Method and system for dynamic network intrusion monitoring, detection and response

DC CAFC

US 7,159,237 B2
Filed: 01/19/2001
Issued: 01/02/2007
Est. Priority Date: 03/16/2000
Status: Expired due to Term

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method of operating a probe as part of a security monitoring system for a computer network, comprising:

a) collecting status data from at least one monitored component of said network;

b) analyzing status data to identify potentially security-related events represented in the status data, wherein the analysis includes filtering followed by an analysis of post-filtering residue, wherein the post-filtering residue is data neither discarded nor selected by filtering;

c) transmitting information about said identified events to an analyst associated with said security monitoring system;

d) receiving feedback at the probe based on empirically-derived information reflecting operation of said security monitoring system; and

e) dynamically modifying an analysis capability of said probe during operation thereof based on said received feedback.

View all claims

3 Assignments

Timeline View

Assignment View

Litigations

2 Petitions

Reexamination

Accused Products

Abstract

A probe attached to a customer'"'"'s network collects status data and other audit information from monitored components of the network, looking for footprints or evidence of unauthorized intrusions or attacks. The probe filters and analyzes the collected data to identify potentially security-related events happening on the network. Identified events are transmitted to a human analyst for problem resolution. The analyst has access to a variety of databases (including security intelligence databases containing information about known vulnerabilities of particular network products and characteristics of various hacker tools, and problem resolution databases containing information relevant to possible approaches or solutions) to aid in problem resolution. The analyst may follow a predetermined escalation procedure in the event he or she is unable to resolve the problem without assistance from others. Various customer personnel can be alerted in a variety of ways depending on the nature of the problem and the status of its resolution. Feedback from problem resolution efforts can be used to update the knowledge base available to analysts for future attacks and to update the filtering and analysis capabilities of the probe and other systems.

299 Citations

42 Claims

1. A method of operating a probe as part of a security monitoring system for a computer network, comprising:
- a) collecting status data from at least one monitored component of said network;
  
  b) analyzing status data to identify potentially security-related events represented in the status data, wherein the analysis includes filtering followed by an analysis of post-filtering residue, wherein the post-filtering residue is data neither discarded nor selected by filtering;
  
  c) transmitting information about said identified events to an analyst associated with said security monitoring system;
  
  d) receiving feedback at the probe based on empirically-derived information reflecting operation of said security monitoring system; and
  
  e) dynamically modifying an analysis capability of said probe during operation thereof based on said received feedback.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein said identifying step includes performing a multi-stage analysis of said status data.
  - 3. The method of claim 2, wherein said multi-stage analysis includes performing a discrimination analysis on said status data.
  - 4. The method of claim 3, wherein the discrimination analysis includes positive filtering.
  - 5. The method of claim 3, wherein the discrimination analysis includes negative filtering.
  - 6. The method of claim 2, wherein said multi-stage analysis includes analysis at the probe and analysis at a secure operations center configured to receive data from said probe.
  - 7. The method of claim 1, wherein said identifying step includes aggregating and synthesizing said status data at the probe.
  - 8. The method of claim 7, wherein said identifying step includes cross-correlating data across said monitored components.
  - 9. The method of claim 7, wherein said identifying step includes analyzing the frequency of occurrence of said events.
  - 10. The method of claim 1, further comprising after said step (c), performing further computer-based analysis at a secure operations center configured to receive data from said probe.
  - 11. The method of claim 10, wherein said computer-based analysis includes aggregating, synthesizing, and presenting alerts on an ensemble basis.
  - 12. The method of claim 10, wherein said identifying step includes cross-correlating data across said monitored components.
  - 13. The method of claim 10, wherein said identifying step includes analyzing the frequency of occurrence of said events.
  - 14. The method of claim 10, wherein said computer-based analysis includes cross-probe correlation.
  - 15. The method of claim 1, further comprising instantaneously self-tuning said probe based on previously collected status data.
  - 16. The method of claim 1, wherein said dynamic modifying step includes consideration of non-real-time information from ongoing security research efforts.
  - 17. The method of claim 1, wherein said receiving feedback step occurs in substantially real time.

