Alphabet – Ioannis Giokas, Crypteia Networks SA

Abstract for “System and Method for Identifying Infected Networks and Systems from Unknown Attacks”

“Systems and methods of the present disclosure are directed to a network security monitor. The monitor receives, via a first computer network, a plurality of logs from a second computer network; the logs indicate a status of the second network. Based on the log format, the monitor generates indexed logs. The monitor retrieves a list of threat indicators from a database built, according to a schema, from threat indicators received from a plurality of heterogeneous repositories via the first computer network. The monitor compares the list of threat indicators with the indexed logs and generates, based on the comparison, a report that identifies a threat.”

Background for “System and Method for Identifying Infected Networks and Systems from Unknown Attacks”

Computer networks and systems may have vulnerabilities that can be exploited by an attack or threat. An exploited vulnerability can negatively affect the operation of the network, for example by slowing data flow over the network or preventing users from accessing resources.

“The present disclosure relates generally to network security measures such as intrusion detection systems (IDS) and intrusion prevention systems (IPS). A network security tool can identify networks and systems infected by an unknown attack. The tool collects log information from a protected system together with threat indicator information, e.g., information from large networks or third-party networks and from various organizations, standards bodies, or corporations. The network security monitor uses a schema to index the logs and the threat indicator lists, and determines whether the network is compromised by an advanced persistent threat (APT): a threat that persists in a network for an extended period (e.g., many weeks, several months, or hundreds of days) in order to collect and manipulate network data.”

Computer networks are used by companies, private groups, and organizations to communicate, store information, execute transactions, and schedule services. A computer network can be isolated, but most computer networks are connected to the Internet so that information can be sent to remote locations. A private network hosted over the Internet can link multiple company locations into a single network, so that information such as word-processing documents can be sent quickly between distant sites. Networks can also be set up so that other parties can communicate with the network via the Internet; this is the case for electronic commerce, one of the most popular and widely used business practices on the Internet. External access can also be granted in other situations, for example so that a member of the network, such as a company employee, can access information on the network while not physically present at the company’s location. Remote access, electronic commerce, and other interactions with the network are among the benefits of outside access.

However, outside access to a network has drawbacks. External attackers may attempt to harm the network or steal data from it. Network owners may suffer significant harm if attackers steal confidential or proprietary information such as password lists or design plans. The stolen information can then be used for further malicious purposes, including identity theft, further information theft, and asset theft. These malicious activities can be costly to their victims, so it is important to minimize the risk of a breach of network security.

Networks may employ and maintain security measures in response to threats, such as firewalls, intrusion detection systems, intrusion prevention systems, and combined intrusion detection and prevention systems. A firewall is a security measure that controls the flow of information into a network by inspecting incoming data packets and comparing them against a set of rules. Packets that the rules deem malicious are dropped. By detecting and dropping malicious traffic, a firewall can protect the network against a variety of external threats.

“An intrusion detection system detects malicious attacks and raises an alarm so that an authorized administrator can be notified and take appropriate action to stop the attack. An intrusion prevention system detects potential attacks and automatically takes action to stop or disrupt them; it may also notify system administrators when an attack has been detected and stopped. A combined intrusion detection and prevention system (IDPS) can detect a potential attack, alert system administrators, and then act to stop the attack. If the attack is stopped successfully, the IDPS notifies the system administrators; it may also notify an administrator if the attack continues.”

An advanced persistent threat (APT) is one type of threat that can be directed at a secured network. Information holders should be concerned about APTs for several reasons. Unlike viruses and brute-force attacks, which infiltrate a network and cause obvious damage, an APT can be invisible to network users. An APT can silently infiltrate a network and gather information, spreading its influence across the network so that it gains greater access to the network’s protected information. An APT can remain in a network for hundreds of days (e.g., 100 to 400 days), collecting and distributing information without being noticed or detected. APTs are often aimed at high-value targets, which allows them to steal valuable information that malicious entities can use to advance their agendas. The APT lifecycle can be described in four stages: preparation, infection, deployment, and maintenance. Because of their persistent and recurring nature, APTs are a costly and destructive threat to large organizations with extensive information networks, and they can also affect the military, defense contractors, and state organizations.

“Systems and methods disclosed herein detect the existence of an APT and alert network administrators so that they can take appropriate action to remove it and repair any damage it has done. The present disclosure provides a network security monitor that can detect networks and systems infected by known or unknown attacks. The network security monitor can detect APTs that were already present in the network before the monitor was deployed, as well as APTs that attempt to penetrate the network after the monitor has been integrated.”

“In certain embodiments, the network security monitor is targeted at the detection of APTs. To detect threats, the network security monitor may use lists of malware, exploits, and untrustworthy IP addresses. These lists can be updated periodically, constantly, dynamically, continuously, or in real time. In some instances the network security monitor updates the lists using crowdsourcing, where crowdsourcing refers to members of an online community contributing one or more of: malware, exploits, untrustworthy IP addresses, IPS signatures, and IDS signatures. The network security monitor can receive, retrieve, parse, or otherwise obtain one or more such crowdsourced lists, which improves the monitor’s coverage of APTs. In some instances, the network security monitor employs techniques from knowledge management and semantics to assist with updating the lists.”

“At least one aspect of this disclosure is directed to a method for managing security of a network infrastructure. The method may include a log collector, executed by a processor of a network security monitor, receiving via a first computer network a plurality of logs from a second computer network. The plurality of logs indicate a status of the second network, which may be determined by a monitoring agent running on the second network. A log indexer executed on the network security monitor generates indexed logs from the plurality of logs based on their log format. The method includes the network security monitor retrieving a list of threat indicators from a database; the list is stored according to a schema and is created from a plurality of threat indicators received from heterogeneous repositories. A log correlation engine executed on the network security monitor compares the list of threat indicators with the indexed logs, and a report engine executed on the network security monitor generates, based on the comparison, a report that identifies a threat.”

“In some embodiments, the method includes an aggregator receiving one or more threat indicators from a plurality of heterogeneous sources via the first computer network, and a normalizer transforming, based on the schema, the one or more threat indicators into the list of threat indicators. The list of threat indicators contains structured information that the correlation engine can use.”

“In some embodiments, the method includes the aggregator of the network security monitor obtaining a first configuration for accessing a first repository via the first computer network and a second configuration for accessing a second repository via the first computer network. The aggregator uses the first configuration to establish a first connection with the first repository via the first computer network, and uses the second configuration to establish a second connection with the second repository via the first computer network. The method may further include the network security monitor updating, based on the schema, the list of threat indicators with at least one threat indicator received from the first or second repository.”

“In some embodiments, the method includes the network security monitor receiving, via the first computer network, a first threat indicator in a first format from a first repository and a second threat indicator in a second format from a second repository. The first repository may differ from the second repository, and the first format may differ from the second format. The method may include the network security monitor transforming the first and second threat indicators, based on the schema, to create the list of threat indicators.”

“In some embodiments, the method includes the network security monitor initiating the comparison by the log correlation engine in response to receiving at least one of an update to the list of threat indicators or a new log from the second computer network.”

“In certain embodiments, the method includes the log correlation engine searching for a correlation between the indexed logs of the second computer network and the list of threat indicators, and identifying a match between the indexed logs of the second computer network and the list of threat indicators.”

“In certain embodiments, the method includes the log correlation engine identifying a portion of the plurality of logs as corresponding to a first type of log format, identifying one or more threat indicators from the list of threat indicators that correspond to the first type, and comparing that portion of the plurality of logs with the one or more threat indicators in order to identify a match.”

“In some embodiments, the method includes the log correlation engine comparing both historical logs and current logs with the one or more threat indicators to identify a match.”

“In some embodiments, the method also includes the log correlation engine instructing or informing the report engine to create the report, responsive to identifying the match based on the comparison.”

“In some embodiments, the second computer network is a secure network that blocks unauthorized access. In some embodiments, the plurality of logs is generated by the monitoring agent, which includes at least one of an anti-virus tool, a network security element, or an intrusion detection system. The plurality of logs may include at least one of a general system log, a network security log, an intrusion detection log, an intrusion prevention system log, or an intrusion detection system log. In some embodiments, the log format includes at least one of a threat log mapping, a traffic log mapping, or an email log mapping.”

“In some embodiments, the method includes the network security monitor entering, via an interface, the indexed logs into memory configured with a data format corresponding to the indexed logs. In some embodiments, the network security monitor transmits the report via the first computer network to an administrator device associated with the second computer network.”
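The following is an added example and is not code from the patent or from Crypteia Networks. It sketches, in Python, the pipeline the method above describes: an aggregator pulls indicators from two heterogeneous repositories in different formats, a normalizer maps them onto one schema, a log indexer parses logs according to their format (a traffic log mapping, a threat log mapping and an email log mapping), a correlation engine compares only the indicator types that map onto each log format’s fields, over historical and current logs, and a report engine summarizes the matches. The two feed formats, the field names, the log line layouts, every indicator and log value, and the function names (aggregate, index_logs, correlate, build_report, run_monitor) are constructed assumptions for illustration.

```python
"""Added example (not the patent's implementation): a minimal indicator
aggregation, log indexing and correlation pipeline. All feeds, log lines,
field names and values below are constructed for this example."""
import csv, io, json, re
from collections import defaultdict

# Repository A (constructed) publishes CSV; repository B (constructed) publishes
# JSON with its own field names. Addresses are documentation ranges only.
REPO_A_CSV = """type,value,source
ipv4,203.0.113.45,community-feed
domain,updates.example-bad.test,community-feed
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,vendor-x
"""
REPO_B_JSON = json.dumps([
    {"indicator_type": "ipv4-addr", "pattern": "198.51.100.7", "provider": "isac-y"},
    {"indicator_type": "email-addr", "pattern": "Payroll@Example-Bad.test", "provider": "isac-y"},
])

# Schema: every indicator becomes (type, value, source); feed-specific type
# names are mapped onto the schema's small set of types.
TYPE_MAP = {"ipv4": "ip", "ipv4-addr": "ip", "domain": "domain",
            "sha256": "hash", "email-addr": "email"}

def normalize_csv(text):
    return [(TYPE_MAP[r["type"]], r["value"].strip().lower(), r["source"])
            for r in csv.DictReader(io.StringIO(text))]

def normalize_json(text):
    return [(TYPE_MAP[r["indicator_type"]], r["pattern"].strip().lower(), r["provider"])
            for r in json.loads(text)]

# Each repository has its own connection configuration; here that is just the
# parser to apply to the text fetched from it.
FEEDS = [(normalize_csv, REPO_A_CSV), (normalize_json, REPO_B_JSON)]

def aggregate(feeds):
    """Aggregator + normalizer: union of all feeds as type -> value -> source."""
    index = defaultdict(dict)
    for parse, text in feeds:
        for itype, value, source in parse(text):
            index[itype][value] = source
    return index

# Log indexer: recognise the log format, then extract named fields from it.
LOG_FORMATS = {
    "traffic": re.compile(r"^(?P<ts>\S+) fw: src=(?P<src_ip>\S+) dst=(?P<dst_ip>\S+) dport=(?P<dport>\d+)"),
    "threat":  re.compile(r"^(?P<ts>\S+) av: file=(?P<file>\S+) sha256=(?P<sha256>[0-9a-fA-F]{64})"),
    "email":   re.compile(r"^(?P<ts>\S+) mta: from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)>"),
}
# Log-format mapping: which indexed field is compared with which indicator type.
FORMAT_FIELDS = {
    "traffic": {"src_ip": "ip", "dst_ip": "ip"},
    "threat":  {"sha256": "hash"},
    "email":   {"sender": "email", "rcpt": "email"},
}

def index_logs(lines):
    indexed = []
    for line in lines:
        for fmt, rx in LOG_FORMATS.items():
            m = rx.match(line)
            if m:
                indexed.append({"format": fmt, "raw": line, **m.groupdict()})
                break  # lines matching no known format are skipped
    return indexed

def correlate(indexed_logs, indicator_index):
    """Correlation engine: for each record, consult only the indicator types
    mapped to its format's fields; compare after case normalisation."""
    matches = []
    for rec in indexed_logs:
        for field, itype in FORMAT_FIELDS[rec["format"]].items():
            source = indicator_index.get(itype, {}).get(rec[field].lower())
            if source is not None:
                matches.append({"ts": rec["ts"], "format": rec["format"], "field": field,
                                "value": rec[field], "indicator_type": itype, "source": source})
    return matches

def build_report(matches):
    """Report engine: a threat is identified when at least one match exists."""
    by_format = defaultdict(int)
    for m in matches:
        by_format[m["format"]] += 1
    return {"threat_detected": bool(matches), "match_count": len(matches),
            "by_format": dict(by_format), "matches": matches}

# Constructed logs from the monitored (second) network: historical and current.
HISTORICAL_LOGS = [
    "2024-03-01T10:00:00Z fw: src=10.0.0.5 dst=203.0.113.45 dport=443",
    "2024-03-01T10:05:00Z mta: from=<alice@corp.test> to=<bob@corp.test>",
]
CURRENT_LOGS = [
    "2024-03-02T09:00:00Z av: file=invoice.pdf.exe sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "2024-03-02T09:01:00Z mta: from=<payroll@example-bad.test> to=<bob@corp.test>",
    "2024-03-02T09:02:00Z fw: src=10.0.0.8 dst=192.0.2.10 dport=80",
    "2024-03-02T09:03:00Z kernel: unrelated message in an unmapped format",
]

def run_monitor(historical=HISTORICAL_LOGS, current=CURRENT_LOGS, feeds=FEEDS):
    """Compares both historical and current logs against the indicator list."""
    return build_report(correlate(index_logs(historical + current), aggregate(feeds)))

if __name__ == "__main__":
    print(json.dumps(run_monitor(), indent=2))
```

Two points in this sketch are the ones that matter in practice. First, the format-to-indicator-type mapping (FORMAT_FIELDS) is what makes the comparison both cheap and meaningful: a hash is never compared against an IP field, and each record only touches the indicator tables relevant to it. Second, both sides are normalized (lowercased, stripped) before comparison; the mixed-case hash in the constructed log and the mixed-case e-mail in the constructed feed would otherwise be missed. A production correlation engine would additionally need CIDR-range indicators, indicator expiry, and a persistent store of indexed logs so that a newly received indicator can be re-checked against history, as the embodiment that re-runs the comparison on each list update requires.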

“Another aspect is directed to a system for managing security of a network infrastructure. The system may include a log collector executed by a processor of a network security monitor. The log collector receives, via a first computer network, a plurality of logs from a second computer network; the plurality of logs indicate a status of the second network, as determined by a monitoring agent running on the second network. A log indexer executed on the network security monitor generates indexed logs from the plurality of logs based on their log format. The network security monitor retrieves a list of threat indicators from a database, the list being stored according to a schema and created from threat indicators received from a plurality of heterogeneous repositories via the first computer network. A log correlation engine executed on the network security monitor compares the list of threat indicators with the indexed logs, and a report engine executed on the network security monitor generates, based on the comparison, a report that identifies a threat.”

“Some embodiments include an aggregator and a normalizer. The aggregator receives one or more threat indicators from a plurality of heterogeneous sources via the first computer network, and the normalizer transforms, based on the schema, the one or more threat indicators into the list of threat indicators. The correlation engine can use the structured information in the list of threat indicators.”

“In some embodiments, the system includes an aggregator configured to obtain a first configuration for accessing a first repository via the first computer network and a second configuration for accessing a second repository via the first computer network. The aggregator is further configured to use the first configuration to establish a first connection with the first repository via the first computer network, and to use the second configuration to establish a second connection with the second repository via the first computer network. The network security monitor may be further configured to update, based on the schema, the list of threat indicators with at least one threat indicator received from the first or second repository.”

“In some embodiments, the network security monitor is further configured to receive, via the first computer network, a first threat indicator in a first format from a first repository and a second threat indicator in a second format from a second repository. The first repository may differ from the second repository, and the first format may differ from the second format. In some embodiments, the network security monitor transforms the first and second threat indicators, based on the schema, into the list of threat indicators.”

“In some embodiments, the log correlation engine is further configured to identify a portion of the plurality of logs as corresponding to a first type of log format, to identify one or more threat indicators from the list of threat indicators that correspond to the first type, and to compare that portion of the plurality of logs with the one or more threat indicators in order to identify a match.”

“In certain embodiments, the log correlation engine is further configured to instruct the report engine to generate the report, responsive to identifying a match based on the comparison.”

“For purposes of reading the description of the various embodiments below, the following descriptions of the sections of the specification and their respective contents may be helpful:”

“Section A describes a network environment and computing environment which may be useful for practicing the embodiments described herein.”

“Section B describes systems and methods for securing a network.”

“A. Computing and Network Environment.”

“Prior to discussing specific embodiments of the present solution, it may be helpful to describe aspects of the operating environment as well as associated system components (e.g., hardware elements) in connection with the methods and systems described herein. Referring to FIG. 1A, an embodiment of a network environment is depicted. In brief overview, the network environment includes one or more clients 102a-102n (also generally referred to as client(s) 102, client node(s) 102, client machine(s) 102, client computer(s) 102, client device(s) 102, or endpoint(s) 102) in communication with one or more servers 106 (also generally referred to as remote machine(s) 106) via one or more networks 104. In some embodiments, a client 102 has the capacity to function both as a client node seeking access to resources provided by a server and as a server providing access to hosted resources for other clients.”

“Although FIG. 1A shows a network 104 between the clients 102 and the servers 106, the clients 102 and the servers 106 may be on the same network 104. In some embodiments, there are multiple networks 104 between the clients 102 and the servers 106. In one of these embodiments, a network 104’ (not shown) may be a private network and a network 104 may be a public network. In another of these embodiments, a network 104 may be a private network and a network 104’ a public network. In still another embodiment, networks 104 and 104’ may both be private networks.”

“The network 104 may be connected via wired or wireless links. Wired links may include Digital Subscriber Line (DSL), coaxial cable lines, or optical fiber lines. Wireless links may include BLUETOOTH, Wi-Fi, Worldwide Interoperability for Microwave Access (WiMAX), an infrared channel, or a satellite band. Wireless links may also include any cellular network standard used to communicate among mobile devices, including standards that qualify as 1G, 2G, 3G, or 4G. Network standards may qualify as one or more generations of mobile telecommunication standards by fulfilling a specification or set of standards; for example, the 3G standards may correspond to the International Mobile Telecommunications-2000 (IMT-2000) specification, and the 4G standards may correspond to the International Mobile Telecommunications Advanced (IMT-Advanced) specification. Examples of cellular network standards include AMPS, GSM, and UMTS. Cellular network standards may use various channel access methods, e.g., FDMA, TDMA, CDMA, or SDMA. In some embodiments, different types of data may be transmitted via different links and standards; in other embodiments, the same types of data may be transmitted via different links and standards.”

The network 104 may be any type and/or form of network. The geographical scope of the network 104 may vary widely: it may be a body area network (BAN), a personal area network (PAN), a local-area network (LAN), e.g., an intranet, a metropolitan area network (MAN), a wide area network (WAN), or the Internet. The topology of the network 104 may be of any form and may include, e.g., any of the following: point-to-point, bus, star, ring, or tree. The network 104 may be an overlay network that is virtual and sits on top of one or more layers of other networks 104’. The network 104 may be of any such network topology known to those ordinarily skilled in the art and capable of supporting the operations described herein. The network 104 may utilize different techniques and layers or stacks of protocols, including, e.g., the Ethernet protocol, the internet protocol suite (TCP/IP), the ATM (Asynchronous Transfer Mode) technique, the SONET (Synchronous Optical Networking) protocol, or the SDH (Synchronous Digital Hierarchy) protocol. The TCP/IP internet protocol suite may include the application layer, the transport layer, and the internet layer (including, e.g., IPv6). The network 104 may be a type of broadcast network, a telecommunications network, a data communication network, or a computer network.

“In some embodiments, the system may include multiple, logically grouped servers 106. In one of these embodiments, the logical group of servers may be referred to as a server farm 38 or a machine farm 38. In another of these embodiments, the servers 106 may be geographically dispersed. In other embodiments, a machine farm 38 may be administered as a single entity. In still other embodiments, the machine farm 38 includes a plurality of machine farms 38.”

In one embodiment, the servers 106 of the machine farm 38 may be stored in high-density rack systems, along with associated storage systems, and located in an enterprise data center. In this embodiment, consolidating the servers 106 in this way may improve system manageability, data security, and system performance by locating the servers 106 and high-performance storage systems on localized high-performance networks. Centralizing the servers 106 and storage systems and coupling them with advanced system management tools allows more efficient use of server resources.

“The servers 106 of each machine farm 38 do not need to be physically proximate to the other servers 106 in the same machine farm 38. Thus, the group of servers 106 logically grouped as a machine farm 38 may be interconnected using a wide-area network (WAN) connection or a metropolitan-area network (MAN) connection. For example, a machine farm 38 may include servers 106 physically located on different continents or in different regions of a continent, country, state, city, or campus. Data transmission speeds between the servers 106 in the machine farm 38 can be increased if the servers 106 are connected using a local-area network (LAN) connection or some form of direct connection. Additionally, a heterogeneous machine farm 38 may include one or more servers 106 operating according to one type of operating system, while one or more other servers 106 execute one or more types of hypervisors rather than operating systems. In these embodiments, hypervisors may be used to emulate virtual hardware, partition physical hardware, virtualize physical hardware, and execute virtual machines that provide access to computing environments, allowing multiple operating systems to run concurrently on a host computer. Native hypervisors may run directly on the host computer; examples include VMware ESX/ESXi, manufactured by VMware, Inc. of Palo Alto, Calif., the Xen hypervisor, an open source product whose development is overseen by Citrix Systems, Inc., and the HYPER-V hypervisors provided by Microsoft or others. Hosted hypervisors may run within an operating system on a second software level; examples of hosted hypervisors include VMware Workstation and VIRTUALBOX.”

“Management of the machine farm 38 may be decentralized. For example, one or more servers 106 may comprise components, subsystems, and modules to support one or more management services for the machine farm 38. In one of these embodiments, one or more servers 106 provide functionality for management of dynamic data, including techniques for handling failover, data replication, and increasing the robustness of the machine farm 38. Each server 106 may communicate with a persistent store and, in some embodiments, with a dynamic store.”

“Server 106 may be a file server, application server, web server, proxy server, gateway, gateway server, virtualization server, deployment server, SSL VPN server, or firewall. In one embodiment, the server 106 may be referred to as a remote machine or a node. In another embodiment, a plurality of nodes 290 may be in the path between any two communicating servers.”

“Referring to FIG. 1B, a cloud computing environment is depicted. A cloud computing environment may provide client 102 with one or more resources provided by a network environment. The cloud computing environment may include one or more clients 102a-102n in communication with the cloud 108 over one or more networks 104. Clients 102 may include, e.g., thick clients, thin clients, and zero clients. A thick client may provide at least some functionality even when disconnected from the cloud 108 or servers 106. A thin client or a zero client may depend on the connection to the cloud 108 or server 106 to provide functionality. A zero client may depend on the cloud 108 or other networks 104 or servers 106 to retrieve operating system data for the client device. The cloud 108 may include back end platforms, e.g., servers 106, storage, server farms, or data centers.”

“The cloud 108 may be public, private, or hybrid. Public clouds may include public servers 106 that are maintained by third parties to the clients 102 or the owners of the clients. The servers 106 may be located off-site in remote geographical locations as disclosed above or otherwise. Public clouds may be connected to the servers 106 over a public network. Private clouds may include private servers 106 that are physically maintained by clients 102 or owners of clients. Private clouds may be connected to the servers 106 over a private network 104. Hybrid clouds 108 may include both private and public networks 104 and servers 106.”

“The cloud 108 may also include a cloud-based delivery, e.g., Software as a Service (SaaS) 110, Platform as a Service (PaaS) 112, and Infrastructure as a Service (IaaS) 114. IaaS may refer to a user renting the use of infrastructure resources that are needed during a specified time period. IaaS providers may offer storage, networking, servers, or virtualization resources from large pools, allowing the users to scale up quickly by accessing more resources as needed. Examples of IaaS include infrastructure and services provided by OVH HOSTING of Montreal, Quebec, Canada, AMAZON WEB SERVICES provided by Amazon.com, Inc., of Seattle, Wash., cloud infrastructure provided by Rackspace US, Inc., of San Antonio, Tex., Google Compute Engine provided by Google Inc. of Mountain View, Calif., or RIGHTSCALE provided by RightScale, Inc., of Santa Barbara, Calif. PaaS providers may offer the functionality provided by IaaS, including, e.g., storage, networking, servers, or virtualization, as well as additional resources such as, e.g., the operating system, middleware, or runtime resources. Examples of PaaS include WINDOWS AZURE provided by Microsoft Corporation of Redmond, Wash., Google App Engine provided by Google Inc., and HEROKU provided by Heroku, Inc. of San Francisco, Calif. SaaS providers may offer the resources that PaaS provides, including storage, networking, servers, virtualization, operating system, middleware, or runtime resources. In some embodiments, SaaS providers may offer additional resources including, e.g., data and application resources. Examples of SaaS include GOOGLE APPS provided by Google Inc., SALESFORCE provided by Salesforce.com Inc. of San Francisco, Calif., or OFFICE 365 provided by Microsoft Corporation. Examples of SaaS may also include data storage providers, e.g., DROPBOX provided by Dropbox, Inc. of San Francisco, Calif., Microsoft SKYDRIVE provided by Microsoft Corporation, Google Drive provided by Google Inc., or Apple ICLOUD provided by Apple Inc. of Cupertino, Calif.”

Clients 102 may access IaaS resources with one or more IaaS standards, including, e.g., Amazon Elastic Compute Cloud, Open Cloud Computing Interface, Cloud Infrastructure Management Interface, or OpenStack standards. Some IaaS standards allow clients to access resources over HTTP, and may use the Representational State Transfer (REST) protocol or the Simple Object Access Protocol (SOAP). Clients 102 may access PaaS resources with different PaaS interfaces. Some PaaS interfaces use HTTP packages, the JavaMail API, Java Data Objects (JDO), the Java Persistence API (JPA), Python APIs, web integration APIs for different programming languages including, e.g., Rack for Ruby, WSGI for Python, or PSGI for Perl, or other APIs built on REST, HTTP, XML, or other protocols. Clients 102 may access SaaS resources through web-based user interfaces provided by a web browser (e.g., GOOGLE CHROME or Microsoft INTERNET EXPLORER). Clients 102 may also access SaaS resources through smartphone or tablet applications, including, e.g., Salesforce Sales Cloud or the Google Drive app. Clients 102 may also access SaaS resources through the client operating system, including, e.g., the Windows file system for DROPBOX.

“In some embodiments, access to IaaS, PaaS, or SaaS resources may be authenticated. For example, a server or authentication server may authenticate a user via security certificates, HTTPS, or API keys. API keys may include various encryption standards such as, e.g., Advanced Encryption Standard (AES). Data resources may be sent over Transport Layer Security (TLS) or Secure Sockets Layer (SSL).”

“The client 102 and server 106 may be deployed as and/or executed on any type and form of computing device, e.g., a computer, network device, or appliance capable of communicating on any type and form of network and performing the operations described herein. FIGS. 1C and 1D depict block diagrams of a computing device 100 useful for practicing an embodiment of the client 102 or a server 106. As shown in FIGS. 1C and 1D, each computing device 100 includes a central processing unit 121 and a main memory unit 122. As shown in FIG. 1C, a computing device 100 may include a storage device 128, an installation device 116, a network interface 118, an I/O controller 123, display devices 124a-124n, a keyboard 126, and a pointing device such as a mouse. The storage device 128 may include, without limitation, an operating system, software, and software of a network security monitor (NSM) 120. As shown in FIG. 1D, each computing device 100 may also include additional optional elements, e.g., a memory port 103, a bridge 170, one or more input/output devices 130a-130n (generally referred to using reference numeral 130), and a cache memory 140 in communication with the central processing unit 121.”

“The central processing unit 121 is any logic circuitry that responds to and processes instructions fetched from the main memory unit 122. In many embodiments, the central processing unit 121 is provided by a microprocessor unit, e.g., those manufactured by Intel Corporation of Mountain View, Calif.; those manufactured by Motorola Corporation of Schaumburg, Ill.; the ARM processor and TEGRA system on a chip (SoC) manufactured by Nvidia of Santa Clara, Calif.; the POWER7 processor manufactured by International Business Machines of White Plains, N.Y.; or those manufactured by Advanced Micro Devices of Sunnyvale, Calif. The computing device 100 may be based on any of these processors, or any other processor capable of operating as described herein. The central processing unit 121 may utilize instruction level parallelism, thread level parallelism, different levels of cache, and multi-core processors. A multi-core processor may include two or more processing units on a single computing component. Examples of multi-core processors include the AMD PHENOM II X2, the INTEL CORE i5, and the INTEL CORE i7.”

“Main memory unit 122 may include one or more memory chips capable of storing data and allowing any storage location to be directly accessed by the microprocessor 121. Main memory unit 122 may be volatile and is typically faster than storage 128. Main memory unit 122 may be Dynamic random-access memory (DRAM) or any variant thereof, including Burst SRAM or SynchBurst SRAM (BSRAM), Fast Page Mode DRAM (FPM DRAM), Extended Data Output RAM (EDO RAM), Extended Data Output DRAM (EDO DRAM), Burst Extended Data Output DRAM (BEDO DRAM), Single Data Rate Synchronous DRAM (SDR SDRAM), Double Data Rate SDRAM (DDR SDRAM), Direct Rambus DRAM (DRDRAM), or Extreme Data Rate DRAM (XDR DRAM). In some embodiments, the main memory 122 or the storage 128 may be non-volatile, e.g., non-volatile read access memory (NVRAM), flash memory non-volatile static RAM (nvSRAM), Ferroelectric RAM (FeRAM), Magnetoresistive RAM (MRAM), Phase-change memory (PRAM), conductive-bridging RAM (CBRAM), Silicon-Oxide-Nitride-Oxide-Silicon (SONOS), Resistive RAM (RRAM), Racetrack, Nano-RAM (NRAM), or Millipede memory. The main memory 122 may be based on any of the above described memory chips, or any other available memory chips capable of operating as described herein. In the embodiment shown in FIG. 1C, the processor 121 communicates with main memory 122 via a system bus 150 (described in more detail below). FIG. 1D depicts an embodiment of a computing device 100 in which the processor communicates directly with main memory 122 via a memory port 103. For example, in FIG. 1D the main memory 122 may be DRDRAM.”

In other embodiments, the main processor 121 communicates with cache memory 140 using the system bus 150. Cache memory 140 typically has a faster response time than main memory 122 and is typically provided by SRAM, BSRAM, or EDRAM. In the embodiment shown in FIG. 1D, the processor 121 communicates with various I/O devices 130 via a local system bus 150. Various buses may be used to connect the central processing unit 121 to any of the I/O devices 130, including a PCI bus, a PCI-X bus, a PCI Express bus, or a NuBus. For embodiments in which the I/O device is a video display 124, the processor 121 may use an Advanced Graphics Port (AGP) to communicate with the display 124 or with the I/O controller 123 for the display 124. FIG. 1D depicts an embodiment of a computer 100 in which the main processor 121 communicates directly with I/O device 130b or other processors via HYPERTRANSPORT or RAPIDIO communications technology. FIG. 1D also depicts an embodiment in which local buses and direct communication are mixed: the processor 121 communicates with I/O device 130a using a local interconnect bus while communicating with I/O device 130b directly.

A wide variety of I/O devices 130a-130n may be present in the computing device 100. Input devices may include trackpads and trackballs. Output devices may include video displays, graphical displays, and speakers.

Devices 130a-130n may include a combination of multiple input or output devices, including, e.g., Microsoft KINECT, Nintendo Wiimote for the WII, Nintendo WII U GAMEPAD, or Apple IPHONE. Some devices 130a-130n allow gesture recognition inputs by combining some of the inputs and outputs. Some devices 130a-130n provide for facial recognition, which may be utilized as an input for different purposes including authentication and other commands. Some devices 130a-130n provide for voice recognition and inputs, including, e.g., Microsoft KINECT, SIRI for IPHONE by Apple, or Google Now.

Additional devices 130a-130n have both input and output capabilities, including, e.g., haptic feedback devices, touchscreen displays, or multi-touch displays. Touchscreen, multi-touch displays, touchpads, touch mice, or other touch sensing devices may use different technologies to sense touch, including, e.g., capacitive, surface capacitive, projected capacitive touch (PCT), resistive, infrared, waveguide, dispersive signal touch (DST), in-cell optical, surface acoustic wave (SAW), bending wave touch (BWT), or force-based sensing technologies. Some multi-touch devices may allow two or more contact points with the surface, allowing advanced functionality including, e.g., pinch, spread, rotate, scroll, or other gestures. Some touchscreen devices, including, e.g., Microsoft PIXELSENSE or the Multi-Touch Collaboration Wall, may have larger surfaces, such as on a table-top or on a wall, and may also interact with other electronic devices. Some I/O devices 130a-130n, display devices 124a-124n or groups of devices may be augmented reality devices. The I/O devices may be controlled by an I/O controller 123 as shown in FIG. 1C. An I/O device may also provide storage and/or an installation medium for the computing device 100. In still other embodiments, the computing device 100 may provide USB connections (not shown) to receive handheld USB storage devices. In further embodiments, an I/O device 130 may be a bridge between the system bus 150 and an external communication bus, e.g., a USB bus, a SCSI bus, a FireWire bus, an Ethernet bus, a Gigabit Ethernet bus, a Fibre Channel bus, or a Thunderbolt bus.

In some embodiments, display devices 124a-124n may be connected to I/O controller 123. Display devices may include, e.g., liquid crystal displays (LCD), thin film transistor LCD (TFT-LCD), blue phase LCD, electronic paper (e-ink) displays, and liquid crystal on silicon (LCOS) displays. Display devices 124a-124n may also be 3D displays, using, e.g., stereoscopy, polarization filters, or active shutters. Display devices 124a-124n may also be head-mounted displays (HMD). In some embodiments, display devices 124a-124n or the corresponding I/O controllers 123 may be controlled through or have hardware support for OPENGL or DIRECTX API or other graphics libraries.

In some embodiments, the computing device 100 may include or connect to multiple display devices 124a-124n, which each may be of the same or different type and/or form. As such, any of the I/O devices 130a-130n and/or the I/O controller 123 may include any type and/or form of suitable hardware, software, or combination of hardware and software to support, enable or provide for the connection and use of multiple display devices 124a-124n by the computing device 100. For example, the computing device 100 may include any type and/or form of video adapter, video card, driver, and/or library to interface, communicate, connect or otherwise use the display devices 124a-124n. In other embodiments, software may be designed and constructed to use another computer's display device as a second display device 124a for the computing device 100. For example, an Apple iPad may connect to a computing device 100 and use the display of the device 100 as an additional display screen that may be used as an extended desktop. One ordinarily skilled in the art will recognize and appreciate the various ways and embodiments that a computing device 100 may be configured to have multiple display devices 124a-124n.

Referring again to FIG. 1C, the computing device 100 may comprise a storage device 128, e.g., a hard disk drive (HDD); an optical drive including a CD drive, DVD drive, or Blu-ray drive; a solid-state drive (SSD); a USB flash drive; or any other device suitable for storing data. Some storage devices may include multiple volatile and non-volatile memories, including, e.g., solid state hybrid drives that combine hard disks with solid state cache. Some storage device 128 may be non-volatile, mutable, or read-only. Some storage device 128 may be internal and connect to the computing device 100 via a bus 150. Some storage device 128 may be external and connect to the computing device 100 via an I/O device 130 that provides an external bus. Some storage device 128 may connect to the computing device 100 via the network interface 118 over a network 104, including, e.g., the Remote Disk for MACBOOK AIR by Apple. Some client devices 100 may not require a non-volatile storage device 128 and may be thin clients or zero clients. Some storage device 128 may also be used to install software and programs 116. Additionally, the operating system and the software can be run from a bootable medium, for example, a bootable CD, e.g., KNOPPIX, a bootable CD for GNU/Linux that is available as a GNU/Linux distribution from knoppix.net.

Client device 100 may also install software or applications from an application distribution platform. Examples of application distribution platforms include the App Store for iOS provided by Apple, Inc., the Mac App Store provided by Apple, Inc., GOOGLE PLAY for Android OS provided by Google Inc., Chrome Webstore for CHROME OS provided by Google Inc., and Amazon Appstore for Android OS and KINDLE FIRE provided by Amazon.com, Inc. An application distribution platform may include a repository of applications on a server 106 or a cloud 108, which the clients 102a-102n may access over a network 104. An application distribution platform may include applications developed and provided by various developers. A user of a client device 102 may select, purchase and/or download an application via the application distribution platform.

Furthermore, the computing device 100 may include a network interface 118 to interface to the network 104 through a variety of connections including, but not limited to, standard telephone lines, LAN or WAN links (e.g., 802.11, T3, Gigabit Ethernet, Infiniband), broadband connections (e.g., ISDN, Frame Relay, ATM, Gigabit Ethernet, Ethernet-over-SONET, ADSL, VDSL, BPON, GPON, fiber optical including FiOS), or some combination of any or all of the above. Connections can be established using a variety of communication protocols (e.g., TCP/IP, Ethernet, ARCNET, SONET, SDH, Fiber Distributed Data Interface (FDDI), IEEE 802.11a/b/g/n/ac, CDMA, GSM, WiMax and direct asynchronous connections). In one embodiment, the computing device 100 communicates with other computing devices 100 via any type and/or form of gateway or tunneling protocol, e.g., Secure Socket Layer (SSL), Transport Layer Security (TLS), or the Citrix Gateway Protocol manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Fla. The network interface 118 may comprise a built-in network adapter, network interface card, PCMCIA network card, EXPRESSCARD network card, card bus network adapter, wireless network adapter, USB network adapter, modem or any other device suitable for interfacing the computing device 100 to any type of network capable of communication and performing the operations described herein.

A computing device 100 of the sort depicted in FIGS. 1B and 1C may operate under the control of an operating system, which controls scheduling of tasks and access to system resources. The computing device 100 can be running any operating system such as any of the versions of the MICROSOFT WINDOWS operating systems, the different releases of the Unix and Linux operating systems, any version of the MAC OS for Macintosh computers, any embedded operating system, any real-time operating system, any open source operating system, any proprietary operating system, any operating system for mobile computing devices, or any other operating system capable of running on the computing device and performing the operations described herein. Typical operating systems include, but are not limited to: WINDOWS 2000, WINDOWS Server 2012, WINDOWS CE, WINDOWS Phone, WINDOWS XP, WINDOWS VISTA, and WINDOWS 7, all manufactured by Microsoft Corporation of Redmond, Wash.; MAC OS and iOS, manufactured by Apple, Inc. of Cupertino, Calif.; Linux, a freely-available operating system, e.g., the Linux Mint distribution ("distro") or Ubuntu, distributed by Canonical Ltd. of London, United Kingdom; Unix or other Unix-like derivative operating systems; and Android, designed by Google of Mountain View, Calif., among others. Some operating systems, including, e.g., the CHROME OS by Google, may be used on zero clients or thin clients, including, e.g., CHROMEBOOKS.

The computer system 100 can be any workstation, telephone, desktop computer, laptop or notebook computer, netbook, ULTRABOOK, tablet, server, handheld computer, mobile telephone, smartphone or other portable telecommunications device, media playing device, gaming system, mobile computing device, or any other type and/or form of computing, telecommunications or media device that is capable of communication. The computer system 100 has sufficient processor power and memory capacity to perform the operations described herein. In some embodiments, the computing device 100 may have different processors, operating systems, and input devices consistent with the device. The Samsung GALAXY smartphones, e.g., operate under the control of the Android operating system developed by Google, Inc. GALAXY smartphones receive input via a touch interface.

In some embodiments, the computing device 100 is a gaming system. For example, the computer system 100 may comprise a PLAYSTATION 3, PERSONAL PLAYSTATION PORTABLE (PSP), or PLAYSTATION VITA device manufactured by the Sony Corporation of Tokyo, Japan; a NINTENDO DS, NINTENDO 3DS, NINTENDO WII, or NINTENDO WII U device manufactured by Nintendo Co., Ltd., of Kyoto, Japan; or an XBOX 360 device manufactured by Microsoft Corporation of Redmond, Wash.

In some embodiments, the computing device 100 is a digital audio player such as the Apple IPOD, IPOD Touch, and IPOD NANO lines of devices, manufactured by Apple Computer of Cupertino, Calif. Some digital audio players may have other functionality, including, e.g., a gaming system or any functionality made available by an application from a digital application distribution platform. For example, the IPOD Touch may access the Apple App Store. In some embodiments, the computing device 100 is a portable media player or digital audio player supporting file formats including, but not limited to, MP3, WAV, M4A/AAC, Protected AAC, and Apple Lossless audio file formats.

In some embodiments, the computing device 100 is a tablet, e.g., the IPAD line of devices by Apple; the GALAXY TAB family of devices by Samsung; or the KINDLE FIRE by Amazon.com, Inc. of Seattle, Wash. In other embodiments, the computing device 100 is an eBook reader, e.g., the KINDLE family of devices by Amazon.com, or the NOOK family of devices by Barnes & Noble, Inc. of New York City, N.Y.

In some embodiments, the communications device 102 includes a combination of devices, e.g., a smartphone combined with a digital audio player or portable media player. For example, one of these embodiments is a smartphone, e.g., the IPHONE family of smartphones manufactured by Apple, Inc.; a Samsung GALAXY family of smartphones manufactured by Samsung, Inc.; or a Motorola DROID family of smartphones. In yet another embodiment, the communications device 102 is a laptop or desktop computer equipped with a web browser and a microphone and speaker system, e.g., a telephony headset. In these embodiments, the communications devices 102 are web-enabled and can receive and initiate phone calls. In some embodiments, a laptop or desktop computer is also equipped with a webcam or other video capture device that enables video chat and video calling.

In some embodiments, the status of one or more machines 102, 106 in the network 104 is monitored, generally as part of network management. In one of these embodiments, the status of a machine may include an identification of load information (e.g., the number of processes on the machine, CPU and memory utilization), of port information (e.g., the number of available communication ports and the port addresses), or of session status (e.g., the duration and type of processes, and whether a process is active or idle). In another of these embodiments, this information may be identified by a plurality of metrics, and the plurality of metrics can be applied at least in part towards decisions in load distribution, network traffic management, and network failure recovery as well as any aspects of operations of the present solution described herein. Aspects of the operating environments and components described above will become apparent in the context of the systems and methods disclosed herein.

B.

Systems and methods of the present disclosure are directed to identifying infected networks and systems from unknown attacks. For example, a network security monitor of the present disclosure can provide network security by detecting threats referred to as advanced persistent threats (APTs). APTs can persist in a network for an extended period of time (e.g., many days, weeks, or months). APTs can access and retrieve data, damage a network, and cause extensive harm, including information theft.

An illustrative system of the present disclosure includes or interacts with a protected network, an APT intelligence platform, a database, and a communication method. The network security monitor can protect the protected network, i.e., the network over which information is exchanged and stored. The network security monitor can alert network operators to threats to the protected network or to attempts by outside forces to penetrate it. In particular, the network security monitor can alert network operators to any APTs, present or past, that may be attempting to compromise the security of the network.

The network security monitor, or APT intelligence platform, detects any APTs that are in the network or are attempting to infiltrate it. The network security monitor may be a computing device, a server, one or more processors, an application, or a specialized algorithm that combines or invokes multiple functionalities to detect APTs on an information network. The APT intelligence platform may include one or more of the following components: a log collector, a log indexer, a log correlation engine, and a report generator. The log collector receives system logs from the protected network. The network security monitor can analyze system logs generated by the protected network, and the system logs can be sent to the APT intelligence platform over a secure network connection.

The log indexer organizes the system logs that the protected network provides to the network security monitor. The system logs may be of several kinds: general system logs, network security logs such as those generated by IDSs or IPSs, and logs created by anti-virus software. The network security monitor organizes these logs so that they can be compared with extensive lists of threat indicators to determine whether the protected network has been infected by APTs. Indexing the logs increases efficiency and reduces the computing resources required to run the comparison.

The network security monitor can include a log correlation engine that takes the logs from the protected network, as indexed by the log indexer, and compares them with the database of threat indicators. The log correlation engine may include a specially designed heuristic algorithm that searches through the logs from the protected network and compares them with the threat indicator lists. The log correlation engine searches for correlations or similarities between the logs from the protected network and the threat indicator lists.

When the log correlation engine detects a similarity, it initiates the report engine to create a threat report, which can be sent to network operators (e.g., for display on a display device communicatively coupled to the network security monitor). The report engine generates and compiles reports that inform network operators of the possibility of an APT being present in their network. The report engine builds the report from the correlations and similarities found by the log correlation engine and illustrates them so that network operators can identify or determine the nature of the APTs potentially affecting their protected network. The report engine can deliver the report to network operators via the protected network or an external network.

The network security monitor may include or have access to a database. The database can be stored on a memory, hard drive, storage medium, or any other computer-readable medium, and may contain threat indicator lists. The log correlation engine uses the threat indicator lists to detect APTs: it performs a comparison between the threat indicator lists and the system logs provided by the protected network, and can detect potential APTs by analyzing their behavior and patterns within the system, patterns that may not be obvious but that the engine's analysis can identify. One or more threat indicators can identify APTs in different ways, from different perspectives, and by different types. The threat indicators may include IP addresses, malicious code samples and IPS signatures. Log correlation against these indicators detects the presence of APTs within the protected network.

The network security monitor can update the threat indicator lists in the database. To update the threat indicator lists, the network security monitor can crowd source threat information from an external network (e.g., via the Internet). Crowdsourcing threat information allows the network security monitor to use threat identification lists contributed by the public, and this information can be used to detect different APTs. As illustrated in FIG. 9, the network security monitor can access private and open source threat intelligence repositories, including IP addresses, malicious code samples and IPS signatures, through an Internet connection. The network security monitor aggregates and stores threat intelligence in a database infrastructure (e.g., a file server or file system) using a threat intelligence format or schema that organizes the aggregated threat information so that it is manageable and easily maintained. The network security monitor uses the schema to normalize the threat intelligence.

The network security monitor uses a schema/format to organize the threat intelligence, which makes the threat intelligence database easy to maintain and manage. The threat intelligence schema/format applies to threat indicators aggregated from different private and open-source threat intelligence repositories, including, e.g., IP addresses, malicious code samples and IPS signatures, so that they can be structured and expressed for consumption by the log correlation engine. The threat intelligence schema/format transforms the generic threat information gathered by an aggregator into structured information ready for use by the log correlation engine.

In one example, a threat intelligence aggregator of the network security monitor connects to private and open source threat information repositories over the Internet using protocols such as HTTP, FTP or P2P. The aggregator is given configuration details that allow access to each repository, including the URL of the repository, the information transfer protocol and/or authentication credentials, as specified by the vendor of the repository. Once the aggregator has gathered the threat intelligence, the network security monitor passes the aggregated threat information to the normalizer. The normalizer identifies the threat intelligence schema/format and transforms the aggregated generic threat information into structured information ready for the log correlation engine. The schema/format can be modified or updated as new threat intelligence repositories become accessible to the aggregator, so that the normalizer formats the intelligence from each repository properly. The network security monitor then stores the normalized threat information in the threat intelligence database.
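The aggregator and normalizer described above, as an added example that is not code from the patent or from Crypteia's product: two constructed repository profiles (a CSV list of IP addresses and a JSON list of malware hashes; the URLs, field names and layouts are assumptions) are mapped through a per-repository schema into one normalized (type, value, source) form, indicators that could never match a log as-is are rejected, and duplicates seen in more than one repository are merged. Retrieval over HTTP/FTP is replaced by embedded payloads so the example runs offline.

```python
"""Threat-intelligence aggregator and normalizer (added example).

Each repository profile carries the configuration the text describes (URL,
protocol, and a field mapping that plays the role of the per-repository
schema). Payloads are embedded instead of fetched so the example runs offline.
"""
import csv
import io
import ipaddress
import json
import re

# Constructed sample payloads standing in for what the aggregator would
# retrieve from a repository. Column and key names are assumptions.
FEED_CSV = """ip,confidence,last_seen
198.51.100.23,high,2015-03-01
203.0.113.9,medium,2015-03-02
not-an-ip,high,2015-03-02
198.51.100.23,high,2015-03-03
"""
FEED_JSON = json.dumps({
    "samples": [
        {"sha256": "a" * 64, "family": "dropper-x"},
        {"sha256": "ZZZZ", "family": "broken"},  # invalid hash: must be rejected
        {"md5": "0123456789abcdef0123456789abcdef", "family": "dropper-y"},
    ]
})

# Repository profiles (hypothetical URLs and mappings).
REPOSITORIES = [
    {"name": "feed-a", "url": "https://example.invalid/ips.csv", "protocol": "http",
     "format": "csv", "mapping": {"type": "ip", "value": "ip", "seen": "last_seen"}},
    {"name": "feed-b", "url": "https://example.invalid/hashes.json", "protocol": "http",
     "format": "json", "mapping": {"type": "hash", "path": "samples",
                                   "value": ["sha256", "md5"]}},
]

# MD5, SHA-1 or SHA-256 in lowercase hex.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def fetch(repo):
    """Stand-in for retrieval over repo['protocol']: returns the embedded payload."""
    return FEED_CSV if repo["format"] == "csv" else FEED_JSON


def validate(kind, value):
    """Return the canonical indicator value, or None if it cannot be matched."""
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(value.strip()))
        except ValueError:
            return None
    if kind == "hash":
        v = value.strip().lower()
        return v if HASH_RE.match(v) else None
    return None


def normalize(repo, payload):
    """Apply the repository's mapping; yield records in the common schema."""
    m = repo["mapping"]
    if repo["format"] == "csv":
        for row in csv.DictReader(io.StringIO(payload)):
            v = validate(m["type"], row[m["value"]])
            if v:
                yield {"type": m["type"], "value": v, "source": repo["name"],
                       "seen": row.get(m.get("seen"))}
    elif repo["format"] == "json":
        for item in json.loads(payload)[m["path"]]:
            for key in m["value"]:
                if key in item:
                    v = validate(m["type"], item[key])
                    if v:
                        yield {"type": m["type"], "value": v,
                               "source": repo["name"], "seen": None}


def aggregate(repos=REPOSITORIES):
    """Collect, normalize and deduplicate; the dedup key is (type, value)."""
    db = {}
    for repo in repos:
        for rec in normalize(repo, fetch(repo)):
            key = (rec["type"], rec["value"])
            db.setdefault(key, {**rec, "sources": set()})["sources"].add(rec["source"])
    return db


if __name__ == "__main__":
    for (kind, value), rec in sorted(aggregate().items()):
        print(kind, value, sorted(rec["sources"]))
```

The mapping dictionaries are the part that changes when a new repository is added, which is what the text means by updating the schema; the `validate` step is where a practitioner catches indicators (unparseable addresses, truncated hashes, mixed-case hex) that would silently never match anything in the indexed logs.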

The network security monitor may use one or more communication methods to send a report to the network operators of the protected network or to other entities. Any modern form of communication may be used, including electronic mail, instant messaging, SMS, notifications and push alerts. Network operators may receive the report on a variety of modern computing devices, such as tablet computers, smartphones, notebook computers, mobile telecommunications devices and smart watches.

Referring now to FIG. 2, a block diagram depicting an embodiment of a system 200 comprising a network security monitor is shown. The system 200 includes a network security monitor 120 ("NSM") configured to send and receive data via a protected network 204 and/or an external network 104. The system may include one or more clients 102a-n and/or one or more servers 106a-n that access the protected network 204. The system may include security intelligence repositories 202a-n, such as crowd-sourced threat intelligence providers and third-party threat information providers. The network security monitor 120 may include an interface 205 that accesses the protected network 204 and the external network 104; the interface 205 may also facilitate communication or interaction between the modules, engines and databases of the network security monitor 120. The network security monitor 120 may include a log collector 210 that collects logs from the protected network, a log indexer 215 that indexes the logs collected by the log collector 210, and a log correlation engine 225 that compares the indexed logs with threat intelligence stored in the database 240. The database 240 may store logs, threat intelligence, schemas, reports and profiles (e.g., configuration details for accessing a repository). An aggregator 220 obtains threat intelligence information from one or more repositories, and a normalizer 235 normalizes the aggregated threat data. A report engine 230 generates a report indicating whether a threat has been detected in the protected network and communicates it to clients 102a-n via the protected network 204, or to any other entity.

The interface 205, log collector 210, log indexer 215, aggregator 220, log correlation engine 225, report engine 230, normalizer 235 and database 240 of the network security monitor 120 may each include one or more processing units or other logic devices, such as programmable logic array engines, modules, or circuitry, designed and constructed to facilitate managing security on a network infrastructure.

The network security monitor 120 includes an interface 205 designed and constructed to communicate via a protected network 204 or an external network 104. The protected network 204 is a private network, e.g., an intranet or corporate network, that the network security monitor 120 is protecting or monitoring. The external network 104 may be, e.g., the World Wide Web. The interface 205 may also facilitate communication or interaction between components or modules of the network security monitor 120, such as the log collector 210, log indexer 215, aggregator 220, log correlation engine 225, report engine 230, normalizer 235 and database 240. The interface 205 may interface directly with the modules or the networks 104, 204, or may communicate with them via an intermediary device or an application programming interface.

The network security monitor 120 may include a log collector 210 designed and constructed to collect logs. The log collector 210 may receive logs via the interface 205 or via another interface of the log collector 210. The log collector 210 may receive logs securely from the protected network 204 (e.g., over an encrypted, password-protected or access-restricted network). The log collector 210 may request, retrieve, or otherwise obtain logs from the protected network 204 that indicate the status of the protected network. The logs may indicate activity on the protected network 204, including traffic, threats, email, authentication, authorization and accounting (AAA), VPN and access control information. A log may include a log identifier and information about the network activity, such as a device identifier, domain, time stamp, severity of the log event, session source port, session destination IP, and URL. Tables 1-8 show examples of the information the log collector 210 can obtain.

The log collector 210 may obtain logs according to a time interval. In some embodiments, the log collector 210 receives logs continuously, e.g., as they are created. In other embodiments, the log collector 210 receives logs according to a time interval or as a batch process (e.g., multiple logs stored in one or more data files): for example, every hour, every 24 hours, every two weeks, or any other interval set by the administrator of the network security monitor 120 to manage the security of the protected network 204. In some embodiments, the network security monitor 120 receives logs in response to a request for logs.

The log collector 210 may request logs from an agent executing on the protected network 204, such as a monitoring agent. The monitoring agent may execute on a server 106a-n or a client 102 of the protected network 204. The monitoring agent may be an antivirus tool, a network security element, an intrusion prevention system or an intrusion detection system. In some embodiments, the log collector 210 obtains network information from a vulnerability assessment tool (e.g., the Open Vulnerability Assessment System (OpenVAS)), a framework of several tools and services offering vulnerability scanning and management. The monitoring agent may generate one or more logs, including general system logs and network security logs.

The log collector 210 may receive logs in any format that carries information about network activity on the protected network 204. In some embodiments, log files are plain text, comma-delimited, binary, or spreadsheet files; a comma-delimited text file may carry a header row naming each column. Depending on the configuration of the monitoring agent, a log folder may contain several log files, e.g., one file per day, with the files named MMDDYYYY.log, where MMDDYYYY is the date of the log entries.

In some embodiments, the monitoring agent stores log files in a predetermined directory on a client or server of the protected network. The log collector 210 accesses the directory according to a time interval (e.g., periodically, upon request, or at another interval) to determine whether there are new or updated logs. The log collector 210 may retrieve the logs and store them in the database 240. The log collector 210 may retain logs from all previous periods, aggregate logs by type, or delete logs after a set time period.

The network security monitor 120 may include a log indexer 215 designed and constructed to organize the logs collected by the log collector 210. The logs may come from different sources, including general system logs, network security logs, and logs created by IDSs and IPSs. The log indexer 215 organizes the logs so that they can be compared with large lists of threat indicators to determine whether the protected network has been infected. By indexing the logs it receives, the network security monitor 120 increases efficiency and reduces the computing resources required to compare the logs with the appropriate lists of threat indicators.

The log indexer 215 may receive logs directly from the log collector 210, or may access the database 240 to retrieve them after the log collector 210 has deposited the logs there. The log indexer 215 may index the logs with respect to threat indicators. The log indexer 215 uses a log normalization schema, which lets it manage logs from various types of devices, collectors and tools. Each monitoring agent may use a different log representation, so indexing all received logs into the same log format or schema is important: it increases the efficiency of the log correlation engine 225.

The log indexer 215 analyzes and processes received logs to identify the type of each log (e.g., threat log, traffic log, email log, authentication log). The log indexer 215 then indexes the log according to its type (e.g., threat log) and organizes its data or parameters using the log format for that type. The log indexer 215 may index historical logs as well as new logs received from the log collector 210. The log indexer 215 may index logs as they arrive, or may run a batch process that indexes logs according to a time interval (e.g., hourly, daily, or any other period that allows the security of the network to be managed).

Tables 1-8 below illustrate examples of the log format/schema the log indexer 215 uses to organize, index and normalize logs received from the log collector 210 or stored in the database 240. The type of a log may dictate which format or schema the log indexer 215 applies, and the same format or schema is applied to all received logs of that type. Table 1 illustrates a log format or schema for mapping received logs to indexed threat logs. Table 2 illustrates a log format or schema for mapping received logs to indexed traffic logs. Table 3 illustrates a log format or schema for mapping received logs to indexed email logs. Further tables illustrate schemas for performance logs, for AAA logs (Table 5), and for VPN logs (Table 7).

TABLE 1
Threat Log Mapping

Field Name | Field Description
@timestamp | Time stamp of the event
devname | Name of the device
devid | ID of the device
domain | Name of the virtual device
logid | ID of the event
type (threat) | Type of the event
subtype (anomaly, virus, signature) | Subtype of the event
level | Severity of the event
srcport | Source port of the session
srcip | Source IP of the session
srcintf | Source interface of the session
dstintf | Destination interface of the session
dstip | Destination IP of the session
dstport | Destination port of the session
service | Service of the session
sessionid | Session ID
policyid | Identification number of the policy
identidx | Authentication policy ID
user | Identified user of the session
group | Identified user's group of the session
profile | Security profile that recognizes the threat
proto | IP protocol
status (blocked, passthrough, monitored, analytics, detected, dropped, reset) | Action performed for the current threat
attackname | Name of the threat
ref | Reference URL
file | Name of the infected file
checksum | Checksum of the infected file
quarskip | Quarantine action
url | Source URL of the threat (malware)
from | Sender's email address, in case of a threat through email
to | Recipient's email address, in case of a threat through email
severity | Severity of the threat
count | Number of packets
attackid | Identification of the threat
incidentserialno | Incident serial number

TABLE 2. Traffic log mapping

Field name                      Field description
------------------------------  ----------------------------------------------
@timestamp                      Timestamp of the event
Devname                         Name of the system
Devid                           Unique identification number of the system
Logid                           Log identification number
Type                            Type of the event (value: traffic)
Subtype                         Subtype of the event
Domain                          Virtual domain of the system
Level                           Severity of the event
Srcport                         Source port of the session
Srcip                           Source IP of the session
Srcintf                         Source interface of the session
Dstintf                         Destination interface of the session
Dstip                           Destination IP of the session
Dstport                         Destination port of the session
Srccountry                      Source country
Dstcountry                      Destination country
Policyid                        Identification number of the security policy (traffic passthrough)
Identidx                        Identity-based policy identification number
Sessionid                       Serial number of the session
Service                         Service of the session
User                            Identified user of the session
group                           Identified user’s group of the session
applist                         Application sensor that recognizes the application
status                          Status of the traffic session
appid                           Identification number of the application
app                             Name of the application
appcat                          Category of the application
duration                        Duration of session in seconds
sentbyte                        Number of sent bytes
rcvdbyte                        Number of received bytes
totalbytes                      Total bytes
sentpkt                         Number of sent packets
rcvdpkt                         Number of received packets
trandisp                        Type of NAT
tranip                          Translated IP in NAT mode
transip                         Translated source IP in NAT mode
tranport                        Translated port
transport                       Translated source port
proto                           IP protocol

TABLE 3. Email log mapping

Field name                      Field description
------------------------------  ----------------------------------------------
@timestamp                      Timestamp of event
Devid                           ID of the device
Devname                         Name of the device
Domain                          Name of the virtual device
Logid                           ID of the event
Type (email)                    Type of the event
Subtype (spam, regular)         Subtype of the event
level                           Severity of the event
Srcport                         Source port of the session
Srcip                           Source IP of the session
Srcintf                         Source interface of the session
Dstintf                         Destination interface of the session
Dstip                           Destination IP of the session
Dstport                         Destination port of the session
service                         Service of the session
sessionid                       ID of the session
policyid                        ID of the policy
identidx                        ID of the identification policy
user                            Name of the user
group                           Name of the group to which the user belongs
profile                         Name of the security profile
Status (detected, blocked,      Status of the action taken
  exempted)
from                            Sender of the email
to                              Recipient of the email
msg                             Information related to the spam mechanism
subject                         Subject of the email
size                            Size of the email
cc                              CC of the email
Attachment (yes, no)            Whether the email includes an attachment

TABLE 4. Performance log mapping

Field name                      Field description
------------------------------  ----------------------------------------------
@timestamp                      Timestamp of event
Devid                           ID of the device
Devname                         Name of the device
Domain                          Name of the virtual device
Logid                           ID of the event
Type (perf)                     Type of the event
Subtype (sys)                   Subtype of the event
cpu                             Percentage of CPU usage
mem                             Percentage of memory usage
totalsession                    Total number of the system’s sessions

TABLE 5. AAA (authentication, authorization and accounting) log mapping

Field name                      Field description
------------------------------  ----------------------------------------------
@timestamp                      Timestamp of the event
Devname                         Unique identification number of the system
Devid                           Log identification number
Logid                           Type of the event (value: traffic)
Type (aaa)                      Subtype of the event
Subtype (authen, author, acc)   Virtual domain of the system
domain                          Virtual domain of the system
level                           Severity of the event
Scope (local, ssl-web)          Authentication scope
Action (login, logout)          Action
srcport                         Source port of the session
dstport                         Destination port
srcip                           Source IP
Status (success, failed)        Whether the AAA succeeded or failed
profile                         User profile
duration                        Duration
reason                          Reason for failure
user                            User
group                           Group
tunnelid                        Identification of the tunnel

TABLE 6. VPN log mapping

Field name                      Field description
------------------------------  ----------------------------------------------
@timestamp                      Timestamp of the event
@id                             Identification of the event
logid                           Log identification number
Level                           Severity of the event
Type (vpn)                      Type of the event (value: traffic)
Subtype (ssl, ipsec)            Subtype of the event
devid                           Unique identification number of the system
devname                         Name of the system
vdev                            Virtual domain of the system
tunnelid                        Tunnel ID
remoteip                        Remote IP
tunnelip                        Tunnel IP
Status (up, down)
user                            User
group                           Group
sentbyte                        Sent bytes
rcvdbyte                        Received bytes
duration                        Duration
reason                          Reason
tunneltype                      Tunnel type

TABLE 7. Access control log mapping

Field name                      Field description
------------------------------  ----------------------------------------------
@timestamp                      Timestamp of the event
devname                         ID of the device
devid                           Name of the device
domain                          Name of the virtual device
logid                           ID of the event
Type (acc. ctrl)                Type of the event
Subtype (app, web)              Subtype of the event
level                           Severity of the event
srcport                         Source port of the session
srcip                           Source IP of the session
Srcintf                         Source interface of the session
Dstintf                         Destination interface of the session
Dstip                           Destination IP of the session
Dstport                         Destination port of the session
Service                         Service of the session
Sessionid                       ID of the session
Policyid                        ID of the security policy
Identidx                        ID of the identification policy
User                            Identified user of the session
Group                           Identified user’s group of the session
profile                         Security profile that catches the application
proto                           Protocol number in IPv4 packets
Status (pass, block, reset,     Status of the action taken
  reject, passthrough, monitor)
app                             Application name
appid                           Application ID
count                           Number of packets
hostname                        Hostname of the destination
url                             URL of the destination
Reqtype (direct, referral)      HTTP request type
method                          Method used
sentbyte                        Sent bytes
rcvdbyte                        Received bytes
cat                             Category of the application
catdesc                         Description of the category

TABLE 8. Accumulated standard fields mapping

Category                          Field        Description
--------------------------------  -----------  -----------
Standard fields (always present)  @timestamp
                                  @id
                                  @srcevent
                                  Devid
                                  Logid
                                  Type
                                  Subtype
                                  Level
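The tables above describe the target schema but not how raw device output gets there. The following is an added example (not code from the patent or from Crypteia Networks) of a log indexer in that style: it parses key=value log lines, fills the Table 8 standard fields that every indexed record must carry, and then adds the type-specific columns from a subset of Table 1 (threat) and Table 2 (traffic). The sample lines, the field lists and the function names (parse_kv, index_log, index_logs) are constructed for illustration; a line that lacks the device and log identifiers needed for the standard fields is dropped rather than indexed, and a type with no mapping (here "perf") keeps only the standard fields.

```python
"""Log indexer in the style of Tables 1, 2 and 8: raw key=value log lines from the
protected network are mapped onto one normalized record per log type.

Added example; not the patent's own code. The sample lines, the field lists and the
helper names (parse_kv, index_log, index_logs) are constructed for illustration."""
import re
from datetime import datetime, timezone

# Type-specific columns, a subset of Table 1 (threat) and Table 2 (traffic).
# Keys are lower-cased so that "Devname" and "devname" land in the same column.
# The Table 8 standard fields (@timestamp, @id, @srcevent, devid, logid, type,
# subtype, level) are filled for every type in index_log().
TYPE_FIELDS = {
    "threat": ("devname", "domain", "srcip", "srcport", "dstip", "dstport",
               "service", "sessionid", "policyid", "user", "group", "profile",
               "status", "attackname", "ref", "file", "checksum", "url",
               "severity", "count", "attackid"),
    "traffic": ("devname", "domain", "srcip", "srcport", "dstip", "dstport",
                "srccountry", "dstcountry", "policyid", "sessionid", "service",
                "user", "group", "app", "appcat", "duration", "sentbyte",
                "rcvdbyte", "proto"),
}
INT_FIELDS = ("srcport", "dstport", "sentbyte", "rcvdbyte", "count", "duration")

# key=value or key="value with spaces" tokens.
_TOKEN = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line):
    """Split a key=value log line into a dict with lower-cased keys."""
    fields = {}
    for match in _TOKEN.finditer(line):
        key, raw, quoted = match.group(1).lower(), match.group(2), match.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def index_log(line, srcevent, seq):
    """Normalize one raw line. Returns None when the Table 8 standard fields
    cannot be filled, so a malformed line is dropped rather than indexed."""
    raw = parse_kv(line)
    log_type = raw.get("type", "").lower()
    if not log_type or "devid" not in raw or "logid" not in raw:
        return None
    if "date" in raw and "time" in raw:
        timestamp = f"{raw['date']}T{raw['time']}Z"
    else:  # no device clock in the line: stamp with the indexer's own UTC clock
        timestamp = datetime.now(timezone.utc).isoformat()
    record = {
        "@timestamp": timestamp,
        "@id": f"{raw['devid']}-{raw['logid']}-{seq}",  # unique per source event
        "@srcevent": srcevent,
        "devid": raw["devid"],
        "logid": raw["logid"],
        "type": log_type,
        "subtype": raw.get("subtype"),
        "level": raw.get("level"),
    }
    # Unknown types (e.g. "perf") keep only the standard fields.
    for field in TYPE_FIELDS.get(log_type, ()):
        record[field] = raw.get(field)  # absent fields stay None so columns line up
    for field in INT_FIELDS:
        if isinstance(record.get(field), str) and record[field].isdigit():
            record[field] = int(record[field])
    return record


def index_logs(lines, srcevent="fw01"):
    """Index a batch of raw lines from one log source; malformed lines are skipped."""
    indexed = []
    for seq, line in enumerate(lines):
        record = index_log(line, srcevent, seq)
        if record is not None:
            indexed.append(record)
    return indexed


# Constructed sample lines (not captured from a real device). The last line lacks
# devid/logid and is expected to be dropped.
SAMPLE_LOGS = [
    'date=2015-03-02 time=10:15:22 devname=fw01 devid=FG100 logid=0419016384 '
    'type=threat subtype=virus level=warning srcip=10.0.0.5 srcport=51234 '
    'dstip=198.51.100.7 dstport=80 service=HTTP status=blocked '
    'attackname="Trojan.Generic" checksum=d41d8cd98f00b204e9800998ecf8427e count=1',
    'date=2015-03-02 time=10:16:01 devname=fw01 devid=FG100 logid=0000000013 '
    'type=traffic subtype=forward level=notice srcip=10.0.0.5 srcport=51240 '
    'dstip=203.0.113.9 dstport=443 service=HTTPS app=SSL sentbyte=1200 '
    'rcvdbyte=8400 proto=6',
    'date=2015-03-02 time=10:16:30 devname=fw01 devid=FG100 logid=0100032001 '
    'type=perf subtype=sys level=information cpu=12 mem=40',
    'type=traffic srcip=10.0.0.8 dstip=203.0.113.9',
]

if __name__ == "__main__":
    for rec in index_logs(SAMPLE_LOGS):
        print(rec["@id"], rec["type"], {k: v for k, v in rec.items() if v is not None})
```

Keeping absent fields as None (rather than omitting the key) is what makes the indexed records "columns" in the sense of the tables: every threat record has the same keys, so the correlation step can address a field by name without checking for its presence first.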

The network security monitor 120 can include an aggregator 220 designed and constructed to receive, retrieve, or otherwise obtain threat intelligence from one or more repositories. The aggregator 220 can access one or more threat repositories, such as the security intelligence repositories 202a-n, via the external network 104 using protocols such as HTTP, FTP, and P2P. The aggregator 220 can obtain configuration details from the database 240, including the URLs of the repositories 202a-n, the information transmission protocol, and authentication credentials. The connection allows the aggregator 220 to periodically ping, receive, or otherwise obtain the most current information from the security intelligence resources or databases 202a-n. This information can be crowd-sourced or provided by security communities and accessed via the external network 104. The network security monitor 120 may determine whether the information is current by checking whether it has been time-stamped or flagged. In some instances, the network security monitor 120 can receive a real-time data feed of security information. Crowd-sourced information can take many forms, including vulnerabilities and exploits, signatures, MD5s, IP reputation, domain reputation, and traffic patterns, from public and private repositories such as CERTs, TOR forums, social networking feeds, security vendors, academia, private security researchers, Metasploit, and ExploitDB.

A vulnerability can refer to a software, hardware, firmware, or other weakness in the protected network 204, a system, or a component thereof. Such a weakness might allow an adversary to violate the confidentiality, availability, or integrity of the system, of its processes and applications, and of the data the system generates and manages. In network security, a vulnerability can refer to a weakness of a station or device that could allow unauthorized intrusion into the network. Social engineering techniques can also exploit human vulnerabilities regarding information security sensitivity. There are many vulnerability schemes and registries in the security industry, created and maintained by different organizations, research institutions, and enterprises. Examples include the CERT Advisories maintained at Carnegie Mellon University of Pittsburgh, Pa., the CVE scheme maintained by the MITRE Corporation of Bedford, Mass., and the Bugtraq vulnerability listing maintained by Security Focus of SYMANTEC Co. of Mountain View, Calif. Public vulnerability registries may also be maintained by various entities, corporations, and software companies on their own web sites for the products they create. The network security monitor 120 can, in various configurations, be set up to access, look up, process, analyze, or otherwise obtain and use information from one or more vulnerability lists or registries in one or more formats, standards, or schemes. For example, the network security monitor 120 can be set up to use the CVE vulnerability scheme created by the MITRE Corporation via the aggregator 221. In some cases, however, the tool may be used without a vulnerability scheme.

An exploit can be a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, a vulnerability, or a combination thereof to cause unintended or unexpected behavior in computer software or hardware. This behavior could be used to take control of a system, escalate privileges, or mount denial-of-service attacks. Signatures may refer to the attack patterns used by the tool; signatures or patterns can be used to identify attacks at the level of a network, a network node, or a networked device (host level).

The aggregator 220 has access to the security intelligence repositories and resources 202a-n, which allows it to update the threat indicator lists in the database 244. The aggregator 220 can use the external network 104 to crowdsource threat information, updating the threat indicator lists from open and private threat intelligence repositories that provide, for example, IP addresses, malicious code samples, and IPS signatures. The network security monitor may aggregate and store threat intelligence in a database infrastructure (e.g., a file server or file system), using a threat intelligence format/scheme to organize the aggregated threat information and keep it manageable and maintainable.

In certain embodiments, the aggregator 220 can access multiple heterogeneous security information repositories 202a-n to retrieve threat intelligence. These repositories are called heterogeneous because they offer different types of threat information (e.g., IP addresses, malware and malicious code samples, and IPS signatures) in different formats or in an unstructured form. The aggregator 220 can access configuration details and a profile in the database 240 to gain access to the security intelligence repositories 202a-n; the access credentials, such as a username, a password, or a token, allow the aggregator to obtain the threat intelligence. The configuration details and credentials of some or all of the repositories may be included in the profile stored in the database 244. In some embodiments, the aggregator 220 may keep an open connection to one or more repositories 202a-n in order to continually obtain up-to-date threat intelligence information. In other embodiments, the aggregator 220 may periodically ping or poll one or more repositories 202a-n in order to receive new threat intelligence.

Summary for “System and Method for Identifying Infected Networks and Systems from Unknown Attacks”


Computer networks are used by companies, private groups, and organizations to communicate, store information, execute transactions, and schedule services. Computer networks can be isolated, but most are connected to the internet so that information can be sent to remote locations. A private network hosted over the internet can link multiple company locations together into one network, allowing information such as documents to be sent quickly between distant locations. Networks can also be set up so that other parties can communicate with the network via the internet. This is the case for electronic commerce, one of the most popular and widely used business practices on the internet. External access can be granted in certain situations; for example, a network member or employee of a company can access information on the network even when not physically located at the company’s premises. Remote access, electronic commerce, and other interactions with the network are among the benefits of such outside access.

However, outside access to a network has several drawbacks. For example, external attackers may attempt to harm the network or steal data from it. The owners of a network may suffer significant harm if attackers are able to steal confidential or proprietary information such as password lists or design plans. The stolen information can then be used for malicious purposes, including identity theft, further information theft, and asset theft. These malicious activities can prove costly to the victims, so it is important to minimize the risk of a breach in network security.

Networks can deploy and maintain security measures in response to the threats against them, such as firewalls, intrusion detection systems, intrusion prevention systems, and combined intrusion detection and prevention systems. A firewall controls the flow of information into a network by inspecting incoming data packets and comparing them with a set of rules; packets deemed malicious are dropped. In this way a firewall can detect and drop malicious traffic and protect the network against a variety of external threats.

An intrusion detection system detects malicious attacks and raises an alarm so that an authorized administrator can be notified and take appropriate action to stop the attack. An intrusion prevention system detects potential attacks and automatically takes appropriate action to stop or disrupt them; it might also notify system administrators when an attack has been detected and stopped. A combined intrusion detection and prevention system (IDPS) can detect potential attacks, alert system administrators, and then move to stop the attack. If the attack is stopped successfully, the IDPS notifies the system administrators; it may also notify an administrator if the attack continues.

An advanced persistent threat (APT) is one type of threat that can be mounted against secured networks. Information holders should be concerned about advanced persistent threats for many reasons. Unlike viruses and brute force attacks, which infiltrate networks and cause visible damage, APTs can be invisible to network users. An APT can silently infiltrate a network and gather information, spreading its influence across the network so that it gains greater access to the network’s protected information. APTs can stay in a network for hundreds of days (e.g., 100 to 400 days), collecting and exfiltrating information without being noticed or detected. APTs can be aimed at high-value targets, which allows them to steal valuable information that malicious entities can use to advance their agendas. The APT lifecycle can be illustrated by four stages: preparation, infection, deployment, and maintenance. Because of their persistent and recurring nature, APTs are a costly and destructive threat to large organizations with extensive information networks; they can also affect the military, defense contractors, and state organizations.

The systems and methods disclosed herein detect an APT and alert network administrators to its existence so that they can take appropriate action to remove it and repair any damage it has done. The present disclosure provides a network security monitor that can detect networks and systems infected by known or unknown attacks. The network security monitor can detect APTs that were already present in the network before the network security monitor was introduced, as well as APTs that attempt to penetrate the network after the network security monitor has been integrated.

In certain embodiments, the network security monitor is targeted at the detection of APTs. To detect threats, the network security monitor may use lists of malware, exploits, and untrustworthy IP addresses. These lists can be updated periodically, constantly, dynamically, continuously, or in real time. In some instances the network security monitor updates the lists using crowd sourcing, which here refers to contributions by members of an online community to one or more of the following: malware, exploits, untrustworthy IP addresses, IPS signatures, and IDS signatures. The network security monitor can receive, retrieve, parse, or otherwise obtain one or more crowd-sourced lists, which improves its coverage of APTs. In some instances, the network security monitor may employ techniques related to knowledge management and semantics to assist with updating the lists.

At least one aspect of this disclosure is directed to a method for managing security on a network infrastructure. The method may include a log collector, configured by a processor of a network security monitor, receiving via a first computer network a plurality of logs from a second computer network. The plurality of logs can indicate a status of the second network, as determined by a monitoring agent that runs on the second network. A log indexer installed on the network security monitor can generate indexed logs from the plurality of logs based on a log format. The method includes the network security monitor retrieving a list of threat indicators from a database; the list is stored using a schema and is created from a plurality of heterogeneous repositories of threat indicators. A log correlation engine installed on the network security monitor compares the list of threat indicators with the indexed logs, and a report engine installed on the network security monitor generates, based on the comparison, a report that identifies a threat.

In some embodiments, the method can include an aggregator receiving one or more threat indicators from a plurality of heterogeneous sources over the first computer network, and a normalizer transforming, based on the schema, the one or more threat indicators into the list of threat indicators. The list of threat indicators may contain structured information that can be used by the correlation engine.

In some embodiments, the method may include the aggregator of the network security monitor obtaining a first configuration to access a first repository via the first computer network and a second configuration to access a second repository via the first computer network. The aggregator may use the first configuration to establish a first connection with the first repository via the first computer network, and the second configuration to establish a second connection with the second repository via the first computer network. The method may further include the network security monitor updating, based on the schema, the list of threat indicators using at least one threat indicator received from the second repository.

In some embodiments, the method may include the network security monitor receiving, via the first computer network, a first threat indicator in a first format from a first repository and a second threat indicator in a second format from a second repository. The first repository may differ from the second repository, and the first format may differ from the second format. The method may include the network security monitor transforming the first and second threat indicators, based on the schema, to create the list of threat indicators.

In some embodiments, the method may include the network security monitor initiating the comparison, via the log correlation engine, in response to receiving at least one of an update to the list or a new log of the second computer network.

In certain embodiments, the method may include the log correlation engine searching for a correlation between the indexed logs of the second computer network and the list of threat indicators, and identifying a match between them.

In certain embodiments, the method may include the log correlation engine identifying a portion of the plurality of logs as corresponding to a first type of log format, identifying one or more threat indicators from the list of threat indicators that correspond to the first type, and comparing that portion of the plurality of logs with the one or more threat indicators to find a match.

In some embodiments, the method includes the log correlation engine comparing historical logs and current logs with one or more threat indicators to identify a match.

In some embodiments, the method also includes the log correlation engine instructing or informing the report engine to create the report in response to identifying the match based on the comparison.
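The aggregator and normalizer described in the detailed description above (heterogeneous repositories in different formats, transformed into one list under a schema) and the correlation steps just listed (select the indicator types that apply to a log type, compare, hand matches to the report engine) are two halves of one pipeline. The following is an added example of both halves together; it is not code from the patent or from Crypteia Networks. The three feeds (a CSV IP list, a JSON domain feed, a plain-text hash list), the indexed log records, the indicator schema {type, value, source, context} and all function names (normalize_indicators, correlate, generate_report) are constructed for illustration. The correlation deliberately looks up only the indicator types registered for a log's type, so a traffic log is never compared against file hashes, and an unknown feed format is skipped rather than guessed at; running the same correlate() call over a historical batch and a current batch is how the "historical and current logs" step above would be realized.

```python
"""Normalizing heterogeneous indicator feeds into one schema, then correlating
indexed logs with that list and producing a report.

Added example; not the patent's own code. The three feeds, the indexed log records,
the indicator schema and all function names are constructed for illustration."""
import csv
import io
import json
from urllib.parse import urlsplit

# Three constructed feeds in three formats (the "heterogeneous repositories").
FEED_IP_CSV = "ip,category,confidence\n203.0.113.9,c2,90\n198.51.100.7,malware-host,75\n"
FEED_DOMAIN_JSON = json.dumps({"items": [{"domain": "Bad.Example", "tag": "phishing"}]})
FEED_MD5_TXT = "# constructed hash list\nD41D8CD98F00B204E9800998ECF8427E\n"
FEEDS = [("demo-ips", "csv-ip", FEED_IP_CSV),
         ("demo-domains", "json-domain", FEED_DOMAIN_JSON),
         ("demo-md5s", "txt-md5", FEED_MD5_TXT)]


def normalize_indicators(feeds):
    """Normalizer: map every feed onto one schema {type, value, source, context}.
    Values are lower-cased once here so the correlation step can compare by equality."""
    indicators = []
    for source, fmt, body in feeds:
        if fmt == "csv-ip":
            for row in csv.DictReader(io.StringIO(body)):
                indicators.append({"type": "ip", "value": row["ip"].strip(),
                                   "source": source, "context": row.get("category", "")})
        elif fmt == "json-domain":
            for item in json.loads(body)["items"]:
                indicators.append({"type": "domain", "value": item["domain"].lower(),
                                   "source": source, "context": item.get("tag", "")})
        elif fmt == "txt-md5":
            for line in body.splitlines():
                line = line.strip().lower()
                if line and not line.startswith("#"):
                    indicators.append({"type": "md5", "value": line,
                                       "source": source, "context": ""})
        # A feed in a format the normalizer does not know is skipped, not guessed at.
    return indicators


# Which indexed-log fields each indicator type is compared against, per log type
# (field names follow Tables 1, 2 and 3).
MATCH_FIELDS = {
    "traffic": {"ip": ("srcip", "dstip")},
    "threat": {"ip": ("srcip", "dstip"), "md5": ("checksum",), "domain": ("url",)},
    "email": {"domain": ("from",)},
}


def comparable(field, value):
    """Reduce a log field to the form indicators are stored in: lower case, the
    host part of a URL, or the domain part of an e-mail address."""
    if value is None:
        return None
    value = str(value).strip().lower()
    if field == "url":
        return urlsplit(value).hostname or value
    if field == "from":
        return value.rsplit("@", 1)[-1]
    return value


def correlate(indexed_logs, indicators):
    """Log correlation engine: for each log, consult only the indicator types that
    apply to its log type and report one match per field that hits."""
    by_type = {}
    for ind in indicators:
        by_type.setdefault(ind["type"], {})[ind["value"]] = ind
    matches = []
    for log in indexed_logs:
        for itype, fields in MATCH_FIELDS.get(log.get("type", ""), {}).items():
            table = by_type.get(itype, {})
            for field in fields:
                value = comparable(field, log.get(field))
                if value in table:
                    hit = table[value]
                    matches.append({"@id": log["@id"], "log_type": log["type"],
                                    "field": field, "indicator_type": itype,
                                    "indicator": hit["value"], "source": hit["source"],
                                    "context": hit["context"]})
    return matches


def generate_report(matches):
    """Report engine: summarize matches by affected log and by indicator source."""
    report = {"threats_found": len(matches), "affected_logs": [], "by_source": {}}
    for m in matches:
        if m["@id"] not in report["affected_logs"]:
            report["affected_logs"].append(m["@id"])
        report["by_source"][m["source"]] = report["by_source"].get(m["source"], 0) + 1
    return report


# Constructed indexed logs (already normalized, as a log indexer would emit them).
INDEXED_LOGS = [
    {"@id": "FG100-13-1", "type": "traffic", "srcip": "10.0.0.5", "dstip": "203.0.113.9"},
    {"@id": "FG100-16-2", "type": "threat", "srcip": "10.0.0.5", "dstip": "192.0.2.44",
     "checksum": "d41d8cd98f00b204e9800998ecf8427e", "url": "http://bad.example/drop.exe"},
    {"@id": "FG100-21-3", "type": "email", "from": "alerts@bad.example"},
    {"@id": "FG100-22-4", "type": "traffic", "srcip": "10.0.0.6", "dstip": "192.0.2.10"},
]

if __name__ == "__main__":
    report = generate_report(correlate(INDEXED_LOGS, normalize_indicators(FEEDS)))
    print(json.dumps(report, indent=2))
```

Normalizing case and form at feed-ingest time (lower-casing hashes and domains, keeping bare hosts rather than full URLs) is what lets the correlation be a dictionary lookup instead of a scan; MATCH_FIELDS is the place where new log types from Tables 4 to 7 would be registered, together with the indicator types that make sense for them.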

In some embodiments, the second computer network is a secure network that blocks unauthorized access. In some embodiments, the plurality of logs is generated by the monitoring agent, which includes at least one of an anti-virus tool, a network security element, or an intrusion detection system. The plurality of logs may include at least one of a general system log, a network security log, an intrusion detection log, an intrusion prevention system log, and an intrusion detection system log. In some embodiments, the log format includes at least one of a threat log mapping, a traffic log mapping, and an email log mapping.

In some embodiments, the method involves the network security monitor entering, via an interface, the indexed logs into memory configured with a data format corresponding to the indexed logs. In some embodiments, the network security monitor transmits the report, via the first computer network, to an administrator device associated with the second computer network.

Another aspect is directed to a system for managing security on a network infrastructure. The system may include a log collector coupled to a processor of a network security monitor. The log collector can receive, via a first computer network, a plurality of logs from a second computer network; the plurality of logs indicates a status of the second network as determined by a monitoring agent running on the second network. A log indexer on the network security monitor generates indexed logs from the plurality of logs based on a log format. The network security monitor can further retrieve a list of threat indicators from a database; the list is stored using a schema and is created from a plurality of heterogeneous repositories accessed over the first computer network. A log correlation engine on the network security monitor compares the list of threat indicators with the indexed logs, and a report engine on the network security monitor generates, based on the comparison, a report that identifies a threat.

Some embodiments include an aggregator and a normalizer. The aggregator receives one or more threat indicators from a plurality of heterogeneous sources over the first computer network. The normalizer transforms the one or more threat indicators into the list of threat indicators based on the schema, and the correlation engine can use the structured information in that list.

In some embodiments, the system contains an aggregator configured to obtain a first configuration to access a first repository via the first computer network and a second configuration to access a second repository via the first computer network. The aggregator can be configured to use the first configuration to establish a first connection to the first repository via the first computer network, and the second configuration to establish a second connection to the second repository via the first computer network. The network security monitor can be further configured to update, based on the schema, the list of threat indicators using at least one threat indicator received from the first or the second repository.

In some instances, the network security monitor can be further configured to receive, via the first computer network, a first threat indicator in a first format from a first repository and a second threat indicator in a second format from a second repository. The first repository may differ from the second, and the first format may differ from the second format. In some cases, the network security monitor converts the first and second threat indicators into the list of threat indicators based on the schema.

In some embodiments, the log correlation engine can be further configured to identify a portion of the plurality of logs as corresponding to a first log format, to identify one or more threat indicators in the list that correspond to the first type, and to compare that portion of the plurality of logs with the one or more threat indicators to identify a match.

In certain embodiments, the log correlation engine is further configured to respond to the identification of a match based on the comparison by instructing the report engine to generate the report.

The following sections of the specification and their respective contents may be useful for reading the descriptions of the various embodiments:

Section A describes a computing environment and network environment that may be helpful in practicing the embodiments.

Section A describes systems and methods that can be used to secure a network.

A. Computing and Network Environment

Before discussing specific embodiments of this solution, it may be useful to describe aspects of the operating environment and the associated system components (e.g., hardware elements) in relation to the methods and systems described herein. Referring to FIG. 1A, an embodiment of a network environment is depicted. The network environment includes one or more clients 102a-102n (also generally referred to as client(s) 102, client node(s) 102, client machine(s) 102, client computer(s) 102, client device(s) 102, or endpoint(s) 102) in communication with one or more servers 106 (also referred to as remote machine(s) 106). A client 102 can act both as a client node that seeks access to server resources and as a server that provides access to server resources for other clients.

Although FIG. 1A shows a network 104 between the clients 102 and the servers 106, the clients 102 and the servers 106 may be on the same network 104. In some embodiments, there are multiple networks 104 between the clients 102 and the servers 106. In one of these embodiments, a network 104' (not shown) may be a private network and a network 104 may be a public network. In another of these embodiments, a network 104 may be a private network and a network 104' a public network. In still another embodiment, networks 104 and 104' may both be private networks.

The network 104 can be connected via wired or wireless links. Wired links may include Digital Subscriber Line (DSL), coaxial cable lines, or optical fiber lines. Wireless links may include BLUETOOTH, Wi-Fi, Worldwide Interoperability for Microwave Access (WiMAX), an infrared channel, or a satellite band. Wireless links may also include any cellular network standard used to communicate among mobile devices, including standards that qualify as 1G, 2G, 3G, or 4G. Network standards may qualify as one or more generations of mobile telecommunications standards if they meet a specification or set of standards. The 3G standards, for example, may correspond to the International Mobile Telecommunications-2000 (IMT-2000) specification, and the 4G standards may correspond to the International Mobile Telecommunications Advanced (IMT-Advanced) specification. Examples of cellular network standards include AMPS, GSM, and UMTS. Cellular network standards may use various channel access methods, e.g., FDMA, TDMA, CDMA, or SDMA. In some embodiments, different types of data are transmitted via different links and standards; in other embodiments, the same types of data are transmitted via different links and standards.

The network 104 can be any type or form of network, and its geographical reach can vary widely: it could be a body area network (BAN), a personal area network (PAN), a local-area network (LAN) such as an intranet, a metropolitan area network (MAN), a wide area network (WAN), or the Internet. The topology of the network 104 may be of any form and may include any of the following: point-to-point, bus, star, ring, or tree. The network 104 may be an overlay network that is virtual and sits on top of one or more layers of other networks 104'. The network 104 may be of any such network topology known to those ordinarily skilled in the art that is capable of supporting the operations described herein. The network 104 may use different protocols and layers, such as the Ethernet protocol, the internet protocol suite (TCP/IP), ATM (Asynchronous Transfer Mode), SONET (Synchronous Optical Networking), or SDH (Synchronous Digital Hierarchy). The TCP/IP internet protocol suite may include the application layer, the transport layer, and the internet layer (including, e.g., IPv6). The network 104 may be classified as a broadcast network, a telecommunications network, a data communication network, or a computer network.

In some embodiments, the servers 106 may be logically grouped; in one of these embodiments, the logical group of servers may be referred to as a server farm 38 or a machine farm 38. In another embodiment, the servers 106 may be geographically dispersed. In other embodiments, a machine farm 38 may be administered as a single entity. In still other embodiments, the machine farm 38 includes a plurality of machine farms 38.

In one embodiment, the servers 106 of the machine farm 38 may be stored in high-density rack systems, along with associated storage systems, and located in an enterprise data center. In this embodiment, consolidating the servers 106 in this way improves system manageability, data security, and system performance by locating the servers 106 and high-performance storage systems on localized high-performance networks. Centralizing the servers 106 and storage systems and coupling them with advanced system management tools allows more efficient use of server resources.

Servers 106 of each machine farm 38 do not need to be physically proximate to other servers 106 in the same machine farm 38. The group of servers 106 logically grouped as a machine farm 38 may therefore be interconnected using a wide-area network (WAN) connection or a metropolitan-area network (MAN) connection. For example, a machine farm 38 may include servers 106 physically located on different continents or in different regions of a country, state, city, or campus. Data transmission speeds between servers 106 in the machine farm 38 can be increased if the servers 106 are connected using a local-area network (LAN) connection or some form of direct connection. Additionally, a heterogeneous machine farm 38 may include one or more servers 106 operating according to one type of operating system, while one or more other servers 106 execute one or more types of hypervisors rather than operating systems. In these embodiments, hypervisors may be used to emulate virtual hardware, partition physical hardware, virtualize physical hardware, and execute virtual machines that provide access to computing environments, allowing multiple operating systems to run concurrently on a host computer. Native hypervisors may run directly on the host computer; examples include VMware ESX/ESXi, manufactured by VMWare, Inc. of Palo Alto, Calif.; the Xen hypervisor, an open source product whose development is overseen by Citrix Systems, Inc.; and the HYPER-V hypervisors provided by Microsoft or others. Hosted hypervisors may run within an operating system on a second software level; examples of hosted hypervisors include VMware Workstation and VIRTUALBOX.

Management of the machine farm 38 may be decentralized. For example, one or more servers 106 may comprise components, subsystems, and modules that support one or more management services for the machine farm 38. In one of these embodiments, one or more servers 106 provide functionality for management of dynamic data, including techniques for handling failover, data replication, and increasing the robustness of the machine farm 38. Each server 106 may communicate with a persistent store and, in some embodiments, with a dynamic store.

The server 106 may be a file server, application server, web server, proxy server, firewall, gateway, virtualization server, deployment server, or SSL VPN server. In one embodiment, the server 106 may be referred to as a remote machine or a node. In another embodiment, a plurality of nodes 290 may be in the path between any two communicating servers.

Referring to FIG. 1B, a cloud computing environment is depicted. A cloud computing environment may provide a client 102 with one or more resources provided by a network environment. The cloud computing environment may include one or more clients 102a-102n in communication with the cloud 108 over one or more networks 104. Clients 102 may include, e.g., thick clients, thin clients, and zero clients. A thick client may provide at least some functionality even when disconnected from the cloud 108 or the servers 106. A thin client or a zero client may depend on the connection to the cloud 108 or server 106 to provide functionality. A zero client may depend on the cloud 108, other networks 104, or servers 106 to retrieve operating system data for the client device. The cloud 108 may include back end platforms, e.g., servers 106, storage, server farms, or data centers.

The cloud 108 may be public, private, or hybrid. Public clouds may include public servers 106 that are maintained by third parties on behalf of the clients 102 or the owners of the clients. The servers 106 may be located off-site in remote geographical locations as described above. Public clouds may be connected to the servers 106 over a public network. Private clouds may include private servers 106 that are physically maintained by the clients 102 or the owners of the clients. Private clouds may be connected to the servers 106 over a private network 104. Hybrid clouds 108 may include both private and public networks 104 and servers 106.

The cloud 108 may also include a cloud-based delivery, e.g., Software as a Service (SaaS) 110, Platform as a Service (PaaS) 112, and Infrastructure as a Service (IaaS) 114. IaaS may refer to a user renting the use of infrastructure resources that are needed during a specified time period. IaaS providers may offer storage, networking, servers, or virtualization resources from large pools, allowing users to scale up quickly by accessing more resources as needed. Examples of IaaS include OVH HOSTING of Montreal, Quebec, Canada; AMAZON Web Services provided by Amazon.com, Inc. of Seattle, Wash.; Rackspace US, Inc. of San Antonio, Tex.; Google Compute Engine provided by Google Inc. of Mountain View, Calif.; and RIGHTSCALE, Inc. of Santa Barbara, Calif. PaaS providers may offer the functionality provided by IaaS, including, e.g., storage, networking, servers, or virtualization, as well as additional resources such as, e.g., operating systems, middleware, or runtime resources. Examples of PaaS include WINDOWS AZURE provided by Microsoft Corporation of Redmond, Wash.; Google App Engine provided by Google Inc.; and HEROKU provided by Heroku, Inc. of San Francisco, Calif. SaaS providers may offer the resources that PaaS provides, including storage, networking, servers, virtualization, operating system, middleware, or runtime resources. In some embodiments, SaaS providers may offer additional resources including, e.g., data and application resources. Examples of SaaS include GOOGLE APPS provided by Google Inc.; SALESFORCE provided by Salesforce.com Inc. of San Francisco, Calif.; and OFFICE 365 provided by Microsoft Corporation. Examples of SaaS may also include data storage providers, e.g., DROPBOX provided by Dropbox, Inc. of San Francisco, Calif.; Microsoft SKYDRIVE provided by Microsoft Corporation; Google Drive provided by Google Inc.; and Apple ICLOUD provided by Apple Inc. of Cupertino, Calif.

Clients 102 may access IaaS resources with one or more IaaS standards, including, e.g., Amazon Elastic Compute Cloud (EC2), Open Cloud Computing Interface (OCCI), Cloud Infrastructure Management Interface (CIMI), or OpenStack standards. Some IaaS standards may allow clients access to resources over HTTP, and may use the Representational State Transfer (REST) protocol or the Simple Object Access Protocol (SOAP). Clients 102 may access PaaS resources with different PaaS interfaces. Some PaaS interfaces use HTTP packages, the JavaMail API, Java Data Objects (JDO), the Java Persistence API (JPA), Python APIs, or web integration APIs for different programming languages including, e.g., Rack for Ruby, WSGI for Python, or PSGI for Perl, or other APIs that may be built on REST, HTTP, XML, or other protocols. Clients 102 may access SaaS resources through web-based user interfaces provided by a web browser (e.g., GOOGLE CHROME or Microsoft INTERNET EXPLORER). Clients 102 may also access SaaS resources through smartphone or tablet applications, including, e.g., the Salesforce Sales Cloud or the Google Drive app. Clients 102 may also access SaaS resources through the client operating system, e.g., the Windows file system integration for Dropbox.

In some embodiments, access to IaaS or PaaS resources may be authenticated. For example, a server or an authentication server may authenticate a user via security certificates, HTTPS, or API keys. API keys may include various encryption standards such as, e.g., the Advanced Encryption Standard (AES). Data resources may be sent over Transport Layer Security (TLS) or Secure Sockets Layer (SSL).

The client 102 and server 106 may be deployed as and/or executed on any type and form of computing device, e.g., a computer, network device, or appliance capable of communicating on any type and form of network and performing the operations described herein. FIGS. 1C and 1D depict block diagrams of a computing device 100 useful for practicing an embodiment of the client 102 or a server 106. As shown in FIGS. 1C and 1D, each computing device 100 includes a central processing unit 121 and a main memory unit 122. As shown in FIG. 1C, a computing device 100 may include a storage device 128, an installation device 116, a network interface 118, an I/O controller 123, display devices 124a-124n, a keyboard 126, and a pointing device 127, e.g., a mouse. The storage device 128 may include, without limitation, an operating system, software, and the software of a network security monitor (NSM) 120. As shown in FIG. 1D, each computing device 100 may also include additional optional elements, e.g., a memory port 103, a bridge 170, one or more input/output devices 130a-130n (generally referred to using reference numeral 130), and a cache memory 140 in communication with the central processing unit 121.

The central processing unit 121 is any logic circuitry that responds to and processes instructions fetched from the main memory unit 122. In many embodiments, the central processing unit 121 is provided by a microprocessor unit, e.g., those manufactured by Intel Corporation of Mountain View, Calif.; those manufactured by Motorola Corporation of Schaumburg, Ill.; the ARM processor and TEGRA system on a chip (SoC) manufactured by Nvidia of Santa Clara, Calif.; the POWER7 processor manufactured by International Business Machines of White Plains, N.Y.; or those manufactured by Advanced Micro Devices of Sunnyvale, Calif. The computing device 100 may be based on any of these processors, or any other processor capable of operating as described herein. The central processing unit 121 may utilize instruction level parallelism, thread level parallelism, different levels of cache, and multi-core processors. A multi-core processor may include two or more processing units on a single computing component. Examples of multi-core processors include the AMD PHENOM IIX2, the INTEL CORE i5, and the INTEL CORE i7.

Main memory unit 122 may include one or more memory chips capable of storing data and allowing any storage location to be directly accessed by the microprocessor 121. Main memory unit 122 may be volatile and faster than the storage 128 memory. Main memory units 122 may be Dynamic random access memory (DRAM) or any variants, including Burst SRAM or SynchBurst SRAM (BSRAM), Fast Page Mode DRAM (FPM DRAM), Enhanced DRAM (EDRAM), Extended Data Output RAM (EDO RAM), Extended Data Output DRAM (EDO DRAM), Burst Extended Data Output DRAM (BEDO DRAM), Single Data Rate Synchronous DRAM (SDR SDRAM), Double Data Rate SDRAM (DDR SDRAM), Direct Rambus DRAM (DRDRAM), or Extreme Data Rate DRAM (XDR DRAM). In some embodiments, the main memory 122 or the storage 128 may be non-volatile; e.g., non-volatile read access memory (NVRAM), flash memory, non-volatile static RAM (nvSRAM), Ferroelectric RAM (FeRAM), Magnetoresistive RAM (MRAM), Phase-change memory (PRAM), conductive-bridging RAM (CBRAM), Silicon-Oxide-Nitride-Oxide-Silicon (SONOS), Resistive RAM (RRAM), Racetrack, Nano-RAM (NRAM), or Millipede memory. The main memory 122 may be based on any of the above described memory chips, or any other available memory chips capable of operating as described herein. In the embodiment shown in FIG. 1C, the processor 121 communicates with main memory 122 via a system bus 150 (described in more detail below). FIG. 1D depicts an embodiment of a computing device 100 in which the processor communicates directly with main memory 122 via a memory port 103. For example, in FIG. 1D the main memory 122 may be DRDRAM.

FIG. 1C depicts the relationship between the main processor 121 and the cache memory 140; in other embodiments, the main processor 121 communicates with cache memory 140 using the system bus 150. Cache memory 140 typically has a faster response time than main memory 122 and is typically provided by SRAM, BSRAM, or EDRAM. In the embodiment shown in FIG. 1D, the processor 121 communicates with various I/O devices 130 via a local system bus 150. Various buses may be used to connect the central processing unit 121 to any of the I/O devices 130, including a PCI bus, a PCI-X bus, a PCI-Express bus, or a NuBus. For embodiments in which the I/O device is a video display 124, the processor 121 may use an Advanced Graphics Port (AGP) to communicate with the display 124 or the I/O controller 123 for the display 124. FIG. 1D depicts an embodiment of a computer 100 in which the main processor 121 communicates directly with I/O device 130b or other processors via HYPERTRANSPORT or RAPIDIO communications technology. FIG. 1D also depicts an embodiment in which local buses and direct communication are mixed: the processor 121 communicates with I/O device 130a using a local interconnect bus while communicating with I/O device 130b directly.

The computing device 100 may include a variety of I/O devices 130a-130n. Input devices may include keyboards, mice, trackpads, and trackballs. Output devices may include video displays, graphical displays, and speakers.

Devices 130a-130n may include a combination of multiple input or output devices, including, e.g., Microsoft KINECT, the Nintendo Wiimote for the WII, the Nintendo WII U GAMEPAD, or the Apple IPHONE. Some devices 130a-130n allow gesture recognition inputs by combining some of the inputs and outputs. Some devices 130a-130n provide facial recognition, which may be used as an input for different purposes including authentication and other commands. Some devices 130a-130n provide voice recognition and voice inputs, including, e.g., Microsoft KINECT, SIRI for the IPHONE by Apple, or Google Now.

Additional devices 130a-130n have both input and output capabilities, including, e.g., haptic feedback devices and touchscreen displays. Touchscreens, multi-touch displays, touchpads, touch mice, or other touch sensing devices may use different technologies to sense touch, including, e.g., capacitive, surface capacitive, projected capacitive touch (PCT), resistive, infrared, waveguide, dispersive signal touch (DST), in-cell optical, surface acoustic wave (SAW), bending wave touch (BWT), or force-based sensing technologies. Some multi-touch devices may allow two or more contact points with the surface, allowing advanced functionality including, e.g., pinch, rotate, scroll, or other gestures. Some touchscreen devices, including, e.g., Microsoft PIXELSENSE or the Multi-Touch Collaboration Wall, may have larger surfaces, such as on a table-top or on a wall, and may also interact with other electronic devices. Some I/O devices 130a-130n, display devices 124a-124n, or groups of devices may be augmented reality devices. The I/O devices may be controlled by an I/O controller 123 as shown in FIG. 1C. Furthermore, an I/O device may also provide storage and/or an installation medium 116 for the computing device 100. In still other embodiments, the computing device 100 may provide USB connections (not shown) to receive handheld USB storage devices. In further embodiments, an I/O device 130 may be a bridge between the system bus 150 and an external communication bus, e.g., a USB bus, a SCSI bus, a FireWire bus, an Ethernet bus, a Gigabit Ethernet bus, a Fibre Channel bus, or a Thunderbolt bus.

In some embodiments, display devices 124a-124n may be connected to the I/O controller 123. Display devices may include, e.g., liquid crystal displays (LCD), thin film transistor LCDs (TFT-LCD), blue phase LCDs, electronic paper (e-ink) displays, or liquid crystal on silicon (LCOS) displays. Display devices 124a-124n may also be 3D displays using, e.g., stereoscopy, polarization filters, or active shutters. Display devices 124a-124n may also be head-mounted displays (HMD). In some embodiments, display devices 124a-124n or the corresponding I/O controllers 123 may be controlled through or have hardware support for the OPENGL or DIRECTX API or other graphics libraries.

In some embodiments, the computing device 100 may include or connect to multiple display devices 124a-124n, which may each be of the same or different type and/or form. As such, any of the I/O devices 130a-130n and/or the I/O controller 123 may include any type and/or form of suitable hardware, software, or combination of hardware and software to support, enable, or provide for the connection and use of multiple display devices 124a-124n by the computing device 100. For example, the computing device 100 may include any type and/or form of video adapter, video card, driver, and/or library to interface, communicate, connect, or otherwise use the display devices 124a-124n. In some embodiments, software may be designed and constructed to use another computer's display device as a second display device 124a for the computing device 100. For example, in one embodiment, an Apple iPad may connect to a computing device 100 and use the display of the device 100 as an additional display screen that may be used as an extended desktop. One ordinarily skilled in the art will recognize and appreciate the various ways and embodiments in which a computing device 100 may be configured to have multiple display devices 124a-124n.

Referring again to FIG. 1C, the computing device 100 may include a storage device 128. Examples of a storage device 128 include a hard disk drive (HDD); an optical drive including a CD, DVD, or Blu-ray drive; a solid-state drive (SSD); a USB flash drive; or any other device suitable for storing data. Some storage devices may include multiple volatile and non-volatile memories, including, e.g., solid state hybrid drives that combine hard disks with solid state cache. Some storage devices 128 may be non-volatile, mutable, or read-only. Some storage devices 128 may be internal and connect to the computing device 100 via a bus 150. Some storage devices 128 may be external and connect to the computing device 100 via an I/O device 130 that provides an external bus. Some storage devices 128 may connect to the computing device 100 via the network interface 118 over a network 104, including, e.g., the Remote Disk for MACBOOK AIR by Apple. Some client devices 100 may not require a non-volatile storage device 128 and may be thin clients or zero clients. Some storage devices 128 may also be used as an installation device 116 and may be suitable for installing software and programs. Additionally, the operating system and the software can be run from a bootable medium, for example, a bootable CD, e.g., KNOPPIX, a bootable CD for GNU/Linux that is available as a GNU/Linux distribution from knoppix.net.

Client device 100 may also install software or applications from an application distribution platform. Examples of application distribution platforms include the App Store for iOS provided by Apple, Inc.; the Mac App Store provided by Apple, Inc.; GOOGLE PLAY for Android OS provided by Google Inc.; the Chrome Webstore for CHROME OS provided by Google Inc.; and the Amazon Appstore for Android OS and KINDLE FIRE provided by Amazon.com, Inc. An application distribution platform may facilitate installation of software on a client device 102. An application distribution platform may include a repository of applications on a server 106 or a cloud 108, which the clients 102a-102n may access over a network 104. An application distribution platform may include applications developed and provided by various developers. A user of a client device 102 may select, purchase, and/or download an application via the application distribution platform.

Furthermore, the computing device 100 may include a network interface 118 to interface to the network 104 through a variety of connections including, but not limited to, standard telephone lines, LAN or WAN links (e.g., 802.11, T3, Gigabit Ethernet, Infiniband), broadband connections (e.g., ISDN, Frame Relay, ATM, Gigabit Ethernet, Ethernet-over-SONET, ADSL, VDSL, BPON, GPON, fiber optical including FiOS), or some combination of any or all of the above. Connections can be established using a variety of communication protocols (e.g., TCP/IP, Ethernet, ARCNET, SONET, SDH, Fiber Distributed Data Interface (FDDI), IEEE 802.11a/b/g/n/ac, CDMA, GSM, WiMax, and direct asynchronous connections). In one embodiment, the computing device 100 communicates with other computing devices 100' via any type and/or form of gateway or tunneling protocol, e.g., Secure Socket Layer (SSL) or Transport Layer Security (TLS), or the Citrix Gateway Protocol manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Fla. The network interface 118 may comprise a built-in network adapter, network interface card, PCMCIA network card, EXPRESSCARD network card, card bus network adapter, wireless network adapter, modem, or any other device suitable for interfacing the computing device 100 to any type of network capable of communication and performing the operations described herein.

A computing device 100 of the sort depicted in FIGS. 1B and 1C may operate under the control of an operating system, which controls scheduling of tasks and access to system resources. The computing device 100 can be running any operating system, such as any of the versions of the MICROSOFT WINDOWS operating systems, the different releases of the Unix and Linux operating systems, any version of the MAC OS for Macintosh computers, any embedded operating system, any real-time operating system, any proprietary operating system, any operating system for mobile computing devices, or any other operating system capable of running on the computing device and performing the operations described herein. Typical operating systems include, but are not limited to: WINDOWS 2000, WINDOWS Server 2012, WINDOWS CE, WINDOWS Phone, WINDOWS XP, WINDOWS VISTA, and WINDOWS 7, all of which are manufactured by Microsoft Corporation of Redmond, Wash.; MAC OS and iOS, manufactured by Apple, Inc. of Cupertino, Calif.; Linux, a freely available operating system, e.g., the Linux Mint distribution ("distro") or Ubuntu, distributed by Canonical Ltd. of London, United Kingdom; Unix or other Unix-like derivative operating systems; and Android, designed by Google of Mountain View, Calif., among others. Some operating systems, including, e.g., the CHROME OS by Google, may be used on zero clients or thin clients, including, e.g., CHROMEBOOKS.

The computer system 100 can be any workstation, telephone, desktop computer, laptop or notebook computer, netbook, ULTRABOOK, tablet, server, handheld computer, mobile telephone, smartphone or other portable telecommunications device, media playing device, gaming system, mobile computing device, or any other type and/or form of computing, telecommunications, or media device that is capable of communication. The computer system 100 has sufficient processor power and memory capacity to perform the operations described herein. In some embodiments, the computing device 100 may have different processors, operating systems, and input devices consistent with the device. The Samsung GALAXY smartphones, e.g., operate under the control of the Android operating system developed by Google, Inc. GALAXY smartphones receive input via a touch interface.

In some embodiments, the computing device 100 is a gaming system. For example, the computer system 100 may comprise a PLAYSTATION 3, PERSONAL PLAYSTATION PORTABLE (PSP), or PLAYSTATION VITA device manufactured by the Sony Corporation of Tokyo, Japan; a NINTENDO DS, NINTENDO 3DS, NINTENDO WII, or NINTENDO WII U device manufactured by Nintendo Co., Ltd., of Kyoto, Japan; or an XBOX 360 device manufactured by Microsoft Corporation of Redmond, Wash.

In some embodiments, the computing device 100 is a digital audio player such as the Apple IPOD, IPOD Touch, and IPOD NANO lines of devices, manufactured by Apple Computer of Cupertino, Calif. Some digital audio players may have other functionality, including, e.g., a gaming system or any functionality made available by an application from a digital application distribution platform. For example, the IPOD Touch may access the Apple App Store. In some embodiments, the computing device 100 is a portable media player or digital audio player supporting file formats including, but not limited to, MP3, WAV, M4A/AAC, Protected AAC, and the Apple Lossless audio file format.

In some embodiments, the computing device 100 is a tablet, e.g., the IPAD line of devices by Apple; the GALAXY TAB family of devices by Samsung; or the KINDLE FIRE by Amazon.com, Inc. of Seattle, Wash. In other embodiments, the computing device 100 is an eBook reader, e.g., the KINDLE family of devices by Amazon.com, or the NOOK family of devices by Barnes & Noble, Inc. of New York City, N.Y.

In some embodiments, the communications device 102 includes a combination of devices, e.g., a smartphone combined with a digital audio player or portable media player. For example, one of these embodiments is a smartphone, e.g., the IPHONE family of smartphones manufactured by Apple, Inc.; a Samsung GALAXY family of smartphones manufactured by Samsung, Inc.; or a Motorola DROID family of smartphones. In yet another embodiment, the communications device 102 is a laptop or desktop computer equipped with a web browser and a microphone and speaker system, e.g., a telephony headset. In these embodiments, the communications devices 102 are web-enabled and can receive and initiate phone calls. In some embodiments, a laptop or desktop computer is also equipped with a webcam or other video capture device that enables video chat and video calls.

In some embodiments, the status of one or more machines 102, 106 in the network 104 is monitored, generally as part of network management. In one of these embodiments, the status of a machine may include an identification of load information (e.g., the number of processes on the machine, CPU and memory utilization), of port information (e.g., the number of available communication ports and the port addresses), or of session status (e.g., the duration and type of processes, and whether a process is active or idle). In another of these embodiments, this information may be identified by a plurality of metrics, and the plurality of metrics can be applied at least in part towards decisions in load distribution, network traffic management, and network failure recovery, as well as any other aspects of the operations described herein. Aspects of the operating environments and components described above will become apparent in the context of the systems and methods disclosed herein.

B.

Systems and methods of the present disclosure can be used to identify networks and systems infected by unknown attacks. For example, a network security monitor of the present disclosure can detect threats known as advanced persistent threats (APTs) and thereby provide network security. APTs can persist in networks for extended periods of time (e.g., many days, weeks, or months). APTs can access and retrieve data and cause extensive damage to networks, which may result in information theft.

An illustrative system of the present disclosure includes or interacts with a protected network, an APT intelligence platform (or network security monitor), a database, and a communication method. The network security monitor can protect the protected network, which may be a network over which information is exchanged and stored. The network security monitor can alert network operators about threats to the protected network or about attempts by outside parties to penetrate it. In particular, the network security monitor can alert network operators of any APTs, current or previous, that may be attempting to compromise the security of the network.

The network security monitor, or APT intelligence platform, detects any APTs that are present in the network or attempting to infiltrate it. The network security monitor may be a computing device, a server, one or more processors, an application, or a specialized algorithm that combines or invokes multiple functionalities to detect APTs on information networks. The APT intelligence platform may include one or more of the following components: a log collector, a log indexer, a log correlation engine, and a report generator. The log collector receives system logs from the protected network, and the network security monitor analyzes these system logs, which may have been generated by the protected network. The system logs can be sent to the APT intelligence platform through a secure network connection.

The log indexer organizes the system logs that the protected network provides to the network security monitor. The system logs may include a variety of logs, such as general system logs, network security logs like those generated by IDSs or IPSs, and logs created by anti-virus software. The network security monitor organizes these logs so that they can be compared with extensive lists of threat indicators to determine whether the protected network has been infected by APTs. Indexing the logs increases the efficiency of the system and reduces the computing resources required to run it.

The network security monitor may include a log correlation engine that takes the logs from the protected network, once indexed by the log indexer, and compares them with the database of threat indicators. The log correlation engine may include a specially designed heuristic algorithm that searches through the logs from the protected network and simultaneously compares them with the threat indicator lists. The log correlation engine may search for correlations or similarities between the logs from the protected network and the threat indicator lists.

When the log correlation engine detects a similarity, it initiates the report engine to create a threat report, which can be sent to network operators (e.g., for display on a display device communicatively coupled to the network security monitor). The report engine generates and compiles reports that inform network operators of the possibility that an APT is present in their network. The report engine generates the report from the correlations and similarities found by the log correlation engine, and illustrates these similarities in the report so that network operators can identify or determine the nature of the APTs potentially affecting their protected network. The report engine can deliver the report to network operators via the protected network or an external network.

The network security monitor may include or have access to a database. The database can be stored on a memory stick, hard drive, storage device, or any other computer-readable medium, and may contain threat indicator lists. The log correlation engine uses the threat indicator lists to detect APTs by comparing them with the system logs provided by the protected network. The log correlation engine can detect potential APTs by analyzing their behavior and patterns within the system; these patterns may not be obvious, but can be identified by the engine's analysis. One or more threat indicators can identify APTs in different ways, from different perspectives, and of different types. The threat indicators may include IP addresses, malicious code samples, and IPS signatures. The log correlation engine uses these indicators to detect the presence of APTs within the protected network.
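The log indexer, log correlation engine, and report engine described in the preceding paragraphs can be illustrated with a small worked example. The Python code below is an added example written for this page; it is not code from the patent or from Crypteia Networks, and the log lines, indicator values, hostnames, and report layout are constructed for the illustration. It indexes a few heterogeneous log lines (a firewall line, a Snort-style IDS alert, and an anti-virus detection) into an inverted index keyed by indicator type (IP address, SHA-256 hash of a malicious sample, IPS signature id), looks each entry of the threat indicator lists up in that index rather than rescanning the logs per indicator, and renders a report that groups the matching log lines under each indicator for the operator.

```python
import re
from collections import defaultdict

# Indicator extractors. The text names IP addresses, malicious code samples and IPS
# signatures as indicator types; here those are IPv4 addresses, SHA-256 hashes and
# Snort/Suricata-style [gid:sid:rev] alert identifiers (the sid is the signature id).
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
IDS_SIG_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")
# Generic "timestamp host program" syslog prefix shared by all three log sources.
SYSLOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[^:\[\s]+)")

# Constructed sample logs standing in for what a protected network would forward:
# a firewall line, an IDS alert and an anti-virus detection. Not from a real incident.
EVIL_SHA256 = "0123456789abcdef" * 4
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.12 DST=203.0.113.45 DPT=443",
    "2024-05-01T10:02:15Z ids01 snort[1234]: [1:2013028:3] ET TROJAN Possible Beacon 10.0.0.12 -> 203.0.113.45",
    f"2024-05-01T10:03:40Z av01 clamd: /home/u/dl/invoice.exe: Win.Trojan.Generic FOUND sha256={EVIL_SHA256}",
    "2024-05-01T10:05:00Z fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=198.51.100.9 DPT=80",
]

# Constructed threat indicator lists keyed by type, as the database would hand them to
# the correlation engine. 192.0.2.200 never appears in the logs and must not match.
THREAT_INDICATORS = {
    "ip": {"203.0.113.45", "192.0.2.200"},
    "sha256": {EVIL_SHA256},
    "ips_sig": {"2013028"},
}

def index_logs(lines):
    """Log indexer: parse each line once and build index[type][value] -> line numbers."""
    index = defaultdict(lambda: defaultdict(list))
    records = []
    for n, line in enumerate(lines):
        m = SYSLOG_RE.match(line)
        records.append({"line": n, "ts": m.group("ts") if m else None,
                        "host": m.group("host") if m else None, "raw": line})
        for ip in set(IPV4_RE.findall(line)):
            index["ip"][ip].append(n)
        for digest in set(SHA256_RE.findall(line.lower())):
            index["sha256"][digest].append(n)
        for _gid, sid, _rev in IDS_SIG_RE.findall(line):
            index["ips_sig"][sid].append(n)
    return records, index

def correlate(index, indicators):
    """Log correlation engine: look every indicator up in the index; cost is per indicator, not per log line."""
    hits = {}
    for itype, values in indicators.items():
        for value in values:
            lines = index.get(itype, {}).get(value)
            if lines:
                hits[(itype, value)] = sorted(set(lines))
    return hits

def build_report(records, hits):
    """Report engine: group the matching log lines under each indicator for the operator."""
    if not hits:
        return "No threat indicators matched."
    out = [f"{len(hits)} indicator(s) matched"]
    for (itype, value), lines in sorted(hits.items()):
        out.append(f"- {itype} {value}: {len(lines)} log line(s)")
        for n in lines:
            rec = records[n]
            out.append(f"    [{rec['ts']} {rec['host']}] {rec['raw']}")
    return "\n".join(out)

def scan(lines, indicators):
    """Full pipeline: index the logs, correlate against the indicator lists, render the report."""
    records, index = index_logs(lines)
    hits = correlate(index, indicators)
    return hits, build_report(records, hits)

if __name__ == "__main__":
    print(scan(SAMPLE_LOGS, THREAT_INDICATORS)[1])
```

Running `scan` over the sample logs reports three matched indicators: the IP 203.0.113.45 (seen in both the firewall line and the IDS alert, which is the kind of cross-source correlation the text describes), the IDS signature 2013028, and the SHA-256 hash of the detected sample. The benign second firewall line contributes nothing, and the indicator 192.0.2.200 yields no hit because it is absent from the index.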

The threat indicator lists in the database can be updated by the network security monitor. To update the threat indicator lists, the network security monitor can crowd source threat information from an external network (e.g., via the Internet). Crowdsourcing threat information allows the network security monitor to use threat identification lists contributed by members of the public, and this information can be used to detect different APTs. For example (see FIG. 9), the network security monitor can access private and open source threat intelligence repositories, including repositories of IP addresses, malicious code samples, and IPS signatures, through an Internet connection. The network security monitor can aggregate and store the threat intelligence in a database infrastructure (e.g., a fileserver or file system) using a threat intelligence format or schema that organizes the aggregated threat information and keeps it manageable and easily maintained. The network security monitor can use the schema to normalize the threat intelligence.

The network security monitor uses a threat intelligence schema or format to organize the threat intelligence, which makes the threat intelligence database easy to maintain and manage. The threat intelligence schema or format applies to threat indicators aggregated from different private and open-source threat intelligence repositories, including, e.g., IP addresses, malware samples and other malicious code samples, and IPS signatures, so that they can be structured and expressed for consumption by the log correlation engine. The threat intelligence schema or format can thus be used to transform the threat information gathered by an aggregator into structured information that is ready for use by the log correlation engine.

In an example, a threat intelligence aggregator of the network security monitor makes connections to private and open source threat information repositories over the Internet using protocols such as HTTP, FTP, or P2P. The aggregator is provided with configuration details that allow access to each repository; these can include the URL of the repository, the information transfer protocol, and/or authentication credentials as specified by the vendor of the repository. Once the aggregator has gathered the threat intelligence, the network security monitor passes the aggregated threat information to the normalizer. The normalizer identifies the threat intelligence schema or format and transforms the aggregated generic threat information into structured information that is ready for the log correlation engine. The schema or format can be modified or updated as new threat intelligence repositories become accessible to the aggregator, so that the normalizer can properly format the intelligence from each repository. The network security monitor may store the normalized threat information in the threat intelligence database.
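The aggregator, normalizer, and threat intelligence schema described in the preceding three paragraphs can be illustrated as follows. This Python code is an added example for this page, not code from the patent or from Crypteia Networks. The repository profiles (URLs, protocols, credentials) are hypothetical and nothing is fetched over the network; the raw feed contents stand in for what the aggregator would have retrieved and are constructed here, as is the four-field schema. Each repository format gets a small adapter, every value is validated and canonicalized (IP addresses parsed, hashes lower-cased and length-checked, signature ids reduced to the bare sid), timestamps are normalized to ISO 8601 UTC, duplicates across entries are collapsed to the earliest sighting, and malformed entries are rejected and reported rather than silently stored. The result is the set of per-type indicator lists that a log correlation engine consumes.

```python
import csv
import io
import ipaddress
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

ISO = "%Y-%m-%dT%H:%M:%SZ"
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

@dataclass(frozen=True)
class Indicator:
    """One row of the normalized schema (an assumed schema, not the patent's)."""
    type: str        # "ip", "sha256" or "ips_sig"
    value: str       # canonical form: normalized IP text, lowercase hash, bare sid
    source: str      # repository the indicator was aggregated from
    first_seen: str  # ISO 8601 UTC

# Repository profiles the aggregator would use (URL, protocol, feed format, credentials).
# All hypothetical; this example never opens a network connection.
REPOSITORIES = {
    "open-ip-blocklist": {"url": "https://feeds.example.org/ips.csv", "protocol": "https", "format": "csv-ip", "auth": None},
    "vendor-hashes": {"url": "https://api.example.com/v1/samples", "protocol": "https", "format": "json-hash", "auth": {"api_key": "<redacted>"}},
    "ids-rule-share": {"url": "ftp://share.example.net/sids.txt", "protocol": "ftp", "format": "sid-list", "auth": None},
}

# Constructed raw feed contents standing in for what the aggregator fetched. They contain a
# duplicate IP with stray whitespace, an upper-case hash, a malformed hash and a repeated sid.
FETCHED = {
    "open-ip-blocklist": "ip,first_seen\n203.0.113.45,2024-04-30\n 203.0.113.45 ,2024-04-29\n198.51.100.77,2024-04-28\n",
    "vendor-hashes": json.dumps({"samples": [{"sha256": "0123456789ABCDEF" * 4, "seen": 1714521600},
                                             {"sha256": "not-a-hash", "seen": 1714521600}]}),
    "ids-rule-share": "# shared sids\n2013028\n2013028\n2024897\n",
}

# One adapter per feed format. Each yields (type, raw value, raw first-seen or None).
def _csv_ip(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield "ip", row["ip"], row.get("first_seen")

def _json_hash(text):
    for sample in json.loads(text)["samples"]:
        yield "sha256", sample["sha256"], sample.get("seen")

def _sid_list(text):
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield "ips_sig", line, None

ADAPTERS = {"csv-ip": _csv_ip, "json-hash": _json_hash, "sid-list": _sid_list}

def canonicalize(itype, raw):
    """Validate a raw value and return its canonical form; raise ValueError if malformed."""
    raw = raw.strip()
    if itype == "ip":
        return str(ipaddress.ip_address(raw))          # raises ValueError on bad input
    if itype == "sha256":
        if not SHA256_RE.match(raw.lower()):
            raise ValueError(f"not a sha256: {raw!r}")
        return raw.lower()
    if itype == "ips_sig":
        if not raw.isdigit():
            raise ValueError(f"not a sid: {raw!r}")
        return str(int(raw))                             # drops leading zeros
    raise ValueError(f"unknown indicator type {itype!r}")

def to_iso_utc(value, fallback):
    """Normalize a feed timestamp (epoch seconds, date or datetime string) to ISO 8601 UTC."""
    if value is None or value == "":
        return fallback
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc).strftime(ISO)
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime(ISO)

def normalize(repos, fetched, fetched_at):
    """Merge raw feeds into schema rows (earliest first_seen per key); return (rows, rejected)."""
    merged, rejected = {}, []
    for name, profile in repos.items():
        adapter = ADAPTERS[profile["format"]]
        for itype, raw, seen in adapter(fetched[name]):
            try:
                value = canonicalize(itype, raw)
                first_seen = to_iso_utc(seen, fetched_at)
            except ValueError as err:
                rejected.append((name, str(err)))   # surfaced, not silently dropped or stored
                continue
            key = (itype, value, name)
            if key not in merged or first_seen < merged[key].first_seen:
                merged[key] = Indicator(itype, value, name, first_seen)
    return sorted(merged.values(), key=lambda i: (i.type, i.value, i.source)), rejected

def as_indicator_lists(indicators):
    """Per-type value sets, the shape a log correlation engine would match log fields against."""
    lists = {}
    for ind in indicators:
        lists.setdefault(ind.type, set()).add(ind.value)
    return lists
```

The `fetched_at` argument to `normalize` is the time of the aggregation run and is only used when a feed carries no sighting date of its own, as the plain sid list does. Adding a repository in a new format means adding one adapter and one profile entry; the schema and the correlation engine are untouched, which is the maintainability point the text makes about the normalizer.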

“The network security monitor may use one or more communication methods to send a report to the network operators of the protected networks or to other entities. Any type of modern communication can be used, including electronic mail, instant messaging, SMS, notifications and push alerts. Network operators may receive the report on a variety of modern computing devices such as tablet computers, smart phones, notebook computers, mobile telecoms devices and smart watches.

Referring to FIG. 2, a block diagram showing an embodiment of a system 200 with a network security monitor is displayed. The system 200 includes a network security monitor 120 ("NSM") that can send and receive data via a protected network 204 and/or an external network 104. One or more clients 102a-n and/or one or more servers 106a-n that can access the protected network 204 may be part of the system. Security intelligence repositories 202a-n, such as crowd-sourced threat intelligence providers and third-party threat information providers, may be included in the system. The network security monitor 120 can include an interface 205 that allows access to the protected network 204 and the external network 104; interface 205 can also facilitate communication or interaction between the modules, engines or databases of the network security monitor 120. The network security monitor 120 may include a log collector 210 that collects logs from the protected network, and a log indexer 215 that indexes the logs collected by the log collector 210. It may include a log correlation engine 225 that compares the logs with threat intelligence stored in the database 240. The database 240 can store logs and threat intelligence, schemas, reports and profiles (e.g. configuration details for accessing a repository). An aggregator 220 may obtain threat intelligence information from one or more repositories, and a normalizer 235 normalizes the aggregated threat data. A report engine 230 may be part of the network security monitor; it generates a report on whether or not a threat has been detected in the protected network and communicates it to clients 102a-n via the protected network 204, or to any other entity.

“The network security monitor 120 may include the interface 205, log collector 210, log indexer 215, aggregator 220, log correlation engine 225, report engine 230, normalizer 235 and database 240. Each of these can contain one or more processing units or other logic devices, such as programmable arrays, engines, modules or circuitry, that facilitate managing security on a network’s infrastructure.

“The network security monitor 120 also includes an interface 205. Interface 205 can be constructed and designed to allow communication via the external network or the protected network. Protected network 204 can refer to a private network, that is, the network that the network security monitor 120 is trying to protect or monitor, such as an intranet or company network. Interface 205 can be used to communicate with an external network 104 such as the World Wide Web. Interface 205 can facilitate communication or interaction between one or more components or modules of the tool 120 or their associated components, such as the log collector 210, log indexer 215, aggregator 220, log correlation engine 225, report engine 230, normalizer 235 or database 240. Interface 205 can interface directly with the modules or with networks 104 or 204, or it may communicate with them via an intermediary device or application programming interface.

“The network security monitor 120 could include a log collector 210 that is designed and built to collect logs. Log collector 210 can receive logs via interface 205 or another interface of the log collector 210. Log collector 210 can securely receive logs from protected network 204 (e.g. an encrypted network, password protected network or access restricted network). Log collector 210 can request, retrieve or otherwise obtain logs from protected network 204 that indicate the status of the protected network. Logs can indicate activity on protected network 204, including traffic, threats, emails, authentication, authorization and accounting (AAA), VPN and access control information. Logs may contain information about the network activity, such as device identifiers, domains, time stamps, log identifiers and the severity of log events, as well as the session source port, session destination IP and URL. Tables 1-8 show examples of the information that log collector 210 can obtain.

The log collector 210 may obtain logs based on a time interval. In some embodiments the log collector 210 receives logs continuously, for example as they are created. In other embodiments the log collector 210 receives logs according to a time interval, or as a batch process (e.g. multiple logs stored within one or more data files). For example, log collector 210 may receive logs every hour, every 24 hours, every two weeks, or at any other time interval set by the administrator of the network security monitor 120 that allows the administrator to manage the security of the protected network 204. In some embodiments, the network security monitor 120 receives logs in response to a request for logs.

“The log collector 210 may request logs from agents executing on protected network 204, such as a monitoring agent. A monitoring agent may execute on a server 106a-n or client 102a-n of the protected network 204. A monitoring agent could include an antivirus tool, a network security element, an intrusion prevention system or an intrusion detection system. In some instances the log collector 210 can obtain network information from vulnerability assessment tools (e.g. the Open Vulnerability Assessment System (OpenVAS)), a framework that contains several tools and services offering vulnerability scanning and management solutions. The monitoring agent may create one or more logs, including general system logs and network security logs.

Logs may be received by the log collector 210 in any format that contains information about network activity on the protected network 204. In some instances log files can be plain text, comma delimited, binary or spreadsheets. A comma-delimited text file can include headers for each column. Depending on the monitoring agent’s preference, a log folder may be created that contains several log files, for example one file per day in some embodiments. The log files can be named MMDDYYYY.log, where MMDDYYYY is the date of the log entries.

“In some embodiments, the monitoring agents may store log files in a predetermined directory on a client or server of the protected network. Log collector 210 can access the directory according to a time interval (e.g. periodically, upon request or at another time interval) to determine whether there are any new or updated logs. The log collector 210 may retrieve logs and store them in database 240. Log collector 210 can store logs from all previous periods and aggregate logs by type. It may also delete logs after a certain time period.

The log indexer 215 may be part of the network security monitor. It is designed to organize logs collected by the log collector 210. Logs can come from different sources, including general system logs, network security logs and logs created by IDSs and IPSs. Log indexer 215 can organize logs so that they can be compared with large lists of threat indicators to determine whether the protected network has been infected. The network security monitor 120 can index the logs provided to it and use the index to increase efficiency: it compares logs with the appropriate lists of threat indicators, which reduces the computing resources required by the network security monitor.

The log indexer 215 may either receive logs from the log collector 210 or access the database 240 to retrieve them after the log collector 210 has deposited the logs in the database 240. The log indexer can index logs based on threat indicators. Log indexer 215 has a log normalization schema, which allows the log indexer to manage logs from various types of devices, collectors and tools. Each monitoring agent might use a different log representation, so it is important to index all received logs using the same log format or schema. This increases the efficiency of the log correlation engine 225.

The log indexer 215 can analyze and process received logs in order to identify the type of log (e.g. threat logs, traffic logs, email logs, authentication logs, etc.). The log indexer 215 can then index the log according to its type (e.g. threat log) and organize the data or parameters using a log format. Log indexer 215 can index logs from the past as well as new logs received from the log collector 210. Log indexer 215 can index logs as they arrive, or may run a batch process that indexes logs based on a time interval (e.g. hourly, daily or any other time period that allows the security of the network to be managed).

The following Tables 1-8 show examples of a log format/schema used by the log indexer 215 to organize, index and normalize logs that are received from the log collector 210 or stored in the database 240. The type of log may dictate which format or schema the log indexer 215 uses, and the log indexer 215 may use that format or schema for all received logs of the same type. Table 1 shows an example of a schema or log format for mapping received logs to indexed threat logs. Table 2 shows an example schema or log format for mapping received logs to indexed traffic logs. Table 3 shows an embodiment of a schema or log format for mapping received logs to indexed email logs. Table 4 illustrates a schema or log format for indexed performance logs. Table 5 illustrates a schema or log format for mapping received logs to indexed AAA logs. Table 6 illustrates a schema or log format for indexed VPN logs, Table 7 one for indexed access control logs, and Table 8 lists the standard fields that are always present in an indexed log.

“TABLE 1
Threat Log Mapping
Field Name | Field Description
@timestamp | Time stamp of the event
Devname | ID of the device
Devid | Name of the device
Domain | Name of the virtual device
Logid | ID of the event
Type (threat) | Type of the event
Subtype (anomaly, virus, signature) | Subtype of the event
level | Severity of the event
srcport | Source port of the session
srcip | Source IP of the session
srcintf | Source interface of the session
dstintf | Destination interface of the session
dstip | Destination IP of the session
dstport | Destination port of the session
service | Service of the session
sessionid | Session ID
policyid | Identification number of the policy
identidx | Authentication policy ID
user | Identified user of the session
group | Identified user’s group of the session
profile | Security profile that recognizes the threat
proto |
Status (blocked, passthrough, monitored, analytics, detected, dropped, reset) | Action performed for the current threat
attackname | Name of the threat
ref | Reference URL
file | Name of the file infected
checksum | Checksum of the file infected
quarskip | Quarantine action
url | Source URL of the threat (malware)
from | Sender’s email address in case of threat through email
to | Recipient’s email address in case of threat through email
severity | Severity of the threat
count | Number of packets
attackid | Identification of the threat
incidentserialno | Incident serial number”

“TABLE 2
Traffic log mapping
Field Name | Field Description
@timestamp | Timestamp of the event
Devname | Name of the system
Devid | Unique identification number of the system
Logid | Log identification number
Type | Type of the event (value: traffic)
Subtype | Subtype of the event
Domain | Virtual domain of the system
Level | Severity of the event
Srcport | Source port of the session
Srcip | Source IP of the session
Srcintf | Source interface of the session
Dstintf | Destination interface of the session
Dstip | Destination IP of the session
Dstport | Destination port of the session
Srccountry | Source country
Dstcountry | Destination country
Policyid | Identification number of the security policy traffic passthrough
Identidx | Identity-based policy identification number
Sessionid | Serial number of the session
Service | Service of the session
User | Identified user of the session
group | Identified user’s group of the session
applist | Application sensor that recognizes the application
status | Status of the traffic session
appid | Identification number of the application
app | Name of the application
appcat | Category of the application
duration | Duration of session in seconds
sentbyte | Number of sent bytes
rcvdbyte | Number of received bytes
totalbytes | Total bytes
sentpkt | Number of sent packets
rcvdpkt | Number of received packets
trandisp | Type of NAT
tranip | Translated IP in NAT mode
transip | Translated source IP in NAT mode
tranport | Translated port
transport | Translated source port
proto | IP protocol”

“TABLE 3
Email log mapping
Field Name | Field Description
@timestamp | Timestamp of event
Devid | ID of the device
Devname | Name of the device
Domain | Name of the virtual device
Logid | ID of the event
Type (email) | Type of the event
Subtype (spam, regular) | Subtype of the event
level | Severity of the event
Srcport | Source port of the session
Srcip | Source IP of the session
Srcintf | Source interface of the session
Dstintf | Destination interface of the session
Dstip | Destination IP of the session
Dstport | Destination port of the session
service | Service of the session
sessionid | ID of the session
policyid | ID of the policy
identidx | ID of the identification policy
user | Name of the user
group | Name of the group to which user belongs
profile | Name of the security profile
Status (detected, blocked, exempted) | Status of the action taken
from | Sender of the email
to | Recipient of the email
msg | Information related to the spam mechanism
subject | Subject of the email
size | Size of the email
cc | CC of the email
Attachment (yes, no) | Whether the email includes an attachment”

“TABLE 4
Performance log mapping
Field Name | Field Description
@timestamp | Timestamp of event
Devid | ID of the device
Devname | Name of the device
Domain | Name of the virtual device
Logid | ID of the event
Type (perf) | Type of the event
Subtype (sys) | Subtype of the event
cpu | Percentage of CPU usage
mem | Percentage of memory usage
totalsession | Total number of system’s sessions”

“TABLE 5
AAA (authentication, authorization and accounting) log mapping
Field Name | Field Description
@timestamp | Timestamp of the event
Devname | Unique identification number of the system
Devid | Log identification number
Logid | Type of the event (value: traffic)
Type (aaa) | Subtype of the event
Subtype (authen, author, acc) | Virtual domain of the system
domain | Virtual domain of the system
level | Severity of the event
Scope (local, ssl-web) | Authentication scope
Action (login, logout) | Action
srcport | Source port of the session
dstport | Destination port
srcip | Source IP
Status (success, failed) | Whether the AAA succeeded or failed
profile | User profile
duration | Duration
reason | Reason for failure
user | User
group | Group
tunnelid | Identification of the tunnel”

“TABLE 6
VPN log mapping
Field Name | Field Description
@timestamp | Timestamp of the event
@id | Identification of the event
logid | Log identification number
Level | Severity of the event
Type (vpn) | Type of the event (value: traffic)
Subtype (ssl, ipsec) | Subtype of the event
devid | Unique identification number of the system
devname | Name of the system
vdev | Virtual domain of the system
tunnelid | Tunnel ID
remoteip | Remote IP
tunnelip | Tunnel IP
Status (up, down) |
user | User
group | Group
sentbyte | Sent byte
rcvdbyte | Receive byte
duration | Duration
reason | Reason
tunneltype | Tunnel type”

“TABLE 7
Access Control log mapping
Field Name | Field Description
@timestamp | Timestamp of the event
devname | ID of the device
devid | Name of the device
domain | Name of the virtual device
logid | ID of the event
Type (acc. ctrl) | Type of the event
Subtype (app, web) | Subtype of the event
level | Severity of the event
srcport | Source port of the session
srcip | Source IP of the session
Srcintf | Source interface of the session
Dstintf | Destination interface of the session
Dstip | Destination IP of the session
Dstport | Destination port of the session
Service | Service of the session
Sessionid | ID of the session
Policyid | ID of the security policy
Identidx | ID of the identification policy
User | Identified user of the session
Group | Identified user’s group of the session
profile | Security profile that catches the application
proto | Protocol number in IPv4 packets
Status (pass, block, reset, reject, passthrough, monitor) | Status of the action taken
app | Application name
appid | Application ID
count | Number of packets
hostname | Hostname of the destination
url | URL of the destination
Reqtype (direct, referral) | HTTP request type
method | Method used
sentbyte | Sent bytes
rcvdbyte | Received bytes
cat | Category of the application
catdesc | Description of the category”

“TABLE 8
Accumulated Standard fields mapping
Category | Fields
Standard fields (always present) | @timestamp, @id, @srcevent, Devid, Logid, Type, Subtype, Level”

“The network security monitor 120 could include an aggregator 220 designed and built to receive, retrieve or otherwise obtain threat intelligence from one or several repositories. The aggregator 220 can access one or more threat repositories through the external network 104, such as security intelligence repositories 202a-n, using protocols such as HTTP, FTP and P2P. The aggregator 220 can obtain configuration details from database 240, including the URLs of repositories 202a-n, the information transmission protocol and authentication credentials. The connection allows the aggregator 220 to periodically ping, receive or otherwise obtain the most current information from the security intelligence resources or databases 202a-n. This information can be provided by security communities or crowd-sourced and accessed via the external network 104. The network security monitor 120 may determine whether the information is current by identifying whether it has been time stamped or flagged. In some instances the network security monitor 120 can receive a real time data feed of security information. Crowd-sourced information can take many forms, including vulnerabilities and exploits, signatures, MD5s, IP reputation, domain reputation and traffic patterns, from public and private repositories such as CERTs, TOR forums, social networking feeds, security vendors, academia, private security researchers, Metasploit and ExploitDB.

A vulnerability could refer to a software, hardware, firmware or other weakness in the protected network 204, a system, or a component thereof. Such a weakness might allow an adversary to violate the confidentiality, availability and integrity of the system, its processes/applications, and the data the system generates and manages. A vulnerability in network security could refer to a weakness of a station or device that could allow unauthorised intrusion into the network. Social engineering techniques can also exploit human vulnerabilities regarding information security sensitivity. There are many vulnerability schemes and registries in the security industry, created and maintained by different organizations, research institutions and enterprises. For example, such registries include the CERT Advisories maintained at Carnegie Mellon University of Pittsburgh, Pa., the CVE scheme maintained by MITRE Corporation of Bedford, Mass., and the Bugtraq vulnerability listing maintained by Security Focus of SYMANTEC Co. of Mountain View, Calif. Public vulnerability registries regarding the products that various entities, corporations and software companies create may be maintained on their web sites. The network security monitor 120 can, in various configurations, be set up to access, look up, process, analyze or otherwise obtain and use information from one or more vulnerability lists or registries in one or several formats, standards or schemes. The network security monitor 120 can, for example, be set up to use the CVE vulnerability schema created by MITRE Corporation via the aggregator 220. In some cases, however, the tool may be used without a vulnerability scheme.

An exploit can be a piece of software, a chunk of data or a sequence of commands that takes advantage of a bug, a vulnerability, or any combination thereof, to cause unintended or unexpected behavior in computer software or hardware. This behavior could be used to take control of a system and allow privilege escalation or denial-of-service attacks. Signatures may refer to the attack patterns used with the tool. Signatures or patterns can be used to identify attacks at the network level, at a network node, or at the host level on a networked device.

“The aggregator 220 has access to the security intelligence repositories and resources 202a-n, which allows it to update the threat indicator lists in the database 240. The aggregator 220 can use the external network 104 to crowdsource threat information in order to update the threat indicator lists from open and private threat intelligence repositories, including IP addresses, malicious code samples and IPS signatures. The network security monitor may aggregate and store threat intelligence in a database infrastructure (e.g. file server, file system) using a threat intelligence format/schema that organizes the aggregated threat information and keeps it manageable and maintainable.

“In certain embodiments, the aggregator 220 can access multiple heterogeneous security information repositories 202a-n to retrieve threat intelligence. These repositories can be called heterogeneous because they offer different types of threat information (e.g., IP addresses, malware code and malicious code, as well as IPS signatures) in different formats or in unstructured form. The aggregator 220 can access configuration details and a profile in the database 240 to gain access to the security intelligence repositories 202a-n. Access credentials, which allow the aggregator access to the threat intelligence, can include a username, password or token. The configuration details and credentials of some or all of the repositories may be included in the profile stored in database 240. In some embodiments, the aggregator 220 may keep an open connection to one or more repositories 202a-n in order to continually obtain up-to-date threat intelligence information. In other embodiments, the aggregator 220 may periodically ping one or more repositories 202a-n, or receive push notifications from them, in order to receive new threat intelligence.
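The aggregator and normalizer workflow of the preceding paragraphs, as an added example that is not the patent's or the product's code: two constructed repository payloads in heterogeneous formats are fetched through stored profiles, normalized into one indicator schema by a per-format normalizer, and filtered on their time stamp so that only current intelligence enters the database. The URLs, payloads, format names, the offline fetch stub and the 30-day freshness window are assumptions made for the example.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Two constructed repository payloads in heterogeneous formats (not real
# feeds): a CSV list of IP addresses and a JSON list of malware samples.
REPO_PAYLOADS = {
    "https://repo-a.example/ips.csv": """\
indicator,category,last_seen
203.0.113.44,c2,2024-03-01T09:00:00Z
198.51.100.7,scanner,2023-11-15T00:00:00Z
""",
    "https://repo-b.example/samples.json": json.dumps({
        "generated": "2024-03-01T08:30:00Z",
        "samples": [{"md5": "0123456789ABCDEF0123456789abcdef",
                     "family": "TestFamily"}],
    }),
}

# Profiles such as database 240 would hold: URL, protocol and the format the
# normalizer must apply. Credentials are left out of this offline example.
PROFILES = [
    {"name": "repo_a", "url": "https://repo-a.example/ips.csv",
     "protocol": "HTTP", "format": "csv_ip"},
    {"name": "repo_b", "url": "https://repo-b.example/samples.json",
     "protocol": "HTTP", "format": "json_md5"},
]

# Fixed "current time" so the freshness check below is reproducible.
EXAMPLE_NOW = datetime(2024, 3, 1, 12, tzinfo=timezone.utc)

def parse_ts(text):
    """ISO 8601 with a trailing Z, normalized to an aware UTC datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def normalize_csv_ip(raw, source):
    """csv_ip format: one IP indicator per row, freshness from last_seen."""
    for row in csv.DictReader(io.StringIO(raw)):
        yield {"type": "ip", "value": row["indicator"], "source": source,
               "description": row["category"],
               "observed": parse_ts(row["last_seen"])}

def normalize_json_md5(raw, source):
    """json_md5 format: one hash per sample, freshness from the feed stamp."""
    feed = json.loads(raw)
    observed = parse_ts(feed["generated"])
    for sample in feed["samples"]:
        yield {"type": "md5", "value": sample["md5"].lower(), "source": source,
               "description": sample["family"], "observed": observed}

# The schema/format registry: add an entry when a new repository appears.
NORMALIZERS = {"csv_ip": normalize_csv_ip, "json_md5": normalize_json_md5}

def fetch_offline(profile):
    """Stand-in for the HTTP/FTP fetch; returns the constructed payload."""
    return REPO_PAYLOADS[profile["url"]]

def aggregate(profiles, fetch, now, max_age=timedelta(days=30)):
    """Pull every repository, normalize it and keep only current indicators.

    Returns (database, stale): database maps (type, value) to the normalized
    indicator; stale lists indicators whose time stamp is older than max_age.
    """
    database, stale = {}, []
    for profile in profiles:
        normalize = NORMALIZERS[profile["format"]]
        for ind in normalize(fetch(profile), profile["name"]):
            if now - ind["observed"] > max_age:
                stale.append(ind)
                continue
            database[(ind["type"], ind["value"])] = ind
    return database, stale

if __name__ == "__main__":
    db, old = aggregate(PROFILES, fetch_offline, EXAMPLE_NOW)
    for key in sorted(db):
        print(key, db[key]["source"], db[key]["description"])
    print("stale:", [i["value"] for i in old])
```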
