Method and system for encrypted network management and intrusion detection

US 7,383,577 B2
Filed: 06/03/2002
Issued: 06/03/2008
Est. Priority Date: 05/20/2002
Status: Active Grant

First Claim

Patent Images

1. A network security system, the system comprising:

a) a system data store capable of storing risk criteria data, network default data, historical data regarding an encrypted computer network, and network performance and usage data;

b) a first communication interface comprising a receiver that receives inbound communications from a communication channel associated with the communication interface;

c) a system processor comprising one or more processing elements, wherein the system processor is in communication with the system data store and wherein the system processor is programmed or adapted to perform the steps comprising of;

i) receiving data corresponding to a communication transmitted over an encrypted computer network and a signal used to transmit the communication via the communication, interface;

ii) detecting a violation within an encrypted data stream by applying a plurality of tests, wherein the plurality of tests comprise a statistical anomaly test that compares the received data with statistical data in the system data store or information derived therefrom and performs anomaly-based detection based on the comparison between the received data and the statistical data, wherein the plurality of tests further comprise a policy test that compares the received data to predetermined policy, and wherein the statistical data comprises any of mean, non-zero mean, standard deviation, autocorrelation, and peak for each time slice for a plurality of thresholds;

iii) generating an alarm signal if a violation was detected.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security system includes a system data store capable of storing a variety of data associated with an encrypted computer network and communications transmitted thereon, a communication interface supporting communication over a communication channel and a system processor. Data corresponding to communications transmitted over the encrypted communication network are received. One or more tests are applied to the received data to determine whether a particular communication represents a potential security violation. An alarm may be generated based upon the results of the applied test or tests.

440 Citations

23 Claims

1. A network security system, the system comprising:
- a) a system data store capable of storing risk criteria data, network default data, historical data regarding an encrypted computer network, and network performance and usage data;
  
  b) a first communication interface comprising a receiver that receives inbound communications from a communication channel associated with the communication interface;
  
  c) a system processor comprising one or more processing elements, wherein the system processor is in communication with the system data store and wherein the system processor is programmed or adapted to perform the steps comprising of;
  
  i) receiving data corresponding to a communication transmitted over an encrypted computer network and a signal used to transmit the communication via the communication, interface;
  
  ii) detecting a violation within an encrypted data stream by applying a plurality of tests, wherein the plurality of tests comprise a statistical anomaly test that compares the received data with statistical data in the system data store or information derived therefrom and performs anomaly-based detection based on the comparison between the received data and the statistical data, wherein the plurality of tests further comprise a policy test that compares the received data to predetermined policy, and wherein the statistical data comprises any of mean, non-zero mean, standard deviation, autocorrelation, and peak for each time slice for a plurality of thresholds;
  
  iii) generating an alarm signal if a violation was detected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The system of claim 1, wherein the system processor is further programmed or adapted to perform the step comprising of updating the historical data in the data store based upon the received data.
  - 3. The system of claim 1, wherein the first communication interface'"'"'s receiver receives the signal corresponding to a communication transmitted over the encrypted computer network and forwards data corresponding to the communication and the signal to the system processor.
  - 4. The system of claim 3, wherein the encrypted computer network is a wireless computer network employing encryption and wherein the first communication interface'"'"'s receiver is a wireless receiver.
  - 5. The system of claim 4, wherein the wireless computer network employs WEP as the encryption.
  - 6. The system of claim 3, wherein the signal received by the first communication interface'"'"'s receiver originate from an access point within a wireless computer network, from a station within a wireless computer network, or from one or more sensors located within an area serviced by a wireless computer network.
  - 7. The system of claim 6, further comprising one or more sensors located within an area serviced by the wireless computer network, wherein each of the one or more sensors comprise a wireless receiver capable of receiving communications transmitted over the wireless computer network and a transmitter capable of transmitting data associated with received communications over the communication channel to the first communication interface.
  - 8. The system of claim 7, wherein each sensor further comprises at least one processing element of the system processor and wherein the at least one processing element is programmed or adapted to cause the sensors transmitter to forward data associated with received communications in response to reception of received communications by the sensor'"'"'s wireless receiver.
  - 9. The system of claim 8, wherein each sensor'"'"'s transmitter is a wireless transmitter or wherein each sensor further comprises a wireless transmitter, and wherein each sensor'"'"'s at least one processor is further programmed or adapted to perform the step comprising of triggering an active defense of the wireless computer network in response to a generated alarm.
  - 10. The system of claim 6, wherein the first communication interface further comprises a transmitter that transmits outbound communications to the communication channel and further comprising a device housing that houses the first communication interface and at least one processing element of the system processor, thereby forming a first device, and one or more additional devices, wherein each additional device comprises a housing, a device communication interface allowing communication via the communication channel and at least one processing element of the system processor, wherein the signal received by any of the first or the additional devices'"'"' respective communication interface originate from an access point within the wireless computer network, from a station within the wireless computer network, or from a different device.
  - 11. The system of claim 10, further comprising one or more sensors located within an area serviced by the wireless network, wherein, each of the one or more sensors comprise a wireless receiver capable of receiving communications transmitted over the wireless computer network and a transmitter capable of transmitting data associated with received communications over the communication channel to the first communication interface, wherein the signals received by any of the first or the additional devices'"'"' respective communication interface may also originate from one of the one or more sensors.
  - 12. The system of claim 1, wherein the first communication interface further comprises a transmitter that transmits outbound communications to the communication channel and wherein the system processor is programmed or adapted to perform the steps comprising of triggering an active defense of a wireless computer network in response to a generated alarm and each generated alarm comprises a type or severity and wherein the system processor'"'"'s triggering of an active defense comprises the step of selecting an active defense based on the type or the severity of the generated alarm to which the triggering step was responsive.
  - 13. The system of claim 12, wherein the triggered active defense is:
    - 1) transmitting packets containing inserted CRC errors;
      
