Emergent network defense

US 9,860,276 B2
Filed: 09/18/2013
Issued: 01/02/2018
Est. Priority Date: 09/18/2012
Status: Active Grant

First Claim

Patent Images

1. A node for use in a network having a plurality of nodes, said node comprising:

a processing device configured to sense neighboring node(s) and determine if the sensed neighboring node(s) is within a predetermined closeness of said node, said processing device further configured to determine a level of nervousness of said node based on the determination and to send and/or receive communication as to the level of nervousness to the neighboring node(s),wherein the predetermined closeness of said node is measured by a logical closeness and the logical closeness comprises network hops, network link, or vertices analysis, andwherein the level of nervousness is based on one or more of the following information security hygiene configurations;

time since the node received and applied an update patch for an application;

time since the node ensured policy has current confirmations from a configuration management server;

time since an administrator checked the node'"'"'s current local policy configuration;

performing an activity that triggers an alert for suspicious events;

performing a signature or heuristic activity that triggers local malware or suspicious behavior alerts; and

time since updated with malware or threat signatures.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided of a node for use in a network having a plurality of nodes. The node is configured to identify neighboring node(s) within a predetermined closeness of said node, measured by any of physical, logical, network hops, network link, or vertices analysis closeness. The node determines a level of nervousness of itself and sends and/or receives communication as to the level of nervousness to the neighboring node(s).

13 Citations

View as Search Results

30 Claims

1. A node for use in a network having a plurality of nodes, said node comprising:
- a processing device configured to sense neighboring node(s) and determine if the sensed neighboring node(s) is within a predetermined closeness of said node, said processing device further configured to determine a level of nervousness of said node based on the determination and to send and/or receive communication as to the level of nervousness to the neighboring node(s),wherein the predetermined closeness of said node is measured by a logical closeness and the logical closeness comprises network hops, network link, or vertices analysis, andwherein the level of nervousness is based on one or more of the following information security hygiene configurations;
  
  time since the node received and applied an update patch for an application;
  
  time since the node ensured policy has current confirmations from a configuration management server;
  
  time since an administrator checked the node'"'"'s current local policy configuration;
  
  performing an activity that triggers an alert for suspicious events;
  
  performing a signature or heuristic activity that triggers local malware or suspicious behavior alerts; and
  
  time since updated with malware or threat signatures.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The node of claim 1, wherein said node further comprises one or more data elements and said processing device controls said one or more data elements.
  - 3. The node of claim 2, wherein said one or more data elements comprise a storage sector.
  - 4. The node of claim 1, wherein the level of nervousness decreases with increased node hygiene, whereby node hygiene comprises a current state of a node'"'"'s defensive posture comprised of node attack surface, and wherein node hygiene comprises any one or more of updates with malware signatures or threat signatures, the application of a patch or update, a system configuration update, the manual validation of hygiene by a system administration, or receipt of a calming pheromone that reduces the level of node nervousness.
  - 5. The node of claim 1, wherein the level of nervousness increases with decreased node hygiene comprising any one or more of an increase in time since the node last received and applied an update patch for an application, the node ensured policy has current confirmations from a configuration management server, an administrator manually checked the node'"'"'s current local policy configuration, the node experiences an activity that triggers an alert for suspicious events, or a signature or heuristic activity that triggers local malware or suspicious behavior alerts an activity that triggers an alert for suspicious events.
  - 6. The node of claim 1, wherein said processing device is further configured to receive a signal from each of the neighboring node(s), the received signal indicating a level of nervousness of said neighboring node.
  - 7. The node of claim 6, wherein the level of nervousness is based on the level of nervousness of said neighboring node(s).
  - 8. The node of claim 7, wherein the level of nervousness is based on the frequency received or specific type of pheromone.
  - 9. The node of claim 6, wherein the level of nervousness is based on the immediate environmental characteristics, termed stigmergy.
  - 10. The node of claim 1, wherein said processing device receives a paranoia value and determines the level of nervousness based on the paranoia value.
  - 11. The node of claim 1, wherein said processing device is configured to determine an attack surface.
  - 12. The node of claim 1, wherein the level of nervousness is based on user behavior activity including time since the user last logged into the node, files and network resources access by the user, and use of privileges based on user roles.
  - 13. The node of claim 1, wherein the level of nervousness decreases with increased node hygiene, whereby node hygiene comprises a current state of a node'"'"'s defensive posture comprised of node attack surface, and wherein node hygiene comprises manual validation of hygiene by a system administration, or the receipt of a calming pheromone that reduces the level of node nervousness.
  - 14. The node of claim 1, wherein the level of nervousness is based on received signals from neighboring nodes.
  - 15. The node of claim 1, wherein the logical closeness and node hygiene comprises a risk assessment to determine a level of risk presented by the sensed neighboring node.

16. A network comprising:
- a plurality of nodes, each node having a processing device configured to sense at least one neighboring node and determine if the sensed neighboring node is within a predetermined logical closeness, said processing device further configured to determine a level of nervousness of the node based on the termination and to communicate the level of nervousness of the node to the at least one neighboring node,wherein the logical closeness comprises network hops, network link, or vertices analysis, andwherein the level of nervousness is based on multiple factors dependent on the node, and may include one or more of the following;
  
  time since the node received and applied an update patch for an critical application;
  
  time since the node checked in ensured policy has current confirmations from a configuration management server;
  
  time since an administrator checked the node'"'"'s current local policy configuration;
  
  performing an activity that triggers an alert for suspicious events;
  
  performing a signature or heuristic activity that triggers local IDS or anti-virus malware or suspicious behavior alerts; and
  
  time since updated with malware and or threat signatures.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 17. The node of claim 16, wherein the level of nervousness decreases based on increased node hygiene and/or input from neighboring nodes with decreased nervousness.
  - 18. The node of claim 16, wherein the level of nervousness increases based on decreased node hygiene and/or input from neighboring nodes with increased nervousness.
  - 19. The node of claim 16, wherein the node state alters based on neighbor input, possibly increasing or decreasing attack surface and/or hygiene.
  - 20. The network of claim 16, wherein the network operates in a distributed and decentralized network.
  - 21. The network of claim 16, wherein the level of nervousness is based on an internal nervousness of the node and a network nervousness of the network.
  - 22. The network of claim 21, wherein the internal nervousness of the node includes physical embodiments of the node.
  - 23. The network of claim 22, wherein the internal nervousness of the node comprise a logical attack surface.
  - 24. The network of claim 21, wherein the network nervousness includes input/output processes of the node, points of communication where the node interfaces with the network.
  - 25. The network of claim 24, wherein the points of communication comprise a user attack surface as the user interfaces with the node.
  - 26. The network of claim 16, wherein the network can be utilized for predictive analytics and to model complex simulations for decision support systems.
  - 27. The network of claim 16 wherein the network must be composed of a minimum number of nodes for the network to determine the level of nervousness in a distributed and decentralized manner.

28. A computer-implemented method for use in a network having a plurality of nodes, the method comprising:
- determining at one of the plurality of nodes, if at least one neighboring node is within a predetermined logical closeness of the one of the plurality of nodes;
  
  determining at the one of the plurality of nodes, a level of nervousness for the one of the plurality of nodes determined to be within the predetermined logical closeness; and
  
  communicating at the one of the plurality of nodes, the level of nervousness to the at least one neighboring nodewherein the logical closeness comprises network hops, network link, or vertices analysis, andwherein the level of nervousness is based on one or more of the following information security hygiene configurations;
  
  time since the node received and applied an update patch for an application;
  
  time since the node ensured policy has current confirmations from a configuration management server;
  
  time since an administrator checked the node'"'"'s current local policy configuration;
  
  performing an activity that triggers an alert for suspicious events;
  
  performing a signature or heuristic activity that triggers local malware or suspicious behavior alerts; and
  
  time since updated with malware or threat signatures.

29. A node for use in a network having a plurality of nodes, said node comprising:
- a processing device configured to determine if at least one neighboring node is within a predetermined closeness of said node, measured by a logical closeness, said processing device further configured to receive a level of nervousness from at least one neighboring node determined to be within the predetermined closeness, and to determine a level of nervousness of said node based at least in part on the received level of nervousness from the at least one neighboring node determined to be within the predetermined closeness,wherein the logical closeness comprises network hops, network link, or vertices analysis, andwherein the level of nervousness is based on one or more of the following information security hygiene configurations;
  
  time since the node received and applied an update patch for an application;
  
  time since the node ensured policy has current confirmations from a configuration management server;
  
  time since an administrator checked the node'"'"'s current local policy configuration;
  
  performing an activity that triggers an alert for suspicious events;
  
  performing a signature or heuristic activity that triggers local malware or suspicious behavior alerts; and
  
  time since updated with malware or threat signatures.
- View Dependent Claims (30)
- - 30. The node of claim 29, said processing device further sending the determined level of nervousness to the at least one neighboring node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
George Washington University
Original Assignee
George Washington University
Inventors
Crane, Earl N., Crane, Sara M., Ryan, Julie C.
Primary Examiner(s)
HOFFMAN, BRANDON S

Application Number

US14/428,590
Publication Number

US 20150249685A1
Time in Patent Office

1,567 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

Emergent network defense

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Emergent network defense

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others