Context aware network security monitoring for threat detection

US 9,215,244 B2
Filed: 12/06/2012
Issued: 12/15/2015
Est. Priority Date: 11/18/2010
Status: Active Grant

First Claim

Patent Images

1. A method for context aware network security monitoring for threat detection, the method comprising:

monitoring, by at least one processor, behavior of each of at least one node, associated with at least one user, in a network to generate a behavior profile for each of the at least one user,wherein the behavior of each of the at least one node is based on traffic flow through each of the at least one node,wherein the traffic flow is monitored by analyzing an Internet Protocol (IP) packet header of at least one data packet that has traveled through each of the at least one node, andwherein the IP packet header contains a security signature portion, the security signature portion includes geolocation information for at least one of the nodes that the data packet has passed or routed;

comparing, by the at least one processor, the behavior profile for the at least one user with a baseline behavior profile for the at least one user;

determining, by the at least one processor, when there is a difference between the behavior profile for the at least one user and the baseline behavior profile for the at least one user;

flagging an event associated with the difference, by the at least one processor, when the difference at least one of exceeds a baseline threshold level, does not exceed a baseline threshold level, meets at least one criterion, and does not meet at least one criterion; and

classifying the event, by the at least one processor, to an event classification.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed method involves monitoring behavior of at least one node, associated with at least one user, in a network to generate a behavior profile for the user(s). The method further involves comparing the behavior profile for at least one user with a baseline behavior profile for the user(s). Also, the method involves determining when there is a difference between the behavior profile for at least one user and the baseline behavior profile for the user(s). Further, the method involves flagging an event associated with the difference: when the difference exceeds a baseline threshold level, does not exceed a baseline threshold level, meets at least one criterion, and/or does not meet at least one criterion. Additionally, the method involves classifying the event to an event classification. Further, the method involves transmitting the event to at least one other node in the network and/or a network operations center.

61 Citations

View as Search Results

37 Claims

1. A method for context aware network security monitoring for threat detection, the method comprising:
- monitoring, by at least one processor, behavior of each of at least one node, associated with at least one user, in a network to generate a behavior profile for each of the at least one user,wherein the behavior of each of the at least one node is based on traffic flow through each of the at least one node,wherein the traffic flow is monitored by analyzing an Internet Protocol (IP) packet header of at least one data packet that has traveled through each of the at least one node, andwherein the IP packet header contains a security signature portion, the security signature portion includes geolocation information for at least one of the nodes that the data packet has passed or routed;
  
  comparing, by the at least one processor, the behavior profile for the at least one user with a baseline behavior profile for the at least one user;
  
  determining, by the at least one processor, when there is a difference between the behavior profile for the at least one user and the baseline behavior profile for the at least one user;
  
  flagging an event associated with the difference, by the at least one processor, when the difference at least one of exceeds a baseline threshold level, does not exceed a baseline threshold level, meets at least one criterion, and does not meet at least one criterion; and
  
  classifying the event, by the at least one processor, to an event classification.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein the method further comprises transmitting, by at least one transmitter associated with the at least one node associated with the at least one user, the event to at least one of at least one other node in the network and a network operations center.
  - 3. The method of claim 1, wherein the method further comprises initially monitoring, by the at least one processor, the behavior of the at least one node, associated with the at least one user, in the network to generate the baseline behavior profile for the at least one user.
  - 4. The method of claim 1, wherein the method further comprises transmitting, by at least one transmission source, the baseline behavior profile for the at least one user to the at least one node associated with the at least one user;
    - andreceiving, by at least one receiver associated with the at least one node associated with the at least one user, the baseline behavior profile for the at least one user.
  - 5. The method of claim 4, wherein the at least one transmission source is employed in at least one of at least one satellite and at least one pseudo-satellite.
  - 6. The method of claim 5, wherein the at least one satellite is at least one of a Lower Earth Orbiting (LEO) satellite, a Medium Earth Orbiting (MEO) satellite, and a Geosynchronous Earth Orbiting (GEO) satellite.
  - 7. The method of claim 4, wherein the at least one transmission source is associated with at least one of at least one other node in the network and the network operations center.
  - 8. The method of claim 1, wherein the at least one processor is associated with at least one of the at least one node associated with the at least one user, at least one other node in the network, and the network operations center.
  - 9. The method of claim 1, wherein the method further comprises transmitting, by at least one transmission source, an event update to the at least one network node associated with the at least one user;
    - andupdating, by the at least one processor, the baseline behavior profile for the at least one user by using the event update.
  - 10. The method of claim 9, wherein the at least one transmission source is employed in at least one of at least one satellite and at least one pseudo-satellite.
  - 11. The method of claim 10, wherein the at least one satellite is at least one of a Lower Earth Orbiting (LEO) satellite, a Medium Earth Orbiting (MEO) satellite, and a Geosynchronous Earth Orbiting (GEO) satellite.
  - 12. The method of claim 9, wherein the at least one transmission source is associated with at least one of at least one other node in the network and the network operations center.
  - 13. The method of claim 1, wherein the monitoring of the behavior of the at least one node associated with the at least one user further includes at least one of:
    - monitoring usage of the at least one node associated with the at least one user;
      
