Distributed agent based model for security monitoring and response
DC CAFC

First Claim
1. A system that detects the state of a computer network, comprising:
a plurality of distributed agents disposed in said computer network, each said distributed agent including a microprocessor adapted to:
  passively collect, monitor, and aggregate data representative of activities of respective nodes within said computer network,
  analyze collected data to develop activity models representative of activities of said computer network in a normal state and activities of said computer network in an abnormal state as a result of intrusions, infections, scams, code emulating code or humans, and/or other suspicious activities in said computer network, and
  generate counter-offensive measures where unauthorized access to a program or file containing executable code results in the program or file disabling an operating system with all associated applications of a computer in the computer network until/unless the presumed attacker is able to prove to the machine owner/victim that the presumed attacker had been authorized to access the target data or machine provoking the said counter offensive measure; and
a server that provides a security and validity score for free software available for download, the validity score comprising three components including a first component computed based on security of the free software itself, a second component computed based on experiences users have with the free software, and a third component based on a reputation of a programmer that created the free software.
Assignments: 2
Petitions: 0
Abstract
An architecture is provided for a widely distributed security system (SDI-SCAM) that protects computers at individual client locations, but which constantly pools and analyzes information gathered from machines across a network in order to quickly detect patterns consistent with intrusion or attack, singular or coordinated. When a novel method of attack has been detected, the system distributes warnings and potential countermeasures to each individual machine on the network. Such a warning may potentially include a probability distribution of the likelihood of an intrusion or attack as well as the relative probabilistic likelihood that such potential intrusion possesses certain characteristics or typologies or even strategic objectives in order to best recommend and/or distribute to each machine the most befitting countermeasure(s) given all presently known particular data and associated predicted probabilistic information regarding the prospective intrusion or attack. If any systems are adversely affected, methods for repairing the damage are shared and redistributed throughout the network.
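To make the pooling step in the abstract concrete, here is an added illustration (not code from the patent or from any SDI-SCAM implementation) of a server combining observation counts reported by several agents into the kind of warning the abstract describes: a probability of intrusion, a distribution over assumed attack typologies, and a defensive countermeasure chosen only when the pooled evidence clears a threshold. The typology names, likelihood table, countermeasure text and sample reports are all constructed assumptions.

```python
import math

# Hypothesis set: "benign" is the network's normal state, the rest are attack
# typologies. All numbers below are constructed assumptions, not patent figures.
TYPOLOGIES = ("benign", "credential_stuffing", "port_scan", "worm_propagation")

# P(observation kind | typology); each row sums to 1 over the observation kinds.
LIKELIHOOD = {
    "benign":              {"login_ok": 0.85, "login_fail": 0.10, "port_probe": 0.03, "smb_lateral": 0.02},
    "credential_stuffing": {"login_ok": 0.10, "login_fail": 0.85, "port_probe": 0.03, "smb_lateral": 0.02},
    "port_scan":           {"login_ok": 0.20, "login_fail": 0.05, "port_probe": 0.70, "smb_lateral": 0.05},
    "worm_propagation":    {"login_ok": 0.20, "login_fail": 0.10, "port_probe": 0.20, "smb_lateral": 0.50},
}

# Defensive countermeasure the server pushes for each typology (assumed text).
COUNTERMEASURE = {
    "credential_stuffing": "throttle failed logins per source and require MFA",
    "port_scan": "rate-limit unsolicited connection attempts at host firewalls",
    "worm_propagation": "isolate the affected segment and push the relevant patch",
}

def pool_reports(reports):
    """Pool {node: {observation kind: count}} into a posterior over TYPOLOGIES
    (uniform prior, naive Bayes, accumulated in log space to avoid underflow)."""
    log_post = {t: math.log(1.0 / len(TYPOLOGIES)) for t in TYPOLOGIES}
    for counts in reports.values():
        for kind, n in counts.items():
            for t in TYPOLOGIES:
                log_post[t] += n * math.log(LIKELIHOOD[t][kind])
    top = max(log_post.values())          # shift before exp for numerical stability
    unnorm = {t: math.exp(v - top) for t, v in log_post.items()}
    total = sum(unnorm.values())
    return {t: v / total for t, v in unnorm.items()}

def build_warning(reports, threshold=0.5):
    """Warning distributed back to every agent: intrusion probability, typology
    distribution, and a countermeasure only when evidence clears the threshold."""
    dist = pool_reports(reports)
    p_intrusion = 1.0 - dist["benign"]
    likely = max((t for t in TYPOLOGIES if t != "benign"), key=dist.get)
    act = p_intrusion >= threshold
    return {"p_intrusion": p_intrusion, "typology_distribution": dist,
            "likely_typology": likely if act else None,
            "recommended_countermeasure": COUNTERMEASURE[likely] if act else None,
            "reporting_nodes": sorted(reports)}

# Constructed reports from two agents: a burst of failed logins on both hosts.
SAMPLE_REPORTS = {"host-a": {"login_fail": 6, "login_ok": 1},
                  "host-b": {"login_fail": 5, "login_ok": 2, "port_probe": 1}}
```

Calling `build_warning(SAMPLE_REPORTS)` attributes the pooled failed logins to credential stuffing with near-certainty, whereas a node reporting mostly successful logins yields a near-zero intrusion probability and no countermeasure.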
22 Claims
1. (Independent claim 1, reproduced in full under First Claim above.) Dependent claims: 2 to 11.
12. A method of detecting the state of a computer network, comprising:
  providing a plurality of distributed agents disposed in said computer network to passively collect, monitor, and aggregate data representative of activities of respective nodes within said computer network;
  analyzing said data using a microprocessor to develop activity models based on collected data and representative of activities of said network in a normal state and activities of said computer network in an abnormal state as a result of intrusions, infections, scams, code emulating code or humans, and/or other suspicious activities in said computer network, said data analysis including performing a pattern analysis on the collected data to identify patterns in the collected data representative of suspicious activities;
  generating counter-offensive measures where unauthorized access to a program or file containing executable code results in the program or file disabling an operating system with all associated applications of a computer in the computer network until/unless the presumed attacker is able to prove to the machine owner/victim that the presumed attacker had been authorized to access the target data or machine provoking the said counter offensive measure; and
  a server providing a security and validity score for free software available for download, the validity score comprising three components including a first component computed based on security of the free software itself, a second component computed based on experiences users have with the free software, and a third component based on a reputation of a programmer that created the free software.
Dependent claims: 13 to 22.