Method of detecting anomalous behaviour in a computer network

US 8,631,464 B2
Filed: 04/19/2005
Issued: 01/14/2014
Est. Priority Date: 04/20/2004
Status: Active Grant

First Claim

Patent Images

1. Method of detecting anomalous behavior in a computer network comprising the steps of:

monitoring network traffic flowing in a computer network system,authenticating users to which network packets of the network traffic are associated, comprising receiving kernel events requesting a connection, modifying the kernel events, transmitting the modified kernel events to a kernel of the operating system, generating connection and authentication information in the kernel, and sending authentication packets containing the authentication information and connection request information to an anomaly detection system in the computer network,extracting parameters associated to authentication packets for each user, said parameters including at least a type (T) of network services, and a network internet protocol group (N) being addressed,forming symbols based on a combination of one or more of said parameters, wherein at least some said symbols are based on a combination of a plurality of said parameters, andmodeling and analyzing individual user behavior based on sequences of occurrence of said symbols (S).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method of detecting anomalous behavior in a computer network comprising the steps of—monitoring network traffic flowing in a computer network system,—authenticating users to which network packets of the network traffic are associated,—extracting parameters associated to the network packets for each user, said parameters including at least the type (T) of network services,—forming symbols based on a combination of one or more of said parameters, and—modeling and analyzing individual user behavior based on sequences of occurrence of said symbols (S).

104 Citations

View as Search Results

15 Claims

1. Method of detecting anomalous behavior in a computer network comprising the steps of:
- monitoring network traffic flowing in a computer network system,authenticating users to which network packets of the network traffic are associated, comprising receiving kernel events requesting a connection, modifying the kernel events, transmitting the modified kernel events to a kernel of the operating system, generating connection and authentication information in the kernel, and sending authentication packets containing the authentication information and connection request information to an anomaly detection system in the computer network,extracting parameters associated to authentication packets for each user, said parameters including at least a type (T) of network services, and a network internet protocol group (N) being addressed,forming symbols based on a combination of one or more of said parameters, wherein at least some said symbols are based on a combination of a plurality of said parameters, andmodeling and analyzing individual user behavior based on sequences of occurrence of said symbols (S).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. Method according to claim 1, wherein the parameters extracted include a frequency (F) of connections in a service.
  - 3. Method according to claim 2, wherein the parameters extracted include a duration (D) between first and last connection in a service.
  - 4. Method according to claim 3, wherein the parameters of frequency (F) and duration (D) of user services are quantified with either a fixed step quantification algorithm or a K-means clustering algorithm.
  - 5. Method according to claim 1, wherein the parameters extracted include a period of day and a number of bytes.
  - 6. Method according to claim 1, wherein each different combination of parameters extracted forms a different symbol.
  - 7. Method according to claim 1, wherein user behavior is modeled by modeling the sequences of symbols (S) using Hidden Markov Models (HMM).
  - 8. Method according to claim 1, wherein the symbols are classified in a form of a hierarchical tree of decreasing importance, where a highest level includes generic symbols for each type of service with any value in network internet protocol group, frequency and duration, a next lower level includes a type of network internet protocol group with any value in frequency and duration and subsequent levels correspond to symbols including frequency and duration.
  - 9. Method according to claim 8, wherein a number of symbols are reduced by selecting an S most frequent symbols at a lowest level and summing a rest of the symbols at the lowest level to form a rest symbol value R.
  - 10. Method according to claim 9, wherein, if a value of the rest symbol R is greater than a value M_sof a least frequent selected symbol, symbols are fused to a next higher level.
  - 11. Method according to claim 1, wherein the type of network service parameter (T) is derived from a logical port.

12. Anomaly detection system comprising an authentication module and anomaly detection system platform installed and deployed in a protected computer network system and configured tomonitor, with a computer, network traffic flowing in a computer network system,authenticate, with a computer, users to which network packets of the network traffic are associated by means of the authentication module, comprising receiving kernel events requesting a connection, modifying the kernel events, transmitting the modified kernel events to a kernel of the operating system, generating connection and authentication information in the kernel, and sending authentication packets containing the authentication information and connection request information to the anomaly detection system platform,extract, with a computer, parameters associated to authentication packets for each user, said parameters including at least a type (T) of network services, and a network internet protocol group (N) being addressed,form, with a computer, symbols based on a combination of one or more of said parameters, wherein at least some said symbols are based on a combination of a plurality of said parameters, andmodel and analyze, with a computer individual user behavior based on sequences of occurrence of said symbols (S).
- View Dependent Claims (13, 14, 15)
- - 13. System according to claim 12, wherein the authentication module is deployed within a high priority thread to which maximum available central processing unit time is assigned.
  - 14. System according to claim 12, further comprising a synchronization functional block for controlling and organizing incoming connections into corresponding User threads.
  - 15. System according to claim 14, further comprising a User thread functional block for generating User models from isolated independent User threads received from the synchronization functional block.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecole polytechnique fãdãrale de lausanne epfl (Schweizerische Eidgenossenschaft)
Original Assignee
Ecole polytechnique fãdãrale de lausanne epfl (Schweizerische Eidgenossenschaft)
Inventors
Belakhdar, Omar, Bados, Pedro, Faltings, Boi
Primary Examiner(s)
Shiferaw, Eleni A
Assistant Examiner(s)
Branske, Hilary

Application Number

US11/578,866
Publication Number

US 20070240207A1
Time in Patent Office

3,192 Days
Field of Search

726/3, 726/12, 726/13, 726/22, 726/23, 726/25, 713/150, 713/153, 713/154, 713/162, 706/16, 706/22, 706/26, 706/31, 706/45, 706/46, 706/47, 706/48, 706/934
US Class Current

726/3
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/552   involving long-term monitor...

H04L 63/08   for authentication of entit...

H04L 63/1408   by monitoring network traff...

Method of detecting anomalous behaviour in a computer network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

104 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method of detecting anomalous behaviour in a computer network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

104 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links