NETWORK DEFENSE SYSTEM AND FRAMEWORK FOR DETECTING AND GEOLOCATING BOTNET CYBER ATTACKS

US 20130174256A1
Filed: 12/28/2012
Published: 07/04/2013
Est. Priority Date: 12/29/2011
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a data collection and storage subsystem configured to provide a central repository to store network traffic data received from a plurality of sensors positioned within geographically separate networks;

a computing cluster coupled to the data collection storage subsystem;

a set of software modules configured to execute a plurality of cyber defense algorithms on the computing cluster that analyze the network traffic data and detect centrally-controlled malware that is configured to perform distributed network attacks (“

botnet attacks”

) from devices within the geographically separate networks; and

a visualization and decision-making subsystem, operatively coupled to the data collection and storage subsystem, that generates a user interface that presents an electronic map of geographic locations of source devices and target devices of the botnet attacks within the networks;

wherein the data collection and storage subsystem is further configured to store a manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network defense system is described that provides network sensor infrastructure and a framework for managing and executing advanced cyber security algorithms specialized for detecting highly-distributed, stealth network attacks. In one example, a system includes a data collection and storage subsystem that provides a central repository to store network traffic data received from sensors positioned within geographically separate networks. Cyber defense algorithms analyze the network traffic data and detect centrally-controlled malware that is configured to perform distributed network attacks (“botnet attacks”) from devices within the geographically separate networks. A visualization and decision-making subsystem generates a user interface that presents an electronic map of geographic locations of source devices and target devices of the botnet attacks. The data collection and storage subsystem stores a manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms.

138 Citations

20 Claims

1. A system comprising:
- a data collection and storage subsystem configured to provide a central repository to store network traffic data received from a plurality of sensors positioned within geographically separate networks;
  
  a computing cluster coupled to the data collection storage subsystem;
  
  a set of software modules configured to execute a plurality of cyber defense algorithms on the computing cluster that analyze the network traffic data and detect centrally-controlled malware that is configured to perform distributed network attacks (“
  
  botnet attacks”
  
  ) from devices within the geographically separate networks; and
  
  a visualization and decision-making subsystem, operatively coupled to the data collection and storage subsystem, that generates a user interface that presents an electronic map of geographic locations of source devices and target devices of the botnet attacks within the networks;
  
  wherein the data collection and storage subsystem is further configured to store a manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the data collection and storage subsystem provides a set of recording and filtering rules to the sensors for filtering the network traffic data prior to communication to the data collection and storage subsystem.
  - 3. The system of claim 2, wherein the set of recording and filtering rules specify an aggregate set of network traffic features as indicated by the manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms.
  - 4. The system of claim 1, wherein the data collection and storage subsystem is configured to provide to one of the algorithms a subset of the stored network traffic data indicated by the manifest of parameters for the network traffic data to be analyzed by the one of the cyber defense algorithms.
  - 5. The system of claim 1, further comprising:
    - automation software to repeatedly execute the cyber defense algorithms on the computing system,wherein the data collection and storage subsystem periodically receives updates of the network data traffic from the sensors, andwherein the data collection and storage subsystem provides a sliding window of the network traffic data to the cyber defense algorithms executing on the computing system as indicated by the manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms.
  - 6. The system of claim 1, wherein the visualization and decision-making subsystem presents high-level summaries of malicious behavior detected by the one or more cyber defense algorithms.
  - 7. The system of claim 1, wherein the data collection and storage subsystem provides an interface for communicating security policies to the sensors deployed within the networks.
  - 8. The system of claim 1, wherein the computing cluster comprises one or more high-performance computing frameworks.
  - 9. The system of claim 1, wherein the plurality of sensors are configured to monitor network traffic and generate network traffic data.
  - 10. The system of claim 1, wherein the data collection and storage subsystem comprises a database for storing the network traffic data, and the data collection and storage subsystem is configured to provide subsets of the network traffic data from the database to the cyber defense algorithms as indicated by the manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms.
  - 11. The system of claim 10, wherein the data collection and storage subsystem is further configured to perform one or more transformations on the subsets of the network traffic data from the database to provide data the network traffic data to the cyber defense algorithms in a form required by the cyber defense algorithms as indicated by the manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms.

