Claims (31, 32)
- - 31. The method of claim 30 further comprising reporting an occurrence of network traffic when the occurrence of the linguistic patterns in the network traffic exceeds a preselected threshold.
  - 32. The method of claim 30 wherein the accumulating information further comprises maintaining a score based on similarity of at least one identified linguistic pattern to one or more of the defined set of linguistic patterns;
    - andwhen the score exceeds a specified threshold value, implementing at least one responsive action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sysxnet Ltd.
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Donahue, Thomas P., Gassen, Derek
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
BAYOU, YONAS A

Application Number

US10/838,863
Publication Number

US 20060150249A1
Time in Patent Office

3,556 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/606   by securing the transmissio...

G06F 21/6209   to a single file or object,...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Method and apparatus for predictive and actual intrusion detection on a network

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for predictive and actual intrusion detection on a network

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others