Systems and methods for evaluating networks

US 9,654,503 B1
Filed: 03/11/2015
Issued: 05/16/2017
Est. Priority Date: 03/11/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for evaluating networks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying an initial set of recorded packet performance data that describes an instance of an attempt to establish a network connection path both from an original node to a subsequent node in a network and from the subsequent node to the original node;

detecting, by a software security system, a network anomaly based on comparison data resulting from a comparison between the initial set of recorded packet performance data and an additional set of recorded packet performance data that describes another instance of the attempt to establish the network connection path both from the original node to the subsequent node and from the subsequent node to the original node such that a network analysis corresponding to the comparison is bidirectional, the comparison data comprising a safety score indicative of a known level of safety and the detecting comprising;

calculating a statistical measure of differences between the initial set of recorded packet performance data and the additional set of recorded packet performance data; and

comparing the statistical measure of differences to a security threshold to determine that the statistical measure of differences exceeds the security threshold; and

performing, by the software security system, and in response to detecting the network anomaly based on the comparison between the sets of packet performance data, a security action to protect the computing device from a potential security threat indicated by the network anomaly, the security action comprising transmitting the comparison data to the computing device from a backend server provided by a security vendor that collects packet performance data from a multitude of client devices and stores the packet performance data within a security database to identify reputations of network devices.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for evaluating networks may include (1) identifying an initial set of recorded packet performance data that describes an instance of an attempt to establish a network connection path between an original node and a subsequent node in a network, (2) detecting, by a software security system, a network anomaly based on comparison data resulting from a comparison between the initial set of recorded packet performance data and an additional set of recorded packet performance data that describes another instance of an attempt to establish a network connection path between the original node and the subsequent node, and (3) performing, by the software security system, and in response to detecting the network anomaly based on the comparison between the sets of packet performance data, a security action to protect the computing device. Various other methods, systems, and computer-readable media are also disclosed.

70 Citations

View as Search Results

20 Claims

1. A computer-implemented method for evaluating networks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying an initial set of recorded packet performance data that describes an instance of an attempt to establish a network connection path both from an original node to a subsequent node in a network and from the subsequent node to the original node;
  
  detecting, by a software security system, a network anomaly based on comparison data resulting from a comparison between the initial set of recorded packet performance data and an additional set of recorded packet performance data that describes another instance of the attempt to establish the network connection path both from the original node to the subsequent node and from the subsequent node to the original node such that a network analysis corresponding to the comparison is bidirectional, the comparison data comprising a safety score indicative of a known level of safety and the detecting comprising;
  
  calculating a statistical measure of differences between the initial set of recorded packet performance data and the additional set of recorded packet performance data; and
  
  comparing the statistical measure of differences to a security threshold to determine that the statistical measure of differences exceeds the security threshold; and
  
  performing, by the software security system, and in response to detecting the network anomaly based on the comparison between the sets of packet performance data, a security action to protect the computing device from a potential security threat indicated by the network anomaly, the security action comprising transmitting the comparison data to the computing device from a backend server provided by a security vendor that collects packet performance data from a multitude of client devices and stores the packet performance data within a security database to identify reputations of network devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, further comprising providing the initial set of recorded packet performance data that describes the instance of the attempt to establish the network connection path to the security database of the backend server provided by the security vendor that collects packet performance data from the multitude of client devices and stores the packet performance data within the security database to identify reputations of network devices.
  - 3. The method of claim 2, further comprising providing an identifier for the initial set of recorded packet performance data to the backend server to enable the security database to store the initial set of recorded packet performance data indexed by the identifier.
  - 4. The method of claim 3, wherein the identifier for the initial set of recorded packet performance data is provided to the backend server separate from the packet performance data.
  - 5. The method of claim 1, wherein the backend server generates the comparison data by comparing the initial set of recorded packet performance data and the additional set of recorded packet performance data.
  - 6. The method of claim 1, wherein the instance of the attempt to establish the network connection path corresponds to an attempt to connect to the backend server provided by the security vendor that collects packet performance data from the multitude of client devices and stores the packet performance data within the security database to identify reputations of network devices.
  - 7. The method of claim 1, wherein the instance of the attempt to establish the network connection path corresponds to an attempt to connect to the computing device by the backend server provided by the security vendor that collects packet performance data from the multitude of client devices and stores the packet performance data within the security database to identify reputations of network devices.
  - 8. The method of claim 1, wherein the subsequent node comprises either:
    - a destination web server requested by an application at the computing device;
      