      monitoring a location of the at least one node associated with the at least one user;
      
      monitoring data passing through the at least one node associated with the at least one user;
      
      monitoring a quantity of the data passing through the at least one node associated with the at least one user;
      
      monitoring a time of the data passing through the at least one node associated with the at least one user;
      
      monitoring a date of the data passing through the at least one node associated with the at least one user;
      
      monitoring an origination source the data is being transmitted from originally; and
      
      monitoring a final destination the data is being transmitted.
  - 14. The method of claim 1, wherein the method further comprises authenticating, with at least one authenticator device, a location of the at least one node associated with the at least one user.
  - 15. The method of claim 14, wherein the at least one authenticator device authenticates the location of the at least one node associated with the at least one user by evaluating at least one authentication signal.
  - 16. The method of claim 15, wherein the at least one authentication signal is transmitted by at least one transmission source, and is received by at least one receiving source associated with the at least one node associated with the at least one user.
  - 17. The method of claim 16, wherein the at least one transmission source is employed in at least one of at least one satellite and at least one pseudo-satellite.
  - 18. The method of claim 17, wherein the at least one satellite is at least one of a Lower Earth Orbiting (LEO) satellite, a Medium Earth Orbiting (MEO) satellite, and a Geosynchronous Earth Orbiting (GEO) satellite.
  - 19. The method of claim 1, wherein the at least one criterion is related to at least one of:
    - a location of the at least one network node associated with the at least one user;
      
      a type of data passing through the at least one network node associated with the at least one user;
      
      a time the at least one network node associated with the at least one user receives data;
      
      a day the at least one network node associated with the at least one user receives the data;
      
      a time the at least one network node associated with the at least one user transmits the data;
      
      a day the at least one network node associated with the at least one user transmits the data;
      
      a location of an origination source the data is transmitted from originally; and
      
      a location of a final destination source the data is being transmitted.

20. A system for context aware network security monitoring for threat detection, the system comprising:
- at least one processor to monitor behavior of each of at least one node associated with at least one user in a network to generate a behavior profile for each of the at least one user, wherein the behavior of each of the at least one node is based on traffic flow through each of the at least one node, and wherein the traffic flow is monitored by analyzing an Internet Protocol (IP) packet header of at least one data packet that has traveled through each of the at least one node, wherein the IP packet header contains a security signature portion, the security signature portion includes geolocation information for at least one of the nodes that the data packet has passed or routed;
  
  compare the behavior profile for the at least one user with a baseline behavior profile for the at least one user;
  
  determine when there is a difference between the behavior profile for the at least one user and the baseline behavior profile for the at least one user;
  
  flag an event associated with the difference, when the difference at least one of exceeds a baseline threshold level, does not exceed a baseline threshold level, meets at least one criterion, and does not meet at least one criterion; and
  
  classify the event to an event classification; and
  
  at least one transmitter, associated with the at least one node associated with the at least one user, to transmit the event to at least one of at least one other node in the network and a network operations center.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 21. The system of claim 20, wherein the processor is further to initially monitor the behavior of the at least one node associated with the at least one user in the network to generate the baseline behavior profile for the at least one user.
  - 22. The system of claim 20, wherein the system further comprises:
    - at least one transmission source to transmit the baseline behavior profile for the at least one user to the at least one node associated with the at least one user; and
      
