Network attack visualization and response through intelligent icons

US 8,245,302 B2
Filed: 09/15/2010
Issued: 08/14/2012
Est. Priority Date: 09/15/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A network intrusion visualization system comprising:

a computer coupled to a network and adapted to receive data from the network, the computer including a nontransitory computer readable medium having stored thereon software instructions for programming the computer to provide a graphical visualization of monitored network activity, the software instructions, when executed by the computer, cause the computer to perform operations including;

applying a grammar having a plurality of motifs to a network activity data sample to determine a measure of similarity between the data sample and each of a plurality of models representing different network activity behaviors associated with the grammar;

characterizing the data sample based on the measure of similarity, including mapping a normalized difference value for each motif of the grammar to generate a plurality of statistical features;

generating a plurality of intelligent icons, each icon corresponding to one of the models and having a respective plurality of graphical representations each corresponding to a different statistical feature representing the normalized difference value of a respective one of the motifs for that model; and

displaying the intelligent icons and the respective plurality of graphical representations on a display device coupled to the computer,wherein the operations further include arranging the graphical representations based on a relative importance of a corresponding motif within the model associated with that motif.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network activity visualization system can include an MDL grammar database adapted to store a plurality of MDL grammars, and a pattern matching module adapted to match a received network activity data set against the MDL grammars by calculating a distance of the network activity data set from each MDL grammar. The system can also include an intelligent icon module adapted to receive the MDL grammars and distances of a network data set from each respective MDL grammar, and adapted to generate intelligent icons based on the MDL grammars and distances. The system can further include a display system adapted to display the intelligent icons so as to provide a visual indication of network security.

65 Citations

View as Search Results

28 Claims

1. A network intrusion visualization system comprising:
- a computer coupled to a network and adapted to receive data from the network, the computer including a nontransitory computer readable medium having stored thereon software instructions for programming the computer to provide a graphical visualization of monitored network activity, the software instructions, when executed by the computer, cause the computer to perform operations including;
  
  applying a grammar having a plurality of motifs to a network activity data sample to determine a measure of similarity between the data sample and each of a plurality of models representing different network activity behaviors associated with the grammar;
  
  characterizing the data sample based on the measure of similarity, including mapping a normalized difference value for each motif of the grammar to generate a plurality of statistical features;
  
  generating a plurality of intelligent icons, each icon corresponding to one of the models and having a respective plurality of graphical representations each corresponding to a different statistical feature representing the normalized difference value of a respective one of the motifs for that model; and
  
  displaying the intelligent icons and the respective plurality of graphical representations on a display device coupled to the computer,wherein the operations further include arranging the graphical representations based on a relative importance of a corresponding motif within the model associated with that motif.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 23, 24)
- - 2. The system of claim 1, wherein the operations further include arranging the graphical representations simultaneously on a display.
  - 3. The system of claim 1, wherein the characterizing includes calculating a proximity between the data sample and the models.
  - 4. The system of claim 1, wherein the network activity is classified as normal activity or threat activity based on the characterization of the data sample.
  - 5. The system of claim 1, wherein the network activity is classified as a zero day attack when the data sample is determined to have a distance from each model that is above a predetermined threshold.
  - 6. The system of claim 1, wherein the models include a group of normal network activity models and a group of attack network activity models, and intelligent icons representing both groups are displayed simultaneously.
  - 7. The system of claim 6, wherein the statistical features indicate whether the network activity data is more likely correlated with the group of normal network activity models or with the group of attack network activity models.
  - 8. The system of claim 1, wherein the statistical features indicate a proximity of the network activity relative to one or more of the models.
  - 9. The system of claim 1, wherein the statistical features indicate that the network activity data represents a new network behavior when the statistical features exceed a threshold distance from the models.
  - 10. The system of claim 1, wherein the models are MDL models.
  - 23. The system of claim 1, wherein the network activity data sample is taken from a network connecting a truck and a satellite.
  - 24. The system of claim 1, wherein the operations further include downgrading quality of service, but not terminating, data transfer in the network associated with the network activity data sample based on a measure of similarity between the data sample and one or more of the models associated with an intrusion.

