Computer defenses and counterattacks

US 9,591,022 B2
Filed: 12/17/2014
Issued: 03/07/2017
Est. Priority Date: 12/17/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a processing system including one or more processors;

memory accessible to the processing system, wherein the memory stores instructions executable by at least one processor of the one or more processors to cause the at least one processor to;

instantiate a first detection agent based on detection criteria, wherein the first detection agent includes first program code executable by a second processor to monitor network activity;

send the first program code of the first detection agent to a remote computing device for execution, wherein, when the first program code of the first detection agent is executed at the remote computing device, the first detection agent is configured to;

monitor operations of components of the remote computing device including operations of a trusted component,generate an operational signature corresponding to the monitored operations of the trusted component of the remote computing device,monitor network activity of the remote computing device based on the operational signature while emulating activity of the trusted component of the remote computing device, andtransmit network activity data to the processing system, and wherein the processing system updates the detection criteria based on the network activity data and generates updated detection criteria;

instantiate a second detection agent based on the updated detection criteria, wherein the second detection agent includes second program code; and

send the second program code of the second detection agent to the remote computing device for execution.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes instantiating a first detection agent based on detection criteria, where the first detection agent includes first program code executable by a second computing device to monitor network activity. The method further includes sending the first program code of the first detection agent to the second computing device for execution. When the first program code of the first detection agent is executed at the second computing device, the first detection agent causes network activity data to be transmitted to a network monitor, and the network monitor updates the detection criteria based on the network activity data to generate updated detection criteria. The method also includes instantiating a second detection agent based on the updated detection criteria and sending second program code of the second detection agent to the second computing device for execution.

Citations

20 Claims

1. A system comprising:
- a processing system including one or more processors;
  
  memory accessible to the processing system, wherein the memory stores instructions executable by at least one processor of the one or more processors to cause the at least one processor to;
  
  instantiate a first detection agent based on detection criteria, wherein the first detection agent includes first program code executable by a second processor to monitor network activity;
  
  send the first program code of the first detection agent to a remote computing device for execution, wherein, when the first program code of the first detection agent is executed at the remote computing device, the first detection agent is configured to;
  
  monitor operations of components of the remote computing device including operations of a trusted component,generate an operational signature corresponding to the monitored operations of the trusted component of the remote computing device,monitor network activity of the remote computing device based on the operational signature while emulating activity of the trusted component of the remote computing device, andtransmit network activity data to the processing system, and wherein the processing system updates the detection criteria based on the network activity data and generates updated detection criteria;
  
  instantiate a second detection agent based on the updated detection criteria, wherein the second detection agent includes second program code; and
  
  send the second program code of the second detection agent to the remote computing device for execution.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein the stored instructions further cause the at least one processor to execute a supervisor application, wherein the supervisor application is executable to:
    - analyze data received from one or more agents executing at one or more remote processors;
      
      initiate one or more actions automatically, without human intervention, based on the analysis; and
      
      notify a human operator of results of the data, results of the analysis, actions taken, or a combination thereof.
  - 3. The system of claim 1, wherein emulating activity of the trusted component includes emulating a rhythm of activity of the trusted component, and wherein the first program code of the first detection agent further includes instructions to authenticate other agents and to exchange encrypted messages with the other agents independently of the processing system, and wherein the second program code deactivates the first detection agent.
  - 4. The system of claim 1, wherein the first program code of the first detection agent is configured to monitor first detection criterion and is not configured to monitor second detection criterion, and wherein the second program code is executable by the second processor to monitor the second detection criterion.
  - 5. The system of claim 1, wherein the stored instructions further cause the at least one processor to execute a supervisor application, wherein the supervisor application is executable to:
    - instantiate a first defense agent based on a set of available defense actions, wherein the first defense agent includes third program code executable by the second processor to mitigate suspect network activity; and
      
      send the third program code of the first defense agent to the remote computing device for execution to mitigate particular suspect network activity that is detected by a particular detection agent.
  - 6. The system of claim 5, wherein the supervisor application is further executable to:
    - instantiate a second defense agent based on the updated detection criteria after the processing system generates updated detection criteria; and
      