      or2) transmitting communications comprising random data.
  - 14. The system of claim 1, wherein the system processor is further programmed or adapted to perform the steps comprising of receiving configuration information and storing the received configuration information in the system data store.
  - 15. The system of claim 14, wherein the configuration information is received by the system processor from a configuration file, from an interactive data entry interface or from a command line.
  - 16. The system of claim 14, wherein the received configuration information comprises network default data and risk criteria.
  - 17. The system of claim 1, wherein the system data store comprises a station data store comprising data related to stations within the encrypted network and wherein the system processor is further programmed or adapted to perform the step comprising of updating the station data store based upon the received data.
  - 18. The system of claim 1, wherein the system processor is further programmed or adapted to perform the step comprising of notifying an administrator of the generated alarm if a violation was detected.
  - 19. The system of claim 1, wherein the plurality of tests applied by the system processor further comprises a signature test and a protocol test.
  - 20. The system of claim 1, wherein the system processor is further programmed or adapted to perform the step comprising of mapping station identity.

21. A network security method, the method comprising the steps of:
- a) receiving configuration information comprising one or more risk criteria, network default data, network policy, performance and usage data from a configuration file, an interactive data entry interface or a command line;
  
  b) receiving data corresponding to a communication transmitted over an encrypted computer network and a signal used to transmit the communication;
  
  c) updating a database containing data corresponding to stations in the encrypted computer network based upon the received data;
  
  d) updating state information associated with the encrypted computer network based upon the received data;
  
  e) if a statistical interval has ended based upon the received data or a fixed time interval, updating a database of statistics associated with the encrypted computer network, wherein the database of statistics comprises any of mean, non-zero mean, standard deviation, autocorrelation, and peak values for each time slice for a plurality of thresholds;
  
  f) testing the received data to determine if it represents a signature violation by comparing the received data with configuration information or information derived therefrom of known attack patterns;
  
  g) testing the received data to determine if it represents a protocol violation by comparing the received data with configuration information or information derived therefrom comprising an authorized protocol set;
  
  h) testing the received data to determine if it represents a statistical anomaly by comparing the received data with configuration, information, information derived therefrom, or information in the database of statistics associated with the encrypted computer network, wherein the statistical anomaly comprises a difference between the received data and corresponding information in the database of statistics larger than a threshold;
  
  i) testing the received data to determine if it represents a policy violation by comparing the received data with a configurable set of activity rules comprising predetermined policy;
  
  j) generating an alarm signal if the received data represents a signature violation, a protocol violation, a statistical anomaly or a policy violation, wherein, the generated alarm signal comprises a type and a severity;
  
  k) in response to the generated alarm,i) notifying an administrator of the generated alarm, its type and its seventy;
  
  orii) actively defending the encrypted computer network based upon the generated alarm'"'"'s type and seventy by;
  
  1) CRC errors;
  
  2) transmitting communications comprising random data;
  
  or3) locking-down the encrypted computer network; and
  
  1) mapping station identity.
- View Dependent Claims (22)
- - 22. Computer readable storage media storing instructions that upon execution by a system processor cause the system processor to perform the method of claim 21.

23. A network security system, the system comprising:
- a) storing means for receiving and storing risk criteria data, network default data, and network performance and usage data;
  
  b) configuration means for receiving configuration information and forwarding the received configuration information to the storing means;
  
  c) communication data receiving means for receiving data corresponding to a communication transmitted over an encrypted computer network and a signal used to transmit the communication;
  
  d) database update means for transferring updated data to the storing means based upon data received by the communication data receiving means;
  
  e) testing means for applying a plurality of tests to data received by the communication data receiving means, wherein each of the plurality of tests comprise a signature test, a protocol test, a statistical anomaly test and a policy test and wherein each test compares data received by the communication data receiving means with data in the storing means or information derived therefrom;
  
  f) alarm means for generating an alarm signal if the data received by the communication data receiving means represents a signature violation, a protocol violation, a statistical anomaly or a policy violation as determined by the testing means, wherein the generated alarm signal comprises a type and a severity;
  
  g) notification means for notifying an administrator of an alarm generated by the alarm means, its type and its severity;
  
  h) active defense means for actively defending the encrypted computer network based upon the type and severity of an alarm generated by the alarm means by;
  
  i) CRC errors;
  
  orii) transmitting communications comprising random data; and
  
  i) mapping means for mapping station identity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
AirDefense Incorporated (Motorola Solutions, Inc.)
Inventors
Sale, Edwin L., Hollingsworth, Dawn M., Hrastar, Scott, Lynn, Michael T.
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
Moorthy; Aravind K

Application Number

US10/161,137
Publication Number

US 20030217283A1
Time in Patent Office

2,192 Days
Field of Search

713/201, 713/200
US Class Current

726/23
CPC Class Codes

H04L 41/0681   Configuration of triggering...

H04L 63/0428   wherein the data content is...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04W 12/122   Counter-measures against at...

H04W 88/08   Access point devices

Method and system for encrypted network management and intrusion detection

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

440 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Method and system for encrypted network management and intrusion detection

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

440 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others