      at least one receiver, associated with the at least one node associated with the at least one user, to receive the baseline behavior profile for the at least one user.
  - 23. The system of claim 22, wherein the at least one transmission source is employed in at least one of at least one satellite and at least one pseudo-satellite.
  - 24. The system of claim 23, wherein the at least one satellite is at least one of a Lower Earth Orbiting (LEO) satellite, a Medium Earth Orbiting (MEO) satellite, and a Geosynchronous Earth Orbiting (GEO) satellite.
  - 25. The system of claim 22, wherein the at least one transmission source is associated with at least one of at least one other node in the network and the network operations center.
  - 26. The system of claim 20, wherein the at least one processor is associated with at least one of the at least one node associated with the at least one user, at least one other node in the network, and the network operations center.
  - 27. The system of claim 20, wherein the system further comprises at least one transmission source to transmit an event update to the at least one network node associated with the at least one user;
    - andthe at least one processor is to further update the baseline behavior profile for the at least one user by using the event update.
  - 28. The system of claim 27, wherein the at least one transmission source is employed in at least one of at least one satellite and at least one pseudo-satellite.
  - 29. The system of claim 28, wherein the at least one satellite is at least one of a Lower Earth Orbiting (LEO) satellite, a Medium Earth Orbiting (MEO) satellite, and a Geosynchronous Earth Orbiting (GEO) satellite.
  - 30. The system of claim 27, wherein the at least one transmission source is associated with at least one of at least one other node in the network and the network operations center.
  - 31. The system of claim 20, wherein the monitoring of the behavior of the at least one node associated with the at least one user further includes at least one of:
    - monitoring usage of the at least one node associated with the at least one user;
      
      monitoring a location of the at least one node associated with the at least one user;
      
      monitoring data passing through the at least one node associated with the at least one user;
      
      monitoring a quantity of the data passing through the at least one node associated with the at least one user;
      
      monitoring a time of the data passing through the at least one node associated with the at least one user;
      
      monitoring a date of the data passing through the at least one node associated with the at least one user;
      
      monitoring an origination source the data is being transmitted from originally; and
      
      monitoring a final destination the data is being transmitted.
  - 32. The system of claim 20, wherein the system further comprises at least one authenticator device to authenticate a location of the at least one node associated with the at least one user.
  - 33. The system of claim 32, wherein the at least one authenticator device authenticates the location of the at least one node, associated with the at least one user, by evaluating at least one authentication signal.
  - 34. The system of claim 33, wherein the at least one authentication signal is transmitted by at least one transmission source, and is received by at least one receiving source associated with the at least one node associated with the at least one user.
  - 35. The system of claim 34, wherein the at least one transmission source is employed in at least one of at least one satellite and at least one pseudo-satellite.
  - 36. The system of claim 35, wherein the at least one satellite is at least one of a Lower Earth Orbiting (LEO) satellite, a Medium Earth Orbiting (MEO) satellite, and a Geosynchronous Earth Orbiting (GEO) satellite.
  - 37. The system of claim 20, wherein the at least one criterion is related to at least one of:
    - a location of the at least one network node associated with the at least one user;
      
      a type of data passing through the at least one network node associated with the at least one user;
      
      a time the at least one network node associated with the at least one user receives data;
      
      a day the at least one network node associated with the at least one user receives the data;
      
      a time the at least one network node associated with the at least one user transmits the data;
      
      a day the at least one network node associated with the at least one user transmits the data;
      
      a location of an origination source the data is transmitted from originally; and
      
      a location of a final destination source the data is being transmitted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Ayyagari, Arun, Aldrich, Timothy M., Corman, David E., Gutt, Gregory M., Whelan, David A.
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
Alata, Ayoub

Application Number

US13/707,498
Publication Number

US 20130305357A1
Time in Patent Office

1,104 Days
Field of Search

726/22, 726/23, 726/24
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 9/00   Arrangements for program co...

H04B 7/18593   Arrangements for preventing...

H04L 41/046   comprising network manageme...

H04L 41/069   using logs of notifications...

H04L 43/04   Processing captured monitor...

H04L 43/0817   by checking functioning

H04L 43/0876   Network utilisation, e.g. v...

H04L 43/12   Network monitoring probes

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/166   at the transport layer

H04L 67/306   User profiles

H04L 67/535   Tracking the activity of th...

H04L 9/0872   using geo-location informat...

H04L 9/3236   using cryptographic hash fu...

H04W 12/06   Authentication

H04W 12/12   Detection or prevention of ...

H04W 12/61   Time-dependent

H04W 12/63 : Location-dependent; Proximi...

H04W 12/64 : using geofenced areas

View All

Context aware network security monitoring for threat detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Context aware network security monitoring for threat detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links