      oran intermediary node on the network connection path between the original node and the destination web server.
  - 9. The method of claim 1, wherein the network anomaly comprises a change in at least one of:
    - a connection speed in attempting to establish the network connection path;
      
      a direction of the network connection path; and
      
      header metadata within layers 3-5 of a network packet according to the open systems interconnection model.
  - 10. The method of claim 1, wherein detecting the network anomaly based on the comparison data comprises receiving historical data from the security database.
  - 11. The method of claim 10, wherein the historical data comprisesthe additional set of recorded packet performance data that describes the other instance of the attempt to establish the network connection path.
  - 12. The method of claim 1, wherein the initial set of recorded packet performance data comprises output from a network analysis command, the output comprising a sequence of network address identities.
  - 13. The method of claim 12, wherein the network analysis command comprises a trace route command.
  - 14. The method of claim 12, wherein the comparison between the initial set of recorded packet performance data and the additional set of recorded packet performance data comprises a comparison between initial output from an initial execution of the network analysis command and subsequent output from a subsequent execution of the same or different network analysis command.
  - 15. The method of claim 12, wherein the output further comprises a packet travel time for each network address identity in the sequence of network address identities.
  - 16. The method of claim 1, wherein the security threshold is based, at least in part, on a baseline statistical measure of differences between instances of attempting to establish the network connection path.
  - 17. The method of claim 1, wherein the network anomaly comprises a change in at least one of:
    - a security layer certificate;
      
      an identity of a network node in the network connection path; and
      
      a number of hops in the network connection path.
  - 18. The method of claim 1, wherein the same computing device records both:
    - the initial set of recorded packet performance data that describes the instance of the attempt, by the computing device, to establish the network connection path; and
      
      the additional set of recorded packet performance data that describes the other instance of the attempt, by the computing device, to establish the network connection path.

19. A system for evaluating networks, the system comprising:
- an identification module, stored in memory, that identifies an initial set of recorded packet performance data that describes an instance of an attempt to establish a network connection path both from an original node to a subsequent node in a network and from the subsequent node to the original node;
  
  a detection module, stored in memory, that detects a network anomaly based on comparison data resulting from a comparison between the initial set of recorded packet performance data and an additional set of recorded packet performance data that describes another instance of the attempt to establish the network connection path both from the original node to the subsequent node and from the subsequent node to the original node such that a network analysis corresponding to the comparison is bidirectional, the comparison data comprising a safety score indicative of a known level of safety and the detecting comprising;
  
  calculating a statistical measure of differences between the initial set of recorded packet performance data and the additional set of recorded packet performance data; and
  
  comparing the statistical measure of differences to a security threshold to determine that the statistical measure of differences exceeds the security threshold;
  
  a performance module, stored in memory, that performs, in response to detecting the network anomaly based on the comparison between the sets of packet performance data, a security action to protect a computing device from a potential security threat indicated by the network anomaly, the security action comprising transmitting the comparison data to the computing device from a backend server provided by a security vendor that collects packet performance data from a multitude of client devices and stores the packet performance data within a security database to identify reputations of network devices; and
  
  at least one physical processor configured to execute the identification module, the detection module, and the performance module.

20. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify an initial set of recorded packet performance data that describes an instance of an attempt to establish a network connection path both from an original node to a subsequent node in a network and from the subsequent node to the original node;
  
  detect, by a software security system, a network anomaly based on comparison data resulting from a comparison between the initial set of recorded packet performance data and an additional set of recorded packet performance data that describes another instance of the attempt to establish the network connection path both from the original node to the subsequent node and from the subsequent node to the original node such that a network analysis corresponding to the comparison is bidirectional, the comparison data comprising a safety score indicative of a known level of safety and the detecting comprising;
  
  calculating a statistical measure of differences between the initial set of recorded packet performance data and the additional set of recorded packet performance data; and
  
  comparing the statistical measure of differences to a security threshold to determine that the statistical measure of differences exceeds the security threshold; and
  
  perform, by the software security system, and in response to detecting the network anomaly based on the comparison between the sets of packet performance data, a security action to protect the computing device from a potential security threat indicated by the network anomaly, the security action comprising transmitting the comparison data to the computing device from a backend server provided by a security vendor that collects packet performance data from a multitude of client devices and stores the packet performance data within a security database to identify reputations of network devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Kowalyshyn, Daniel
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Do, Khang

Application Number

US14/644,691
Time in Patent Office

797 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

Systems and methods for evaluating networks

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for evaluating networks

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links