WO2004023714A2 - Computer network security system utilizing dynamic mobile sensor agents - Google Patents


Info

Publication number
WO2004023714A2
Authority
WO
WIPO (PCT)
Application number
PCT/US2003/027583
Other languages
French (fr)
Other versions
WO2004023714A3 (en)
Inventor
Allen Eugene Ott
Frank Ernest Oldham
Original Assignee
Lockheed Martin Orincon Corporation
Application filed by Lockheed Martin Orincon Corporation
Related publications: AU2003276862A1, GB2409784B, WO2004023714A2, WO2004023714A3


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones > H04L 63/0218 Distributed architectures, e.g. distributed firewalls
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F 21/55 Detecting local intrusion or implementing counter-measures > G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F 21/55 Detecting local intrusion or implementing counter-measures > G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic

Definitions

  • the present invention relates generally to computer network security systems. More particularly, the present invention relates to the managed distribution of mobile sensor agents within a protected computer network.
  • a computer network security system in accordance with the present invention provides an increased level of protection against sophisticated attacks, relative to most known security systems.
  • the network security system improves attack detection rates while reducing false alarms.
  • the network security system utilizes adaptive techniques that enable it to protect against known attack patterns and unknown attack methodologies.
  • the network security system can be easily reconfigured and updated because it need not rely on customized local applications.
  • a computer network security method that provides a number of mobile sensor agents for deployment in a computer network, receives event data from one or more of the mobile sensor agents, where the event data corresponds to detected event occurrences, and manages, in response to the event data, the distribution of mobile sensor agents in the computer network.
  • FIG. 1 is a schematic representation of a local area network in which the techniques of the present invention may be deployed
  • FIG. 2 is a schematic representation of a wide area network in which the techniques of the present invention may be deployed
  • FIG. 3 is a diagram that depicts the managed distribution of mobile sensor agents in a computer network
  • FIG. 4 is a schematic representation of a fusion component
  • FIG. 5 is a schematic representation of a sensor distribution manager
  • FIG. 6 is a flow diagram of a network security process.
  • the present invention may be described herein in terms of functional block components and various processing steps. It should be appreciated that such functional blocks may be realized by any number of hardware components configured to perform the specified functions. For example, the present invention may employ various integrated circuit components, e.g., memory elements, logic elements, look-up tables, and the like, which may carry out a variety of functions under the control of one or more microprocessors or other control devices. In addition, those skilled in the art will appreciate that the present invention may be practiced in conjunction with any number of computer system architectures and that the computer network described herein is merely one exemplary application for the invention.
  • FIG. 1 is a schematic representation of a local area network (LAN) 100 in which a network security system according to the present invention may be deployed.
  • LAN 100 includes at least one network server 102 and at least one client computer 104 (in a practical embodiment, LAN 100 can include any number of client computers).
  • client computers 104 are connected to network server 102 such that data can be routed between client computers 104 and network server 102.
  • LAN 100 may be suitably configured to access the Internet, an Intranet, a wide area network, or the like.
  • FIG. 1 depicts LAN 100 having access to the Internet 106 via a firewall 108.
  • Firewall 108 which may be implemented in hardware, software, firmware, or a combination thereof, functions in a conventional manner to prevent unauthorized access to LAN 100 via the Internet 106.
  • a security server 110 may be connected to LAN 100. As described in more detail below, security server 110 is suitably configured to perform various network security processes related to the present invention.
  • WAN 200 may be considered to be a combination of two or more LANs.
  • WAN 200 may include a first network server 202 that supports a number of client computers 204, and a second network server 206 that supports a number of client computers 208 (in a practical embodiment, WAN 200 can include any number of client computers and any number of network servers interconnected to form any suitable architecture).
  • First network server 202 and second network server 206 may be connected via a conventional router 212.
  • WAN 200 can employ any number of firewalls 214 to protect against unwanted access via the Internet 216.
  • a preferred WAN deployment includes a plurality of security servers.
  • WAN 200 may include a first security server 218 that primarily protects client computers 204, a second security server 220 that primarily protects client computers 208, and a third security server 222 connected to router 212.
  • each of the client computers protected by the network security system is a personal computer (PC) having conventional hardware and software components, e.g., memory elements, a display monitor, an operating system, data communication ports for transmitting and receiving data via the respective network, a processor chip, any number of application programs, a web browser application, and the like.
  • the network security system may also be configured to protect other components or features of the protected network, e.g., peripherals, servers, routers, databases, and the like.
  • the currently preferred network security system utilizes mobile software agents written in Java. Consequently, the protected client computers are Java-compatible such that they can properly install and run the Java runtime environment as needed.
  • the protected client computers also employ a suitably configured agent server application that enables the client computers to receive, send, and process the mobile software agents.
  • the design of the agents and/or the agent server application may leverage any number of known technologies, such as the open source Aglets Software Development Kit available from IBM Corporation.
  • a security server is preferably realized as a stand-alone PC having a display monitor, a mouse, a keyboard (or other user interface), at least one data communication port configured to receive data from the protected client computers or other network components (e.g., event data from mobile sensor agents), and other common hardware and software features.
  • devoted security servers facilitate real-time monitoring of the network security status and/or manipulation of the network security system features by human operators.
  • each security server preferably includes memory space and processing power sufficient to support the operation of the network security system as described herein.
  • each security server includes one or more software programs that perform the various routines and processes described herein.
  • the functional block components shown in the figures can be implemented in a security server using one or more computer programs. In a practical deployment, the functionality of the security server can be realized as one or more computer programs embodied on a computer-readable medium, e.g., a hard drive or other magnetic storage device, a CD-ROM, a floppy disk, a ROM chip, a firmware device, or the like.
  • the computer programs include computer-executable instructions for carrying out the various processing tasks described herein.
  • after the security server (or servers) is physically connected to the network, or after the security server software is loaded onto an existing network server, the security server deploys a number of mobile sensor agents throughout the network.
  • the sensor agents detect occurrences of specified events; an event may be a component of a known attack signature or any detectable event associated with the operation of the protected client computers or the protected computer network.
  • the sensor agents communicate event data back to the respective security server for analysis and processing.
  • the security server processes the event data to determine the security status of the network and to determine whether it would be beneficial to obtain additional event data in order to better assess the security status of the network.
  • the security server manages the distribution of mobile sensor agents in the protected network according to the current security risk.
  • FIG. 3 is a diagram that depicts the managed distribution of mobile sensor agents in an example computer network 300 protected by a network security system according to the present invention.
  • computer network 300 includes a security server 302, a protected client computer 304, a protected client computer 306, and a network application 308.
  • Security server 302 maintains any number of "inactive" or "dormant" mobile sensor agents 310.
  • dormant mobile sensor agents 310 are capable of being distributed to various points in computer network 300; dormant mobile sensor agents are activated such that they can perform their designated tasks once they reach their destination in computer network 300. For the sake of illustration, dormant or inactive mobile sensor agents are shaded in FIG. 3.
  • a mobile sensor agent detects events and reports event data back to security server 302.
  • a field agent is a mobile sensor agent that is distributed from security server 302 to one specific protected client computer.
  • FIG. 3 depicts a number of field agents 312 associated with client computer 304 and a number of field agents 314 associated with client computer 306.
  • Field agents are deployed to a specific client computer (or other location in computer network 300), where they reside and function until withdrawn or deactivated or until they expire.
  • the security system may also employ a number of wandering sensor agents 316 that travel among a plurality of client computers (or other locations in computer network 300).
  • wandering sensor agent 316 may be designed to perform a specified task at client computer 304, then travel to client computer 306 to perform the same specified task. Alternatively, wandering sensor agent 316 may be instructed to perform different tasks at different locations within computer network 300. The routine followed by wandering sensor agent 316 may be predetermined by security server 302, or it may be controlled in response to the changing security status of computer network 300 and/or in response to operator commands.
  • the security system may also support the deployment of one or more mobile sensor agents that function as broker agents.
  • a broker agent obtains raw event data from an application installed in the protected computer network, and sends corresponding event data back to the security server.
  • FIG. 3 shows a network application 318 and a number of associated broker agents 320.
  • Network application 318 may be, for example, a network traffic analysis program, a user authentication program, an antivirus program, a firewall application, or the like.
  • Broker agents 320 receive data from "sensors" built into the network application and forward such data to the network security system. In this manner, the network security system can process and analyze event data obtained indirectly from other applications.
  • FIG. 3 shows mobile sensor agents 322 in transit between security server 302 and client computers 304, 306.
  • FIG. 3 also shows a mobile broker agent 324 in transit between security server 302 and network application 318.
  • FIG. 3 thus illustrates the dynamic and mobile nature of the various mobile sensor agents, which are distributed in computer network 300 under the control of security server 302.
  • security server 302 can distribute and/or allocate additional mobile sensor agents to appropriate locations within the network.
  • security server 302 can activate dormant sensor agents (e.g., mobile sensor agent 326 maintained by client computer 304), deactivate active mobile sensor agents, withdraw mobile sensor agents that are no longer needed, and/or terminate or delete mobile sensor agents that are no longer needed (a deleted or withdrawn mobile sensor agent 328 is shown in connection with client computer 306).
  • the network security system is adaptable to accommodate new sensor agents 330 that detect additional events that are currently unmonitored. For example, in response to new attack signatures or suspected network vulnerabilities, new mobile sensor agents 330 may be installed on security server 302 for managed distribution in computer network 300. In this manner, every client computer in computer network 300 need not be periodically updated to provide protection against new threats.
  • when deployed in the client computers, a mobile sensor agent resides in the application layer of the host processor, along with a suitable agent server.
  • the mobile sensor agent is configured to communicate directly with the operating system of the host processor, via the kernel layer.
  • the mobile sensor agents detect "low level" data corresponding to abstract events or activities rather than "high level” contextual data or data related to attack signatures.
  • the mobile sensor agents detect events even if the events themselves are not predefined components of an attack, i other words, rather than detect the occu ⁇ ence of an attack itself, the mobile sensor agents look for elemental evidence of activities and events that could be a constituent part of an attack, h this regard, the mobile sensor agents can be lightweight in design and they need not consume a large amount of the host processor resources.
  • Table 1 contains a list of example events co ⁇ espondmg to the functionality of different mobile sensor agents.
  • the events listed in Table 1 represent host-level event occu ⁇ ences related to protected client computer activity.
  • the set of events may never be finalized, and a complete and exhaustive set would include all sensors necessary to fully monitor all events within a network; such an implementation would be inefficient for practical applications.
  • the number of detectable events may increase as attackers learn to use different types of network and client activities to perpetrate their efforts.
  • the mobile sensor agents may also change as the attackers learn to use network and client activities in different ways, thus prompting enhancement of the sensor agent specifications.
  • a particular mobile sensor agent may be designed to detect one or more distinct event occurrences.
  • one mobile sensor agent may be specifically limited to the detection of unauthorized software, while another mobile sensor agent may be designed to detect the number of SMTP connections and the number of FTP connections.
  • Each mobile sensor agent reports the detected event occurrences back to the respective security server in the form of event data.
  • the event data may be formatted in accordance with any suitable scheme that enables the security server to receive, interpret, and process the event data.
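The agent types described above (field agents resident on one host, dormant agents that report nothing until activated, wandering agents that run the same tasks along an itinerary, and broker agents that re-emit an application's own sensor output) as an added Python model. This is illustrative code written for this page, not the patent's Java/Aglets agents, and the host names client-304 and client-306, the process lists, the connection counters, the allow-list of authorized software and the firewall counters are all constructed sample input.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed host snapshots: the view an agent server on each protected client
# computer would expose to a sensor agent (hypothetical host names).
HOSTS = {
    "client-304": {"smtp_connections": 2, "ftp_connections": 0,
                   "processes": ["explorer.exe", "outlook.exe", "nc.exe"]},
    "client-306": {"smtp_connections": 40, "ftp_connections": 12,
                   "processes": ["httpd", "sshd"]},
}
AUTHORIZED_SOFTWARE = {"explorer.exe", "outlook.exe", "httpd", "sshd"}  # constructed allow-list


@dataclass(frozen=True)
class Event:
    """Event data as reported back to the security server: one low-level observation."""
    host: str
    agent_id: str
    kind: str
    value: object


# Detectors report elemental observations, not attack verdicts; deciding what
# they mean is left to the fusion component on the security server.
def unauthorized_software(snapshot: dict) -> List[str]:
    return sorted(set(snapshot["processes"]) - AUTHORIZED_SOFTWARE)


def smtp_count(snapshot: dict) -> int:
    return snapshot["smtp_connections"]


def ftp_count(snapshot: dict) -> int:
    return snapshot["ftp_connections"]


@dataclass
class SensorAgent:
    """A field agent: resides on one host and runs its detectors while active."""
    agent_id: str
    tasks: Dict[str, Callable[[dict], object]]
    active: bool = False  # dormant until the security server activates it

    def sense(self, host: str, snapshot: dict) -> List[Event]:
        if not self.active:
            return []
        return [Event(host, self.agent_id, kind, detect(snapshot))
                for kind, detect in self.tasks.items()]


class WanderingAgent(SensorAgent):
    """Performs the same tasks at each host on an itinerary set by the security server."""
    def wander(self, itinerary: List[str], hosts: Dict[str, dict]) -> List[Event]:
        events: List[Event] = []
        for host in itinerary:
            events.extend(self.sense(host, hosts[host]))
        return events


class BrokerAgent:
    """Obtains raw data from an application's built-in sensor and re-emits it as event data."""
    def __init__(self, agent_id: str, app_name: str, poll: Callable[[], dict]):
        self.agent_id, self.app_name, self.poll = agent_id, app_name, poll

    def sense(self, host: str) -> List[Event]:
        return [Event(host, self.agent_id, f"{self.app_name}.{key}", value)
                for key, value in self.poll().items()]


def firewall_poll() -> dict:
    """Constructed counters standing in for a firewall application's own sensors."""
    return {"denied_inbound": 17, "allowed_outbound": 233}


def collect_all() -> List[Event]:
    """One collection round: a field agent, a dormant agent, a wandering agent and a broker."""
    field = SensorAgent("F1", {"unauthorized_software": unauthorized_software}, active=True)
    dormant = SensorAgent("D1", {"unauthorized_software": unauthorized_software})
    wanderer = WanderingAgent("W1", {"smtp_connections": smtp_count,
                                     "ftp_connections": ftp_count}, active=True)
    broker = BrokerAgent("B1", "firewall", firewall_poll)
    events = field.sense("client-304", HOSTS["client-304"])
    events += dormant.sense("client-306", HOSTS["client-306"])   # dormant: reports nothing
    events += wanderer.wander(["client-304", "client-306"], HOSTS)
    events += broker.sense("network-app-318")
    return events


if __name__ == "__main__":
    for ev in collect_all():
        print(f"{ev.host:16} {ev.agent_id:3} {ev.kind:26} {ev.value}")
```

Each detector returns a plain observation (a list of unlisted process names, a connection count) so that the agent stays lightweight on the host; the wandering agent's itinerary is a parameter, which is where a security server would substitute a route chosen from the current risk status.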
  • FIG. 4 is a schematic representation of a fusion component 400 utilized by the network security system. In a practical embodiment, each security server includes a fusion component 400 configured to process event data received from the mobile sensor agents.
  • Fusion component 400 can be implemented in software, hardware, firmware, or any combination thereof; in a preferred embodiment, fusion component 400 is implemented in software.
  • fusion component 400 processes the event data using one or more fusion agents 402, each specializing in a potential network security issue.
  • a "network security issue" can be a component of a known attack, a known attack signature, a network vulnerability, a monitored network function or feature, or the like, hi FIG. 4, each ellipse represents a fusion agent 402, and the area within the rectangle represents all network vulnerabilities and potential attack scenarios.
  • the fusion agents 402 in combination will provide adequate protection against all potential attack scenarios, both known and unknown.
  • each fusion agent 402 will receive and process a limited amount of event data.
  • a fusion agent 402 will typically receive and process only a subset of the listed events. In addition, any number of different fusion agents 402 can receive and process the same event data, i.e., event data need not be exclusive to any particular fusion agent 402.
  • any number of fusion agents 402 can process the event data using one or more intelligent decision-making techniques (e.g., artificial intelligence techniques, expert system techniques, neural network techniques, and the like).
  • any number of the fusion agents 402 may be collaborative fusion agents capable of communicating with one another. The collaborative nature of the fusion agents makes the network security system more interactive and adaptable to accommodate different security threats and attack patterns.
  • fusion agents 402 may be configured for travel or distribution from one security server to another security server.
  • Fusion component 400 analyzes the event data and, considering a set of operating guidelines dictated by the operator of the network security system, assesses the situation/risk status of the computer network based upon the event data.
  • the set of operating guidelines specify the security services available to network users, identify data accessible to certain users and the manner in which such data can be accessed, and the like.
  • fusion component 400 receives the relatively low level abstract event data and generates an output of relatively high level contextual information representing the current security status of the network.
  • fusion component 400 is further configured to determine the need for additional event data (to be obtained from additional mobile sensor agents) based upon the assessed situation/risk status. In this regard, fusion component 400 is configured to generate requests for additional event data (i.e., fusion source data requirements).
  • a fusion agent 402 will analyze the current set of event data to which it has direct access, along with any event data (or other data) to which it has access via other fusion agents. Using its intelligent decision-making processes, the fusion agent 402 will determine whether a security threat is present and, if so, the severity of the security issue and/or the risk associated with the security issue. If the fusion agent 402 determines that little or no threat or risk is present, then it may generate fusion source data requirements corresponding to no change in the status of the relevant mobile sensor agents.
  • fusion agent 402 may generate fusion source data requirements corresponding to a request to reduce the amount of mobile sensor agents and/or other resources devoted to the detection of that particular threat.
  • fusion agent 402 may generate fusion source data requirements corresponding to a request to increase the amount of mobile sensor agents and/or other resources devoted to the detection of that particular threat.
  • Fusion component 400 can also consider metadata related to the received event data, which is received and processed virtually in real-time.
  • metadata related to the event data may be: the username and password of the user of the client computer where the detected event occurred; the purpose or function of the respective client computer, e.g., server, workstation, or secretarial; the current security status of the respective client computer; the current security status of the protected network; a history of events for the respective client computer; a statistical profile of events for the respective client computer; the identities of other client computers that frequently communicate with the respective client computer; and the like.
  • Such metadata can be used, with or without event data, to evaluate the situation/risk status of the protected network over relatively long periods of time or to determine whether the protected network is being subjected to an organized distributed attack.
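The fusion component described in the preceding items (several specialized fusion agents, each consuming a subset of the low-level event data, sharing findings with one another, and producing a contextual risk status plus fusion source data requirements) as an added Python model. This is illustrative code written for this page, not the patent's own implementation; the two fusion agents, the severity thresholds, the per-role service limits that stand in for the operating guidelines, the host metadata and the event records are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    host: str
    kind: str
    value: object


@dataclass(frozen=True)
class Requirement:
    """Fusion source data requirement: how sensing of one event kind on one host should change."""
    host: str
    event_kind: str
    change: str  # "increase", "decrease" or "no_change"


# Constructed operating guidelines: per-role service limits set by the operator.
GUIDELINES = {
    "workstation": {"smtp_connections": 5, "ftp_connections": 0},
    "mail_server": {"smtp_connections": 500, "ftp_connections": 0},
}

# Constructed metadata about the protected hosts: role and recent event history.
METADATA = {
    "client-304": {"role": "workstation", "history": {"smtp_connections": [1, 2, 1]}},
    "client-306": {"role": "mail_server", "history": {"smtp_connections": [35, 42, 38]}},
}

# Constructed low-level event data as reported by the sensor agents.
EVENTS = [
    Event("client-304", "unauthorized_software", ["nc.exe"]),
    Event("client-304", "smtp_connections", 2),
    Event("client-304", "ftp_connections", 0),
    Event("client-306", "unauthorized_software", []),
    Event("client-306", "smtp_connections", 40),
    Event("client-306", "ftp_connections", 12),
]


class FusionAgent:
    """One fusion agent specializes in one security issue and sees only its event kinds."""
    kinds: frozenset = frozenset()

    def assess(self, events: List[Event], metadata: dict, board: dict) -> Tuple[float, List[Requirement]]:
        raise NotImplementedError


class RogueSoftwareAgent(FusionAgent):
    kinds = frozenset({"unauthorized_software"})

    def assess(self, events, metadata, board):
        severity, reqs = 0.0, []
        for ev in events:
            if ev.value:  # any unlisted process is a constituent of many attacks
                severity = max(severity, 0.6)
                board.setdefault("suspect_hosts", set()).add(ev.host)  # shared with other agents
                reqs.append(Requirement(ev.host, "unauthorized_software", "increase"))
            else:
                reqs.append(Requirement(ev.host, "unauthorized_software", "no_change"))
        return severity, reqs


class ServiceAbuseAgent(FusionAgent):
    kinds = frozenset({"smtp_connections", "ftp_connections"})

    def assess(self, events, metadata, board):
        severity, reqs = 0.0, []
        suspects = board.get("suspect_hosts", set())
        for ev in events:
            meta = metadata[ev.host]
            limit = GUIDELINES[meta["role"]][ev.kind]
            history = meta["history"].get(ev.kind, [])
            over = ev.value > limit or (history and ev.value > 3 * max(history))
            if over:                       # outside the guidelines or the host's own profile
                severity, change = max(severity, 0.5), "increase"
            elif ev.host in suspects:      # collaborative: another agent flagged this host
                severity, change = max(severity, 0.4), "increase"
            else:
                change = "no_change"
            reqs.append(Requirement(ev.host, ev.kind, change))
        return severity, reqs


class FusionComponent:
    def __init__(self, agents: List[FusionAgent]):
        self.agents = agents

    def fuse(self, events: List[Event], metadata: dict) -> Tuple[str, float, List[Requirement]]:
        """Low-level events in; contextual network status and source data requirements out."""
        board: Dict[str, set] = {}
        worst, requirements = 0.0, []
        for agent in self.agents:
            subset = [ev for ev in events if ev.kind in agent.kinds]
            severity, reqs = agent.assess(subset, metadata, board)
            worst = max(worst, severity)
            requirements.extend(reqs)
        status = "nominal" if worst < 0.3 else "elevated" if worst < 0.7 else "high"
        return status, worst, requirements


if __name__ == "__main__":
    status, worst, reqs = FusionComponent([RogueSoftwareAgent(), ServiceAbuseAgent()]).fuse(EVENTS, METADATA)
    print(f"network status: {status} (severity {worst})")
    for r in reqs:
        print(f"  {r.host:12} {r.event_kind:22} {r.change}")
```

The shared `board` is the collaboration channel: the rogue-software agent marks client-304 as a suspect, so the service-abuse agent asks for more SMTP and FTP sensing on that host even though its counts are within the guidelines. Removing the rogue-software agent from the list leaves client-304 at "no_change", which is the difference collaboration makes.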
  • FIG. 5 is a schematic representation of a sensor distribution manager 500 utilized by the network security system.
  • Distribution manager 500 can be implemented in software, hardware, firmware, or any combination thereof; in a preferred embodiment, distribution manager 500 is implemented in software.
  • a sensor distribution manager 500 is implemented in each security server employed by the network security system.
  • distribution manager 500 is configured to manage the distribution of mobile sensor agents in the computer network in response to a number of operating criteria and/or data inputs.
  • “managing the distribution" of mobile sensor agents encompasses a variety of functions, including, but not limited to: initially deploying sensor agents throughout the network; dispatching new or additional sensor agents to points in the network while the network security system is monitoring the network; allocating sensor agent resources for use in the network; controlling the movement of wandering sensor agents in the network; activating and deactivating sensor agents deployed in the network; withdrawing, deleting, and terminating sensor agents deployed in the network; monitoring the location and/or status of deployed sensor agents; and the like.
  • sensor distribution manager 500 includes an intelligent distribution controller 502 that cooperates with a sensor server 504. These functional components are shown as distinct elements in FIG. 5 to facilitate the description of distribution manager 500 - in reality, distribution manager 500 need not be partitioned into such functional elements.
  • Distribution controller 502 receives data that influences the distribution of mobile sensor agents in the protected computer network, and generates commands or instructions for controlling the distribution of the mobile sensor agents. The instructions are processed by sensor server 504, which responds by distributing, activating, withdrawing, deactivating, and/or moving one or more mobile sensor agents in the protected network.
  • distribution controller 502 may consider one or more of the following: fusion source data requirements (i.e., requests for additional event data, which may correspond to the deployment of additional mobile sensor agents); operator recommendations; risk/protection guidelines; and host resource status data. In addition to the above criteria, distribution controller 502 may process any number of additional criteria or data types.
  • sensor distribution manager 500 considers the results generated by fusion component 400. In other words, requests related to the collection of additional event data and/or other fusion source data requirements are fed to distribution controller 502 for evaluation. Operator recommendations are explicit instructions provided by a user of the network security system.
  • a user stationed at a security server may request the deployment of one or more specific mobile sensor agents to a particular client computer in response to a perceived risk.
  • the security system may allow a user to recommend any number of changes or adjustments to the cu ⁇ ent security settings or mobile sensor agent deployment.
  • a user may be authorized to completely override the decisions made by distribution manager 500 or a user may only be permitted to enter suggestions or recommendations.
  • Risk/protection guidelines refer to general rules that govern the distribution of mobile sensor agents in a particular computer network. In this regard, risk/protection guidelines can vary from application to application.
  • the risk/protection guidelines may define any number of operational rules, such as: the maximum amount of host processor resources that can be devoted to the network security system (which may vary depending upon the current risk assessment); a list of activities or events that must be continuously or periodically monitored; the number of mobile sensor agents that can be distributed to a single client computer (which may vary depending upon the current risk assessment); and the like.
  • Distribution controller 502 may also process data representing the current host resource status of one or more of the protected client computers in the network.
  • the network security system may only consume approximately three percent of the processing power of any client computer. However, in response to a heightened security risk, the security system may be authorized to consume more than three percent of the host processing power.
  • Distribution controller 502 can process the current status of the host resources to determine how best to manage the distribution of mobile sensor agents in the network.
  • the network security system evaluates the host processor performance, the amount of resources devoted to the security system, and the current risk assessment, and performs a trade-off between host processor performance and network protection. In response to the fusion source data requirements, any operator recommendations, risk/protection guidelines for the protected network, the current host resource status, and possibly other criteria, distribution controller 502 generates one or more sensor distribution instructions to be carried out by sensor server 504. Consequently, distribution manager 500 can manage the distribution of mobile sensor agents in the protected network in response to user recommendations, established risk/protection guidelines, requests for additional event data (which may be generated by fusion component 400), and/or the resource status of at least one protected client computer in the network.
  • FIG. 6 is a flow diagram of a network security process 600 performed by a network security system configured in accordance with the present invention.
  • process 600 illustrates a number of common functions performed by a practical network security system, in actual use a security system may perform a number of additional or alternative functions.
  • Process 600 assumes that the respective client computers are suitably configured for compatibility with the network security system, and that a suitably configured security server (or servers) is installed on the protected computer network.
  • Network security process 600 begins by providing a number of mobile sensor agents for deployment in the protected network (task 602).
  • any number of mobile sensor agents can be provided to the security server at the initial installation of the security system or at any subsequent time, any number of broker agents can be directly provided to respective applications or information sources throughout the network, and/or any number of mobile sensor agents can be directly provided to one or more client computers.
  • a number of dormant sensor agents (and possibly a number of active sensor agents) will be provided to the security server during task 602, with little or no direct installation of sensor agents at the client level.
  • the security server may distribute one or more initial mobile sensor agents
  • the set of initially distributed mobile sensor agents, and the destinations of those sensor agents, are dictated by the specifications and requirements of the protected network. For example, one network may require a relatively low number of initial sensor agents, while another network may require a relatively complex initial installation of sensor agents. Once deployed and activated, these mobile sensor agents perform their designated functions and they begin monitoring for the occurrence of specific activities on the protected network.
  • the security server receives event data from one or more mobile sensor agents (e.g., wandering sensor agents, broker agents, and/or field agents), where the event data corresponds to detected event occurrences (task 606).
  • Data transmitted between client computers and security servers is encrypted using a suitable encryption algorithm.
  • The encryption of the event data adds a layer of security to the system and protects against the unauthorized interception of the security system communications.
  • The event occurrences detected by the mobile sensor agents need not be components of a known or suspected attack. Rather, the events can relate to host processor activities that may be legitimate and normal under many circumstances.
  • The received event data may be abstract host-level event data related to protected client computer activity.
  • The security server analyzes and processes the received event data to assess the current situation/risk status (task 608).
  • The security server also generates source data requirements (e.g., requests for additional event data) in response to the received event data (task 610).
  • Task 608 and task 610 are performed by fusion component 400.
  • The security server may receive the current host resource status from the protected client computers (task 612), along with any operator recommendations entered by an operator of the security server (task 614).
  • The security server receives the host resource status data via the network and via its data communication port, and it receives the operator recommendation data directly from a keyboard, a mouse, or any suitable user interface device.
  • The security server manages the distribution of one or more mobile sensor agents in the protected computer network (task 616).
  • The management of the mobile sensor agents by the security server is also responsive to the host resource status, the designated risk/protection guidelines, and operator recommendations.
  • The security server can manage, without limitation: the deployment of additional mobile sensor agents from the security server to protected client computers or elsewhere in the network; the activation of at least one dormant or deactivated mobile sensor agent installed in a client computer; the deactivation of at least one active mobile sensor agent installed in a client computer; and/or the withdrawal or deletion of at least one mobile sensor agent from a client computer.
  • The security server can be configured to manage any number of actions related to the distribution, allocation, movement, operation, control, and/or regulation of mobile sensor agents within the protected network.
  • The security system may utilize server and client packages to manage a number of issues such as: the deployment of sensor agents to a specific client computer; communication between the security server and sensor agents for purposes of sensor withdrawal, sensor reallocation, sensor deactivation, sensor activation, or designation of sensor functionality; and the like.
  • The security system can utilize a local security zone manager or security client that runs on the protected hosts and manages such issues.
  • The local security clients ensure that the host identification is available in the registry of the security server, ensure that the appropriate security provisions are in place for secure interaction (including encryption key management), and manage the three-way trade-off between local sensor configuration, data collection requests, and local host processing resources.
  • The network security system can display or otherwise convey the current situation/risk status of the protected network in virtually real-time to an operator of the system (task 618).
  • The security server includes a display monitor and the security server is capable of rendering a graphical representation of the network status for display on the monitor.
  • The situation/risk status of the network can be displayed in any convenient manner that enables an operator to quickly determine whether any given client computer is vulnerable or under attack.
  • The operator can make security decisions based on the displayed information.
  • The network security system is capable of providing dynamically adaptable protection for a computer network, and such protection is provided in a continuous manner. Accordingly, many of the tasks described in connection with network security process 600 are repeated and performed in a continuous manner.

Abstract

A computer network security system utilizes mobile sensor agents that detect host-level activities and report event occurrences to a security server connected to the protected network. The security server processes the event data, assesses the current situation/risk status of the network, and manages the distribution of mobile sensor agents in the network in response to the current status of the network. The security server employs intelligent data fusion techniques to obtain contextually relevant situation/risk data based upon the relatively abstract host-level activity data. The security server can deploy additional mobile sensor agents to monitor for specific events, withdraw active mobile sensor agents installed on client computers, move mobile sensor agents within the protected network, and perform other managerial and regulatory actions that govern the mobile sensor agents.

Description

COMPUTER NETWORK SECURITY SYSTEM UTILIZING DYNAMIC MOBILE
SENSOR AGENTS
FIELD OF THE INVENTION [0001] The present invention relates generally to computer network security systems. More particularly, the present invention relates to the managed distribution of mobile sensor agents within a protected computer network.
BACKGROUND OF THE INVENTION [0002] The prior art is replete with security systems designed to protect individual computers and/or computer networks. The sophistication of such prior art systems varies from simple virus detection software to more complex network intrusion detection applications. In this regard, a computer network can utilize a relatively simple virus protection program to detect known computer viruses and/or a relatively rigorous security application designed to thwart the efforts of highly skilled and malicious hackers.
[0003] Most computer network security techniques rely on the observation and analysis of incoming traffic via limited point entrances into the network, along with pattern recognition of known attack signatures. While these techniques may adequately protect the network against individual or unsophisticated attackers, they may not provide sufficient protection against sophisticated, well-organized, and highly funded attackers. For example, many known network security systems are incapable of detecting a network security breach that involves multiple points of attack and/or an attack that is slowly carried out over a long period of time. Indeed, security systems that employ attack signature recognition techniques will generally fail to detect new attacks that do not match any of the known attack signatures.
[0004] Many prior art computer network security systems are difficult to reconfigure with additional capabilities and/or upgrade to provide protection against newly discovered attack methodologies. Such known security systems often utilize local applications installed on each of the protected computers within the network. Upgrading such a security system requires the installation of new applications or patches on each of the protected computers. In the context of a large network, such upgrading can be very expensive and time consuming. Furthermore, conventional security systems collect and attempt to analyze increasing amounts of data in response to the discovery of new attack signatures and in response to the addition of protected computers. Consequently, the amount of resources devoted to the collection and analysis of security data increases significantly with the expansion of the protected network and/or the expansion of the scope of protection.
BRIEF SUMMARY OF THE INVENTION [0005] A computer network security system in accordance with the present invention provides an increased level of protection against sophisticated attacks, relative to most known security systems. The network security system improves attack detection rates while reducing false alarms. The network security system utilizes adaptive techniques that enable it to protect against known attack patterns and unknown attack methodologies. Furthermore, the network security system can be easily reconfigured and updated because it need not rely on customized local applications.
[0006] The above and other aspects of the present invention may be carried out in one form by a computer network security method that provides a number of mobile sensor agents for deployment in a computer network, receives event data from one or more of the mobile sensor agents, where the event data corresponds to detected event occurrences, and manages, in response to the event data, the distribution of mobile sensor agents in the computer network.
BRIEF DESCRIPTION OF THE DRAWINGS [0007] A more complete understanding of the present invention may be derived by referring to the detailed description and claims when considered in conjunction with the following Figures, wherein like reference numbers refer to similar elements throughout the Figures.
[0008] FIG. 1 is a schematic representation of a local area network in which the techniques of the present invention may be deployed;
[0009] FIG. 2 is a schematic representation of a wide area network in which the techniques of the present invention may be deployed;
[0010] FIG. 3 is a diagram that depicts the managed distribution of mobile sensor agents in a computer network;
[0011] FIG. 4 is a schematic representation of a fusion component;
[0012] FIG. 5 is a schematic representation of a sensor distribution manager; and
[0013] FIG. 6 is a flow diagram of a network security process.
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT [0014] The present invention may be described herein in terms of functional block components and various processing steps. It should be appreciated that such functional blocks may be realized by any number of hardware components configured to perform the specified functions. For example, the present invention may employ various integrated circuit components, e.g., memory elements, logic elements, look-up tables, and the like, which may carry out a variety of functions under the control of one or more microprocessors or other control devices. In addition, those skilled in the art will appreciate that the present invention may be practiced in conjunction with any number of computer system architectures and that the computer network described herein is merely one exemplary application for the invention.
[0015] It should be appreciated that the particular implementations shown and described herein are illustrative of the invention and its best mode and are not intended to otherwise limit the scope of the invention in any way. Indeed, for the sake of brevity, conventional techniques for data transmission, network control, and other functional aspects of the systems (and the individual operating components of the systems) may not be described in detail herein. Furthermore, the connecting lines shown in the various figures contained herein are intended to represent exemplary functional relationships and/or physical couplings between the various elements. It should be noted that many alternative or additional functional relationships or physical connections may be present in a practical embodiment.
[0016] The techniques of the present invention can be used to protect a computer network against hacker attacks, to protect the integrity of information stored on a computer network, to protect against unauthorized use of the computer network, and the like. In this regard, FIG. 1 is a schematic representation of a local area network (LAN) 100 in which a network security system according to the present invention may be deployed. LAN 100 includes at least one network server 102 and at least one client computer 104 (in a practical embodiment, LAN 100 can include any number of client computers). In accordance with conventional computer networking techniques and technologies, client computers 104 are connected to network server 102 such that data can be routed between client computers 104 and network server 102. For purposes of this description, the manner in which network server 102 and client computers 104 are interconnected is unimportant. LAN 100 may be suitably configured to access the Internet, an Intranet, a wide area network, or the like. For example, FIG. 1 depicts LAN 100 having access to the Internet 106 via a firewall 108. Firewall 108, which may be implemented in hardware, software, firmware, or a combination thereof, functions in a conventional manner to prevent unauthorized access to LAN 100 via the Internet 106. In a practical deployment, a security server 110 may be connected to LAN 100. As described in more detail below, security server 110 is suitably configured to perform various network security processes related to the present invention.
[0017] As shown in FIG. 2, the techniques of the present invention may also be utilized in the context of a wide area network (WAN) 200. Conceptually, WAN 200 may be considered to be a combination of two or more LANs. For example, WAN 200 may include a first network server 202 that supports a number of client computers 204, and a second network server 206 that supports a number of client computers 208 (in a practical embodiment, WAN 200 can include any number of client computers and any number of network servers interconnected to form any suitable architecture). First network server 202 and second network server 206 may be connected via a conventional router 212. As described above in connection with FIG. 1, WAN 200 can employ any number of firewalls 214 to protect against unwanted access via the Internet 216. Although not a requirement of the present invention, a preferred WAN deployment includes a plurality of security servers. For example, WAN 200 may include a first security server 218 that primarily protects client computers 204, a second security server 220 that primarily protects client computers 208, and a third security server 222 connected to router 212.
[0018] In practice, each of the client computers protected by the network security system is a personal computer (PC) having conventional hardware and software components, e.g., memory elements, a display monitor, an operating system, data communication ports for transmitting and receiving data via the respective network, a processor chip, any number of application programs, a web browser application, and the like. Of course, the network security system may also be configured to protect other components or features of the protected network, e.g., peripherals, servers, routers, databases, and the like. As described in more detail below, the currently preferred network security system utilizes mobile software agents written in Java. Consequently, the protected client computers are Java-compatible such that they can properly install and run the Java runtime environment as needed. Furthermore, the protected client computers also employ a suitably configured agent server application that enables the client computers to receive, send, and process the mobile software agents. The design of the agents and/or the agent server application may leverage any number of known technologies, such as the open source Aglets Software Development Kit available from IBM Corporation.
[0019] Although not a requirement of the network security system, a security server is preferably realized as a stand-alone PC having a display monitor, a mouse, a keyboard (or other user interface), at least one data communication port configured to receive data from the protected client computers or other network components (e.g., event data from mobile sensor agents), and other common hardware and software features. In a practical deployment, devoted security servers facilitate real-time monitoring of the network security status and/or manipulation of the network security system features by human operators. Notably, each security server preferably includes memory space and processing power sufficient to support the operation of the network security system as described herein. In addition to a conventional operating system and (possibly) any number of conventional software applications, each security server includes one or more software programs that perform the various routines and processes described herein. In addition, the functional block components shown in the figures can be implemented in a security server using one or more computer programs. In a practical deployment, the functionality of the security server can be realized as one or more computer programs embodied on a computer-readable medium, e.g., a hard drive or other magnetic storage device, a CD-ROM, a floppy disk, a ROM chip, a firmware device, or the like. In accordance with conventional computer science techniques, the computer programs include computer-executable instructions for carrying out the various processing tasks described herein.
[0020] After the security server (or servers) are physically connected to the network, or after the security server software is loaded onto an existing network server, the security server deploys a number of mobile sensor agents throughout the network. The sensor agents detect occurrences of specified events; an event may be a component of a known attack signature or any detectable event associated with the operation of the protected client computers or the protected computer network. The sensor agents communicate event data back to the respective security server for analysis and processing. The security server processes the event data to determine the security status of the network and to determine whether it would be beneficial to obtain additional event data in order to better assess the security status of the network. The security server manages the distribution of mobile sensor agents in the protected network according to the current security risk. In this manner, the number and type of mobile sensor agents and the amount of client computer resources devoted to the network security system are dynamically regulated, monitored, and managed in substantially real-time to provide an appropriate level of network protection.
[0021] FIG. 3 is a diagram that depicts the managed distribution of mobile sensor agents in an example computer network 300 protected by a network security system according to the present invention. For purposes of this example, computer network 300 includes a security server 302, a protected client computer 304, a protected client computer 306, and a network application 308. Security server 302 maintains any number of "inactive" or "dormant" mobile sensor agents 310. These dormant mobile sensor agents 310 are capable of being distributed to various points in computer network 300; dormant mobile sensor agents are activated such that they can perform their designated tasks once they reach their destination in computer network 300. For the sake of illustration, dormant or inactive mobile sensor agents are shaded in FIG. 3.
[0022] Once deployed and installed on a client computer, a mobile sensor agent detects events and reports event data back to security server 302. As used herein, a field agent is a mobile sensor agent that is distributed from security server 302 to one specific protected client computer. FIG. 3 depicts a number of field agents 312 associated with client computer 304 and a number of field agents 314 associated with client computer 306. Field agents are deployed to a specific client computer (or other location in computer network 300), where they reside and function until withdrawn or deactivated or until they expire. The security system may also employ a number of wandering sensor agents 316 that travel among a plurality of client computers (or other locations in computer network 300). In this regard, wandering sensor agent 316 may be designed to perform a specified task at client computer 304, then travel to client computer 306 to perform the same specified task. Alternatively, wandering sensor agent 316 may be instructed to perform different tasks at different locations within computer network 300. The routine followed by wandering sensor agent 316 may be predetermined by security server 302, or it may be controlled in response to the changing security status of computer network 300 and/or in response to operator commands.
[0023] The security system may also support the deployment of one or more mobile sensor agents that function as broker agents. As used herein, a broker agent obtains raw event data from an application installed in the protected computer network, and sends corresponding event data back to the security server. In this regard, FIG. 3 shows a network application 318 and a number of associated broker agents 320. Network application 318 may be, for example, a network traffic analysis program, a user authentication program, an antivirus program, a firewall application, or the like. Broker agents 320 receive data from "sensors" built into the network application and forward such data to the network security system. In this manner, the network security system can process and analyze event data obtained indirectly from other applications.
[0024] FIG. 3 shows mobile sensor agents 322 in transit between security server 302 and client computers 304, 306. FIG. 3 also shows a mobile broker agent 324 in transit between security server 302 and network application 318. FIG. 3 thus illustrates the dynamic and mobile nature of the various mobile sensor agents, which are distributed in computer network 300 under the control of security server 302. In response to the changing risk and security status of computer network 300, security server 302 can distribute and/or allocate additional mobile sensor agents to appropriate locations within the network. In addition, security server 302 can activate dormant sensor agents (e.g., mobile sensor agent 326 maintained by client computer 304), deactivate active mobile sensor agents, withdraw mobile sensor agents that are no longer needed, and/or terminate or delete mobile sensor agents that are no longer needed (a deleted or withdrawn mobile sensor agent 328 is shown in connection with client computer 306). Furthermore, the network security system is adaptable to accommodate new sensor agents 330 that detect additional events that are currently unmonitored. For example, in response to new attack signatures or suspected network vulnerabilities, new mobile sensor agents 330 may be installed on security server 302 for managed distribution in computer network 300. In this manner, every client computer in computer network 300 need not be periodically updated to provide protection against new threats.
[0025] The various types of mobile sensor agents (e.g., field agents, broker agents, and wandering agents) share many functional characteristics. For example, when deployed in the client computers, a mobile sensor agent resides in the application layer of the host processor, along with a suitable agent server. The mobile sensor agent is configured to communicate directly with the operating system of the host processor, via the kernel layer. The mobile sensor agents detect "low level" data corresponding to abstract events or activities rather than "high level" contextual data or data related to attack signatures. The mobile sensor agents detect events even if the events themselves are not predefined components of an attack. In other words, rather than detect the occurrence of an attack itself, the mobile sensor agents look for elemental evidence of activities and events that could be a constituent part of an attack. In this regard, the mobile sensor agents can be lightweight in design and they need not consume a large amount of the host processor resources.
[0026] Table 1 contains a list of example events corresponding to the functionality of different mobile sensor agents. The events listed in Table 1 represent host-level event occurrences related to protected client computer activity. In a practical deployment, the set of events may never be finalized, and a complete and exhaustive set would include all sensors necessary to fully monitor all events within a network; such an implementation would be inefficient for practical applications. The number of detectable events may increase as attackers learn to use different types of network and client activities to perpetrate their efforts. The mobile sensor agents may also change as the attackers learn to use network and client activities in different ways, thus prompting enhancement of the sensor agent specifications.
TABLE 1 - Detectable Events (the table is reproduced as page images in the original; its contents are not available in this text)
[0027] A particular mobile sensor agent may be designed to detect one or more distinct event occurrences. For example, one mobile sensor agent may be specifically limited to the detection of unauthorized software, while another mobile sensor agent may be designed to detect the number of SMTP connections and the number of FTP connections. Each mobile sensor agent reports the detected event occurrences back to the respective security server in the form of event data. The event data may be formatted in accordance with any suitable scheme that enables the security server to receive, interpret, and process the event data.
[0028] FIG. 4 is a schematic representation of a fusion component 400 utilized by the network security system. In a practical embodiment, each security server includes a fusion component 400 configured to process event data received from the mobile sensor agents. Fusion component 400 can be implemented in software, hardware, firmware, or any combination thereof; in a preferred embodiment, fusion component 400 is implemented in software. Briefly, fusion component 400 processes the event data using one or more fusion agents 402, each specializing in a potential network security issue. As used herein, a "network security issue" can be a component of a known attack, a known attack signature, a network vulnerability, a monitored network function or feature, or the like. In FIG. 4, each ellipse represents a fusion agent 402, and the area within the rectangle represents all network vulnerabilities and potential attack scenarios. Ideally, the fusion agents 402 in combination will provide adequate protection against all potential attack scenarios, both known and unknown.
[0029] In a practical implementation, each fusion agent 402 will receive and process a limited amount of event data. For example, referring to Table 1, a fusion agent 402 will typically receive and process only a subset of the listed events. In addition, any number of different fusion agents 402 can receive and process the same event data, i.e., event data need not be exclusive to any particular fusion agent 402. In the preferred embodiment, any number of fusion agents 402 can process the event data using one or more intelligent decision-making techniques (e.g., artificial intelligence techniques, expert system techniques, neural network techniques, and the like). Furthermore, any number of the fusion agents 402 may be collaborative fusion agents capable of communicating with one another. The collaborative nature of the fusion agents makes the network security system more interactive and adaptable to accommodate different security threats and attack patterns. Although not normally mobile within a given network, fusion agents 402 may be configured for travel or distribution from one security server to another security server.
[0030] Fusion component 400 analyzes the event data and, considering a set of operating guidelines dictated by the operator of the network security system, assesses the situation/risk status of the computer network based upon the event data. The set of operating guidelines specify the security services available to network users, identify data accessible to certain users and the manner in which such data can be accessed, and the like. In this regard, fusion component 400 receives the relatively low level abstract event data and generates an output of relatively high level contextual information representing the current security status of the network. In addition, fusion component 400 is further configured to determine the need for additional event data (to be obtained from additional mobile sensor agents) based upon the assessed situation/risk status. In this regard, fusion component 400 is configured to generate requests for additional event data (i.e., fusion source data requirements).
[0031] In a practical embodiment, a fusion agent 402 will analyze the current set of event data to which it has direct access, along with any event data (or other data) to which it has access via other fusion agents. Using its intelligent decision-making processes, the fusion agent 402 will determine whether a security threat is present and, if so, the severity of the security issue and/or the risk associated with the security issue. If the fusion agent 402 determines that little or no threat or risk is present, then it may generate fusion source data requirements corresponding to no change in the status of the relevant mobile sensor agents. Alternatively, it may generate fusion source data requirements corresponding to a request to reduce the amount of mobile sensor agents and/or other resources devoted to the detection of that particular threat. On the other hand, if fusion agent 402 determines that a measurable threat or risk is present (or if it cannot make any intelligent risk assessment), then it may generate fusion source data requirements corresponding to a request to increase the amount of mobile sensor agents and/or other resources devoted to the detection of that particular threat.
[0032] Fusion component 400 can also consider metadata related to the received event data, which is received and processed virtually in real-time. For example, metadata related to the event data may be: the username and password of the user of the client computer where the detected event occurred; the purpose or function of the respective client computer, e.g., server, workstation, or secretarial; the current security status of the respective client computer; the current security status of the protected network; a history of events for the respective client computer; a statistical profile of events for the respective client computer; the identities of other client computers that frequently communicate with the respective client computer; and the like. Such metadata can be used, with or without event data, to evaluate the situation/risk status of the protected network over relatively long periods of time or to determine whether the protected network is being subjected to an organized distributed attack.
[0033] FIG. 5 is a schematic representation of a sensor distribution manager 500 utilized by the network security system. Distribution manager 500 can be implemented in software, hardware, firmware, or any combination thereof; in a preferred embodiment, distribution manager 500 is implemented in software. In a practical embodiment, a sensor distribution manager 500 is implemented in each security server employed by the network security system. Briefly, distribution manager 500 is configured to manage the distribution of mobile sensor agents in the computer network in response to a number of operating criteria and/or data inputs. For purposes of this description, "managing the distribution" of mobile sensor agents encompasses a variety of functions, including, but not limited to: initially deploying sensor agents throughout the network; dispatching new or additional sensor agents to points in the network while the network security system is monitoring the network; allocating sensor agent resources for use in the network; controlling the movement of wandering sensor agents in the network; activating and deactivating sensor agents deployed in the network; withdrawing, deleting, and terminating sensor agents deployed in the network; monitoring the location and/or status of deployed sensor agents; and the like.
[0034] Conceptually, sensor distribution manager 500 includes an intelligent distribution controller 502 that cooperates with a sensor server 504. These functional components are shown as distinct elements in FIG. 5 to facilitate the description of distribution manager 500 - in reality, distribution manager 500 need not be partitioned into such functional elements. Distribution controller 502 receives data that influences the distribution of mobile sensor agents in the protected computer network, and generates commands or instructions for controlling the distribution of the mobile sensor agents. The instructions are processed by sensor server 504, which responds by distributing, activating, withdrawing, deactivating, and/or moving one or more mobile sensor agents in the protected network.
[0035] As shown in FIG. 5, distribution controller 502 may consider one or more of the following: fusion source data requirements (i.e., requests for additional event data, which may correspond to the deployment of additional mobile sensor agents); operator recommendations; risk/protection guidelines; and host resource status data. In addition to the above criteria, distribution controller 502 may process any number of additional criteria or data types. As described above in connection with fusion component 400, sensor distribution manager 500 considers the results generated by fusion component 400. In other words, requests related to the collection of additional event data and/or other fusion source data requirements are fed to distribution controller 502 for evaluation. Operator recommendations are explicit instructions provided by a user of the network security system. For example, a user stationed at a security server may request the deployment of one or more specific mobile sensor agents to a particular client computer in response to a perceived risk. Indeed, the security system may allow a user to recommend any number of changes or adjustments to the current security settings or mobile sensor agent deployment. Depending upon the specific application, a user may be authorized to completely override the decisions made by distribution manager 500 or a user may only be permitted to enter suggestions or recommendations. Risk/protection guidelines refer to general rules that govern the distribution of mobile sensor agents in a particular computer network. In this regard, risk/protection guidelines can vary from application to application. The risk/protection guidelines may define any number of operational rules, such as: the maximum amount of host processor resources that can be devoted to the network security system (which may vary depending upon the current risk assessment); a list of activities or events that must be continuously or periodically monitored; the number of mobile sensor agents that can be distributed to a single client computer (which may vary depending upon the current risk assessment); and the like. Distribution controller 502 may also process data representing the current host resource status of one or more of the protected client computers in the network. In one practical embodiment, the network security system may only consume approximately three percent of the processing power of any client computer. However, in response to a heightened security risk, the security system may be authorized to consume more than three percent of the host processing power. Distribution controller 502 can process the current status of the host resources to determine how best to manage the distribution of mobile sensor agents in the network.
[0036] In the preferred embodiment, the network security system evaluates the host processor performance, the amount of resources devoted to the security system, and the current risk assessment, and performs a trade-off between host processor performance and network protection. In response to the fusion source data requirements, any operator recommendations, risk/protection guidelines for the protected network, the current host resource status, and possibly other criteria, distribution controller 502 generates one or more sensor distribution instructions to be carried out by sensor server 504. Consequently, distribution manager 500 can manage the distribution of mobile sensor agents in the protected network in response to user recommendations, established risk/protection guidelines, requests for additional event data (which may be generated by fusion component 400), and/or the resource status of at least one protected client computer in the network.
[0037] FIG. 6 is a flow diagram of a network security process 600 performed by a network security system configured in accordance with the present invention. Although process 600 illustrates a number of common functions performed by a practical network security system, in actual use a security system may perform a number of additional or alternative functions. Process 600 assumes that the respective client computers are suitably configured for compatibility with the network security system, and that a suitably configured security server (or servers) is installed on the protected computer network.
[0038] Network security process 600 begins by providing a number of mobile sensor agents for deployment in the protected network (task 602). In this context, any number of mobile sensor agents can be provided to the security server at the initial installation of the security system or at any subsequent time, any number of broker agents can be directly provided to respective applications or information sources throughout the network, and/or any number of mobile sensor agents can be directly provided to one or more client computers. In a typical installation, a number of dormant sensor agents (and possibly a number of active sensor agents) will be provided to the security server during task 602, with little or no direct installation of sensor agents at the client level.
[0039] The security server may distribute one or more initial mobile sensor agents (e.g., active or inactive field agents, wandering agents, and broker agents) to various points in the protected network (task 604). The set of initially distributed mobile sensor agents, and the destinations of those sensor agents, are dictated by the specifications and requirements of the protected network. For example, one network may require a relatively low number of initial sensor agents, while another network may require a relatively complex initial installation of sensor agents. Once deployed and activated, these mobile sensor agents perform their designated functions and they begin monitoring for the occurrence of specific activities on the protected network.
[0040] Eventually, the security server receives event data from one or more mobile sensor agents (e.g., wandering sensor agents, broker agents, and/or field agents), where the event data corresponds to detected event occurrences (task 606). In a preferred practical embodiment, data transmitted between client computers and security servers is encrypted using a suitable encryption algorithm. The encryption of the event data adds a layer of security to the system and protects against the unauthorized interception of the security system communications. As described in more detail above, the event occurrences detected by the mobile sensor agents need not be components of a known or suspected attack. Rather, the events can relate to host processor activities that may be legitimate and normal under many circumstances. Thus, the received event data may be abstract host-level event data related to protected client computer activity.
[0041] As described above, the security server analyzes and processes the received event data to assess the current situation/risk status (task 608). The security server also generates source data requirements (e.g., requests for additional event data) in response to the received event data (task 610). In the example embodiment, task 608 and task 610 are performed by fusion component 400. The security server may receive the current host resource status from the protected client computers (task 612), along with any operator recommendations entered by an operator of the security server (task 614). In a practical embodiment, the security server receives the host resource status data via the network and via its data communication port, and it receives the operator recommendation data directly from a keyboard, a mouse, or any suitable user interface device.
[0042] In response to the received event data, the security server manages the distribution of one or more mobile sensor agents in the protected computer network (task 616). As mentioned above, the management of the mobile sensor agents by the security server is also responsive to the host resource status, the designated risk/protection guidelines, and operator recommendations. During task 616, the security server can manage, without limitation: the deployment of additional mobile sensor agents from the security server to protected client computers or elsewhere in the network; the activation of at least one dormant or deactivated mobile sensor agent installed in a client computer; the deactivation of at least one active mobile sensor agent installed in a client computer; and/or the withdrawal or deletion of at least one mobile sensor agent from a client computer. Generally, the security server can be configured to manage any number of actions related to the distribution, allocation, movement, operation, control, and/or regulation of mobile sensor agents within the protected network. In this respect, the security system may utilize server and client packages to manage a number of issues such as: the deployment of sensor agents to a specific client computer; communication between the security server and sensor agents for purposes of sensor withdrawal, sensor reallocation, sensor deactivation, sensor activation, or designation of sensor functionality; and the like. In a practical embodiment, the security system can utilize a local security zone manager or security client that runs on the protected hosts and manages such issues. The local security clients ensure that the host identification is available in the registry of the security server, ensure that the appropriate security provisions are in place for secure interaction (including encryption key management), and manage the three-way trade-off between local sensor configuration, data collection requests, and local host processing resources.
[0043] The network security system can display or otherwise convey the current situation/risk status of the protected network in virtually real-time to an operator of the system (task 618). In the preferred embodiment, the security server includes a display monitor and the security server is capable of rendering a graphical representation of the network status for display on the monitor. For example, the situation/risk status of the network can be displayed in any convenient manner that enables an operator to quickly determine whether any given client computer is vulnerable or under attack. In turn, the operator can make security decisions based on the displayed information.
[0044] The network security system is capable of providing dynamically adaptable protection for a computer network, and such protection is provided in a continuous manner. Accordingly, many of the tasks described in connection with network security process 600 are repeated and performed in a continuous manner.
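As an added worked example serving both the sensor distribution manager of FIG. 5 (paragraphs [0033] to [0036]) and task 616 of process 600, the following Python sketch shows one way distribution controller 502 could turn its four inputs into sensor distribution instructions for sensor server 504: risk/protection guidelines supply a host CPU budget and a per-host agent limit that grow with the risk assessment (the three percent budget at normal risk is from the description; the elevated-risk budget of ten percent and the agent limits are assumed), fusion source data requirements and operator recommendations add agents a host should run, an operator withdrawal overrides the other requests, and host resource status decides which dormant agents are activated, which are newly deployed, and which active agents are deactivated to stay within budget. This is example code, not the patent's or the applicant's implementation; the agent names, their CPU costs, the host states and the two scenarios are constructed.

```python
"""Sensor distribution controller: fusion requests + operator recommendations +
risk/protection guidelines + host resource status -> sensor instructions.

Added example, not the patent's implementation. Agent names, CPU costs, the
elevated-risk budget, agent limits and host states are constructed values.
"""
from dataclasses import dataclass, field

# Constructed catalogue: fraction of a host's CPU each sensor agent type consumes.
AGENT_CPU_COST = {
    "process_start": 0.01,
    "login_watch": 0.01,
    "net_flow": 0.02,
    "file_integrity": 0.03,
}


@dataclass
class Guidelines:
    """Risk/protection guidelines; budgets vary with the current risk assessment."""
    # 0.03 (three percent) is the figure given in the description; 0.10 is assumed.
    cpu_budget: dict = field(default_factory=lambda: {"normal": 0.03, "elevated": 0.10})
    max_agents: dict = field(default_factory=lambda: {"normal": 2, "elevated": 5})
    mandatory: frozenset = frozenset({"process_start"})  # events that must always be monitored


@dataclass
class HostStatus:
    """Host resource status as reported by the local security client."""
    active: set    # sensor agents currently running on the host
    dormant: set   # sensor agents installed on the host but deactivated


def plan_distribution(hosts, risk, fusion_requests, operator_recs, g):
    """Return a sorted list of (host, action, agent) instructions for the sensor server.

    operator_recs: list of (host, "deploy" | "withdraw", agent) entered by the operator.
    fusion_requests: {host: [agent, ...]} source data requirements from the fusion component.
    """
    budget, limit = g.cpu_budget[risk], g.max_agents[risk]
    instructions = []
    for host in sorted(hosts):
        st = hosts[host]
        withdraw = {a for h, act, a in operator_recs if h == host and act == "withdraw"}
        # Priority of each wanted agent: 0 mandatory, 1 operator-requested, 2 fusion-requested.
        prio = {a: 0 for a in g.mandatory}
        for h, act, a in operator_recs:
            if h == host and act == "deploy":
                prio[a] = min(prio.get(a, 9), 1)
        for a in fusion_requests.get(host, ()):
            prio.setdefault(a, 2)
        for a in withdraw:                     # operator withdrawal overrides other requests
            prio.pop(a, None)
        # Trade-off: admit agents in priority order while CPU budget and agent limit allow.
        chosen, cpu = set(), 0.0
        for agent in sorted(prio, key=lambda x: (prio[x], x)):
            cost = AGENT_CPU_COST[agent]
            if len(chosen) < limit and cpu + cost <= budget + 1e-9:
                chosen.add(agent)
                cpu += cost
        for a in sorted(chosen - st.active):   # dormant agents are activated, others deployed
            instructions.append((host, "activate" if a in st.dormant else "deploy", a))
        for a in sorted((st.active | st.dormant) & withdraw):
            instructions.append((host, "withdraw", a))
        for a in sorted(st.active - chosen - withdraw):   # running but no longer affordable
            instructions.append((host, "deactivate", a))
    return instructions


def scenario():
    """Constructed two-cycle scenario: normal risk with an operator withdrawal, then
    elevated risk with an operator deployment request. Returns both instruction lists."""
    g = Guidelines()
    hosts = {
        "ws1": HostStatus(active={"process_start"}, dormant={"login_watch"}),
        "srv1": HostStatus(active={"process_start", "net_flow"}, dormant={"file_integrity"}),
    }
    fusion = {"ws1": ["login_watch", "file_integrity"]}   # fusion source data requirements
    normal = plan_distribution(hosts, "normal", fusion, [("srv1", "withdraw", "net_flow")], g)
    elevated = plan_distribution(hosts, "elevated", fusion, [("srv1", "deploy", "file_integrity")], g)
    return normal, elevated


if __name__ == "__main__":
    for name, plan in zip(("normal", "elevated"), scenario()):
        print(name, plan)
```

At normal risk the three percent budget admits only two cheap agents on ws1, so the fusion component's request for the costlier file-integrity sensor is deferred; once the risk assessment is elevated the same request is honoured and the sensor is deployed, which is the adaptive behaviour the description attributes to the trade-off performed by distribution controller 502.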
[0045] The present invention has been described above with reference to a preferred embodiment. However, those skilled in the art having read this disclosure will recognize that changes and modifications may be made to the preferred embodiment without departing from the scope of the present invention. These and other changes or modifications are intended to be included within the scope of the present invention, as expressed in the following claims.

Claims

What is claimed is:
1. A computer network security method comprising: providing a number of mobile sensor agents for deployment in a computer network, each of said mobile sensor agents being configured to detect event occurrences; receiving event data from one or more of said mobile sensor agents, said event data corresponding to detected event occurrences; and managing, in response to said event data, the distribution of one or more of said mobile sensor agents in said computer network.
2. A method according to claim 1, wherein said managing step manages the deployment of at least one mobile sensor agent from a security server connected to said computer network to a protected client computer in said computer network.
3. A method according to claim 1, wherein said managing step manages the activation of at least one dormant mobile sensor agent installed in a protected client computer in said computer network.
4. A method according to claim 1, wherein said managing step manages the deactivation of at least one active mobile sensor agent installed in a protected client computer in said computer network.
5. A method according to claim 1, wherein said managing step manages the withdrawal of at least one mobile sensor agent from a protected client computer in said computer network.
6. A method according to claim 1, wherein said mobile sensor agents are configured to detect host-level event occuπences related to protected client computer activity.
7. A method according to claim 6, wherein receiving event data comprises receiving abstract host-level event data related to protected client computer activity.
8. A method according to claim 1, wherein said providing step comprises providing a number of mobile sensor agents to at least one security server connected to said computer network.
9. A method according to claim 1, wherein said providing step comprises providing a number of mobile sensor agents to at least one protected client computer in said computer network.
10. A method according to claim 1, wherein said managing step manages the distribution of one or more of said mobile sensor agents in response to user recommendations.
11. A method according to claim 1, wherein said managing step manages the distribution of one or more of said mobile sensor agents in response to established risk/protection guidelines.
12. A method according to claim 1, wherein said managing step manages the distribution of one or more of said mobile sensor agents in response to requests for additional event data.
13. A method according to claim 1, wherein said managing step manages the distribution of one or more of said mobile sensor agents in response to resource status of at least one protected client computer in said computer network.
14. A method according to claim 1, wherein said receiving step receives event data from at least one wandering sensor agent that travels among a plurality of protected client computers in said computer network.
15. A method according to claim 1, wherein said receiving step receives forwarded event data from at least one broker agent that obtains raw event data from an application installed in said computer network.
16. A method according to claim 1, wherein said receiving step receives event data from at least one field agent that is specific to one protected client computer in said computer network.
17. A network security computer program, said computer program being embodied on a computer-readable medium, said computer program having computer-executable instructions for carrying out a method comprising: providing a number of mobile sensor agents for deployment in a computer network, each of said mobile sensor agents being configured to detect event occurrences; receiving event data from one or more of said mobile sensor agents, said event data corresponding to detected event occurrences; and managing, in response to said event data, the distribution of one or more of said mobile sensor agents in said computer network.
18. A computer network security server comprising: a distribution manager configured to manage the distribution of mobile sensor agents in a computer network, each of said mobile sensor agents being configured to detect event occurrences; at least one data communication port configured to receive event data from one or more mobile sensor agents deployed in said computer network; and a fusion component configured to process said event data and generate requests for additional event data; wherein said distribution manager manages the distribution of mobile sensor agents in response to said requests.
19. A security server according to claim 18, wherein said fusion component is further configured to assess the situation/risk status of said computer network based upon said event data.
20. A security server according to claim 19, wherein said fusion component is further configured to determine the need for said additional event data based upon said situation/risk status.
21. A security server according to claim 18, wherein said at least one data communication port is configured to receive said event data via said computer network.
22. A security server according to claim 18, wherein said fusion component comprises one or more fusion agents, each specializing in a potential network security issue.
23. A security server according to claim 22, wherein at least one of said fusion agents is configured to process said event data using an intelligent decision-making technique.
24. A security server according to claim 22, wherein a number of said fusion agents are collaborative fusion agents capable of communicating with one another.
PCT/US2003/027583 2002-09-06 2003-09-03 Computer network security system utilizing dynamic mobile sensor agents WO2004023714A2 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
AU2003276862A AU2003276862A1 (en) 2002-09-06 2003-09-03 Computer network security system utilizing dynamic mobile sensor agents
GB0506583A GB2409784B (en) 2002-09-06 2003-09-03 Computer network security system utilizing dynamic mobile sensor agents

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/236,357 US20040049698A1 (en) 2002-09-06 2002-09-06 Computer network security system utilizing dynamic mobile sensor agents
US10/236,357 2002-09-06

Publications (2)

Publication Number Publication Date
WO2004023714A2 true WO2004023714A2 (en) 2004-03-18
WO2004023714A3 WO2004023714A3 (en) 2004-05-27

Family

ID=31977636

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2003/027583 WO2004023714A2 (en) 2002-09-06 2003-09-03 Computer network security system utilizing dynamic mobile sensor agents

Country Status (4)

Country Link
US (1) US20040049698A1 (en)
AU (1) AU2003276862A1 (en)
GB (1) GB2409784B (en)
WO (1) WO2004023714A2 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006071486A1 (en) * 2004-12-27 2006-07-06 Raytheon Company Network intrusion prevention
EP1725946A2 (en) * 2004-03-10 2006-11-29 Enterasys Networks, Inc. Dynamic network detection system and method
CN103959704A (en) * 2011-09-30 2014-07-30 中央科学研究中心 Method and device for synchronizing entanglement sources for a quantum communication network
EP3035636A1 (en) * 2014-12-17 2016-06-22 The Boeing Company Computer defenses and counterattacks
WO2019115173A1 (en) * 2017-12-14 2019-06-20 Commissariat A L'energie Atomique Et Aux Energies Alternatives Device and process for checking sensors that permit the detection of intrusions into a network

Families Citing this family (86)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10025626A1 (en) * 2000-05-24 2001-11-29 Deutsche Telekom Ag Encrypt data to be stored in an IV system
US6993448B2 (en) * 2000-08-09 2006-01-31 Telos Corporation System, method and medium for certifying and accrediting requirements compliance
US7380270B2 (en) * 2000-08-09 2008-05-27 Telos Corporation Enhanced system, method and medium for certifying and accrediting requirements compliance
DE10242917A1 (en) * 2002-09-16 2004-03-25 Siemens Ag System for recording and displaying a secure status of devices
US7437760B2 (en) * 2002-10-10 2008-10-14 International Business Machines Corporation Antiviral network system
US6980927B2 (en) * 2002-11-27 2005-12-27 Telos Corporation Enhanced system, method and medium for certifying and accrediting requirements compliance utilizing continuous risk assessment
US6983221B2 (en) * 2002-11-27 2006-01-03 Telos Corporation Enhanced system, method and medium for certifying and accrediting requirements compliance utilizing robust risk assessment model
US7483972B2 (en) * 2003-01-08 2009-01-27 Cisco Technology, Inc. Network security monitoring system
US7895649B1 (en) 2003-04-04 2011-02-22 Raytheon Company Dynamic rule generation for an enterprise intrusion detection system
US7277546B2 (en) * 2003-04-09 2007-10-02 New Jersey Institute Of Technology Methods and apparatus for multi-level dynamic security system
ATE441159T1 (en) * 2003-04-22 2009-09-15 Nxp Bv ELECTRONIC CIRCUIT FOR CRYPTOGRAPHIC APPLICATIONS
US7437763B2 (en) * 2003-06-05 2008-10-14 Microsoft Corporation In-context security advisor in a computing environment
US6985920B2 (en) * 2003-06-23 2006-01-10 Protego Networks Inc. Method and system for determining intra-session event correlation across network address translation devices
US8225407B1 (en) * 2003-08-21 2012-07-17 Symantec Corporation Incident prioritization and adaptive response recommendations
US7644365B2 (en) * 2003-09-12 2010-01-05 Cisco Technology, Inc. Method and system for displaying network security incidents
US7788109B2 (en) * 2004-04-03 2010-08-31 Altusys Corp. Method and apparatus for context-sensitive event correlation with external control in situation-based management
US20050222810A1 (en) * 2004-04-03 2005-10-06 Altusys Corp Method and Apparatus for Coordination of a Situation Manager and Event Correlation in Situation-Based Management
US8694475B2 (en) * 2004-04-03 2014-04-08 Altusys Corp. Method and apparatus for situation-based management
US20050222895A1 (en) * 2004-04-03 2005-10-06 Altusys Corp Method and Apparatus for Creating and Using Situation Transition Graphs in Situation-Based Management
EP1751957A1 (en) * 2004-05-10 2007-02-14 France Télécom Suppression of false alarms in alarms arising from intrusion detection probes in a monitored information system
US7765594B1 (en) * 2004-08-18 2010-07-27 Symantec Corporation Dynamic security deputization
US8887287B2 (en) 2004-10-27 2014-11-11 Alcatel Lucent Method and apparatus for software integrity protection using timed executable agents
US7478424B2 (en) * 2004-11-30 2009-01-13 Cymtec Systems, Inc. Propagation protection within a network
US20060117385A1 (en) * 2004-11-30 2006-06-01 Mester Michael L Monitoring propagation protection within a network
US7395195B2 (en) * 2004-12-27 2008-07-01 Sap Aktiengesellschaft Sensor network modeling and deployment
US20060206941A1 (en) * 2005-03-08 2006-09-14 Praesidium Technologies, Ltd. Communications system with distributed risk management
US7668097B2 (en) * 2005-04-12 2010-02-23 Motorola, Inc. Method of dormant data session reactivation
US8572733B1 (en) * 2005-07-06 2013-10-29 Raytheon Company System and method for active data collection in a network security system
US9418040B2 (en) * 2005-07-07 2016-08-16 Sciencelogic, Inc. Dynamically deployable self configuring distributed network management system
US7882262B2 (en) * 2005-08-18 2011-02-01 Cisco Technology, Inc. Method and system for inline top N query computation
US8224761B1 (en) 2005-09-01 2012-07-17 Raytheon Company System and method for interactive correlation rule design in a network security system
US7950058B1 (en) 2005-09-01 2011-05-24 Raytheon Company System and method for collaborative information security correlation in low bandwidth environments
US7849185B1 (en) 2006-01-10 2010-12-07 Raytheon Company System and method for attacker attribution in a network security system
US20070195776A1 (en) * 2006-02-23 2007-08-23 Zheng Danyang R System and method for channeling network traffic
US7984501B2 (en) * 2006-04-03 2011-07-19 ZMT Comunicacoes E Technologia Ltda. Component-oriented system and method for web application security analysis
US8233388B2 (en) 2006-05-30 2012-07-31 Cisco Technology, Inc. System and method for controlling and tracking network content flow
US20080052508A1 (en) * 2006-08-25 2008-02-28 Huotari Allen J Network security status indicators
US8607336B2 (en) * 2006-09-19 2013-12-10 The Invention Science Fund I, Llc Evaluation systems and methods for coordinating software agents
US8601530B2 (en) * 2006-09-19 2013-12-03 The Invention Science Fund I, Llc Evaluation systems and methods for coordinating software agents
US8984579B2 (en) * 2006-09-19 2015-03-17 The Innovation Science Fund I, LLC Evaluation systems and methods for coordinating software agents
US8627402B2 (en) 2006-09-19 2014-01-07 The Invention Science Fund I, Llc Evaluation systems and methods for coordinating software agents
US8811156B1 (en) 2006-11-14 2014-08-19 Raytheon Company Compressing n-dimensional data
US8302196B2 (en) * 2007-03-20 2012-10-30 Microsoft Corporation Combining assessment models and client targeting to identify network security vulnerabilities
US8990947B2 (en) * 2008-02-04 2015-03-24 Microsoft Technology Licensing, Llc Analytics engine
US8903889B2 (en) * 2008-07-25 2014-12-02 International Business Machines Corporation Method, system and article for mobile metadata software agent in a data-centric computing environment
FR2937763B1 (en) * 2008-10-24 2010-11-12 Thales Sa CENTRALIZED SUPERVISION AND / OR HYPERVISION TOOL OF A SET OF SYSTEMS OF DIFFERENT SECURITY LEVELS
KR101003104B1 (en) * 2008-12-22 2010-12-21 한국전자통신연구원 Apparatus for monitoring the security status in wireless network and method thereof
US8752142B2 (en) * 2009-07-17 2014-06-10 American Express Travel Related Services Company, Inc. Systems, methods, and computer program products for adapting the security measures of a communication network based on feedback
US8495745B1 (en) 2009-11-30 2013-07-23 Mcafee, Inc. Asset risk analysis
US9756076B2 (en) * 2009-12-17 2017-09-05 American Express Travel Related Services Company, Inc. Dynamically reacting policies and protections for securing mobile financial transactions
US8621636B2 (en) 2009-12-17 2013-12-31 American Express Travel Related Services Company, Inc. Systems, methods, and computer program products for collecting and reporting sensor data in a communication network
US8650129B2 (en) 2010-01-20 2014-02-11 American Express Travel Related Services Company, Inc. Dynamically reacting policies and protections for securing mobile financial transaction data in transit
WO2011103385A1 (en) * 2010-02-22 2011-08-25 Avaya Inc. Secure, policy-based communications security and file sharing across mixed media, mixed-communications modalities and extensible to cloud computing such as soa
US8495747B1 (en) 2010-03-31 2013-07-23 Mcafee, Inc. Prioritizing asset remediations
US8850539B2 (en) 2010-06-22 2014-09-30 American Express Travel Related Services Company, Inc. Adaptive policies and protections for securing financial transaction data at rest
US10360625B2 (en) 2010-06-22 2019-07-23 American Express Travel Related Services Company, Inc. Dynamically adaptive policy management for securing mobile financial transactions
US8924296B2 (en) 2010-06-22 2014-12-30 American Express Travel Related Services Company, Inc. Dynamic pairing system for securing a trusted communication channel
US9100425B2 (en) 2010-12-01 2015-08-04 Cisco Technology, Inc. Method and apparatus for detecting malicious software using generic signatures
US9218461B2 (en) * 2010-12-01 2015-12-22 Cisco Technology, Inc. Method and apparatus for detecting malicious software through contextual convictions
US8656492B2 (en) 2011-05-16 2014-02-18 General Electric Company Systems, methods, and apparatus for network intrusion detection
US20120297481A1 (en) * 2011-05-16 2012-11-22 General Electric Company Systems, methods, and apparatus for network intrusion detection
US10409980B2 (en) 2012-12-27 2019-09-10 Crowdstrike, Inc. Real-time representation of security-relevant system state
US20150350303A1 (en) * 2014-05-29 2015-12-03 Chia-I Lin Manufacturing optimization platform and method
US9798882B2 (en) * 2014-06-06 2017-10-24 Crowdstrike, Inc. Real-time model of states of monitored devices
EP3155758A4 (en) * 2014-06-10 2018-04-11 Sightline Innovation Inc. System and method for network based application development and implementation
FR3027178B1 (en) 2014-10-10 2018-01-12 Cassidian Cybersecurity Sas METHOD FOR DYNAMICALLY ADJUSTING A VERBOSITY LEVEL OF A COMPONENT OF A COMMUNICATIONS NETWORK
WO2017078986A1 (en) 2014-12-29 2017-05-11 Cyence Inc. Diversity analysis with actionable feedback methodologies
US10050990B2 (en) 2014-12-29 2018-08-14 Guidewire Software, Inc. Disaster scenario based inferential analysis using feedback for extracting and combining cyber risk information
US10341376B2 (en) 2014-12-29 2019-07-02 Guidewire Software, Inc. Diversity analysis with actionable feedback methodologies
US11855768B2 (en) 2014-12-29 2023-12-26 Guidewire Software, Inc. Disaster scenario based inferential analysis using feedback for extracting and combining cyber risk information
US9699209B2 (en) 2014-12-29 2017-07-04 Cyence Inc. Cyber vulnerability scan analyses with actionable feedback
US10050989B2 (en) 2014-12-29 2018-08-14 Guidewire Software, Inc. Inferential analysis using feedback for extracting and combining cyber risk information including proxy connection analyses
US11863590B2 (en) 2014-12-29 2024-01-02 Guidewire Software, Inc. Inferential analysis using feedback for extracting and combining cyber risk information
WO2016138400A1 (en) * 2015-02-27 2016-09-01 Cisco Technology, Inc. System and methods for computer network security involving user confirmation of network connections
US10404748B2 (en) 2015-03-31 2019-09-03 Guidewire Software, Inc. Cyber risk analysis and remediation using network monitored sensors and methods of use
US10142353B2 (en) 2015-06-05 2018-11-27 Cisco Technology, Inc. System for monitoring and managing datacenters
US10536357B2 (en) 2015-06-05 2020-01-14 Cisco Technology, Inc. Late data detection in data center
US10148694B1 (en) * 2015-10-01 2018-12-04 Symantec Corporation Preventing data loss over network channels by dynamically monitoring file system operations of a process
JP6518795B2 (en) * 2016-01-15 2019-05-22 株式会社日立製作所 Computer system and control method thereof
US10079898B2 (en) * 2016-06-20 2018-09-18 General Electric Company Software-defined sensors
US10320818B2 (en) * 2017-02-14 2019-06-11 Symantec Corporation Systems and methods for detecting malicious computing events
US10630315B2 (en) 2017-09-29 2020-04-21 Intel Corporation Technologies for applying a redundancy encoding scheme to segmented network packets
US10916121B2 (en) * 2018-05-21 2021-02-09 Johnson Controls Technology Company Virtual maintenance manager
US10896261B2 (en) 2018-11-29 2021-01-19 Battelle Energy Alliance, Llc Systems and methods for control system security
US11489853B2 (en) 2020-05-01 2022-11-01 Amazon Technologies, Inc. Distributed threat sensor data aggregation and data export
US20210344726A1 (en) * 2020-05-01 2021-11-04 Amazon Technologies, Inc. Threat sensor deployment and management

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999057625A1 (en) * 1998-05-06 1999-11-11 Prc Inc. Dynamic system defence for information warfare

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5787177A (en) * 1996-08-01 1998-07-28 Harris Corporation Integrated network security access control system
US5991881A (en) * 1996-11-08 1999-11-23 Harris Corporation Network surveillance system
US6263444B1 (en) * 1997-03-11 2001-07-17 National Aerospace Laboratory Of Science & Technology Agency Network unauthorized access analysis method, network unauthorized access analysis apparatus utilizing the method, and computer-readable recording medium having network unauthorized access analysis program recorded thereon
US5958010A (en) * 1997-03-20 1999-09-28 Firstsense Software, Inc. Systems and methods for monitoring distributed applications including an interface running in an operating system kernel
US5983348A (en) * 1997-09-10 1999-11-09 Trend Micro Incorporated Computer network malicious code scanner
US6035423A (en) * 1997-12-31 2000-03-07 Network Associates, Inc. Method and system for providing automated updating and upgrading of antivirus applications using a computer network
US6088804A (en) * 1998-01-12 2000-07-11 Motorola, Inc. Adaptive system and method for responding to computer network security attacks
US6249868B1 (en) * 1998-03-25 2001-06-19 Softvault Systems, Inc. Method and system for embedded, automated, component-level control of computer systems and other complex systems
JP3606355B2 (en) * 1998-04-13 2005-01-05 オムロン株式会社 Agent system and communication method
US6219788B1 (en) * 1998-05-14 2001-04-17 International Business Machines Corporation Watchdog for trusted electronic content distributions
US6212633B1 (en) * 1998-06-26 2001-04-03 Vlsi Technology, Inc. Secure data communication over a memory-mapped serial communications interface utilizing a distributed firewall
US6253337B1 (en) * 1998-07-21 2001-06-26 Raytheon Company Information security analysis system
US6269447B1 (en) * 1998-07-21 2001-07-31 Raytheon Company Information security analysis system
US6550012B1 (en) * 1998-12-11 2003-04-15 Network Associates, Inc. Active firewall system and methodology
GB2353372B (en) * 1999-12-24 2001-08-22 F Secure Oyj Remote computer virus scanning
US6535227B1 (en) * 2000-02-08 2003-03-18 Harris Corporation System and method for assessing the security posture of a network and having a graphical user interface
AU2001257400A1 (en) * 2000-04-28 2001-11-12 Internet Security Systems, Inc. System and method for managing security events on a network
IL152502A0 (en) * 2000-04-28 2003-05-29 Internet Security Systems Inc Method and system for managing computer security information
US7146644B2 (en) * 2000-11-13 2006-12-05 Digital Doors, Inc. Data security system and method responsive to electronic attacks

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999057625A1 (en) * 1998-05-06 1999-11-11 Prc Inc. Dynamic system defence for information warfare

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
BERNARDES M C ET AL: "Implementation of an intrusion detection system based on mobile agents" SOFTWARE ENGINEERING FOR PARALLEL AND DISTRIBUTED SYSTEMS, 2000. PROCEEDINGS. INTERNATIONAL SYMPOSIUM ON LIMERICK, IRELAND 10-11 JUNE 2000, LOS ALAMITOS, CA, USA, IEEE COMPUT. SOC, US, 10 June 2000 (2000-06-10), pages 158-164, XP010500921 ISBN: 0-7695-0634-8 *
DUARTE DE QUEIROZ J ET AL: "MICAEL: An Autonomous Mobile Agent System to Protect New Generation Network Applications" SECOND INTERNATIONAL WORKSHOP ON RECENT ADVANCES IN INTRUSION DETECTION, 1999, 7-9 SEPTEMBER, WEST LAFAYETTE, INDIANA, USA. PROCEEDINGS, [Online] XP002275559 Retrieved from the Internet: <URL:http://www.raid-symposium.org/raid99/PAPERS/Mell.pdf> [retrieved on 2004-03-29] *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1725946A2 (en) * 2004-03-10 2006-11-29 Enterasys Networks, Inc. Dynamic network detection system and method
EP1725946A4 (en) * 2004-03-10 2012-07-11 Enterasys Networks Inc Dynamic network detection system and method
WO2006071486A1 (en) * 2004-12-27 2006-07-06 Raytheon Company Network intrusion prevention
CN103959704A (en) * 2011-09-30 2014-07-30 中央科学研究中心 Method and device for synchronizing entanglement sources for a quantum communication network
CN103959704B (en) * 2011-09-30 2016-12-14 中央科学研究中心 Method and apparatus for synchronizing entanglement sources of a quantum communication network
EP3035636A1 (en) * 2014-12-17 2016-06-22 The Boeing Company Computer defenses and counterattacks
US9591022B2 (en) 2014-12-17 2017-03-07 The Boeing Company Computer defenses and counterattacks
WO2019115173A1 (en) * 2017-12-14 2019-06-20 Commissariat A L'energie Atomique Et Aux Energies Alternatives Device and process for checking sensors that permit the detection of intrusions into a network
FR3075421A1 (en) * 2017-12-14 2019-06-21 Commissariat A L'energie Atomique Et Aux Energies Alternatives Device and method for controlling probes for the detection of intrusions on a network

Also Published As

Publication number Publication date
AU2003276862A1 (en) 2004-03-29
AU2003276862A8 (en) 2004-03-29
GB2409784B (en) 2006-07-19
US20040049698A1 (en) 2004-03-11
WO2004023714A3 (en) 2004-05-27
GB2409784A (en) 2005-07-06
GB0506583D0 (en) 2005-05-04

Similar Documents

Publication Publication Date Title
US20040049698A1 (en) Computer network security system utilizing dynamic mobile sensor agents
US10360062B2 (en) System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment
US11157300B2 (en) Managing virtual machine security resources
US11562076B2 (en) Reconfigured virtual machine to mitigate attack
US9467470B2 (en) System and method for local protection against malicious software
US20170279826A1 (en) Protecting dynamic and short-lived virtual machine instances in cloud environments
US20070266433A1 (en) System and Method for Securing Information in a Virtual Computing Environment
EP3500970B1 (en) Mitigating security attacks in virtualised computing environments
US6892241B2 (en) Anti-virus policy enforcement system and method
EP1677484B1 (en) Method and system for distributing security policies
US7533413B2 (en) Method and system for processing events
US11853425B2 (en) Dynamic sandbox scarecrow for malware management
US11880453B2 (en) Malware mitigation based on runtime memory allocation
US20210234901A1 (en) Systems and methods for network security
US20210329459A1 (en) System and method for rogue device detection
GB2621237A (en) Traffic scanning with context-aware threat signatures
US7523503B2 (en) Method for protecting security of network intrusion detection sensors
KR100860607B1 (en) Network protection total switch and method thereof
EP4272411A1 (en) Systems and methods for providing enhanced security in edge computing environments
Chatterjee An Efficient Intrusion Detection System on Various Datasets Using Machine Learning Techniques
EP3243313B1 (en) System and method for monitoring a computer system using machine interpretable code
US20230319116A1 (en) Signature quality evaluation
US20230319093A1 (en) Containerized network activity filtering
US20220191224A1 (en) Method of threat detection in a threat detection network and threat detection network
TOUMI et al. COOPERATIVE TRUST FRAMEWORK BASED ON HY-IDS, FIREWALLS, AND MOBILE AGENTS TO ENHANCE SECURITY IN A CLOUD ENVIRONMENT

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 EP: the EPO has been informed by WIPO that EP was designated in this application
ENP Entry into the national phase

Ref document number: 0506583

Country of ref document: GB

Kind code of ref document: A

Free format text: PCT FILING DATE = 20030903

WWE Wipo information: entry into national phase

Ref document number: 0506583.4

Country of ref document: GB

122 EP: PCT application non-entry in European phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP