Using new edges for anomaly detection in computer networks

Neil, Joshua Charles

Advanced Search OptionsAdvanced Search queries use a traditional Term Search. For more info, see our FAQ.

All Fields:

Patent Title:

Abstract:

Assignee:

Inventor(s):

Patent Number:

Patent Classification (CPC):

All Classifications
A - human necessities
A01 - agriculture
A21 - baking
A22 - butchering
A23 - foods or foodstuffs
A24 - tobacco
A41 - wearing apparel
A42 - headwear
A43 - footwear
A44 - haberdashery
A45 - hand or travelling articles
A46 - brushware
A47 - furniture
A61 - medical or veterinary science
A62 - life-saving
A63 - sports
A99 - subject matter not otherwise provided for in this section
B - performing operations
B01 - physical or chemical processes or apparatus in general
B02 - crushing, pulverising, or disintegrating
B03 - separation of solid materials using liquids or using pneumatic tables or jigs
B04 - centrifugal apparatus or machines for carrying-out physical or chemical processes
B05 - spraying or atomising in general
B06 - generating or transmitting mechanical vibrations in general
B07 - separating solids from solids
B08 - cleaning
B09 - disposal of solid waste
B21 - mechanical metal-working without essentially removing material
B22 - casting
B23 - machine tools
B24 - grinding
B25 - hand tools
B26 - hand cutting tools
B27 - working or preserving wood or similar material
B28 - working cement, clay, or stone
B29 - working of plastics
B30 - presses
B31 - making articles of paper, cardboard or material worked in a manner analogous to paper
B32 - layered products
B33 - additive manufacturing technology
B41 - printing
B42 - bookbinding
B43 - writing or drawing implements
B44 - decorative arts
B60 - vehicles in general
B61 - railways
B62 - land vehicles for travelling otherwise than on rails
B63 - ships or other waterborne vessels
B64 - aircraft
B65 - conveying
B66 - hoisting
B67 - opening, closing {or cleaning} bottles, jars or similar containers
B68 - saddlery
B81 - microstructural technology
B82 - nanotechnology
B99 - subject matter not otherwise provided for in this section
C - chemistry
C01 - inorganic chemistry
C02 - treatment of water, waste water, sewage, or sludge
C03 - glass
C04 - cements
C05 - fertilisers
C06 - explosives
C07 - organic chemistry
C08 - organic macromolecular compounds
C09 - dyes
C10 - petroleum, gas or coke industries
C11 - animal or vegetable oils, fats, fatty substances or waxes
C12 - biochemistry
C13 - sugar industry
C14 - skins
C21 - metallurgy of iron
C22 - metallurgy
C23 - coating metallic material
C25 - electrolytic or electrophoretic processes
C30 - crystal growth
C40 - combinatorial technology
C99 - subject matter not otherwise provided for in this section
D - textiles
D01 - natural or man-made threads or fibres
D02 - yarns
D03 - weaving
D04 - braiding
D05 - sewing
D06 - treatment of textiles or the like
D07 - ropes
D10 - indexing scheme associated with sublasses of section d, relating to textiles
D21 - paper-making
D99 - subject matter not otherwise provided for in this section
E - fixed constructions
E01 - construction of roads, railways, or bridges
E02 - hydraulic engineering
E03 - water supply
E04 - building
E05 - locks
E06 - doors, windows, shutters, or roller blinds in general
E21 - earth drilling
E99 - subject matter not otherwise provided for in this section
F - mechanical engineering
F01 - machines or engines in general
F02 - combustion engines
F03 - machines or engines for liquids
F04 - positive - displacement machines for liquids
F05 - indexing schemes relating to engines or pumps in various subclasses of classes f01-f04
F15 - fluid-pressure actuators
F16 - engineering elements and units
F17 - storing or distributing gases or liquids
F21 - lighting
F22 - steam generation
F23 - combustion apparatus
F24 - heating
F25 - refrigeration or cooling
F26 - drying
F27 - furnaces
F28 - heat exchange in general
F41 - weapons
F42 - ammunition
F99 - subject matter not otherwise provided for in this section
G - physics
G01 - measuring
G02 - optics
G03 - photography
G04 - horology
G05 - controlling
G06 - computing
G07 - checking-devices
G08 - signalling
G09 - education
G10 - musical instruments
G11 - information storage
G12 - instrument details
G16 - information and communication technology [ict] specially adapted for specific application fields
G21 - nuclear physics
G99 - subject matter not otherwise provided for in this section
H - electricity
H01 - basic electric elements
H02 - generation
H03 - basic electronic circuitry
H04 - electric communication technique
H05 - electric techniques not otherwise provided for
H99 - subject matter not otherwise provided for in this section
Y - new / cross sectional technologies
Y02 - technologies or applications for mitigation or adaptation against climate change
Y04 - information or communication technologies having an impact on other technology areas
Y10 - technical subjects covered by former uspc

More Options ...

Title: Using new edges for anomaly detection in computer networks

Abstract

Creation of new edges in a network may be used as an indication of a potential attack on the network. Historical data of a frequency with which nodes in a network create and receive new edges may be analyzed. Baseline models of behavior among the edges in the network may be established based on the analysis of the historical data. A new edge that deviates from a respective baseline model by more than a predetermined threshold during a time window may be detected. The new edge may be flagged as potentially anomalous when the deviation from the respective baseline model is detected. Probabilities for both new and existing edges may be obtained for all edges in a path or other subgraph. The probabilities may then be combined to obtain a score for the path or other subgraph. A threshold may be obtained by calculating an empirical distribution of the scores under historical conditions.

Inventors:: Neil, Joshua Charles

Issue Date:: Tue May 19 00:00:00 EDT 2015

Research Org.:: Los Alamos National Laboratory (LANL), Los Alamos, NM (United States)

Sponsoring Org.:: USDOE

OSTI Identifier:: 1179789

Patent Number(s):: 9038180

Application Number:: 13/826,995

Assignee:: Los Alamos National Security, LLC (Los Alamos, NM)

Patent Classifications (CPCs):: G - PHYSICS G06 - COMPUTING G06F - ELECTRIC DIGITAL DATA PROCESSING

G - PHYSICS G06 - COMPUTING G06N - COMPUTER SYSTEMS BASED ON SPECIFIC COMPUTATIONAL MODELS

Show more

G - PHYSICS G06 - COMPUTING G06F - ELECTRIC DIGITAL DATA PROCESSING
G06F21/577 - {Assessing vulnerabilities and evaluating computer system security}

G - PHYSICS G06 - COMPUTING G06N - COMPUTER SYSTEMS BASED ON SPECIFIC COMPUTATIONAL MODELS
G06N5/02 - Knowledge representation
G06N5/022 - {Knowledge engineering
G06N5/045 - {Explanation of inference steps}

H - ELECTRICITY H04 - ELECTRIC COMMUNICATION TECHNIQUE H04L - TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
H04L1/002 - {Algorithms with memory of the previous states, e.g. Markovian models}
H04L2463/144 - Detection or countermeasures against botnets
H04L63/1408 - {by monitoring network traffic
H04L63/1416 - {Event detection, e.g. attack signature detection}
H04L63/1425 - {Traffic logging, e.g. anomaly detection}
H04L63/1433 - {Vulnerability analysis}

Show less

DOE Contract Number:: AC52-06NA25396

Resource Type:: Patent

Resource Relation:: Patent File Date: 2013 Mar 14

Country of Publication:: United States

Language:: English

Subject:: 97 MATHEMATICS AND COMPUTING

Citation Formats


                    Neil, Joshua Charles. Using new edges for anomaly detection in computer networks.  United States: N. p., 2015. 
        Web.

Copy to clipboard


                    Neil, Joshua Charles. Using new edges for anomaly detection in computer networks.  United States.

Copy to clipboard


                    Neil, Joshua Charles. Tue .  
        "Using new edges for anomaly detection in computer networks".  United States.  https://www.osti.gov/servlets/purl/1179789.

Copy to clipboard


                    
@article{osti_1179789,

  title        = {Using new edges for anomaly detection in computer networks},

  author       = {Neil, Joshua Charles},

  abstractNote = {Creation of new edges in a network may be used as an indication of a potential attack on the network. Historical data of a frequency with which nodes in a network create and receive new edges may be analyzed. Baseline models of behavior among the edges in the network may be established based on the analysis of the historical data. A new edge that deviates from a respective baseline model by more than a predetermined threshold during a time window may be detected. The new edge may be flagged as potentially anomalous when the deviation from the respective baseline model is detected. Probabilities for both new and existing edges may be obtained for all edges in a path or other subgraph. The probabilities may then be combined to obtain a score for the path or other subgraph. A threshold may be obtained by calculating an empirical distribution of the scores under historical conditions.},

  doi          = {},

  journal      = {},
number       = ,

  volume       = ,

  place        = {United States},

  year         = {Tue May 19 00:00:00 EDT 2015},

  month        = {Tue May 19 00:00:00 EDT 2015}

}

Copy to clipboard

Patent:

Save / Share:

Export Metadata

Save to My Library

Works referenced in this record:

Bayesian anomaly detection methods for social networks
journal, August 2010

Heard, Nicholas A.; Weston, David J.; Platanioti, Kiriaki
The Annals of Applied Statistics, Vol. 4, Issue 2, p. 645-662
https://doi.org/10.1214/10-AOAS329

Scan Statistics on Enron Graphs
journal, October 2005

Priebe, Carey E.; Conroy, John M.; Marchette, David J.
Computational and Mathematical Organization Theory, Vol. 11, Issue 3, p. 229-247
https://doi.org/10.1007/s10588-005-5378-z

The link-prediction problem for social networks
journal, January 2007

Liben-Nowell, David; Kleinberg, Jon
Journal of the American Society for Information Science and Technology, Vol. 58, Issue 7, p. 1019-1031
https://doi.org/10.1002/asi.20591

A survey of coordinated attacks and collaborative intrusion detection
journal, February 2010

Zhou, Chenfeng Vincent; Leckie, Christopher; Karunasekera, Shanika
Computers & Security, Vol. 29, Issue 1, p. 124-140
https://doi.org/10.1016/j.cose.2009.06.008

Alert correlation in a cooperative intrusion detection framework
conference, January 2002

Cuppens, F.; Miege, A.
Proceedings 2002 IEEE Symposium on Security and Privacy
https://doi.org/10.1109/SECPRI.2002.1004372

Botnets: A survey
journal, February 2013

Silva, Sérgio S. C.; Silva, Rodrigo M. P.; Pinto, Raquel C. G.
Computer Networks, Vol. 57, Issue 2, p. 378-403
https://doi.org/10.1016/j.comnet.2012.07.021

Identifying botnets by capturing group activities in DNS traffic
journal, January 2012

Choi, Hyunsang; Lee, Heejo
Computer Networks, Vol. 56, Issue 1, p. 20-33
https://doi.org/10.1016/j.comnet.2011.07.018

Probabilistic Alert Correlation
book, January 2001

Valdes, Alfonso; Skinner, Keith; Goos, Gerhard
Recent Advances in Intrusion Detection, p. 54-68
https://doi.org/10.1007/3-540-45474-8_4

Scan Statistics for the Online Detection of Locally Anomalous Subgraphs
journal, August 2013

Neil, Joshua; Hash, Curtis; Brugh, Alexander
Technometrics, Vol. 55, Issue 4, p. 403-414
https://doi.org/10.1080/00401706.2013.822830

Features generation for use in computer network intrusion detection
patent, December 2003

Diep, Thanh A.; Botros, Sherif; Izenson, Martin D.
US Patent Document 6,671,811
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/6671811

Anomaly detection
patent, March 2008

Ide, Tsuyoshi; Yoda, Kunikazu; Kashima, Hisashi
US Patent Document 7,346,803
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/7346803

Intrusion detection system
patent, October 2009

Scheidell, Michael
US Patent Document 7,603,711
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/7603711

Method and system for content distribution network security
patent, March 2013

Macwan, Sanjay; Chawla, Deepak; de los Reyes, Gustavo
US Patent Document 8,397,298
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/8397298

