BEHAVIORAL BASELINING OF NETWORK SYSTEMS

US 20180248901A1
Filed: 08/02/2017
Published: 08/30/2018
Est. Priority Date: 02/27/2017
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

instantiating, by at least one processor, a baseline, wherein the baseline comprises a set of assets, and a set of relationships including a first relationship;

associating a first event stream with the baseline, wherein the first event stream comprises events including a first event, and each event comprises attributes;

evaluating each event of the first event stream by performing evaluations corresponding to attributes in the set of relationships; and

detecting, by the at least one processor, based on the evaluating of the first event stream, a drift from the baseline, wherein the drift is based on a failure of at least one attribute value in the first event to match at least one attribute value of the first relationship.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for behavioral baselining of network systems. In one embodiment, a method includes: storing, in an asset attribute database, information regarding assets, wherein each asset comprises at least one attribute; storing, in a relationship database, information regarding relationships, wherein each relationship comprises at least one attribute; selecting, from the asset attribute database, assets based on at least one attribute value; selecting, from the relationship database, one or more relationships based on at least one attribute value, the selected relationships including a first relationship; creating a baseline, wherein the baseline comprises the selected assets and the selected relationships; connecting a first event stream to the baseline, wherein the first event stream comprises a set of events, and each event comprises attributes; and detecting a drift from the baseline, wherein the drift is determined using the first event stream and is based on a failure of at least one attribute value in a first event of the first event stream to match at least one attribute value of the first relationship.

43 Citations

View as Search Results

20 Claims

1. A method, comprising:
- instantiating, by at least one processor, a baseline, wherein the baseline comprises a set of assets, and a set of relationships including a first relationship;
  
  associating a first event stream with the baseline, wherein the first event stream comprises events including a first event, and each event comprises attributes;
  
  evaluating each event of the first event stream by performing evaluations corresponding to attributes in the set of relationships; and
  
  detecting, by the at least one processor, based on the evaluating of the first event stream, a drift from the baseline, wherein the drift is based on a failure of at least one attribute value in the first event to match at least one attribute value of the first relationship.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the first relationship comprises a first attribute and a first evaluation corresponding to the first attribute, and detecting the drift further comprises using the first evaluation to evaluate event data for the first attribute from the first event, and determining that the evaluated event data fails the first evaluation.
  - 3. The method of claim 2, wherein an event type for each event in the first event stream is flow, and the event data is a value for a source IP address or a destination IP address.
  - 4. The method of claim 1, wherein the first relationship comprises a derived attribute, the derived attribute has a value determined using collected first data corresponding to a second attribute of the first relationship, and the collected first data is used to calculate the value of the derived attribute.
  - 5. The method of claim 4, wherein the derived attribute is an average number of packets or bytes over a predetermined time period, and the collected first data is a set of values corresponding to the second attribute, each value being a flow count.
  - 6. The method of claim 1, wherein each event in the first event stream comprises a time attribute having a value based on a time that the respective event occurred, and the evaluating of the first event stream is performed over an evaluation period comprising a plurality of time periods.
  - 7. The method of claim 6, wherein the evaluating of the first event stream further comprises a first evaluation corresponding to the time attribute that compares the respective time value for each event to one or more temporal ranges.
  - 8. The method of claim 7, wherein the first evaluation determines whether the respective time value is within a predetermined range of time values.
  - 9. The method of claim 7, wherein the evaluating of the first event stream further comprises a second evaluation corresponding to a source or destination attribute, the second evaluation determining whether a value for a source or destination address is within a first range of addresses.
  - 10. The method of claim 1, wherein the evaluating of the first event stream comprises performing a first evaluation and performing a second evaluation, and the method further comprises:
    - performing the first evaluation to create a range of addresses, the addresses corresponding to values for source or destination addresses collected from the first event stream; and
      
      subsequent to performing the first evaluation, performing the second evaluation to determine whether a source or destination address of an event in the first event stream is within the range of addresses.
  - 11. The method of claim 10, wherein the evaluating of the first event stream further comprises performing a third evaluation and performing a fourth evaluation, and the method further comprises:
    - performing the third evaluation to create a first group of assets; and
      
      performing the fourth evaluation to determine whether a source or destination asset for an event in the first event stream is in the first group of assets.

