Systems and methods for anomaly detection in patterns of monitored communications

US 7,124,438 B2
Filed: 03/08/2002
Issued: 10/17/2006
Est. Priority Date: 03/08/2002
Status: Active Grant

First Claim

Patent Images

1. A system for detecting an anomalous communication transmitted over a communications network, the system comprising:

a) an interface coupling the system with the communications network;

b) a system data store capable of storing data associated with communications transmitted over the communications network and information associated with one or more responses to be initiated if an anomaly is detected;

c) a system processor in communication with the interface and the data store, wherein the system processor comprises one or more processing elements and wherein the system processor executes;

i) a collection engine that;

1) receives a communication via the interface; and

2) generates data associated with the received communication by applying one or more tests to the received communication;

ii) an analysis engine that detects whether an anomaly exists with respect to the received communication based upon the data generated by the collection engine and data associated with previously received communications from the system data store; and

iii) an action engine that initiates a predetermined response from the system data store if an anomaly was detected by the analysis engine;

wherein the analysis engine detects whether an anomaly exists by;

1) determining a set of anomaly types of interest;

2) for each of the anomaly types of interest in the determined set,(a) acquiring one or more anomaly thresholds associated with the respective anomaly type based at least in part upon accumulated data associated with received communications from the system data store;

(b) comparing information in the stored risk profile against at least one of the acquired one or more anomaly thresholds; and

(c) determining whether an anomaly of the respective anomaly type exists with respect to the received communication based upon the comparison.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to systems and methods for enhancing electronic communication security. A communication transmitted over a communications network is received and tested by a collection engine to generate data associated with the received communication. An analysis engine analyzes the data generated by the collection engine along with data associated with previously received communications to whether an anomaly exists. If an anomaly exists with respect to the received communication, an action engine initiates a predetermined response.

475 Citations

43 Claims

1. A system for detecting an anomalous communication transmitted over a communications network, the system comprising:
- a) an interface coupling the system with the communications network;
  
  b) a system data store capable of storing data associated with communications transmitted over the communications network and information associated with one or more responses to be initiated if an anomaly is detected;
  
  c) a system processor in communication with the interface and the data store, wherein the system processor comprises one or more processing elements and wherein the system processor executes;
  
  i) a collection engine that;
  
  1) receives a communication via the interface; and
  
  2) generates data associated with the received communication by applying one or more tests to the received communication;
  
  ii) an analysis engine that detects whether an anomaly exists with respect to the received communication based upon the data generated by the collection engine and data associated with previously received communications from the system data store; and
  
  iii) an action engine that initiates a predetermined response from the system data store if an anomaly was detected by the analysis engine;
  
  wherein the analysis engine detects whether an anomaly exists by;
  
  1) determining a set of anomaly types of interest;
  
  2) for each of the anomaly types of interest in the determined set,(a) acquiring one or more anomaly thresholds associated with the respective anomaly type based at least in part upon accumulated data associated with received communications from the system data store;
  
  (b) comparing information in the stored risk profile against at least one of the acquired one or more anomaly thresholds; and
  