Adaptive behavioral intrusion detection systems and methods
patent, May 2013

Stute, Michael Roy
US Patent Document 8,448,247
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/8448247

Peer-to-peer (P2P) botnet tracking at backbone level
patent, January 2014

Coskun, Baris; Baliga, Arati
US Patent Document 8,627,473
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/8627473

System and method for exposing malicious sources using mobile IP messages
patent, February 2014

Choyi, Vinod Kumar; Abdel-Aziz, Bassem
US Patent Document 8,650,630
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/8650630

Method and apparatus for verifying the integrity and security of computer networks and implementing counter measures
patent-application, November 2002

Hrabik, Michael; Guilfoyle, Jeffrey; Mac Beaver, Edward
US Patent Application 10/196472; 20020178383
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20020178383

Flow-based detection of network intrusions
patent-application, June 2003

Copeland, John A. III
US Patent Application 10/000396; 20030105976
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20030105976

Network security monitoring system
patent-application, July 2004

Bhattacharya, Partha; Lawrence, Jan Christian
US Patent Application 10/443946; 20040133672
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20040133672

Adaptive behavioral intrusion detection systems and methods
patent-application, February 2005

Stute, Michael
US Patent Application 10/504731; 20050044406
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20050044406

Method and system for analyzing multidimensional data
patent-application, March 2006

Ashiri, Amir
US Patent Application 11/199383; 20060053136
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20060053136

Systems and methods for testing and evaluating an intrusion detection system
patent-application, November 2006

Rubin, Shai A.; Jha, Somesh; Miller, Barton P.
US Patent Application 11/294585; 20060253906
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20060253906

Intelligent intrusion detection system utilizing enhanced graph-matching of network activity with context data
patent-application, September 2007

Coffman, Thayne Richard
US Patent Application 11/367943; 20070209074
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20070209074

Tactical And Strategic Attack Detection And Prediction
patent-application, September 2007

Gilbert, Logan; Morgan, Robert J.; Keen, Arthur A.
US Patent Application 11/688540; 20070226796
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20070226796

Method of Detecting Anomalous Behaviour in a Computer Network
patent-application, October 2007

Belakhdar, Omar; Bados, Pedro; Flatings, Boi
US Patent Application 11/578866; 20070240207
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20070240207

Methods and Systems for Determining Entropy Metrics for Networks
patent-application, January 2009

Johnson, Joseph E.
US Patent Application 12/158424; 20090024549
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20090024549

Systems And Methods For A Simulated Network Attack Generator
patent-application, December 2009

White, Christopher Dyson; Ratcliffe, III, Chester Randolph; Espinosa, John Christian
US Patent Application 12/487633; 20090320137
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20090320137

Intrusion Event Correlation System
patent-application, July 2010

Noel, Steven E.; Robertson, Eric B.; Jajodia, Sushil
US Patent Application 12/758135; 20100192226
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20100192226

Device and Method for Detecting and Diagnosing Correlated Network Anomalies
patent-application, June 2011

Wang, Jia; Lall, Ashwin; Mahimkar, Ajay
US Patent Application 12/646388; 20110154119
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20110154119

Generating A Multiple-Prerequisite Attack Graph
September 2011

Lippmann, Richard P.; Ingols, Kyle W.; Piwowarski, Keith J.
US Patent Application 13/104454; 20110231937
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20110231937

Systems and Methods for Virtualized Malware Detection
patent-application, May 2013

Golshan, Ali; Binder, James S.
US Patent Application 13/288917; 20130117849
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20130117849

Method And Apparatus For Machine To Machine Network Security Monitoring In A Communications Network
patent-application, May 2013

Sheleheda, Daniel; Bowen, Donald J.; Cama, Cynthia
US Patent Application 13/301529; 20130127618
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20130127618

Predicting Attacks Based On Probabilistic Game-Theory
patent-application, November 2013

Christodorescu, Mihai; Korzhyk, Dmytro; Sailer, Reiner
US Patent Application 13/478290; 20130318615
URL: https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20130318615

Works referencing / citing this record: