Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-11-09
2001-11-20
Heckler, Thomas M. (Department: 2182)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C709S224000
Reexamination Certificate
active
06321338
ABSTRACT:
REFERENCE TO APPENDIX
A microfiche appendix is included as part of the specification. The microfiche appendix includes material subject to copyright protection. The copyright owner does not object to the reproduction of the microfiche appendix, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights. This application contains a Microfiche Appendix containing ten (10) slides and 956 frames.
BACKGROUND
The invention relates to computer networks.
Computer networks offer users ease and efficiency in exchanging information. Networks tend to include conglomerates of integrated commercial and custom-made components, interoperating and sharing information at increasing levels of demand and capacity. Such varying networks manage a growing list of needs including transportation, commerce, energy management, communications, and defense.
Unfortunately, the very interoperability and sophisticated integration of technology that make networks such valuable assets also make them vulnerable to attack, and make dependence on networks a potential liability. Numerous examples of planned network attacks, such as the Internet worm, have shown how interconnectivity can be used to spread harmful program code. Accidental outages such as the 1980 ARPAnet collapse and the 1990 AT&T collapse illustrate how seemingly localized triggering events can have globally disastrous effects on widely distributed systems. In addition, organized groups have performed malicious and coordinated attacks against various online targets.
SUMMARY
In general, in one aspect, a method of network surveillance includes receiving network packets (e.g., TCP/IP packets) handled by a network entity and building at least one long-term and at least one short-term statistical profile from at least one measure of the network packets that monitors data transfers, errors, or network connections. A comparison of at least one long-term and at least one short-term statistical profile is used to determine whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity.
Embodiments may include one or more of the following features. The measure may monitor data transfers by monitoring network packet data transfer commands, data transfer errors, and/or monitoring network packet data transfer volume. The measure may monitor network connections by monitoring network connection requests, network connection denials, and/or a correlation of network connections requests and network connection denials. The measure may monitor errors by monitoring error codes included in a network packet such as privilege error codes and/or error codes indicating a reason a packet was rejected.
The method may also include responding based on the determination of whether the difference between a short-term statistical profile and a long-term statistical profile indicates suspicious network activity. A response may include altering analysis of network packets and/or severing a communication channel. A response may include transmitting an event record to a network monitor, such as a hierarchically higher network monitor and/or a network monitor that receives event records from multiple network monitors.
The network entity may be a gateway, a router, or a proxy server. The network entity may instead be a virtual private network entity (e.g., node).
In general, in another aspect, a method of network surveillance includes monitoring network packets handled by a network entity and building a long-term and multiple short-term statistical profiles of the network packets. A comparison of one of the multiple short-term statistical profiles with the long-term statistical profile is used to determine whether the difference between that short-term statistical profile and the long-term statistical profile indicates suspicious network activity.
Embodiments may include one or more of the following. The multiple short-term statistical profiles may monitor different anonymous FTP sessions. Building multiple short-term statistical profiles may include deinterleaving packets to identify a short-term statistical profile.
In general, in another aspect, a computer program product, disposed on a computer readable medium, includes instructions for causing a processor to receive network packets handled by a network entity and to build at least one long-term and at least one short-term statistical profile from at least one measure of the network packets that monitors data transfers, errors, or network connections. The instructions compare a short-term and a long-term statistical profile to determine whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity.
In general, in another aspect, a method of network surveillance includes receiving packets at a virtual private network entity and statistically analyzing the received packets to determine whether the packets indicate suspicious network activity. The packets may or may not be decrypted before statistical analysis.
Advantages may include one or more of the following. Using long-term and short-term statistical profiles from measures that monitor data transfers, errors, or network connections protects network components from intrusion. As long-term profiles represent “normal” activity, abnormal activity may be detected without requiring an administrator to catalog each possible attack upon a network. Additionally, the ability to deinterleave packets to create multiple short-term profiles for comparison against a long-term profile enables the system to detect abnormal behavior that would be statistically ameliorated if only a single short-term profile were created.
The scheme of communication network monitors also protects networks from more global attacks. For example, an attack made upon one network entity may cause other entities to be alerted. Further, a monitor that collects event reports from different monitors may correlate activity to identify attacks causing disturbances in more than one network entity.
Additionally, statistical analysis of packets handled by a virtual private network enables detection of suspicious network activity despite virtual private network security techniques such as encryption of the network packets.
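As an added illustration (not code from the patent, nor from SRI's implementation), the following Python sketches the comparison the summary describes: a long-term profile built from counts per measure, short-term profiles built per session after deinterleaving the packets, and an event record for any session whose difference from the long-term profile exceeds a threshold. The measure names, the session key, the total-variation distance used as the difference, and all packet counts are my own assumptions, constructed for the example; the constructed window also shows the point made above, that a single short-term profile over all sessions would not exceed the threshold while the per-session profile does.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Measures the summary names: data-transfer commands/errors, privilege errors,
# connection requests and connection denials (the identifiers are my own choice).
MEASURES = ("xfer_cmd", "xfer_err", "priv_err", "conn_req", "conn_deny")

@dataclass
class Packet:
    session: str   # hypothetical session key recovered from the packet headers
    measure: str   # which measure this packet counts toward

def build_profile(packets):
    """Statistical profile: fraction of the packets falling in each measure."""
    counts = Counter(p.measure for p in packets)
    total = max(len(packets), 1)
    return {m: counts[m] / total for m in MEASURES}

def profile_difference(short, long_):
    """Total-variation distance in [0, 1] between short- and long-term profiles."""
    return 0.5 * sum(abs(short[m] - long_[m]) for m in MEASURES)

def deinterleave(packets):
    """Split a window of mixed-session packets into one packet list per session."""
    by_session = defaultdict(list)
    for p in packets:
        by_session[p.session].append(p)
    return by_session

def suspicious_sessions(long_term, window, threshold=0.3):
    """Event records for sessions whose short-term profile deviates too far."""
    events = []
    for sess, pk in sorted(deinterleave(window).items()):
        diff = profile_difference(build_profile(pk), long_term)
        if diff > threshold:
            events.append({"session": sess, "difference": round(diff, 3), "packets": len(pk)})
    return events

def _burst(session, spec):
    """Constructed packets for one session: spec maps measure -> count."""
    return [Packet(session, m) for m, n in spec.items() for _ in range(n)]

# Constructed history: mostly transfer commands, a few connects, rare errors.
LONG_TERM = build_profile(_burst("hist", {"xfer_cmd": 90, "conn_req": 8, "xfer_err": 2}))

# Constructed window: two benign FTP sessions plus one session made only of
# privilege errors and connection denials.
WINDOW = (_burst("ftp-A", {"xfer_cmd": 45, "conn_req": 4, "xfer_err": 1})
          + _burst("ftp-B", {"xfer_cmd": 45, "conn_req": 4, "xfer_err": 1})
          + _burst("ftp-C", {"priv_err": 5, "conn_deny": 5}))
```

Calling `suspicious_sessions(LONG_TERM, WINDOW)` reports only `ftp-C`, while `profile_difference(build_profile(WINDOW), LONG_TERM)` over the whole window stays under the threshold because the two benign sessions dilute it.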
Other features and advantages will become apparent from the following description, including the drawings, and from the claims.
REFERENCES:
patent: 4672609 (1987-06-01), Humphrey et al.
patent: 4773028 (1988-09-01), Tallman
patent: 5210704 (1993-05-01), Husseiny
patent: 5539659 (1996-07-01), McKee et al.
patent: 5557742 (1996-09-01), Smaha et al.
patent: 5706210 (1998-01-01), Kumano et al.
patent: 5790799 (1998-08-01), Mogul
patent: 5974237 (1999-10-01), Shurmer et al.
patent: 6009467 (1999-12-01), Ratcliff et al.
Debar et al., “A Neural Network Component for an Intrusion Detection System,” IEEE, 1992.
Denning et al., “Prototype IDES: A Real-Time Intrusion-Detection Expert System,” SRI Project ECU 7508, SRI International, Menlo Park, California, Aug. 1987.
Denning et al., “Requirements and Model For IDES—A Real-Time Intrusion-Detection Expert System,” SRI Project 6169, SRI International, Menlo Park, CA, Aug. 1985.
Denning, “An Intrusion-Detection Model,” SRI International, Menlo Park, CA, Technical Report CSL-149, Nov. 1985.
Dowell, “The Computerwatch Data Reduction Tool,” AT&T Bell Laboratories, Whippany, New Jersey.
Fox et al., “A Neural Network Approach Towards Intrusion Detection,” Harris Corporation, Government Information Systems Division, Melbourne, FL, Jul. 2, 1990.
Garvey et al., “Model-Based Intrusion Detection,” Proceedings of the 14th National Computer Security Conference, Washington, DC, Oct. 1991.
Ilgun et al., “State Transition Analysis: A Rule-Based Intrusion Detection Approach,” IEEE Transactions on Software Engineering, vol. 21, No. 3, Mar. 1995.
Javitz et al., “The SRI IDES Statistical Anomaly Detector,” Proceedings, 1991 IEEE Symposium on Security and Privacy, Oakland, California, May 1991.
Porras Phillip A.
Valdes Alfonso
Fish & Richardson P.C.
Heckler Thomas M.
SRI - International