      send fourth program code of the second defense agent to the remote computing device for execution.
  - 7. The system of claim 5, wherein, when the first defense agent is executed at the remote computing device, the first defense agent causes suspect network activity mitigation data to be transmitted to the processing system, and wherein the processing system updates the detection criteria to generate the updated detection criteria further based on the suspect network activity mitigation data.
  - 8. The system of claim 5, wherein, when the first defense agent is executed at the remote computing device, the first defense agent causes suspect network activity mitigation data to be transmitted to the processing system, and wherein the processing system updates the set of available defense actions to generate an updated set of available defense actions based on the suspect network activity mitigation data.
  - 9. The system of claim 5, wherein the first detection agent is configured to communicate detection data to the first defense agent at the remote computing device, wherein the detection data indentifies suspect network activity detected by the first detection agent, and wherein the first defense agent is configured to automatically select and execute a particular defense action, independently of the processing system, based on the detection data.
  - 10. The system of claim 5, wherein the set of available defense actions includes a first subset of available defense actions and a second subset of available defense actions, and wherein the third program code of the first defense agent is configured to execute the first subset of available defense actions and is not configured to execute the second subset of available defense actions.
  - 11. The system of claim 10, wherein the supervisor application is further executable to:
    - instantiate a second defense agent including fourth program code executable by the second processor to execute one or more defense actions of the second subset of defense actions; and
      
      send the fourth program code of the second defense agent to the remote computing device.
  - 12. The system of claim 1, wherein the supervisor application is further executable to:
    - instantiate a first attack agent based on a set of available counterattack actions, wherein the first attack agent includes fifth program code executable by the second processor to execute a counterattack based on suspect network activity; and
      
      send the fifth program code of the first attack agent to the remote computing device for execution based on the suspect network activity detected by a particular detection agent.
  - 13. The system of claim 12, wherein the supervisor application is further executable to:
    - instantiate a second attack agent based on the updated detection criteria after the processing system generates updated detection criteria; and
      
      send sixth program code of the second attack agent to the remote computing device for execution.
  - 14. The system of claim 12, wherein, when the first attack agent is executed at the remote computing device, the first attack agent causes counterattack activity data to be transmitted to the processing system, and wherein the processing system updates the set of available counterattack actions to generate an updated set of available counterattack actions based on the counterattack activity data.

15. A method comprising:
- instantiating, at a first computing device, a first detection agent based on detection criteria, wherein the first detection agent includes first program code executable by a second computing device to monitor network activity;
  
  sending the first program code of the first detection agent to the second computing device for execution, wherein, when the first program code of the first detection agent is executed at the second computing device, the first detection agent;
  
  monitors operations of components of the second computing device including operations of a trusted component;
  
  generates an operational signature corresponding to the monitored operations of the trusted component of the second computing device;
  
  monitors network activity of the second computing device based on the operational signature while emulating activity of the trusted component of the second computing device; and
  
  causes network activity data to be transmitted to a processing system, and wherein the processing system updates the detection criteria based on the network activity data and generates updated detection criteria;
  
  instantiating, at the first computing device, a second detection agent based on the updated detection criteria; and
  
  sending second program code of the second detection agent to the second computing device for execution.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, further comprising:
    - instantiating at least one additional agent, the at least one additional agent including a defense agent, an attack agent, or both; and
      
      sending program code of the at least one additional agent to the second computing device for execution.
  - 17. The method of claim 16, further comprising, before instantiating the at least one additional agent, selecting operations to be performed by the at least one additional agent based on the network activity data, wherein the program code of the at least one additional agent includes instructions executable by the second computing device to perform the selected operations.

18. A computer-readable storage device storing instructions that are executable by a processor to cause the processor to:
- instantiate a first detection agent based on detection criteria, wherein the first detection agent includes first program code executable by a remote computing device to monitor network activity;
  
  send the first program code of the first detection agent to the remote computing device for execution, wherein, when the first program code of the first detection agent is executed at the remote computing device, the first detection agent is configured to;
  
  monitor operations of components of the remote computing device including operations of a trusted component,generate an operational signature corresponding to the monitored operations of the trusted component of the remote computing device,monitor network activity of the remote computing device based on the operational signature whereby the first detection agent emulates activity of the trusted component of the remote computing device, andtransmit network activity data to a processing system, and wherein the processing system updates the detection criteria based on the network activity data to generate updated detection criteria;
  
  instantiate a second detection agent based on the updated detection criteria; and
  
  send second program code of the second detection agent to the remote computing device for execution.
- View Dependent Claims (19, 20)
- - 19. The computer-readable storage device of claim 18, wherein the instructions further cause the processor to execute a supervisor application, wherein the supervisor application is executable to:
    - analyze data received from one or more agents executing at one or more remote computing devices;
      
      initiate one or more actions automatically, without human intervention, based on the analysis; and
      
      notify a human operator of results of the data, results of the analysis, actions taken, or a combination thereof.
  - 20. The computer-readable storage device of claim 18, wherein the first program code of the first detection agent further includes instructions to authenticate other agents, to exchange secure messages with the other agents, and to send the network activity data as one or more encrypted messages to the processing system and to one or more other agents;
    - and wherein the second program code deactivates the first detection agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Purpura, William J.
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US14/574,076
Publication Number

US 20160182533A1
Time in Patent Office

811 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Computer defenses and counterattacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Computer defenses and counterattacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links