SDI-SCAM

DC CAFC

US 9,438,614 B2
Filed: 07/15/2013
Issued: 09/06/2016
Est. Priority Date: 10/23/2002
Status: Expired due to Term

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A distributed network security system that detects the state of a computer network having a plurality of nodes including identifying potential threats to the computer network, said system comprising:

at least two agents disposed in said computer network that collect data representative of operations of said computer network including respective nodes in said computer network, said data relating to communication, internal and external accesses, code execution functions, code analysis and/or network resource conditions of respective nodes in said computer network; and

a server programmed to;

compare data collected by said at least two agents to determine code analysis and/or activity models characterizing conditions within said computer network including behaviors, events and/or function of respective nodes of said computer network, said behaviors representative of normal states and one or more abnormal states representative of suspicious activity indicative of an attack or threat to said computer network,perform a pattern analysis in the collected data to identify patterns in the collected data representative of suspicious activities indicative of an attack or threat to said computer network and to develop code analysis and/or activity models from the collected data representative of activities of said computer networks in a normal state and activities of said computer networks in an abnormal state based on said identified patterns, wherein said pattern analysis involves comparing data collected by each said agent to the data collected by another agent to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, anddetermine during said pattern analysis if a probability threshold for detecting and classifying a threat is breached by said similar patterns of suspicious activities and, if so, send out an alert to other agents, a central server and/or human operator.

View all claims

1 Assignment

Timeline View

Assignment View

Litigations

0 Petitions

Reexamination

Accused Products

Abstract

A distributed multi-agent system and method is implemented and employed across at least one intranet for purposes of real time collection, monitoring, aggregation, analysis and modeling of system and network operations, communications, internal and external accesses, code execution functions, network and network resource conditions as well as other assessable criteria within the implemented environment. Analytical models are constructed and dynamically updated from the data sources so as to be able to rapidly identify and characterize conditions within the environment (such as behaviors, events, and functions) that are typically characteristic with that of a normal state and those that are of an abnormal or potentially suspicious state. The model is further able to implement statistical flagging functions, provide analytical interfaces to system administrators and estimate likely conditions that characterize the state of the system and the potential threat. The model may further recommend (or alternatively implement autonomously or semi-autonomously) optimal remedial repair and recovery strategies as well as the most appropriate countermeasures to isolate or neutralize the threat and its effects.

Citations

36 Claims

1. A distributed network security system that detects the state of a computer network having a plurality of nodes including identifying potential threats to the computer network, said system comprising:
- at least two agents disposed in said computer network that collect data representative of operations of said computer network including respective nodes in said computer network, said data relating to communication, internal and external accesses, code execution functions, code analysis and/or network resource conditions of respective nodes in said computer network; and
  
  a server programmed to;
  
  compare data collected by said at least two agents to determine code analysis and/or activity models characterizing conditions within said computer network including behaviors, events and/or function of respective nodes of said computer network, said behaviors representative of normal states and one or more abnormal states representative of suspicious activity indicative of an attack or threat to said computer network,perform a pattern analysis in the collected data to identify patterns in the collected data representative of suspicious activities indicative of an attack or threat to said computer network and to develop code analysis and/or activity models from the collected data representative of activities of said computer networks in a normal state and activities of said computer networks in an abnormal state based on said identified patterns, wherein said pattern analysis involves comparing data collected by each said agent to the data collected by another agent to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, anddetermine during said pattern analysis if a probability threshold for detecting and classifying a threat is breached by said similar patterns of suspicious activities and, if so, send out an alert to other agents, a central server and/or human operator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A system as in claim 1, wherein said server protects individual machines in said computer network by pooling and analyzing information gathered from different machines across the computer network by said at least two agents passively collecting, monitoring and aggregating data representative of activities of said plurality of machines.
  - 3. A system as in claim 1, wherein said alert includes a probability or probability distribution that a threat poses certain degrees of potential danger, threat classification or nature of said threat from analyzed data in order to determine an origin of suspicious activity indicative of an attack or threat to the computer network and potential counter measures from other individual machines in said computer network.
  - 4. A system as in claim 3, wherein said alert includes a probability of likely threat subjection to other identified individuals, organizations, nodes, degrees of potential danger, threat classification, and/or nature of said threat.
  - 5. A system as in claim 3, wherein said alert is accompanied by an optimally suited defense scheme customized for the threat based determinable behaviors, characteristics and/or conditions of the threatened system in order to provide appropriate remedial counter measures.
  - 6. A system as in claim 5, wherein said alert includes defensive and counter offensive responsive action protocols appropriate to said detected likely threat.
  - 7. A system as in claim 3, wherein the analyzed data is provided to other agents for purposes of updating their data models.
  - 8. A system as in claim 6, wherein said defensive and counter offensive response to said likely threat are performed in a fashion which is autonomous, manually executed, or semi-autonomously executed whereby an agent performs passive monitoring and relays auditable data from a portion of the computer network local to said agent.
  - 9. A system as in claim 3, wherein said alert includes information that is recommended for remedial repair and/or recovery strategies to isolate or neutralize the identified potential threats to the computer system once the existence of harm to the system has been confirmed.