  (c) determining whether an anomaly of the respective anomaly type exists with respect to the received communication based upon the comparison.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The system of claim 1, wherein the received communication comprises an e-mail communication, an HTTP communication, an FTP communication, a WAIS communication, a telnet communication or a Gopher communication.
  - 3. The system of claim 2, wherein the received communication is an e-mail communication.
  - 4. The system of claim 1, wherein each of the one or more tests applied by the collection engine comprises intrusion detection, virus detection, spam detection or policy violation detection.
  - 5. The system of claim 1, wherein the collection engine applies a plurality of tests.
  - 6. The system of claim 5, wherein the collection engine applies each of the plurality of tests in a parallel fashion.
  - 7. The system of claim 5, wherein the collection engine applies each of the plurality of tests in a sequential fashion.
  - 8. The system of claim 1, wherein the system data store stores configuration information and wherein the collection engine applies each of the one or more tests based upon configuration information stored in the system data store.
  - 9. The system of claim 1, wherein the analysis engine detects whether an anomaly exists further based upon configuration information stored in the system data store.
  - 10. The system of claim 9, wherein the configuration information comprises anomaly types, anomaly threshold information, anomaly time period information or anomaly response information.
  - 11. The system of claim 1, wherein the analysis engine further derives one or more anomaly thresholds from the accumulated data associated with received communications in the system data store and wherein the analysis engine detects whether an anomaly exists further based upon the derived one or more anomaly thresholds.
  - 12. The system of claim 1, wherein the system data store stores configuration information and wherein the analysis engine determines the set of anomaly types of interest by reading configuration information from the system data store.
  - 13. The system of claim 1, wherein the analysis engine determines the set of anomaly types of interest based upon the received communication.
  - 14. The system of claim 1, wherein the analysis engine acquires at least one of the one or more anomaly thresholds by deriving the at least one anomaly threshold from the accumulated data associated with previously received communications.
  - 15. The system of claim 14, wherein the derivation of the at least one anomaly threshold is further based upon a predetermined time period.
  - 16. The system of claim 1, wherein the system data store stores configuration information and wherein the analysis engine acquires at least one of the one or more anomaly threshold by reading configuration information from the system data store.
  - 17. The system of claim 1, wherein the action engine'"'"'s initiated predetermined response is based upon an anomaly type associated with an anomaly detected by the analysis engine.
  - 18. The system of claim 1, wherein the action engine'"'"'s initiated predetermined response comprises conveying a notification to an administrator, refusing acceptance of further communications from the source of the received communication, quarantine of the received communication, stripping the received communication of identified content, or throttling excessive numbers of incoming connections per second to manageable levels.
  - 19. The system of claim 18, wherein the action engine'"'"'s initiated predetermined response comprises conveying a notification to an administrator and wherein the notification comprises an e-mail message, a page, a facsimile, an telephone call, an SMS message, a WAP alert or SMNP alert.
  - 20. The system of claim 1, wherein the system processor further aggregates the data generated by the collection engine with the accumulated data associated with previously received communications and stores aggregated accumulated data in the system data store.
  - 21. The system of claim 1, wherein the system processor further provides an interface via which an administrator enters configuration information, receives configuration information from the interface and stores the received configuration information in the system data store.
  - 22. The system of claim 21, wherein the collection engine applies the one or more tests based upon the stored configuration information.
  - 23. The system of claim 21, wherein the analysis engine detects whether an anomaly exists based upon the stored configuration information.
  - 24. The system of claim 23, wherein the stored configuration information comprises anomaly types, anomaly threshold information, anomaly time period information or anomaly response information.
  - 25. The system of claim 21, wherein the system processor provides the interface to the administrator via a Web server, an e-mail server, a automated voice recognition system or an SMS message server.
  - 26. The system of claim 21, wherein the system processor further populates the interface with default values prior to providing it to the administrator.

27. A method for detecting an anomalous communication transmitted over a communication network, the method comprising the steps of:
- a) receiving a communication transmitted over a communication network;
  
  b) applying one or more tests to the received communication to generate data associated with the received communication;
  
  c) acquiring data associated with one or more previously received communications;
  
  d) detecting whether an anomaly exists with respect to the received communication based upon the generated data and acquired data; and
  
  e) initiating a predetermined response if an anomaly was detected,wherein the step of detecting whether an anomaly exists comprises;
  
  i) determining a set of anomaly types of interest;
  
  ii) for each of the anomaly types of interest in the determined set,1) acquiring one or more anomaly thresholds associated with the respective anomaly type based at least in part upon the acquired data associated with one or more previously received communications;
  
  2) comparing information in the stored risk profile against at least one of the acquired one or more anomaly thresholds; and
  
