Network intrusion detection with distributed correlation

US 9,560,068 B2
Filed: 07/12/2013
Issued: 01/31/2017
Est. Priority Date: 01/13/2010
Status: Active Grant

First Claim

Patent Images

1. A method for detecting an intrusion attempt in a network comprising a plurality of host machines, the method comprising:

receiving, at a first host machine, one or more security reports relating to one or more host machines of the plurality of host machines in the network, the one or more security reports summarizing security data based on network traffic at a respective host machine indicative of a possible intrusion attempt and/or context data local to the respective host machine;

correlating, at the first host machine, the one or more security reports with security data based on network traffic at the first host machine;

associating, at the first host machine, a level of security concern based at least on the correlation exceeding a threshold; and

based at least on the level of security concern indicating a network intrusion attempt, notifying at least one other host machine of the plurality of host machines of the level of security concern.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be to indicated and protective action may be taken.

31 Citations

View as Search Results

20 Claims

1. A method for detecting an intrusion attempt in a network comprising a plurality of host machines, the method comprising:
- receiving, at a first host machine, one or more security reports relating to one or more host machines of the plurality of host machines in the network, the one or more security reports summarizing security data based on network traffic at a respective host machine indicative of a possible intrusion attempt and/or context data local to the respective host machine;
  
  correlating, at the first host machine, the one or more security reports with security data based on network traffic at the first host machine;
  
  associating, at the first host machine, a level of security concern based at least on the correlation exceeding a threshold; and
  
  based at least on the level of security concern indicating a network intrusion attempt, notifying at least one other host machine of the plurality of host machines of the level of security concern.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the correlation of the one or more security reports is performed by a second host machine of the plurality of host machines.
  - 3. The method of claim 1, further comprising:
    - removing a security report from consideration when the security report is associated with a compromised one of the plurality of host machines.
  - 4. The method of claim 1, wherein the first host machine is connected to the network by a wireless connection.
  - 5. The method of claim 1, wherein the first host machine is a virtual machine.
  - 6. The method of claim 1, further comprising:
    - monitoring, at the first host machine, local network activity at the first host machine; and
      
      decrypting network traffic data received at the first host machine.
  - 7. The method of claim 1, wherein the one or more security reports comprises data generated by at least one host protection technology operatively connected to a second host machine.

8. A system for detecting a security threat to a network comprising a plurality of host machines, the system comprising:
- a first processor and a memory, the first processor executing instructions that;
  
  receives one or more security reports relating to one or more host machines of the plurality of host machines, the one or more security reports based on security data associated with network traffic at a respective host machine indicative of a possible intrusion attempt at the respective host machine;
  
  correlates the one or more security reports with security data from the first processor;
  
  associates a level of security concern based on the correlation exceeding a threshold; and
  
  based at least on the level of security concern indicating a network intrusion attempt, generates a second security report indicating a suspected network intrusion attempt.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8, wherein the first processor correlates the one or more security reports with known patterns indicative of an intrusion attempt.
  - 10. The system of claim 8, wherein the first processor sends the second security report to at least one other host machine of the plurality of host machines.
  - 11. The system of claim 8, wherein the one or more security reports include a source of network traffic associated with an intrusion attempt.
  - 12. The system of claim 8, wherein the one or more security reports include information on local network interactions at a particular one of the plurality of host machines.
  - 13. The system of claim 8, wherein at least one of the plurality of the host machines is a virtual machine.
  - 14. The system of claim 8, wherein at least one of the one or more security reports include security data that has been correlated by a respective host machine with security data received from at least another one of the plurality of host machines.
  - 15. The system of claim 8, the first processor executing further instructions that removes a security report from consideration when the security report is associated with a compromised one of the plurality of host machines.

16. A device, comprising:
- at least one processor and a memory;
  
  the at least one processor configured to;
  
  receive at least one security report relating to one or more host machines in a network, the at least one security report based on security data associated with network traffic at a respective host machine indicative of a possible intrusion attempt at the respective host machine;
  
  correlate the at least one security report with security data associated with the device;
  
  associate a level of security concern based on the correlation exceeding a threshold; and
  
  based at least on the level of security concern indicating a network intrusion attempt, generate a second security report indicating a suspected network intrusion attempt.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The device of claim 16, wherein the level of security concern is associated with a percentage or weighted combination of other host machines indicating a security concern about a common intrusion or a sequence of events.
  - 18. The device of claim 16, wherein the correlation of the security reports is performed by a second host machine.
  - 19. The device of claim 16, wherein the security data includes one or more of:
    - hardware associated with the device;
      
      software installed on the device;
      
      tasks being executed on the device at a time of a suspected intrusion attempt; and
      
      recent activity occurring prior to a time of a suspected intrusion attempt.
  - 20. The device of claim 16, wherein the at least one processor is further configured to:
    - monitor local network activity at the device; and
      
      decrypt network traffic data received at the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Figlin, Igal, Zavalkovsky, Arthur, Arzi, Lior, Hudis, Efim, Lemond, Jennifer R., Fitzgerald, Robert Eric, Ahmed, Khaja E., Williams, Jeffrey S., Hardy, Edward W.
Primary Examiner(s)
LE, CHAU D

Application Number

US13/941,067
Publication Number

US 20130305371A1
Time in Patent Office

1,299 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/205   involving negotiation or de...

Network intrusion detection with distributed correlation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network intrusion detection with distributed correlation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links