METHOD AND APPARATUS FOR DETECTION OF INFORMATION TRANSMISSION ABNORMALITIES

US 20090138592A1
Filed: 11/13/2008
Published: 05/28/2009
Est. Priority Date: 11/15/2007
Status: Active Grant

First Claim

Patent Images

1. A method of adapting to changed conditions and analyzing network communication with respect to a profile of acceptable behavior including probability values of network communication parameters developed from a collection of historical network communication, the method comprising:

receiving a current network communication, the current network communication including a first network communication parameter and a second network communication parameter, the first network communication parameter independent of the second network communication parameter;

assigning a first probability value indicative of the first network communication parameter, the probability value based on a comparison of the first network communication parameter against the profile of acceptable behavior;

assigning a second probability value indicative of the second network communication parameter, the probability value based on a comparison of the second network communication parameter against the profile of acceptable behavior, the second probability value statistically independent of the first probability value;

determining the probability value of the current network communication by aggregating the first and second probability values of the first and second network communication parameters;

validating the current network communication against the profile of acceptable behavior based upon the probability value of the current network communication and a threshold criteria;

triggering a responsive action based on the result of the validation.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method for securing a network application is described. The method for securing a network application includes receiving network information within a network application and assigning a probability value to an independent aspect of the network information. The probability value is based on a verification of the independent aspect of the information against a profile of acceptable behavior. The method for securing a network application also includes aggregating the probability values of the independent aspects of the network information to determine the probability of the entire network traffic. In addition, the method for securing a network application includes determining whether the probability value of the entire network information is above or below a threshold probability value. The entire network information is screened out based on the probability value of the entire message with respect to the threshold probability value.

97 Citations

View as Search Results

35 Claims

1. A method of adapting to changed conditions and analyzing network communication with respect to a profile of acceptable behavior including probability values of network communication parameters developed from a collection of historical network communication, the method comprising:
- receiving a current network communication, the current network communication including a first network communication parameter and a second network communication parameter, the first network communication parameter independent of the second network communication parameter;
  
  assigning a first probability value indicative of the first network communication parameter, the probability value based on a comparison of the first network communication parameter against the profile of acceptable behavior;
  
  assigning a second probability value indicative of the second network communication parameter, the probability value based on a comparison of the second network communication parameter against the profile of acceptable behavior, the second probability value statistically independent of the first probability value;
  
  determining the probability value of the current network communication by aggregating the first and second probability values of the first and second network communication parameters;
  
  validating the current network communication against the profile of acceptable behavior based upon the probability value of the current network communication and a threshold criteria;
  
  triggering a responsive action based on the result of the validation.
- View Dependent Claims (4, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 4. The method of claim 1, further comprising storing the first network communication parameter in a buffer until enough data has been accumulated for the first network communication parameter to be statistically valid.
  - 6. The method of claim 1, further comprising merging the current network communication to the profile of acceptable behavior when the current network communication meets the threshold criteria.
  - 7. The method of claim 1, wherein the triggering comprises transmitting an alert when the current network communication fails to meet the threshold criteria.
  - 8. The method of claim 1, further comprising forwarding the current network communication to an administrator for further analysis when the current network communication fails to meet the threshold criteria.
  - 9. The method of claim 1, wherein the threshold criteria is based on a threshold probability value.
  - 10. The method of claim 1, wherein the threshold probability value comprises a range of probability values.
  - 11. The method of claim 1, wherein the probability value of the current network communication is 1 if it meets the threshold criteria and the probability value is unchanged if it fails to meet the threshold criteria.
  - 12. The method of claim 1, wherein the current network communication is rejected when the current network communication is below the threshold probability value.
  - 13. The method of claim 1, wherein the first network communication parameter and the second network communication parameter are mutually exclusive.
  - 14. The method of claim 1, wherein the probability value of the current network information is a multiplication of the probability values of the first and second network communication parameters.

2. The method of claim 2, further comprising storing the current network communication in a buffer until enough data has been accumulated for the current network communication to be statistically valid.
- View Dependent Claims (3, 5)
- - 3. The method of claim 2, wherein the current network communication is determined to be statistically valid based on one of time since the collection of the current network communication started, the number of a current inbound communication and a current outbound communication of the current network information and diversity of the current network information.
  - 5. The method of claim 2, further comprising storing the second network communication parameter in a buffer until enough data has been accumulated for the second network communication parameter to be statistically valid.

15. A method of adapting to changed conditions and analyzing network traffic in a network application system comprising:
- developing a profile of acceptable behavior for network information for transmission over a network, the profile of acceptable behavior including probability values of network communication parameters developed from a collection of historical network communication;
  
  receiving a current network communication, the current network communication including multiple current network communication parameters, each of the current network communication parameters independent of each other;
  
  assigning a probability value indicative of each of the current network communication parameter, the probability value based on a comparison of each of the current network communication parameter against the profile of acceptable behavior;
  
  determining the probability value of the current network communication by aggregating the probability value of each of the current network communication parameter;
  
  validating the current network communication against the profile of acceptable behavior based upon whether or not the probability value of the current network communication meets a threshold criteria;
  
  triggering a responsive action based on the result of the validation.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The method of claim 15, further comprising storing the multiple current network communication parameters of the current network communication in a buffer until enough information has been accumulated for each of the network communication parameters to be statistically valid.
  - 17. The method of claim 16, wherein the current network communication parameter is determined to be statistically valid based on one of time since the collection of the current network communication parameter started, number of network communication including current network communication parameter and the diversity of the current network communication.
  - 18. The method of claim 15, further comprising merging the current network communication to the profile of acceptable behavior when the current network communication meets the threshold criteria.
  - 19. The method of claim 15, further comprising triggering an alert when the current network communication fails to meet the threshold criteria.
  - 20. The method of claim 15, further comprising forwarding the current network communication to an administrator for further analysis when the current network information fails to meet the threshold criteria.
  - 21. The method of claim 15, wherein the threshold probability criteria is based on a threshold probability value.
  - 22. The method of claim 21, further comprising generating different threshold probability values depending on the severity of the variation from the profile of acceptable behavior.
  - 23. The method of claim 21, wherein the probability value of the current network information is 1 if it is above the threshold probability value and the probability value is unchanged if it is below the threshold probability value.
  - 24. The method of claim 21, wherein the threshold probability value comprises a range of probability values.
  - 25. The method of claim 21, wherein the current network information is rejected when the current network information is below the threshold probability value.
  - 26. The method of claim 15, wherein the multiple current network communication parameters of the current network information are mutually exclusive.
  - 27. The method of claim 15, wherein the probability value of the current network information is a multiplication of the probability value of each current network communication parameter of the current network information.
  - 28. The method of claim 15, wherein the probability value of the network information is the weighted average of probabilities of the multiple current network communication parameters.

29. A system for adapting to changed conditions and analyzing network traffic in a network application system comprising:
- a dynamic profiling module configured to develop a profile of acceptable behavior for network information for transmission over a network, the profile of acceptable behavior including probability values of network communication parameters developed from a collection of historical network communication;
  
  a control module configured to receive a current network communication, the current network communication including multiple current network communication parameters, each of the current network communication parameters independent of each other; and
  
  the control module configured to assign a probability value indicative of each of the current network communication parameter, the probability value based on a comparison of each of the current network communication parameter against the profile of acceptable behavior,to determine probability value of the current network communication by aggregating the probability value of each of the current network communication parameter,to validate the current network communication against the profile of acceptable behavior based upon the probability value of the current network communication and a threshold criteria,to trigger a responsive action based on the result of the validation.
- View Dependent Claims (30, 31, 32, 33, 34, 35)
- - 30. The system of claim 29, further comprising a buffer configured to store the multiple current network communication parameters of the current network communication in a buffer until enough information has been accumulated for each of the network communication parameters to be statistically valid.
  - 31. The system of claim 30, wherein the current network communication parameter is determined to be statistically valid based on one of time since the collection of the current network communication parameter started, number of network communication including current network communication parameter and the diversity of the current network communication.
  - 32. The system of claim 29, further comprising an adaptation module configured to merge the current network communication to the profile of acceptable behavior when the current network communication meets the threshold criteria.
  - 33. The system of claim 29, wherein the control module is further configured to trigger an alert when the current network communication fails to meet the threshold criteria.
  - 34. The system of claim 29, wherein the control module is further configured to forward the current network information to an administrator for further analysis when the current network communication fails to meet the threshold criteria.
  - 35. The system of claim 29, further comprising a correlation and analysis module configured to analyze the current network communication to determine the security risk of the current network communication when the current network communication fails to meet the threshold criteria.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Kolton, Doron, Mizrahi, Rami, Overcash, Kevin

Granted Patent

US 8,180,886 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 43/16   Threshold monitoring

H04L 63/1425   Traffic logging, e.g. anoma...

METHOD AND APPARATUS FOR DETECTION OF INFORMATION TRANSMISSION ABNORMALITIES

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

97 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR DETECTION OF INFORMATION TRANSMISSION ABNORMALITIES

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links