10. A system that detects the state of a computer network having a plurality of nodes, said system comprising a plurality of distributed agents designed for adaptive learning and probabilistic analysis, said agents passively collecting, monitoring, aggregating and pattern analyzing data collected by respective distributed agents to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, determining from said pattern analysis whether a probability threshold of suspicious activity indicative of an attack or threat to said computer network has been exceeded, and when said probability threshold has been exceeded by said similar patterns of suspicious activities, alerting other agents, a central server, and/or a human operator.
- View Dependent Claims (11, 12, 13)
- - 11. A system as in claim 10, wherein said adaptive learning is implemented by a Bayesian analysis system.
  - 12. A system as in claim 10, wherein the said adaptive learning is implemented by a pattern matching algorithm.
  - 13. A system as in claim 10, wherein said distributed agents are part of a distributed system architecture.

14. A network threat and response system comprising a plurality of distributed agents that collect, monitor, aggregate and pattern analyze data representative of behavioral activities and/or code in various locations across a computer network collected by respective distributed agents to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, and that determine from said pattern analysis whether a probability threshold of suspicious activity indicative of an attack or threat to said computer network has been exceeded by said similar patterns of suspicious activities, and when said probability threshold has been exceeded, alert other agents, a central server, and/or a human operator, wherein said distributed agents together form a scalable distributed network architecture capable of dynamically responsive network wide remote communication, statistical processing, data distribution and redistribution and updating of said distributed agents.
- View Dependent Claims (15)
- - 15. A system as in claim 14, wherein said scalable distributed network architecture is adapted to provide rapid communication, detection, classification, tracking, probabilistic analysis and/or defensive and counter offensive measures.

16. A network threat and response system comprising a plurality of distributed agents that collect, monitor, aggregate and pattern analyze data representative of behavioral activities and/or code in various locations across a computer network collected by respective distributed agents to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, and that determine from said pattern analysis whether a probability threshold of suspicious activity indicative of an attack or threat to said computer network has been exceeded by said similar patterns of suspicious activities;
- each of said agents performing adaptive learning in order to detect the probability, classification and/or nature of a threat to said computer network, to develop notification thresholds for alerting other agents of potential threats to said computer network, and to develop appropriate counter measures, including defensive, remedial and/or reparative functions as well as preventative functions, wherein at least one of said distributed agents further performs at least one of alerting, auditing and/or reporting functions to human and/or autonomous operators.
- View Dependent Claims (17)
- - 17. A system as in claim 16, wherein each of said agents provides defensive functions whereby redundant memory, hardware and associated processing capacity are insulated from an infected or corrupted portion of the computer network.

18. A network threat and response system comprising a plurality of distributed agents that collect, monitor, aggregate, and pattern analyze data representative of behavioral activities and/or code in various locations across a computer network collected by respective distributed agents to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, and that determine from said pattern analysis whether a probability threshold of suspicious activity indicative of an attack or threat to said computer network has been exceeded by said similar patterns of suspicious activities, and when said probability threshold has been exceeded, alert other agents, a central server, and/or a human operator, and said distributed agents further utilizing said collected data to create and update a probabilistic model for a potential threat to the computer network.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. A system as in claim 18, further comprising a virus scanner that is updated by said pattern analyzed data from said distributed agents.
  - 20. A system as in claim 18, wherein said distributed agents are distributed across clients, servers and/or distributed central data warehouses of said computer network.
  - 21. A system as in claim 18, wherein distributed agents use threat detection, notification, agent updating, response and/or remediation protocols.
  - 22. A system as in claim 18, wherein at least one of said distributed agents provides defensive measures implementing redundant hardware, memory and communications links and neutralizes or isolates suspected threats to the computer network utilizing the defensive measures.
  - 23. A system as in claim 18, wherein said distributed agents implement adaptive learning techniques across a variety of system and network environments and are enabled by their capacity for interoperability between any heterogeneous protocols that are associated with a security system on the computer network.
  - 24. A system as in claim 23, wherein said interoperability between any heterogeneous protocols further enables said system to integrate with at least one other security system for purposes of implementing the system functions of passively collecting, monitoring, aggregating and pattern analyzing data as well as performing adaptive learning to detect the probability, classification, and/or nature of a threat to the computer network, developing notification thresholds for alerting other agents of potential threats to the computer network, and/or for developing appropriate countermeasures including defensive, remedial, reparative, and/or preventative functions.