12. A system, comprising:
- at least one database,at least one processor; and
  
  at least one memory in communication with the at least one processor and storing instructions that, when executed by the at least one processor, cause the system to;
  
  instantiate a baseline, wherein the baseline comprises a set of assets, and a set of relationships including a first relationship;
  
  associate a first event stream with the baseline, wherein the first event stream comprises events including a first event, and each event comprises attributes;
  
  evaluate each event of the first event stream by performing evaluations corresponding to attributes in the set of relationships; and
  
  detect, based on the evaluating of the first event stream, a drift from the baseline, wherein the drift is based on a failure of at least one attribute value in the first event to match at least one attribute value of the first relationship.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The system of claim 12, wherein:
    - the first relationship comprises a first attribute, a second attribute, and a first evaluation;
      
      the first attribute is a flow count;
      
      the second attribute is an average number of packets over a time period; and
      
      the first evaluation comprises deriving the average number of packets using the flow count.
  - 14. The system of claim 12, wherein:
    - the set of assets comprises a first asset having a group attribute with a first group value, and a second asset having a group attribute with a second group value;
      
      the first relationship comprises a source attribute and a destination attribute, the source attribute having the first group value, and the destination attribute having the second group value; and
      
      the first event comprises event data including event values for a source group and a destination group, wherein the failure comprises at least one of;
      
      the event value for the source group does not match the first group value, or the event value for the destination group does not match the second group value.
  - 15. The system of claim 12, wherein an event type of the first relationship is authentication, and the first relationship includes a user attribute corresponding to a set of authorized users.
  - 16. The system of claim 15, wherein detecting the drift is based at least in part on evaluation of an event including a logon by a user that is not in the set of authorized users.
  - 17. The system of claim 12, wherein a second relationship of the set of relationships references an event stream having an event type of port scan, and the second relationship comprises a detected ports attribute with attribute values that are determined when the second relationship is instantiated.

18. A non-transitory, computer-readable medium storing instructions that, when executed, cause a computing device to:
- instantiate a baseline, wherein the baseline comprises a set of assets, and a set of relationships including a first relationship;
  
  associate a first event stream with the baseline, wherein the first event stream comprises events including a first event, and each event comprises attributes;
  
  evaluate each event of the first event stream by performing evaluations corresponding to attributes in the set of relationships; and
  
  detect, based on the evaluating of the first event stream, a drift from the baseline, wherein the drift is based on a failure of at least one attribute value in the first event to match at least one attribute value of the first relationship.
- View Dependent Claims (19, 20)
- - 19. The non-transitory, computer-readable medium of claim 18, wherein each asset of the set of assets comprises an asset port attribute, the first event stream is provided from a set of vulnerability scanners, and each event of the first event stream includes data from a port scan that identifies port numbers for detected ports.
  - 20. The non-transitory, computer-readable medium of claim 18, wherein attribute values for detected port attributes of each relationship in the set of relationships are based on values for asset port attributes of the set of assets when the respective relationship is instantiated, and wherein detecting the drift is based on a failure of detected ports in the first event for a first asset of the set of assets to match detected ports for the first asset in the first relationship.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Catbird Networks, Inc.
Original Assignee
Catbird Networks, Inc.
Inventors
Rieke, Malcolm

Granted Patent

US 10,666,673 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/00   Information retrieval; Data...

G06F 21/31   User authentication

G06F 21/552   involving long-term monitor...

G06F 3/0482   Interaction with lists of s...

H04L 41/06   Management of faults, event...

H04L 43/026   using flow identification

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

BEHAVIORAL BASELINING OF NETWORK SYSTEMS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

BEHAVIORAL BASELINING OF NETWORK SYSTEMS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others