Detecting emergent behavior in communications networks

US 9,256,735 B2
Filed: 10/10/2012
Issued: 02/09/2016
Est. Priority Date: 10/10/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

performing, by a computer system;

decomposing a plurality of data packets into a plurality of component data types, the plurality of data packets associated with a candidate alert representing a potential security threat in a communications network;

retrieving, from a database, a count for each of a plurality of historical data types, the plurality of historical data types matching at least a subset of the component data types, each of the counts quantifying an amount of data of a corresponding historical data type previously detected in the communications network in a given time period;

calculating a score that indicates an aggregate discrepancy between an amount of data in each of the subset of the component data types and the counts for each corresponding one of the historical data types for a particular hour of day, a particular day of the week, the particular day within the month, and the particular day within a year for the given time period; and

handling the candidate alert based, at least in part, upon the score, wherein handling the candidate alert further comprises issuing the candidate alert in response to the score meeting a threshold value, and suppressing the candidate alert in response to the score not meeting the threshold value.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods of detecting emergent behaviors in communications networks are disclosed. In some embodiments, a method may include decomposing a plurality of data packets into a plurality of component data types associated with a candidate alert representing a potential security threat in a network. The method may also include retrieving, from a database, a count for each of a plurality of historical data types matching at least a subset of the component data types, each of the counts quantifying an amount of data of a corresponding historical data type previously detected in the network in a given time period. The method may further include calculating a score that indicates a discrepancy between an amount of data in each of the subset of the component data types and the counts for each corresponding historical data type in the same time period, and handling the candidate alert based upon the score.

22 Citations

View as Search Results

18 Claims

1. A method, comprising:
- performing, by a computer system;
  
  decomposing a plurality of data packets into a plurality of component data types, the plurality of data packets associated with a candidate alert representing a potential security threat in a communications network;
  
  retrieving, from a database, a count for each of a plurality of historical data types, the plurality of historical data types matching at least a subset of the component data types, each of the counts quantifying an amount of data of a corresponding historical data type previously detected in the communications network in a given time period;
  
  calculating a score that indicates an aggregate discrepancy between an amount of data in each of the subset of the component data types and the counts for each corresponding one of the historical data types for a particular hour of day, a particular day of the week, the particular day within the month, and the particular day within a year for the given time period; and
  
  handling the candidate alert based, at least in part, upon the score, wherein handling the candidate alert further comprises issuing the candidate alert in response to the score meeting a threshold value, and suppressing the candidate alert in response to the score not meeting the threshold value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein at least one of the plurality of component data types includes a combination of at least two elements selected from the group consisting of:
    - a protocol, a source address, a destination address, a source port, a destination port, an alert type, and a service type.
  - 3. The method of claim 2, wherein calculating the score further comprises:
    - performing, by the computer system;
      
      applying a weight to a discrepancy involving a data type having a combination of fewer of the elements that is less than another weight applied to another discrepancy involving another data type having another combination of more of the elements; and
      
      calculating a weighted average of each discrepancy and corresponding weight.
  - 4. The method of claim 1, wherein calculating the score further comprises:
    - performing, by the computer system;
      
      at least one of;
      
      applying a weight to a discrepancy involving a time period equal to a day of the week that is less than another weight applied to another discrepancy involving another time period equal to a time interval;
      
      applying a weight to a discrepancy involving a time period equal to a day of the month that is less than another weight applied to another discrepancy involving another time period equal to day of the week;
      
      or applying a weight to a discrepancy involving a time period equal to a day of the year that is less than another weight applied to another discrepancy involving another time period equal to a day of the month; and
      
      calculating a weighted average of each discrepancy and corresponding weight.
  - 5. The method of claim 1, wherein the counts include at least one of:
    - a number of packets entering the communications network, a number of packets leaving the communications network, an amount of data entering the communications network, or an amount of data leaving the communications network.
  - 6. The method of claim 1, further comprising, prior to handling the candidate alert:
    - performing, by the computer system;
      
      calculating a complexity of one or more of the plurality of data packets; and
      
      modifying the score based, at least in part, upon the complexity.
  - 7. The method of claim 6, wherein calculating the complexity further comprises executing a Particle Swarm Optimization (PSO) technique.
  - 8. The method of claim 6, wherein calculating the complexity further comprises executing a Force Vector Surface Optimization (FVSO) technique.
  - 9. The method of claim 1, further comprising:
    - performing, by the computer system;
      
      updating, in the database, one or more of the counts for each of a plurality of historical data types in the given time period based, at least in part, upon the amounts of data in each of the subset of the component data types.
  - 10. The method of claim 9, further comprising:
    - performing, by the computer system;
      
      updating, in the database, a prediction accuracy of one or more of the counts for one or more historical data types corresponding to the subset of the components data types in the given time period.
  - 11. The method of claim 1, further comprising, prior to calculating the score:
    - performing, by the computer system;
      
      selecting the subset of the component data types among the plurality of data types, at least in part, by determining which of the corresponding historical data types has a prediction accuracy above a threshold value.

