Distributed agent based model for security monitoring and response

DC CAFC

US 9,503,470 B2
Filed: 10/01/2013
Issued: 11/22/2016
Est. Priority Date: 12/24/2002
Status: Expired due to Term

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A system that detects the state of a computer network, comprising:

a plurality of distributed agents disposed in said computer network, each said distributed agent including a microprocessor adapted to;

passively collect, monitor, and aggregate data representative of activities of respective nodes within said computer network,analyze collected data to develop activity models representative of activities of said computer network in a normal state and activities of said computer network in an abnormal state as a result of intrusions, infections, scams, code emulating code or humans, and/or other suspicious activities in said computer network, andgenerate counter-offensive measures where unauthorized access to a program or file containing executable code results in the program or file disabling an operating system with all associated applications of a computer in the computer network until/unless the presumed attacker is able to prove to the machine owner/victim that the presumed attacker had been authorized to access the target data or machine provoking the said counter offensive measure; and

a server that provides a security and validity score for free software available for download, the validity score comprising three components including a first component computed based on security of the free software itself, a second component computed based on experiences users have with the free software, and a third component based on a reputation of a programmer that created the free software.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

An architecture is provided for a widely distributed security system (SDI-SCAM) that protects computers at individual client locations, but which constantly pools and analyzes information gathered from machines across a network in order to quickly detect patterns consistent with intrusion or attack, singular or coordinated. When a novel method of attack has been detected, the system distributes warnings and potential countermeasures to each individual machine on the network. Such a warning may potentially include a probability distribution of the likelihood of an intrusion or attack as well as the relative probabilistic likelihood that such potential intrusion possesses certain characteristics or typologies or even strategic objectives in order to best recommend and/or distribute to each machine the most befitting countermeasure(s) given all presently known particular data and associated predicted probabilistic information regarding the prospective intrusion or attack. If any systems are adversely affected, methods for repairing the damage are shared and redistributed throughout the network.

Citations

22 Claims

1. A system that detects the state of a computer network, comprising:
- a plurality of distributed agents disposed in said computer network, each said distributed agent including a microprocessor adapted to;
  
  passively collect, monitor, and aggregate data representative of activities of respective nodes within said computer network,analyze collected data to develop activity models representative of activities of said computer network in a normal state and activities of said computer network in an abnormal state as a result of intrusions, infections, scams, code emulating code or humans, and/or other suspicious activities in said computer network, andgenerate counter-offensive measures where unauthorized access to a program or file containing executable code results in the program or file disabling an operating system with all associated applications of a computer in the computer network until/unless the presumed attacker is able to prove to the machine owner/victim that the presumed attacker had been authorized to access the target data or machine provoking the said counter offensive measure; and
  
  a server that provides a security and validity score for free software available for download, the validity score comprising three components including a first component computed based on security of the free software itself, a second component computed based on experiences users have with the free software, and a third component based on a reputation of a programmer that created the free software.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A system as in claim 1, further comprising a distributed sensor network that aggregates and analyzes data to develop a probabilistic likelihood of a threat to safe code, machines, servers, or individuals, wherein said counter-offensive generating means generates counter-offensive measures that are targeted to a given threat or attack based upon historical feedback from successes and failures of previous counter measures used in response to similar attacks and threats.
  - 3. A system as in claim 2, wherein said historical feedback updates an adaptive learning or adaptive rule base.
  - 4. A system as in claim 2, wherein said distributed sensor network aggregates and analyzes data pertaining to software within the network in order to enable detection and characterization of vulnerabilities and/or provide recommendations for remedial repair or revision.
  - 5. A system as in claim 1, wherein said counter-offensive generating means creates a bogus target for invoking attack on said bogus target for purposes of achieving early detection of a system infection.
  - 6. A system as in claim 1, wherein each distributed agent is connected to each other distributed agent through a fully isolated computer network that operates independently from the computer network on which a protected computer resides.
  - 7. A system as in claim 1, wherein when the analyzing means detects suspicious activities, a distributed agent opens a “
    - honey pot”
      
