Device and method for detection of anomalous behavior in a computer network

US 9,401,932 B2
Filed: 01/03/2014
Issued: 07/26/2016
Est. Priority Date: 12/04/2012
Status: Active Grant

First Claim

Patent Images

1. A method for identifying an anomalous behavior in a network of host computing elements comprising the steps of:

providing 1-n network sensors in a computer network and in data communication therewith, wherein each network sensor is configured to sense or identify a characteristic of a network data packet, a network flow, or both being communicated across the computer network,outputting, by at least one of the network sensors, a sensor notification upon the satisfaction of a predetermined set of network data conditions,outputting the 1-n sensor notifications to a 1-n Rete net-based rule engine configured to execute a one or more Rete algorithms configured for the deterministic detection of an anomalous behavior in the network based on the notifications,executing the one or more Rete algorithms, andoutputting an alarm signal upon the detection of the anomalous behavior.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device and method for providing forensic data in network activity indicative of the presence of malware. A distributed set of network-based sensors operates within an enterprise network in cooperation with a centralized analytics and correlation engine that correlates detected events across the sensors to detect malicious activity on a monitored network which may include using a multi-tiered or Rete net rule set or engine. When malicious activity is detected upon the satisfaction of a predetermined set of conditions, the invention traces the activity to a host responsible for the activity for further action.

14 Citations

View as Search Results

24 Claims

1. A method for identifying an anomalous behavior in a network of host computing elements comprising the steps of:
- providing 1-n network sensors in a computer network and in data communication therewith, wherein each network sensor is configured to sense or identify a characteristic of a network data packet, a network flow, or both being communicated across the computer network,outputting, by at least one of the network sensors, a sensor notification upon the satisfaction of a predetermined set of network data conditions,outputting the 1-n sensor notifications to a 1-n Rete net-based rule engine configured to execute a one or more Rete algorithms configured for the deterministic detection of an anomalous behavior in the network based on the notifications,executing the one or more Rete algorithms, andoutputting an alarm signal upon the detection of the anomalous behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein an input to the 1-n Rete net-based rule engine comprises an alert generated by the 1-n Rete net-based rule engine used as a feedback input to a second anomalous detection rule engine.
  - 3. The method of claim 1 wherein at least one of the 1-n sensors is within the computer network behind a network firewall element of the network.
  - 4. The method of claim 1 wherein an input to the 1-n Rete net-based rule engine comprises a host information element and a notification from the 1-n sensors in the network.
  - 5. The method of claim 1 wherein an input to the 1-n Rete net-based rule engine is generated as a result of an output to a correlator configured for the processing of host and flow statistics from the 1-n sensors.
  - 6. The method of claim 1 wherein an input to the 1-n Rete net-based rule engine is selected from the group consisting of a sensor notification and a host type.
  - 7. The method of claim 1 wherein an output from the 1-n Rete net-based rule engine is selected from the group consisting of a host alert, a potential alarm, and a potential alert from a correlator.
  - 8. The method of claim 1 further comprising the step of providing a correlator input selected from the group consisting of a notification, a host statistic, and a host alert.
  - 9. The method of claim 1 further comprising the step of providing a correlator output comprising a correlator notification.

10. A method for identifying an anomalous behavior in a network of host computing elements comprising the steps of:
- providing 1-n network sensors in a computer network and in data communication therewith,outputting, by one or more of the network sensors, a sensor notification upon the satisfaction of a predetermined set of network data conditions,outputting the 1-n sensor notifications to 1-n Rete net-based engines configured to execute one or more Rete algorithms configured for the deterministic detection of anomalous behavior in the computer network based on the notifications,executing the one or more Rete algorithms, andoutputting an alarm signal upon the detection of the anomalous behavior.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10 wherein at least one of the 1-n sensors is within the network behind a network firewall element in the network.
  - 12. The method of claim 10 wherein an input to the 1-n Rete net-based rule engine is comprised of host information for an individual host.
  - 13. The method of claim 10 wherein an input to the 1-n Rete net-based rule engine is comprised of an output from a correlator configured for the processing of host and flow statistics.
  - 14. The method of claim 10 wherein an input to the 1-n Rete net-based rule engine is selected from the group consisting of a sensor notification, a host type, and a correlator notification.
  - 15. The method of claim 10 wherein an output from the 1-n Rete net-based rule engine is selected from the group consisting of a host alert, a potential alarm, and an alert to a correlator.
  - 16. The method of claim 10 further comprising the step of providing a correlator input selected from the group consisting of a notification, a host statistic, and a host alert.
  - 17. The method of claim 10 further comprising the step of providing a correlator output comprising a correlator notification.