12. A method comprising:
- receiving network traffic data with a centralized data collection and storage subsystem from a plurality of sensors positioned within geographically separately networks;
  
  providing subsets of the network traffic data from the data collection and storage subsystem to a set of cyber defense algorithms executing on a computing cluster coupled to the data collection storage subsystem, as indicated by a manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms;
  
  executing the set of cyber defense algorithms to analyze the network traffic data and detect centrally-controlled malware performing a distributed network attack (“
  
  botnet attack”
  
  ) from devices within the geographically separate networks; and
  
  generating a user interface with a visualization and decision-making subsystem to present an electronic map of geographic locations of source devices and target devices of the botnet attacks within the networks.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method of claim 12, further comprising:
    - providing a set of recording and filtering rules to the sensors for filtering the network traffic data prior to communication to the data collection and storage subsystem wherein the set of recording and filtering rules specify an aggregate set of network traffic features as indicated by the manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms.
  - 14. The method of claim 12, further comprising:
    - periodically receiving updated network traffic data from the sensors with the data collection and storage subsystem; and
      
      repeatedly executing the cyber defense algorithms on the cluster of computing devices with automation software, where repeatedly executing the cyber defense algorithms includes providing a sliding window of the network traffic data to the cyber defense algorithms executing on the cluster of computing devices, as indicated by a manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms.
  - 15. The method of claim 12, further comprising:
    - presenting, with the visualization and decision-making subsystem, high-level summaries of malicious behavior detected by the one or more cyber defense algorithms.
  - 16. The method of claim 12, further comprising:
    - monitoring network traffic and generating network traffic data with the plurality of sensors.
  - 17. The method of claim 12, further comprising:
    - storing the network traffic data in a database; and
      
      providing subsets of the network traffic data from the database to the cyber defense algorithms as indicated by the manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms.
  - 18. The method of claim 17, further comprising:
    - performing one or more transformations on the subsets of the network traffic data from the database to provide data the network traffic data to the cyber defense algorithms in a form required by the cyber defense algorithms as indicated by the manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms.

19. A computer-readable medium comprising instructions for causing a programmable processor to:
- receive network traffic data from a plurality of sensors positioned within geographically separately networks;
  
  store the network traffic data to a centralized data collection and storage subsystem;
  
  execute a set of cyber defense algorithms on a cluster of computing devices coupled to the data collection storage subsystem, wherein the cyber defense algorithms analyze the network traffic data and detect centrally-controlled, malware that is currently performing a distributed network attack (“
  
  botnet attack”
  
  ) from devices within the geographically separate networks; and
  
  generate a user interface with a visualization and decision-making subsystem to present an electronic map of geographic locations of source devices and target devices of the botnet attacks within the networks.

20. A computing device configured to implement a data collection and storage subsystem, the computing device comprising one or more processors configured to:
- execute a central repository to store network traffic data received from a plurality of sensors positioned within geographically separate networks;
  
  execute a set of software modules configured to execute a plurality of cyber defense algorithms on a computing cluster coupled to the computing device, wherein the cyber defense algorithms analyze the network traffic data and detect centrally-controlled malware that is configured to perform distributed network attacks (“
  
  botnet attacks”
  
  ) from devices within the geographically separate networks; and
  
  execute a visualization and decision-making subsystem, operatively coupled to the data collection and storage subsystem, that generates a user interface that presents an electronic map of geographic locations of source devices and target devices of the botnet attacks within the networks;
  
  wherein the data collection and storage subsystem is further configured to store a manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Architecture Technology Corporation
Original Assignee
Architecture Technology Corporation
Inventors
Powers, Judson

Granted Patent

US 9,083,741 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

NETWORK DEFENSE SYSTEM AND FRAMEWORK FOR DETECTING AND GEOLOCATING BOTNET CYBER ATTACKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

138 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK DEFENSE SYSTEM AND FRAMEWORK FOR DETECTING AND GEOLOCATING BOTNET CYBER ATTACKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

138 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links