  3) determining whether an anomaly of the respective anomaly type exists with respect to the received communication based upon the comparison.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 28. The method of claim 27, wherein the received communication comprises an e-mail communication, an HTTP communication, an FTP communication, a WAIS communication, a telnet communication or a Gopher communication.
  - 29. The method of claim 28, wherein the received communication is an e-mail communication.
  - 30. The method of claim 27, wherein each of the one or more tests applied by the collection engine comprises intrusion detection, virus detection, spam detection or policy violation detection.
  - 31. The method of claim 27, wherein the step of applying one or more tests comprises applying a plurality of tests.
  - 32. The method of claim 27, and further comprising the step of deriving one or more anomaly thresholds from the acquired data and wherein the step of detecting whether an anomaly exists further bases detecting whether an anomaly exists upon the derived one or more anomaly thresholds.
  - 33. The method of claim 27, wherein the step of determining a set of anomaly types of interest comprises reading a configuration file.
  - 34. The method of claim 27, wherein the step of determining a set of anomaly types of interest determines the set based upon the received communication.
  - 35. The method of claim 27, wherein the step of acquiring one or more anomaly thresholds comprises the step of deriving at least one anomaly threshold from the acquired data associated with one or more previously received communications.
  - 36. The method of claim 27, wherein the initiated predetermined response is based upon an anomaly type associated with a detected anomaly.
  - 37. The method of claim 27, wherein the initiated predetermined response comprises conveying a notification to an administrator, refusing acceptance of further communications from the source of the received communication, quarantine of the received communication, stripping the received communication of identified content, or throttling excessive numbers of incoming connections per second to manageable levels.
  - 38. The method of claim 37, wherein the initiated predetermined response comprises conveying a notification to an administrator and wherein the notification comprises an e-mail message, a page, a facsimile, an telephone call, an SMS message, a WAP alert or SMNP alert.

39. Computer readable storage media storing instructions that upon execution by a system processor cause the system processor to detect an anomalous communication transmitted over a communication network, the media having stored instruction that cause the system processor to perform the steps comprising of:
- a) receiving a communication transmitted over a communication network;
  
  b) applying one or more tests to the received communication to generate data associated with the received communication;
  
  c) acquiring data associated with one or more previously received communications;
  
  d) detecting whether an anomaly exists with respect to the received communication based upon the generated data and acquired data; and
  
  e) initiating a predetermined response if an anomaly was detectedwherein the instructions causing the system processor to detect whether an anomaly exists comprise instructions causing the system processor to perform the steps comprising of;
  
  i) determining a set of anomaly types of interest;
  
  ii) for each of the anomaly types of interest in the determined set,1) acquiring one or more anomaly thresholds associated with the respective anomaly type based at least in part upon the acquired data associated with one or more previously received communications;
  
  2) comparing information in the stored risk profile against at least one of the acquired one or more anomaly thresholds; and
  
  3) determining whether an anomaly of the respective anomaly type exists with respect to the received communication based upon the comparison.
- View Dependent Claims (40, 41, 42, 43)
- - 40. The media of claim 39, wherein the instructions causing the system processor to receive the communication comprise instructions causing the system processor to receive an e-mail communication.
  - 41. The media of claim 39, wherein the instructions causing the system processor to apply one or more tests comprise instructions causing the system processor to apply one or more of an intrusion detection test, a virus detection test, a spam detection test or a policy violation test.
  - 42. The media of claim 39, wherein the initiated predetermined response is based upon an anomaly type associated with a detected anomaly.
  - 43. The media of claim 39, wherein the initiated predetermined response comprises conveying a notification to an administrator, refusing acceptance of further communications from the source of the received communication, quarantine of the received communication, stripping the received communication of identified content, or throttling excessive numbers of incoming connections per second to manageable levels.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Ciphertrust, Incorporated (McAfee, LLC)
Inventors
Judge, Paul, Rajan, Guru
Primary Examiner(s)
Song, Hosuk

Application Number

US10/094,266
Publication Number

US 20030172302A1
Time in Patent Office

1,684 Days
Field of Search

726 1- 4, 726 6- 7, 726/11, 726 23- 30, 713/150, 713/155, 713/164, 713/168, 713187-188, 709/200, 709/220, 709223-225, 709/229
US Class Current

726/22
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/145 the attack involving the pr...

Systems and methods for anomaly detection in patterns of monitored communications

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

475 Citations

43 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for anomaly detection in patterns of monitored communications

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

475 Citations

43 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others