18. A method for identifying an anomalous behavior in a network of host computing elements using a multi-tiered analytics rule engine comprising the steps of:
- providing 1-n network sensors in a computer network and in data communication therewith, wherein each network sensor is configured to sense or identify a characteristic of a network data packet, a network flow, or both being communicated across the computer network, each network sensor configured to output a sensor notification to each of a first tier rule engine and a second tier rule engine upon the satisfaction of a predetermined set of sensor network conditions, and wherein at least one of the first tier rule engine or the second tier rule engine comprises a 1-n Rete net-based rule engine configured to execute a one or more Rete algorithms configured for the deterministic detection of an anomalous behavior in the network based on the notifications,identifying, by the first tier rule engine, a predetermined set of notifications,outputting one or more alert events to the second tier rule engine in response to identifying the predetermined set of notifications, andoutputting, by the second tier rule engine, an alarm event to a user upon identifying a predetermined combination of alarms and notifications.
- View Dependent Claims (19)
- - 19. The method of claim 18 wherein at least one of the 1-n sensors is within the network behind a network firewall element in the network.

20. A method for identifying an anomalous behavior in a network of host computing elements using a multi-tiered analytics rule engine comprising the steps of:
- providing 1-n network sensors in a computer network and in data communication therewith, wherein each network sensor is configured to monitor one or more host statistics of a host, wherein the one or more host statistics comprise a statistic related to applications executing on the host, a subnet communicated with by the host, a byte count of transmitted data, a byte count of received data, or any combination thereof, wherein each network sensor is configured to output a sensor notification to each of a first tier rule engine and a second tier rule engine upon the satisfaction of a predetermined set of sensor network conditions, a subset of which comprises a predetermined host condition, and wherein at least one of the first tier rule engine or the second tier rule engine comprises a 1-n Rete net-based rule engine configured to execute a one or more Rete algorithms configured for the deterministic detection of an anomalous behavior in the network based on the notifications,the first tier rule engine configured to output one or more alert events to the second tier rule engine upon identifying a predetermined set of notifications,the second tier rule engine configured to output an alarm event to a user upon identifying a predetermined combination of alarms and notifications, andwherein the 1-n sensors are configured to concurrently output summary host data comprising flow data upon identification of a notification resulting from the host condition.
- View Dependent Claims (21)
- - 21. The method of claim 20 wherein at least one of the 1-n sensors is within the network behind a firewall element in the network.

22. A device for identifying an anomalous behavior in a network of host computing elements comprising:
- 1-n network sensors configured to output a sensor notification upon the satisfaction of a predetermined set of network data conditions and to output summary data and special packet data, and1-n Rete net-based rule engines that are configured to execute a one or more Rete algorithms that are configured for the deterministic detection of anomalous behavior in the network based on the notifications.
- View Dependent Claims (23)
- - 23. The device of claim 22 further comprising a correlation engine configured to receive summary data and special packet data from the 1-n sensors.

24. A device for identifying an anomalous behavior in a network of host computing elements using a multi-tiered analytics rule engine comprising:
- 1-n network sensors within a computer network,a first tier rule engine,a second tier rule engine,wherein each network sensor of the 1-n network sensors is configured to sense or identify a characteristic of a network data packet, a network flow, or both being communicated across the computer network,wherein the 1-n network sensors are configured to output a sensor notification to each of a first tier rule engine and a second tier rule engine upon the satisfaction of a predetermined set of sensor network conditions,wherein at least one of the first tier rule engine or the second tier rule engine comprises a 1-n Rete net-based rule engine configured to execute a one or more Rete algorithms configured for the deterministic detection of an anomalous behavior in the network based on the notifications,wherein the first tier rule engine is further configured to output one or more alert events to the second tier rule engine upon identifying a predetermined set of notifications, andwherein the second tier rule engine is configured to output an alarm event to a user upon identifying a predetermined combination of alarms and notifications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyber adAPT, Inc., PFG Ip, LLC
Original Assignee
Cyber adAPT, Inc.
Inventors
Deerman, James, Joll, Bill, Lanning, Craig, Rhodes, Keith
Primary Examiner(s)
Dada, Beemnet

Application Number

US14/147,105
Publication Number

US 20140245374A1
Time in Patent Office

935 Days
Field of Search
US Class Current

1/1
CPC Class Codes

F01D 3/04   axial thrust being compensa...

H04L 63/14   for detecting or protecting...

H04L 63/20   for managing network securi...

Device and method for detection of anomalous behavior in a computer network

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Device and method for detection of anomalous behavior in a computer network

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links