12. A computer system, comprising:
- at least one processor; and
  
  a memory coupled to the at least one processor, the memory configured to store instructions executable by the at least one processor to cause the computer system to;
  
  decompose a plurality of data packets into a plurality of component data types, the plurality of data packets associated with a candidate alert representing a potential security threat in a network, at least one of the plurality of data types including a combination of two or more of;
  
  a protocol, a source address, a destination address, a source port, or a destination port;
  
  for each of the plurality of data types, determining one or more counts selected from the group consisting of;
  
  a number of packets entering the network, a number of packets leaving the network, an amount of data entering the network, or an amount of data leaving the network;
  
  update, in a database, one or more historical counts for each of a plurality of historical data types corresponding to the plurality of data types for a particular hour of day, a particular day of the week, the particular day within the month, and the particular day within a year for a given time period based upon the one or more counts; and
  
  perform at least one of;
  
  (i) issue a candidate alert in response to a score meeting a threshold value, or (ii) suppress the candidate alert in response to the score not meeting the threshold value.
- View Dependent Claims (13, 14)
- - 13. The computer system of claim 12, the instructions further executable by the at least one processor to cause the computer system to:
    - update, in the database, a prediction accuracy of the one or more historical count for each of the plurality of historical data types corresponding to the plurality of data types in the given time period.
  - 14. The computer system of claim 12, wherein the instructions are further executable by the at least one processor to cause the computer system to:
    - determine that an expected event has not taken place in the network based, at least in part, upon an analysis of the one or more historical counts in the given time period; and
      
      issuing a missing event alert.

15. A non-transitory computer-readable storage medium having program instructions stored thereon that, upon execution by a computer system, cause the computer system to:
- decompose a plurality of data packets into a plurality of component data types, the plurality of data packets associated with a candidate alert representing a potential security threat in a computer network, at least one of the plurality of data types including a combination of at least two elements selected from the group consisting of;
  
  a protocol, a source address, a destination address, a source port, a destination port, an alert type, and a service type;
  
  retrieve, from a database, a count for each of a plurality of historical data types, the plurality of historical data types matching at least a subset of the component data types, each of the counts quantifying an amount of data of a corresponding historical data type previously detected in the computer network in a given time period, the counts including at least one of;
  
  a number of packets entering the computer network, a number of packets leaving the computer network, an amount of data entering the computer network, or an amount of data leaving the computer network;
  
  calculate a score that indicates an aggregate discrepancy between an amount of data in each of the subset of the component data types and the counts for each corresponding one of the historical data types for a particular hour of day, a particular day of the week, the particular day within the month, and the particular day within a year for the given time period, at least in part, by applying a weight to a discrepancy involving a data type having a combination of fewer of the elements that is less than another weight applied to another discrepancy involving another data type having another combination of more of the elements, and calculating a weighted average of each discrepancy and corresponding weight, wherein the given time period includes a combination of two or more of;
  
  a time interval, a day of the week, a day of the month, a week of the month, a day of the year, or a month of the year; and
  
  perform at least one of;
  
  (i) issue the candidate alert in response to the score meeting a threshold value, or (ii) suppress the candidate alert in response to the score not meeting the threshold value.
- View Dependent Claims (16, 17, 18)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the instructions are further executable by the computer system to cause the computer system to:
    - calculate a complexity of one or more of the plurality of data packets; and
      
      modify the score based, at least in part, upon the complexity.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein to calculate the complexity, the instructions are further executable by the computer system to cause the computer system to perform a Particle Swarm Optimization (PSO) technique.
  - 18. The non-transitory computer-readable storage medium of claim 16, wherein to calculate the complexity, the instructions are further executable by the computer system to cause the computer system to perform a Force Vector Surface Optimization (FVSO) technique.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Masergy Communications Incorporated (Comcast Corporation)
Original Assignee
Masergy Communications Incorporated (Comcast Corporation)
Inventors
Stute, Michael Roy
Primary Examiner(s)
Lemma, Samson
Assistant Examiner(s)
KANAAN, SIMON P

Application Number

US13/648,895
Publication Number

US 20130117852A1
Time in Patent Office

1,217 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

H04L 63/1425 Traffic logging, e.g. anoma...

Detecting emergent behavior in communications networks

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Detecting emergent behavior in communications networks

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others