Systems and methods for detection and suppression of abnormal conditions within a networked environment

US 8,978,136 B2
Filed: 02/17/2012
Issued: 03/10/2015
Est. Priority Date: 02/17/2011
Status: Active Grant

First Claim

Patent Images

1. A processor-implemented system for handling a malicious computer-related security event, wherein the security event occurs at central network access points of the Internet, wherein the central network access points are points involving networks of autonomous and different Internet service providers, said system comprising:

a non-signature based security event detection software system operating on a first computer connected to a first network of a first Internet service provider;

wherein the non-signature based security event detection software system detects the security event by examining a runtime state of the first computer,wherein detecting the security event by examining the runtime state of the first computer comprises;

comparing the runtime state of the first computer to a normal runtime state of the first computer, anddetermining that the runtime state of the first computer is different from the normal runtime state of the first computer;

a second computer, on which a security event management software system operates, the security event detection software system having access to security event detection results generated by the non-signature based security event detection software system;

wherein the security event management processing software system deploys information to systems of the other Internet service providers that are associated with the central network access points; and

wherein the deployed information is used by the other Internet service providers to handle a security event within their respective networks that is similar to or same as the security event encountered in the first network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for handling a malicious computer-related security event that occurs at central network access points of the Internet involving networks of autonomous and different internet service providers. A system includes a non-signature based security event detection software system operating on a first computer connected to a first network of a first internet service provider, where the non-signature based security event detection software system detects the security event by examining runtime state of the first computer. A security event management software system operates on a processor-based platform and has access to security event detection results generated by the non-signature based security event detection software system.

Citations

21 Claims

1. A processor-implemented system for handling a malicious computer-related security event, wherein the security event occurs at central network access points of the Internet, wherein the central network access points are points involving networks of autonomous and different Internet service providers, said system comprising:
- a non-signature based security event detection software system operating on a first computer connected to a first network of a first Internet service provider;
  
  wherein the non-signature based security event detection software system detects the security event by examining a runtime state of the first computer,wherein detecting the security event by examining the runtime state of the first computer comprises;
  
  comparing the runtime state of the first computer to a normal runtime state of the first computer, anddetermining that the runtime state of the first computer is different from the normal runtime state of the first computer;
  
  a second computer, on which a security event management software system operates, the security event detection software system having access to security event detection results generated by the non-signature based security event detection software system;
  
  wherein the security event management processing software system deploys information to systems of the other Internet service providers that are associated with the central network access points; and
  
  wherein the deployed information is used by the other Internet service providers to handle a security event within their respective networks that is similar to or same as the security event encountered in the first network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The system of claim 1, wherein the security event comprises a malicious network intrusion security event with respect to the first network or malware operating on the first computer.
  - 3. The system of claim 1, wherein the non-signature based security event detection software system is not premised on knowing what malicious activity resembles in order to detect the malicious activity associated with the unauthorized network intrusion.
  - 4. The system of claim 3, wherein the non-signature based security event detection software system utilizes system memory analysis of the first computer in order to access the runtime state.
  - 5. The system of claim 4, wherein analysis upon the system memory provides information about the runtime integrity of the first computer system.
  - 6. The system of claim 5, wherein the security event management processing software system combines the memory analysis with more additional forensics analysis which include network analysis, file system analysis, and registry analysis.
  - 7. The system of claim 1, wherein the non-signature based security event detection software system operates as a host-based security solution.
  - 8. The system of claim 7, wherein security event detection results from a network-based security software system are also used by the security event management software system for handling a security event in the network of the different Internet service provides that is similar to or same as the security event in the first network.
  - 9. The system of claim 8, wherein the network-based security software system examines incoming and outgoing network traffic.
  - 10. The system of claim 1, wherein the security event management processing software system operates at a centralized location relative to the networks of the Internet service providers associated with the central network access points.
  - 11. The system of claim 10, wherein the centralized location comprises a security operations center.
  - 12. The system of claim 11, wherein the security operations center monitors multiple Internet service providers in order to detect security events that occur in the environments of the Internet service providers, thereby providing a global perspective with respect to security events across multiple Internet service providers.
  - 13. The system of claim 11, wherein the security operations center monitors multiple Internet service providers and monitors both commercial and government networks in order to detect security events that occur in the environments of the Internet service providers, the commercial networks, and the government networks, thereby providing a global perspective with respect to security events across multiple Internet service providers and different types of networks.
  - 14. The system of claim 11, wherein the central network access points are carrier-neutral exchange points.
  - 15. The system of claim 14, wherein presence of carrier-neutral exchange points results in lower latency for customer access and for attribution in event of a multi-carrier, multi-hop network attack.
  - 16. The system of claim 11, wherein the security operations center is operated by a trusted third party administrator, which allows the security operations center to have access to security event detection information across networks of different Internet service providers and to utilize the security event detection information across different Internet service providers, thereby providing visibility across multiple networks operated by different Internet service providers.
  - 17. The system of claim 16, wherein the security operations center receives results from different types of security event detection systems that are implemented in a modular technology platform, thereby facilitating constant testing and updating with recent version of the security event detection systems.
  - 18. The system of claim 16, wherein the security operations center operates as clearinghouse for threat analytics and information security events associated with the different Internet service providers.
  - 19. The system of claim 18, wherein the security operations center anonymizes the security event detection information and propagates for use by other Internet service providers.
  - 20. The system of claim 18, wherein the security operations center aggregates and correlates logs and alerts from security devices associated with different Internet service providers.

21. A processor-implemented method for handling a malicious computer-related security event, wherein the security event occurs at central network access points of the Internet, wherein the central network access points are points involving networks of autonomous and different Internet service providers, said method comprising:
- operating a non-signature based security event detection software system on a first computer connected to a first network of a first Internet service provider;
  
  detecting the security event by the non-signature based security event detection software system by examining a runtime state of the first computer,wherein detecting the security event by examining the runtime state of the first computer comprises;
  
  comparing the runtime state of the first computer to a normal runtime state of the first computer, anddetermining that the runtime state of the first computer is different from the normal runtime state of the first computer;
  
  operating a security event management software system on a processor-based platform, wherein the security event management software system has access to security event detection results generated by the non-signature based security event detection software system; and
  
  deploying information by the security event management processing software system to systems of the other Internet service providers that are associated with the central network access points;
  
  wherein the deployed information is used by the other Internet service providers to handle a security event within their respective networks that is similar to or same as the security event encountered in the first network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Terremark Worldwide Incorporated (Verizon Communications Inc.)
Inventors
Day, Christopher Wayne
Primary Examiner(s)
SCOTT, RANDY A

Application Number

US13/399,116
Publication Number

US 20140245439A1
Time in Patent Office

1,117 Days
Field of Search

726/10, 726/22, 726/23, 709/217, 709/218, 709/219, 713/168, 713/169, 713/170
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Systems and methods for detection and suppression of abnormal conditions within a networked environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detection and suppression of abnormal conditions within a networked environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links