25. A computer network threat and response system comprising a plurality of distributed agents that collect, monitor, aggregate and pattern analyze data representative of behavioral activities, content, and/or code in various locations across the computer network collected by respective distributed agents to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, determine from said pattern analysis whether a probability threshold of suspicious activity indicative of an attack or threat to said computer has been exceeded by said similar patterns of suspicious activities, and when said probability threshold has been exceeded, alert other agents, a central server, and/or a human operator;
- wherein attributes used for said pattern analysis include behavioral analysis of a hacker, code analysis, sequential event analysis, classification of the threat to the computer network, and/or textual and multimedia content features.

26. A network threat and response system comprising a plurality of distributed agents that collect, monitor, aggregate and pattern analyze data representative of behavioral activities, content, and/or code in various locations across a computer network collected by respective distributed agents to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, determine from said pattern analysis whether a probability threshold of suspicious activity indicative of an attack or threat to said computer network has been exceeded by said similar patterns of suspicious activities, and when said probability threshold has been exceeded, further provide notification to other agents on the computer network for purposes of defensive or counteroffensive responses, remedial repair, and/or recovery strategies.
- View Dependent Claims (27, 28, 29, 30, 31, 32)
- - 27. A system as in claim 26, wherein said notification includes a probability of likely threat to the computer network;
    - subjection to other identified individuals, organizations, and/or nodes;
      
      degrees of potential danger;
      
      threat classification; and
      
      /or nature of said threat to the computer network.
  - 28. A system as in claim 26, wherein data associated with said notification is used to determine an origin of suspicious activity indicative of an attack or threat to the computer network for determining potential countermeasures to an identified threat.
  - 29. A system as in claim 26, wherein the said defensive or counteroffensive responses, remedial repair, and/or recovery strategies are customized to the overall conditions and circumstances characterizing a threat to the computer system and a threatened computer system.
  - 30. A system as in claim 26, wherein said defensive or counteroffensive responses include a honey pot trap.
  - 31. A system as in claim 26, wherein said defensive responses include implementing redundant hardware, memory, and/or communication links and neutralizing or isolating suspected threats to the computer system.
  - 32. A system as in claim 26, wherein said network threat detection and response system includes a network configuration based upon a distributed non-hierarchical or a hierarchical group of agents communicating with one another.

33. A distributed multi agent network security system comprising at least two agents that perform traffic monitoring and at least one of code analysis, content analysis, traffic analysis and creating activity models of various machines on a computer network and/or portions thereof representative of normal states and/or one or more abnormal states representative of suspicious activity indicative of an attack or threat to said computer network, each agent pattern analyzing collected data to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, determine from said pattern analysis whether a probability threshold of suspicious activity indicative of an attack or threat to said computer network has been exceeded by said similar patterns of suspicious activities, and when said probability threshold has been exceeded, further provide notification to other agents on the computer network.
- View Dependent Claims (34, 35, 36)
- - 34. A system as in claim 33, wherein said at least one of code analysis, content analysis, traffic analysis and creating activity models is based upon the use of pattern analysis involving comparing data collected by each said agent to the data collected by another agent to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network.
  - 35. A system as in claim 33, wherein said at least one of code analysis, content analysis, traffic analysis and creating activity models are used for purposes of threat detection, notification, agent updating, response and/or remediation protocols.
  - 36. A system as in claim 33, wherein said at least one of code analysis, content analysis, traffic analysis and creating activity models determine threat identification, threat classification, and/or probability of a threat to said computer network based upon at least one of observed characteristics, conditions/variables of an environment which a threat has encountered, data a threat has likely accessed, actions, events and/or countermeasures to which a threat has been exposed, code within which a threat has been embedded, dissemination of the threat through email, co-occurrence of identical or related patterns of code sequences in conjunction with suspicious behavior indicative of an attack or threat to said computer network, opening and/or modifying heterogeneous files, accessing a mail system'"'"'s address folder, aggressive propagation of copies of the threat, recursively redundant actions, redundant messages, frequent or aggressive repetitive generation or obtaining of data files, propagation of inordinately voluminous or large files, redundant actions resulting in consumption of processing capacity, and/or modification or mutation of code and/or behavior.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
CTD Networks LLC
Original Assignee
Fred HERZ Patents LLC
Inventors
Herz, Frederick S. M.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
WYSZYNSKI, AUBREY H

Application Number

US13/942,175
Publication Number

US 20130305377A1
Time in Patent Office

1,149 Days
Field of Search

726/25
US Class Current

1/1
CPC Class Codes

G06Q 20/201   Price look-up processing, e...

H04L 41/0853   by actively collecting conf...

H04L 41/147   for predicting network beha...

H04L 41/16   using machine learning or a...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

SDI-SCAM

First Claim

1 Assignment

Litigations

0 Petitions

Reexamination

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

SDI-SCAM

First Claim

1 Assignment

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Reexamination

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links