      trap in a virtual space that simulates an environment of the protected computer.
  - 8. A system as in claim 1, wherein each distributed agent monitors processes for behavior consistent with viral infection and flags processes having said behavior as a potential threat, said monitoring including determining whether a process opens and modifies a wide range of heterogeneous files, whether a process accesses a mail system'"'"'s address folder, whether a process aggressively propagates copies of itself, whether a process engages in recursively redundant actions whose objective is designed to achieve no useful purposes, whether a process aggressively or repetitively generates or obtains data files in order to propagate inordinately voluminous and/or large files resulting in bursts of traffic, whether a process performs similar recursively redundant actions resulting in consumption and overloading of valuable processing capacity, whether a process modifies or mutates its own code and/or behavior, and/or whether a process opens unexpected communication ports with outside entities will be flagged as a potential threat.
  - 9. A system as in claim 1, wherein each distributed agent determines a probability and a degree of ill motive of individuals of most likely suspicion and monitors activities of said individuals in the computer network.
  - 10. A system as in claim 1, wherein the server performs tests on the free software to check if the free program ever accesses memory locations that it is not supposed to access and to detect if the free software has memory leaks that would enable the free software to launch a denial of service attack.
  - 11. A system as in claim 1, wherein each distributed agent monitors time and circumstances of any changes to the computer network, cross-checks the time and circumstances of any changes against average traffic patterns for the computer network, and flags changes at unusual times or under unusual circumstances as suspicious activities.

12. A method of detecting the state of a computer network, comprising:
- providing a plurality of distributed agents disposed in said computer network to passively collect, monitor, and aggregate data representative of activities of respective nodes within said computer network;
  
  analyzing said data using a microprocessor to develop activity models based on collected data and representative of activities of said network in a normal state and activities of said computer network in an abnormal state as a result of intrusions, infections, scams, code emulating code or humans, and/or other suspicious activities in said computer network, said data analysis including performing a pattern analysis on the collected data to identify patterns in the collected data representative of suspicious activities;
  
  generating counter-offensive measures where unauthorized access to a program or file containing executable code results in the program or file disabling an operating system with all associated applications of a computer in the computer network until/unless the presumed attacker is able to prove to the machine owner/victim that the presumed attacker had been authorized to access the target data or machine provoking the said counter offensive measure; and
  
  a server providing a security and validity score for free software available for download, the validity score comprising three components including a first component computed based on security of the free software itself, a second component computed based on experiences users have with the free software, and a third component based on a reputation of a programmer that created the free software.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. A method as in claim 12, further comprising aggregating and analyzing data to develop a probabilistic likelihood of a threat to safe code, machines, servers, or individuals, and generating counter-offensive measures that are targeted to a given threat or attack based upon historical feedback from successes and failures of previous counter measures used in response to similar attacks and threats.
  - 14. A method as in claim 13, further comprising updating an adaptive learning or adaptive rule base with said historical feedback.
  - 15. A method as in claim 13, further comprising aggregating and analyzing data pertaining to software within the network in order to enable detection and characterization of vulnerabilities and/or provide recommendations for remedial repair or revision.
  - 16. A method as in claim 12, further comprising creating a bogus target for invoking attack on said bogus target for purposes of achieving early detection of a system infection.
  - 17. A method as in claim 12, wherein each distributed agent is connected to each other distributed agent through a fully isolated computer network that operates independently from the computer network on which a protected computer resides.
  - 18. A method as in claim 12, wherein when the analyzing means detects suspicious activities, a distributed agent opens a “
    - honey pot”
      
      trap in a virtual space that simulates an environment of the protected computer.
  - 19. A method as in claim 12, further including each distributed agent monitoring processes for behavior consistent with viral infection and flagging processes having said behavior as a potential threat, said monitoring including determining whether a process opens and modifies a wide range of heterogeneous files, whether a process accesses a mail system'"'"'s address folder, whether a process aggressively propagates copies of itself, whether a process engages in recursively redundant actions whose objective is designed to achieve no useful purposes, whether a process aggressively or repetitively generates or obtains data files in order to propagate inordinately voluminous and/or large files resulting in bursts of traffic, whether a process performs similar recursively redundant actions resulting in consumption and overloading of valuable processing capacity, whether a process modifies or mutates its own code and/or behavior, and/or whether a process opens unexpected communication ports with outside entities will be flagged as a potential threat.
  - 20. A method as in claim 12, further including each distributed agent determining a probability and a degree of ill motive of individuals of most likely suspicion and monitoring activities of said individuals in the computer network.
  - 21. A method as in claim 12, further including the server performing tests on the free software to check if the free program ever accesses memory locations that it is not supposed to access and to detect if the free software has memory leaks that would enable the free software to launch a denial of service attack.
  - 22. A method as in claim 12, further including each distributed agent monitoring time and circumstances of any changes to the computer network, cross-checking the time and circumstances of any changes against average traffic patterns for the computer network, and flagging changes at unusual times or under unusual circumstances as suspicious activities.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
CTD Networks LLC
Original Assignee
Fred HERZ Patents LLC
Inventors
Gertner, Yael, Herz, Frederick S. M., Labys, Walter Paul
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Truong, Thong

Application Number

US14/043,567
Publication Number

US 20140237599A1
Time in Patent Office

1,148 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Distributed agent based model for security monitoring and response

First Claim

2 Assignments

Litigations

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed agent based model for security monitoring and response

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links