NETWORK DEFENSE SYSTEM AND FRAMEWORK FOR DETECTING AND GEOLOCATING BOTNET CYBER ATTACKS
First Claim
1. A system comprising:
a data collection and storage subsystem configured to provide a central repository to store network traffic data received from a plurality of sensors positioned within geographically separate networks;
a computing cluster coupled to the data collection storage subsystem;
a set of software modules configured to execute a plurality of cyber defense algorithms on the computing cluster that analyze the network traffic data and detect centrally-controlled malware that is configured to perform distributed network attacks (“botnet attacks”) from devices within the geographically separate networks; and
a visualization and decision-making subsystem, operatively coupled to the data collection and storage subsystem, that generates a user interface that presents an electronic map of geographic locations of source devices and target devices of the botnet attacks within the networks;
wherein the data collection and storage subsystem is further configured to store a manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms.
Abstract
A network defense system is described that provides network sensor infrastructure and a framework for managing and executing advanced cyber security algorithms specialized for detecting highly-distributed, stealth network attacks. In one example, a system includes a data collection and storage subsystem that provides a central repository to store network traffic data received from sensors positioned within geographically separate networks. Cyber defense algorithms analyze the network traffic data and detect centrally-controlled malware that is configured to perform distributed network attacks (“botnet attacks”) from devices within the geographically separate networks. A visualization and decision-making subsystem generates a user interface that presents an electronic map of geographic locations of source devices and target devices of the botnet attacks. The data collection and storage subsystem stores a manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms.
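The abstract describes a pipeline: sensors in separate networks feed a central repository, a manifest tells each detection algorithm which traffic parameters it receives, the algorithms flag centrally-controlled hosts, and a map shows where attack sources and targets sit. The following is an added illustration of that control flow, not code or an algorithm from the patent: the manifest schema, the two toy heuristics (a shared rendezvous destination across several sensor networks, then a coordinated burst at one target), the flow records and the geolocation table are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    sensor: str   # sensor network that observed the flow
    ts: int       # observation time (epoch seconds)
    src: str
    dst: str
    dport: int


# Constructed sample traffic (not from the patent): hosts in three sensor
# networks first contact one controller on 443, then flood one web server.
FLOWS = [
    Flow("net-east", 1000, "10.1.0.5", "203.0.113.7", 443),
    Flow("net-east", 1010, "10.1.0.9", "203.0.113.7", 443),
    Flow("net-west", 1020, "10.2.0.4", "203.0.113.7", 443),
    Flow("net-south", 1030, "10.3.0.8", "203.0.113.7", 443),
    Flow("net-east", 1040, "10.1.0.5", "192.0.2.25", 25),       # benign mail
    Flow("net-east", 1500, "10.1.0.5", "198.51.100.20", 80),
    Flow("net-east", 1501, "10.1.0.9", "198.51.100.20", 80),
    Flow("net-west", 1502, "10.2.0.4", "198.51.100.20", 80),
    Flow("net-south", 1503, "10.3.0.8", "198.51.100.20", 80),
    Flow("net-west", 1700, "10.2.0.77", "198.51.100.20", 80),   # lone visitor
]

# Constructed geolocation table (IP -> (lat, lon)); a deployed system would
# consult a GeoIP database or per-sensor site coordinates instead.
GEO = {
    "10.1.0.5": (40.71, -74.01), "10.1.0.9": (40.73, -73.99),
    "10.2.0.4": (37.77, -122.42), "10.2.0.77": (37.80, -122.40),
    "10.3.0.8": (29.76, -95.37), "198.51.100.20": (51.51, -0.13),
    "203.0.113.7": (52.52, 13.40), "192.0.2.25": (48.86, 2.35),
}

# Hypothetical manifest: which record fields each algorithm reads from the
# repository, plus its thresholds.  Assumed schema, not the patent's.
MANIFEST = {
    "c2_rendezvous": {"fields": ("sensor", "src", "dst", "dport"),
                      "min_bots": 3, "min_networks": 2},
    "coordinated_flood": {"fields": ("sensor", "ts", "src", "dst", "dport"),
                          "window_s": 60, "min_sources": 3, "min_networks": 2},
}


def project(flows, fields):
    """Hand an algorithm only the fields its manifest entry requests."""
    return [{f: getattr(fl, f) for f in fields} for fl in flows]


def c2_rendezvous(rows, min_bots, min_networks):
    """Destinations contacted by enough hosts from enough different networks."""
    by_dst = defaultdict(lambda: (set(), set()))
    for r in rows:
        bots, nets = by_dst[(r["dst"], r["dport"])]
        bots.add(r["src"])
        nets.add(r["sensor"])
    return {k: bots for k, (bots, nets) in by_dst.items()
            if len(bots) >= min_bots and len(nets) >= min_networks}


def coordinated_flood(rows, window_s, min_sources, min_networks):
    """Targets hit by many sources from several networks inside one time bucket."""
    by_key = defaultdict(lambda: (set(), set()))
    for r in rows:
        srcs, nets = by_key[(r["dst"], r["dport"], r["ts"] // window_s)]
        srcs.add(r["src"])
        nets.add(r["sensor"])
    out = {}
    for (dst, port, _), (srcs, nets) in by_key.items():
        if len(srcs) >= min_sources and len(nets) >= min_networks:
            out.setdefault((dst, port), set()).update(srcs)
    return out


ALGORITHMS = {"c2_rendezvous": c2_rendezvous, "coordinated_flood": coordinated_flood}


def run_manifest(flows, manifest=MANIFEST):
    """Dispatch each algorithm with the data subset its manifest entry names."""
    results = {}
    for name, params in manifest.items():
        params = dict(params)
        rows = project(flows, params.pop("fields"))
        results[name] = ALGORITHMS[name](rows, **params)
    return results


def botnet_attacks(flows, geo=GEO, manifest=MANIFEST):
    """Correlate the two detectors and attach map coordinates for display."""
    res = run_manifest(flows, manifest)
    floods = res["coordinated_flood"]
    # Caveat: a flood target also looks like a rendezvous point (many sources,
    # many networks), so only destinations that are not targets count as C2.
    controllers = {k: b for k, b in res["c2_rendezvous"].items() if k not in floods}
    under_control = set().union(*controllers.values())
    attacks = []
    for (dst, port), srcs in floods.items():
        bots = sorted(srcs & under_control)   # sources that also met a controller
        if bots:
            attacks.append({
                "target": (dst, port, geo.get(dst)),
                "controllers": sorted(c for c, b in controllers.items() if b & srcs),
                "sources": [(b, geo.get(b)) for b in bots],
            })
    return attacks
```

`run_manifest` is the part that mirrors the manifest idea: each algorithm only ever sees the projection of the repository that its entry lists, so adding a detector means adding a manifest entry rather than changing the storage layer. The lone visitor `10.2.0.77` is dropped because it never contacted the controller, which is the correlation step that turns "many sources hit one target" into "centrally-controlled sources hit one target".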
20 Claims
1. A system comprising:
a data collection and storage subsystem configured to provide a central repository to store network traffic data received from a plurality of sensors positioned within geographically separate networks;
a computing cluster coupled to the data collection storage subsystem;
a set of software modules configured to execute a plurality of cyber defense algorithms on the computing cluster that analyze the network traffic data and detect centrally-controlled malware that is configured to perform distributed network attacks (“botnet attacks”) from devices within the geographically separate networks; and
a visualization and decision-making subsystem, operatively coupled to the data collection and storage subsystem, that generates a user interface that presents an electronic map of geographic locations of source devices and target devices of the botnet attacks within the networks;
wherein the data collection and storage subsystem is further configured to store a manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A method comprising:
receiving network traffic data with a centralized data collection and storage subsystem from a plurality of sensors positioned within geographically separate networks;
providing subsets of the network traffic data from the data collection and storage subsystem to a set of cyber defense algorithms executing on a computing cluster coupled to the data collection storage subsystem, as indicated by a manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms;
executing the set of cyber defense algorithms to analyze the network traffic data and detect centrally-controlled malware performing a distributed network attack (“botnet attack”) from devices within the geographically separate networks; and
generating a user interface with a visualization and decision-making subsystem to present an electronic map of geographic locations of source devices and target devices of the botnet attacks within the networks.
Dependent claims: 13, 14, 15, 16, 17, 18

19. A computer-readable medium comprising instructions for causing a programmable processor to:
receive network traffic data from a plurality of sensors positioned within geographically separate networks;
store the network traffic data to a centralized data collection and storage subsystem;
execute a set of cyber defense algorithms on a cluster of computing devices coupled to the data collection storage subsystem, wherein the cyber defense algorithms analyze the network traffic data and detect centrally-controlled malware that is currently performing a distributed network attack (“botnet attack”) from devices within the geographically separate networks; and
generate a user interface with a visualization and decision-making subsystem to present an electronic map of geographic locations of source devices and target devices of the botnet attacks within the networks.

20. A computing device configured to implement a data collection and storage subsystem, the computing device comprising one or more processors configured to:
execute a central repository to store network traffic data received from a plurality of sensors positioned within geographically separate networks;
execute a set of software modules configured to execute a plurality of cyber defense algorithms on a computing cluster coupled to the computing device, wherein the cyber defense algorithms analyze the network traffic data and detect centrally-controlled malware that is configured to perform distributed network attacks (“botnet attacks”) from devices within the geographically separate networks; and
execute a visualization and decision-making subsystem, operatively coupled to the data collection and storage subsystem, that generates a user interface that presents an electronic map of geographic locations of source devices and target devices of the botnet attacks within the networks;
wherein the data collection and storage subsystem is further configured to store a manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms.
Specification