Device and method for detection of anomalous behavior in a computer network
Abstract
A device and method for providing forensic data in network activity indicative of the presence of malware. A distributed set of network-based sensors operates within an enterprise network in cooperation with a centralized analytics and correlation engine that correlates detected events across the sensors to detect malicious activity on a monitored network which may include using a multi-tiered or Rete net rule set or engine. When malicious activity is detected upon the satisfaction of a predetermined set of conditions, the invention traces the activity to a host responsible for the activity for further action.
24 Claims
1. A method for identifying an anomalous behavior in a network of host computing elements comprising the steps of:
- providing 1-n network sensors in a computer network and in data communication therewith, wherein each network sensor is configured to sense or identify a characteristic of a network data packet, a network flow, or both being communicated across the computer network,
- outputting, by at least one of the network sensors, a sensor notification upon the satisfaction of a predetermined set of network data conditions,
- outputting the 1-n sensor notifications to a 1-n Rete net-based rule engine configured to execute one or more Rete algorithms configured for the deterministic detection of an anomalous behavior in the network based on the notifications,
- executing the one or more Rete algorithms, and
- outputting an alarm signal upon the detection of the anomalous behavior.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method for identifying an anomalous behavior in a network of host computing elements comprising the steps of:
- providing 1-n network sensors in a computer network and in data communication therewith,
- outputting, by one or more of the network sensors, a sensor notification upon the satisfaction of a predetermined set of network data conditions,
- outputting the 1-n sensor notifications to 1-n Rete net-based engines configured to execute one or more Rete algorithms configured for the deterministic detection of anomalous behavior in the computer network based on the notifications,
- executing the one or more Rete algorithms, and
- outputting an alarm signal upon the detection of the anomalous behavior.
Dependent claims: 11, 12, 13, 14, 15, 16, 17.
18. A method for identifying an anomalous behavior in a network of host computing elements using a multi-tiered analytics rule engine comprising the steps of:
- providing 1-n network sensors in a computer network and in data communication therewith, wherein each network sensor is configured to sense or identify a characteristic of a network data packet, a network flow, or both being communicated across the computer network, each network sensor configured to output a sensor notification to each of a first tier rule engine and a second tier rule engine upon the satisfaction of a predetermined set of sensor network conditions, and wherein at least one of the first tier rule engine or the second tier rule engine comprises a 1-n Rete net-based rule engine configured to execute one or more Rete algorithms configured for the deterministic detection of an anomalous behavior in the network based on the notifications,
- identifying, by the first tier rule engine, a predetermined set of notifications,
- outputting one or more alert events to the second tier rule engine in response to identifying the predetermined set of notifications, and
- outputting, by the second tier rule engine, an alarm event to a user upon identifying a predetermined combination of alarms and notifications.
Dependent claims: 19.
20. A method for identifying an anomalous behavior in a network of host computing elements using a multi-tiered analytics rule engine comprising the steps of:
- providing 1-n network sensors in a computer network and in data communication therewith,
- wherein each network sensor is configured to monitor one or more host statistics of a host, wherein the one or more host statistics comprise a statistic related to applications executing on the host, a subnet communicated with by the host, a byte count of transmitted data, a byte count of received data, or any combination thereof,
- wherein each network sensor is configured to output a sensor notification to each of a first tier rule engine and a second tier rule engine upon the satisfaction of a predetermined set of sensor network conditions, a subset of which comprises a predetermined host condition,
- and wherein at least one of the first tier rule engine or the second tier rule engine comprises a 1-n Rete net-based rule engine configured to execute one or more Rete algorithms configured for the deterministic detection of an anomalous behavior in the network based on the notifications,
- the first tier rule engine configured to output one or more alert events to the second tier rule engine upon identifying a predetermined set of notifications,
- the second tier rule engine configured to output an alarm event to a user upon identifying a predetermined combination of alarms and notifications,
- and wherein the 1-n sensors are configured to concurrently output summary host data comprising flow data upon identification of a notification resulting from the host condition.
Dependent claims: 21.
22. A device for identifying an anomalous behavior in a network of host computing elements comprising:
- 1-n network sensors configured to output a sensor notification upon the satisfaction of a predetermined set of network data conditions and to output summary data and special packet data, and
- 1-n Rete net-based rule engines that are configured to execute one or more Rete algorithms that are configured for the deterministic detection of anomalous behavior in the network based on the notifications.
Dependent claims: 23.
24. A device for identifying an anomalous behavior in a network of host computing elements using a multi-tiered analytics rule engine comprising:
- 1-n network sensors within a computer network,
- a first tier rule engine,
- a second tier rule engine,
- wherein each network sensor of the 1-n network sensors is configured to sense or identify a characteristic of a network data packet, a network flow, or both being communicated across the computer network,
- wherein the 1-n network sensors are configured to output a sensor notification to each of a first tier rule engine and a second tier rule engine upon the satisfaction of a predetermined set of sensor network conditions,
- wherein at least one of the first tier rule engine or the second tier rule engine comprises a 1-n Rete net-based rule engine configured to execute one or more Rete algorithms configured for the deterministic detection of an anomalous behavior in the network based on the notifications,
- wherein the first tier rule engine is further configured to output one or more alert events to the second tier rule engine upon identifying a predetermined set of notifications, and
- wherein the second tier rule engine is configured to output an alarm event to a user upon identifying a predetermined combination of alarms and notifications.
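The two-tier correlation of claims 18, 20 and 24, as an added illustration that is not the patent's own implementation: sensor notifications are attributed to a host and delivered to both tiers, tier 1 turns a predetermined set of notifications into an alert event, and tier 2 raises an alarm naming the host when an alert coincides with a raw notification. Plain forward chaining over a working memory stands in for the claimed Rete network, and the notification names, hosts and byte threshold are constructed for the example.

```python
"""Two-tier correlation of sensor notifications into alert and alarm events.
Added illustration: naive forward chaining over a working memory stands in
for the claimed Rete-net engines. Names, hosts and thresholds are constructed."""
from collections import defaultdict, namedtuple

# kind: "notification" (sensor), "alert" (tier 1) or "alarm" (tier 2); host: attributed host
Fact = namedtuple("Fact", "kind host name value", defaults=[0.0])

def run_rules(rules, facts):
    """A rule is (name, condition, action) and fires at most once per host;
    each fact it produces joins working memory until nothing new fires."""
    memory, fired, emitted = set(facts), set(), []
    changed = True
    while changed:
        changed = False
        by_host = defaultdict(set)          # rules match per attributed host
        for f in memory:
            by_host[f.host].add(f)
        for name, cond, action in rules:
            for host, hfacts in by_host.items():
                if (name, host) not in fired and cond(hfacts):
                    fired.add((name, host))
                    emitted.append(action(host))
                    memory.add(emitted[-1])
                    changed = True
    return emitted

def has(fs, kind, name, pred=lambda v: True):
    return any(f.kind == kind and f.name == name and pred(f.value) for f in fs)

TIER1_RULES = [  # predetermined sets of notifications -> alert events
    ("c2_pattern", lambda fs: has(fs, "notification", "beacon_interval")
     and has(fs, "notification", "new_subnet"), lambda h: Fact("alert", h, "suspected_c2")),
    ("exfil_pattern", lambda fs: has(fs, "notification", "bytes_out", lambda v: v > 50e6),
     lambda h: Fact("alert", h, "suspected_exfil")),
]
TIER2_RULES = [  # a tier-1 alert combined with a raw notification -> alarm to the user
    ("compromised_host", lambda fs: has(fs, "alert", "suspected_c2")
     and has(fs, "notification", "new_process"), lambda h: Fact("alarm", h, "compromised_host")),
]

def correlate(notifications):
    """Sensors notify both tiers; tier 1 forwards its alert events to tier 2."""
    alerts = run_rules(TIER1_RULES, notifications)
    alarms = run_rules(TIER2_RULES, list(notifications) + alerts)
    return {"alerts": sorted((a.host, a.name) for a in alerts),
            "alarms": sorted((a.host, a.name) for a in alarms)}

SAMPLE = [  # constructed notifications from two hosts; only 10.0.0.5 reaches an alarm
    Fact("notification", "10.0.0.5", "beacon_interval", 60), Fact("notification", "10.0.0.5", "new_subnet"),
    Fact("notification", "10.0.0.5", "new_process"), Fact("notification", "10.0.0.9", "bytes_out", 80e6),
    Fact("notification", "10.0.0.9", "new_subnet"),
]
```

Host 10.0.0.9 produces only a tier-1 alert, since its exfiltration pattern never combines with the tier-2 condition, which is the point of the second tier: alerts accumulate as evidence, and only a predetermined combination becomes an alarm.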