11. A network activity visualization system comprising:
- a pattern matching module adapted to match a received network activity data set, containing data representing electronic activity in an electronic communications network, against each of a plurality of mathematical models by calculating a distance of the network activity data set from a respective one of the mathematical models, the mathematical models each having a plurality of motifs associated with a grammar; and
  
  an intelligent icon display module adapted to generate intelligent icons each corresponding to a different one of the mathematical models so as to provide a visual indication of network security, the generated intelligent icons adapted for display on a display device and each intelligent icon having a graphical representation corresponding to a different statistical feature representing a normalized difference value of a respective one of the motifs for that model,wherein the intelligent icon display module is further adapted to arrange the intelligent icons based on a relative importance of a corresponding motif within the model associated with that motif.
- View Dependent Claims (12, 13, 14, 25, 26)
- - 12. The system of claim 11, wherein when the distance between the network activity data set and each of the mathematical models exceeds a predetermined threshold, the network activity data is identified as a new behavior and a mathematical modeling process is performed on the network activity data to generate a new mathematical model.
  - 13. The system of claim 12, wherein the new mathematical model is classified as a normal mathematical model or an attack mathematical model.
  - 14. The system of claim 13, wherein the new mathematical model is added to a mathematical model database.
  - 25. The system of claim 11, wherein the network activity data set is taken from a network connecting a truck and a satellite.
  - 26. The system of claim 11, further including downgrading quality of service, but not terminating, data transfer in the network associated with the network activity data set based on a measure of similarity between the data set and one or more of the mathematical models associated with an intrusion.

15. A computer-implemented method of intrusion detection visualization comprising:
- characterizing network activity data using a computer programmed to perform network intrusion visualization, the characterizing including generating, with the computer, a plurality of statistical features each representing a relationship between the network activity data and a corresponding one of a plurality of models representing network activity behavior, each of the models having a plurality of motifs associated with a grammar;
  
  associating, with the computer, each of a plurality of graphical representations with a corresponding one of the models;
  
  altering, with the computer, a visual appearance of each graphical representation of an associated model based on a corresponding statistical feature of that model from said plurality of statistical features to generate altered graphical representations;
  
  downgrading quality of service to a network data transfer associated with the network activity data based on an indication in one of the statistical features that the network activity represents an intrusion;
  
  displaying one or more of the altered graphical representations on a display device coupled to the computer, the altered graphical representations providing on the display device a visual indication of the statistical features corresponding to the models associated with the graphical representations; and
  
  arranging the altered graphical representations based on a relative importance of a motif corresponding to the model associated with each respective altered graphical representation.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 27)
- - 16. The method of claim 15, further comprising further arranging the graphical representations on the display device based on similarity of said statistical features corresponding to the models associated with the graphical representations.
  - 17. The method of claim 15, wherein the characterizing includes calculating, with the computer, a proximity between the network activity data and each model.
  - 18. The method of claim 15, wherein the network activity is classified as normal activity or threat activity based on a result of the characterizing.
  - 19. The method of claim 15, wherein the network activity is classified as a zero day attack when the network activity data is determined to have a distance from each of the models that is above a predetermined threshold.
  - 20. The method of claim 15, wherein the models include a group of normal network activity models and a group of attack network activity models.
  - 21. The method of claim 20, wherein each statistical feature of a corresponding model from said plurality of statistical features indicates whether the network activity data is more likely correlated with the group of normal network activity models or with the group of attack network activity models.
  - 22. The method of claim 15, wherein the models are MDL models.
  - 27. The method of claim 15, wherein the network activity data is received from a network connecting a truck and a satellite.

28. A network intrusion visualization system comprising:
- a computer coupled to a network and adapted to receive data from the network, the computer including a nontransitory computer readable medium having stored thereon software instructions for programming the computer to provide a graphical visualization of monitored network activity, the software instructions, when executed by the computer, cause the computer to perform operations including;
  
  applying a grammar having a plurality of motifs to a network activity data sample to determine a measure of similarity between the data sample and each of a plurality of models representing different network activity behaviors associated with the grammar, the models including a group of normal network activity models and a group of attack network activity models;
  
  characterizing the data sample based on the measure of similarity, including mapping a normalized difference value for each motif of the grammar to generate a plurality of statistical features;
  
  generating a plurality of intelligent icons, each icon corresponding to one of the models and having a respective plurality of graphical representations each corresponding to a different statistical feature representing the normalized difference value of a respective one of the motifs for that model; and
  
  displaying simultaneously the intelligent icons corresponding to both the group of normal network activity models and the group of attack network activity models, and displaying the respective plurality of graphical representations on a display device coupled to the computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Original Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Inventors
Evans, Scott C., Markham, T. Stephen, Bejtlich, Richard, Barnett, Bruce G., Scholz, Bernhard J., Yan, Weizhong, Impson, Jeremy, Steinbrecher, Eric, Mitchell, Robert J. Jr.
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
PARSONS, THEODORE C

Application Number

US12/882,637
Publication Number

US 20110066409A1
Time in Patent Office

699 Days
Field of Search

726 22- 25
US Class Current

726/23
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1416   Event detection, e.g. attac...

H04L 67/75   Indicating network or usage...

Network attack visualization and response through intelligent icons

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Network attack visualization and response through intelligent icons

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links