18. A security monitoring system for a computer network, comprising:
- a) a plurality of sensors for monitoring components of said network;
  
  b) at least one secure operations center configured to receive and analyze potentially security-related event data from at least one probe; and
  
  c) at least one probe, wherein said probe is configured to(1) collect status data from at least one sensor monitoring at least one component of said network;
  
  (2) analyze status data to identify potentially security-related events represented in the status data, wherein the analysis includes filtering followed by an analysis of post-filtering residue, wherein the post-filtering residue is data neither discarded nor selected by filtering;
  
  (3) transmit information about said identified events to an analyst associated with said secure operations center;
  
  (4) receive feedback based on empirically-derived information reflecting operation of said security monitoring system; and
  
  (5) dynamically modify an analysis capability of said probe during operation thereof based on said received feedback.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The security monitoring system of claim 18, wherein said probe is configured to identify potentially security-related events by performing a discrimination analysis on said status data.
  - 20. The security monitoring system of claim 19, wherein said probe is configured to identify potentially security-related events by performing a positive filter discrimination analysis on said status data.
  - 21. The security monitoring system of claim 19, wherein said probe is configured to identify potentially security-related events by performing a negative filter discrimination analysis on said status data.
  - 22. The security monitoring system of claim 18, wherein said probe and said secure operations center are configured to identify potentially security-related events by performing a multistage analysis of said status data.
  - 23. The security monitoring system of claim 22, wherein said multi-stage analysis includes analysis at the probe and analysis at said secure operations center.
  - 24. The security monitoring system of claim 18, wherein said secure operations center is configured to identify potentially security-related events by performing a computer-based analysis of said potentially security-related event data received from said probe.
  - 25. The security monitoring system of claim 24, wherein said computer-based analysis is configured to correlate data from different probes.

26. A computer-readable medium whose contents cause a computer system to operate a probe as part of a security monitoring system for a computer network, by performing the steps of:
- a) collecting status data from at least one monitored component of said network;
  
  b) analyzing status data to identify potentially security-related events represented in the status data, wherein the analysis includes filtering followed by an analysis of post-filtering residue, wherein the post-filtering residue is data neither discarded nor selected by filtering;
  
  c) transmitting information about said identified events to an analyst associated with said security monitoring system;
  
  d) receiving feedback at the probe based on empirically-derived information reflecting operation of said security monitoring system; and
  
  e) dynamically modifying an analysis capability of said probe during operation thereof based on said received feedback.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 27. The computer-readable medium of claim 26, wherein said identifying step includes performing a multi-stage analysis of said status data.
  - 28. The computer-readable medium of claim 27, wherein said multi-stage analysis includes performing a discrimination analysis on said status data.
  - 29. The computer-readable medium of claim 28, wherein the discrimination analysis includes positive filtering.
  - 30. The computer-readable medium of claim 28, wherein the discrimination analysis includes negative filtering.
  - 31. The computer-readable medium of claim 27, wherein said multi-stage analysis includes analysis at the probe and analysis at a secure operations center configured to receive data from said probe.
  - 32. The computer-readable medium of claim 26, wherein said identifying step includes aggregating and synthesizing said status data at the probe.
  - 33. The computer-readable medium of claim 32, wherein said identifying step includes cross-correlating data across said monitored components.
  - 34. The computer-readable medium of claim 32, wherein said identifying step includes analyzing the frequency of occurrence of said events.
  - 35. The computer-readable medium of claim 26, further comprising after said step (c), performing further computer-based analysis at a secure operations center configured to receive data from said probe.
  - 36. The computer-readable medium of claim 35, wherein said computer-based analysis includes aggregating, synthesizing, and presenting alerts on an ensemble basis.
  - 37. The computer-readable medium of claim 35, wherein said identifying step includes cross-correlating data across said monitored components.
  - 38. The computer-readable medium of claim 35, wherein said identifying step includes analyzing the frequency of occurrence of said events.
  - 39. The computer-readable medium of claim 35, wherein said computer-based analysis includes cross-probe correlation.
  - 40. The computer-readable medium of claim 26, further comprising instantaneously self-tuning said probe based on previously collected status data.
  - 41. The computer-readable medium of claim 26, wherein said dynamic modifying step includes consideration of non-real-time information from ongoing security research efforts.
  - 42. The computer-readable medium of claim 26, wherein said receiving feedback step occurs in substantially real time.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
BT Americas Incorporated (BT Group PLC)
Original Assignee
BT Counterpane, Inc. (BT Group PLC)
Inventors
Schneier, Bruce, Gross, Andrew H., Callas, Jonathan D.
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Jackson, Jenise

Application Number

US09/766,343
Publication Number

US 20020087882A1
Time in Patent Office

2,174 Days
Field of Search

713200-201, 709/208, 709/220, 709223-229, 726 1- 3, 726 11- 13, 726 22- 25, 726/6
US Class Current

726/3
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Method and system for dynamic network intrusion monitoring, detection and response

First Claim

3 Assignments

Litigations

2 Petitions

Reexamination

Accused Products

Abstract

299 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for dynamic network intrusion monitoring, detection and response

First Claim

3 Assignments

Subscription Required

Subscription Required

Litigations

2 Petitions

Subscription Required

Reexamination

Accused Products

Subscription Required

Abstract

299 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links