SDI-SCAM
First Claim
1. A distributed network security system that detects the state of a computer network having a plurality of nodes including identifying potential threats to the computer network, said system comprising:
- at least two agents disposed in said computer network that collect data representative of operations of said computer network including respective nodes in said computer network, said data relating to communication, internal and external accesses, code execution functions, code analysis and/or network resource conditions of respective nodes in said computer network; and
- a server programmed to:
  compare data collected by said at least two agents to determine code analysis and/or activity models characterizing conditions within said computer network including behaviors, events and/or function of respective nodes of said computer network, said behaviors representative of normal states and one or more abnormal states representative of suspicious activity indicative of an attack or threat to said computer network,
  perform a pattern analysis in the collected data to identify patterns in the collected data representative of suspicious activities indicative of an attack or threat to said computer network and to develop code analysis and/or activity models from the collected data representative of activities of said computer networks in a normal state and activities of said computer networks in an abnormal state based on said identified patterns, wherein said pattern analysis involves comparing data collected by each said agent to the data collected by another agent to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, and
  determine during said pattern analysis if a probability threshold for detecting and classifying a threat is breached by said similar patterns of suspicious activities and, if so, send out an alert to other agents, a central server and/or human operator.
Abstract
A distributed multi-agent system and method is implemented and employed across at least one intranet for purposes of real-time collection, monitoring, aggregation, analysis and modeling of system and network operations, communications, internal and external accesses, code execution functions, network and network resource conditions, as well as other assessable criteria within the implemented environment. Analytical models are constructed and dynamically updated from the data sources so as to rapidly identify and characterize conditions within the environment (such as behaviors, events and functions) that are typically characteristic of a normal state and those that are characteristic of an abnormal or potentially suspicious state. The model is further able to implement statistical flagging functions, provide analytical interfaces to system administrators, and estimate the likely conditions that characterize the state of the system and the potential threat. The model may further recommend (or alternatively implement autonomously or semi-autonomously) optimal remedial repair and recovery strategies as well as the most appropriate countermeasures to isolate or neutralize the threat and its effects.
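The cross-agent correlation that claim 1 and the abstract describe (per-node agents that model normal activity, a server that compares one agent's findings with another's, a probability threshold, and an alert to other agents, a central server or an operator), as an added illustration written for this page rather than code from the patent or its assignee. Everything in it is an assumption: the event tuples are constructed sample telemetry, a per-pattern z-score baseline stands in for the claim's "activity models", a pattern counts as locally abnormal above 0.5, the agents' local probabilities are combined with a noisy-OR rule, and the alert threshold is 0.9.

```python
"""Added illustration of multi-agent pattern correlation; not the patent's code.
Assumed/constructed: event schema, z-score baseline, noisy-OR combination, thresholds."""
from collections import Counter, defaultdict
from math import erf, sqrt

SUSPICION_FLOOR = 0.5   # assumption: a pattern is locally abnormal above this
ALERT_THRESHOLD = 0.9   # assumption: the claim's "probability threshold"
STD_FLOOR = 1.0         # keeps z-scores finite when a baseline is flat

# Constructed sample telemetry: (node, minute, event_type, detail).
# Minutes 0-4 are a quiet baseline; minute 5 is the window under analysis.
EVENTS = [
    ("hostA", 0, "auth_fail", "admin"), ("hostA", 1, "auth_fail", "admin"),
    ("hostA", 2, "auth_fail", "admin"), ("hostA", 3, "auth_fail", "admin"),
    ("hostA", 4, "auth_fail", "admin"),
    ("hostB", 0, "auth_fail", "admin"), ("hostB", 2, "auth_fail", "admin"),
    ("hostB", 4, "auth_fail", "admin"),
    ("hostC", 1, "auth_fail", "admin"), ("hostC", 3, "auth_fail", "admin"),
    # the same credential sprayed against two nodes at once
    *[("hostA", 5, "auth_fail", "admin")] * 12,
    *[("hostB", 5, "auth_fail", "admin")] * 9,
    ("hostC", 5, "auth_fail", "admin"),
    # an anomaly that only one node sees
    *[("hostC", 5, "proc_exec", "powershell -enc")] * 6,
]


def phi(z):
    """Standard normal CDF."""
    return 0.5 * (1.0 + erf(z / sqrt(2.0)))


class Agent:
    """One agent per node: learns a per-pattern rate baseline from quiet
    minutes, then scores a window and reports how abnormal each pattern is."""

    def __init__(self, node, events):
        self.node = node
        self.events = [e for e in events if e[0] == node]

    def _counts(self, minute):
        return Counter((t, d) for _, m, t, d in self.events if m == minute)

    def baseline(self, minutes):
        """(mean, std) of the per-minute count of every pattern this node has seen."""
        patterns = {(t, d) for _, _, t, d in self.events}
        samples = defaultdict(list)
        for m in minutes:
            c = self._counts(m)
            for p in patterns:
                samples[p].append(c.get(p, 0))
        model = {}
        for p, xs in samples.items():
            mean = sum(xs) / len(xs)
            var = sum((x - mean) ** 2 for x in xs) / len(xs)
            model[p] = (mean, max(sqrt(var), STD_FLOOR))
        return model

    def report(self, model, minute):
        """Local suspicion per pattern: two-sided tail mass of the baseline
        beyond the observed count, clipped to [0, 1]."""
        suspicion = {}
        for p, n in self._counts(minute).items():
            mean, std = model.get(p, (0.0, STD_FLOOR))
            z = (n - mean) / std
            suspicion[p] = max(0.0, 2.0 * phi(z) - 1.0)
        return {"node": self.node, "minute": minute, "suspicion": suspicion}


def correlate(reports, threshold=ALERT_THRESHOLD):
    """Server side: compare each agent's report with the others, keep patterns
    that are abnormal on at least two nodes, combine their local probabilities
    with noisy-OR, and raise an alert when the threshold is breached."""
    by_pattern = defaultdict(dict)
    for r in reports:
        for p, s in r["suspicion"].items():
            if s >= SUSPICION_FLOOR:
                by_pattern[p][r["node"]] = s
    alerts = []
    for p, nodes in by_pattern.items():
        if len(nodes) < 2:          # no corroboration from another portion of the network
            continue
        miss = 1.0
        for s in nodes.values():
            miss *= 1.0 - s
        prob = 1.0 - miss
        if prob >= threshold:
            alerts.append({"pattern": p, "nodes": sorted(nodes),
                           "probability": round(prob, 3),
                           "notify": ["other agents", "central server", "human operator"]})
    return alerts


def run_demo(events=EVENTS, baseline_minutes=range(5), window=5):
    """Build one agent per node, score the window, and correlate at the server."""
    agents = [Agent(n, events) for n in sorted({e[0] for e in events})]
    reports = [a.report(a.baseline(baseline_minutes), window) for a in agents]
    return reports, correlate(reports)


if __name__ == "__main__":
    for alert in run_demo()[1]:
        print(alert)
```

With the constructed input, the authentication-failure burst against `admin` is abnormal on both hostA and hostB, so the server escalates it; hostC's encoded-PowerShell launch is strongly abnormal but seen by only one agent, so under the cross-agent criterion of the claim it stays a local finding. A deployed system would still want single-node anomalies routed to local response rather than silently dropped.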
36 Claims
- 10. A system that detects the state of a computer network having a plurality of nodes, said system comprising a plurality of distributed agents designed for adaptive learning and probabilistic analysis, said agents passively collecting, monitoring, aggregating and pattern analyzing data collected by respective distributed agents to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, determining from said pattern analysis whether a probability threshold of suspicious activity indicative of an attack or threat to said computer network has been exceeded, and when said probability threshold has been exceeded by said similar patterns of suspicious activities, alerting other agents, a central server, and/or a human operator.
- 14. A network threat and response system comprising a plurality of distributed agents that collect, monitor, aggregate and pattern analyze data representative of behavioral activities and/or code in various locations across a computer network collected by respective distributed agents to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, and that determine from said pattern analysis whether a probability threshold of suspicious activity indicative of an attack or threat to said computer network has been exceeded by said similar patterns of suspicious activities, and when said probability threshold has been exceeded, alert other agents, a central server, and/or a human operator, wherein said distributed agents together form a scalable distributed network architecture capable of dynamically responsive network wide remote communication, statistical processing, data distribution and redistribution and updating of said distributed agents.
- 16. A network threat and response system comprising a plurality of distributed agents that collect, monitor, aggregate and pattern analyze data representative of behavioral activities and/or code in various locations across a computer network collected by respective distributed agents to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, and that determine from said pattern analysis whether a probability threshold of suspicious activity indicative of an attack or threat to said computer network has been exceeded by said similar patterns of suspicious activities;
  each of said agents performing adaptive learning in order to detect the probability, classification and/or nature of a threat to said computer network, to develop notification thresholds for alerting other agents of potential threats to said computer network, and to develop appropriate countermeasures, including defensive, remedial and/or reparative functions as well as preventative functions, wherein at least one of said distributed agents further performs at least one of alerting, auditing and/or reporting functions to human and/or autonomous operators.
- 18. A network threat and response system comprising a plurality of distributed agents that collect, monitor, aggregate, and pattern analyze data representative of behavioral activities and/or code in various locations across a computer network collected by respective distributed agents to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, and that determine from said pattern analysis whether a probability threshold of suspicious activity indicative of an attack or threat to said computer network has been exceeded by said similar patterns of suspicious activities, and when said probability threshold has been exceeded, alert other agents, a central server, and/or a human operator, and said distributed agents further utilizing said collected data to create and update a probabilistic model for a potential threat to the computer network.
- 25. A computer network threat and response system comprising a plurality of distributed agents that collect, monitor, aggregate and pattern analyze data representative of behavioral activities, content, and/or code in various locations across the computer network collected by respective distributed agents to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, determine from said pattern analysis whether a probability threshold of suspicious activity indicative of an attack or threat to said computer has been exceeded by said similar patterns of suspicious activities, and when said probability threshold has been exceeded, alert other agents, a central server, and/or a human operator;
  wherein attributes used for said pattern analysis include behavioral analysis of a hacker, code analysis, sequential event analysis, classification of the threat to the computer network, and/or textual and multimedia content features.
- 26. A network threat and response system comprising a plurality of distributed agents that collect, monitor, aggregate and pattern analyze data representative of behavioral activities, content, and/or code in various locations across a computer network collected by respective distributed agents to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, determine from said pattern analysis whether a probability threshold of suspicious activity indicative of an attack or threat to said computer network has been exceeded by said similar patterns of suspicious activities, and when said probability threshold has been exceeded, further provide notification to other agents on the computer network for purposes of defensive or counteroffensive responses, remedial repair, and/or recovery strategies.
- 33. A distributed multi agent network security system comprising at least two agents that perform traffic monitoring and at least one of code analysis, content analysis, traffic analysis and creating activity models of various machines on a computer network and/or portions thereof representative of normal states and/or one or more abnormal states representative of suspicious activity indicative of an attack or threat to said computer network, each agent pattern analyzing collected data to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, determine from said pattern analysis whether a probability threshold of suspicious activity indicative of an attack or threat to said computer network has been exceeded by said similar patterns of suspicious activities, and when said probability threshold has been exceeded, further provide notification to other agents on the computer network.