United States Patent Application 20030051026
Kind Code: A1
Carter, Ernst B.; et al.
March 13, 2003
Network surveillance and security system
Abstract
A system that monitors and protects the security of computer networks uses artificial intelligence, including learning algorithms, neural networks and genetic programming, to learn from security events. The invention maintains a knowledge base of security events that updates autonomously in real time. The invention encrypts communications to exchange changes in its knowledge base with separate security systems protecting other computer networks. The invention autonomously alters its security policies in response to ongoing events. The invention tracks network communication traffic from inception at a well-known port throughout the duration of the communication including monitoring of any port the communication is switched to. The invention is able to track and utilize UNIX processes for monitoring, threat detection, and threat response functions. The invention is able to subdivide the network communications into identifying tags for tracking and control of the communications without incurring lags in response times.
Inventors: Carter; Ernst B. (San Francisco, CA), Zolotov; Vasily (San Francisco, CA)
Correspondence Name and Address:
THOMPSON COBURN, LLP
ONE FIRSTAR PLAZA SUITE 3500
ST LOUIS, MO 63101, US
Series Code: 766560
Filed: January 19, 2001
U.S. Current Class: 709/224; 713/201; 706/909
U.S. Class at Publication: 709/224; 713/201; 706/909
Intern'l Class: G06F 015/173; G06F 011/30
Claims
What is claimed is:
1. A network security system for a network having a plurality of computers, said system comprising at least one security program, said security program monitoring activity of a set of computers in the network, said program including an artificial intelligence component and a plurality of security rules, said security rules being alterable by the artificial intelligence component of the program in response to the monitored activity.
2. The network security system as set forth in claim 1 wherein the set of computers whose activity is monitored constitutes less than all the computers in the network.
3. The network security system as set forth in claim 1 wherein the network is in communication with an external computer network through one or more ports, the set of computers being monitored including at least some computers not connected directly to the ports in communication with the external network.
4. A network security system for a first computer network in communication with external computer networks having said security system, said system comprising at least a security program, said security program monitoring activity of the computer network and operating in accordance with a plurality of security rules, said security rules in the program running in the first computer network being alterable in response to information from at least one of the external computer networks running said security system, said information reflecting the monitoring of activity in said external computer network by the security system running in that external computer network.
5. The network security system as set forth in claim 4 further including an encrypted communication channel between said first computer network and said external computer network over which the security rule alteration information is communicated.
6. A network security system for a computer network, said system comprising at least a security program, said program monitoring activity of a set of computers in the network running a plurality of processes, said program assigning to each of said processes a unique identifier, said program further using said unique identifier to track the characteristics of each of said processes in the set of computers which is monitored.
7. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising: monitoring the activities of at least a plurality of computers in the network; modeling information relating to new events in the monitored activities by examining previously obtained information relating to known events and thereby simulating the new events using the information relating to the known events; applying security measures based upon the results of said modeling.
8. The method as set forth in claim 7 further including modeling information processes of said computers using artificial intelligence learning algorithms incorporating communication theory paradigms.
9. The method as set forth in claim 7 wherein the security measures include the execution of UNIX utilities, further including using artificial intelligence genetic evolution and co-evolution for modeling separate generations of said UNIX utilities, and applying those utilities of the separate generations that are the most successful at protecting security in the modeling.
10. The method as set forth in claim 9 wherein the most successful utilities are identified by their ability to accomplish pre-specified results, based upon prior observations of network events.
11. The method as set forth in claim 7 wherein the security measures are continuously updated using artificial intelligence programs in response to on-going events.
12. The method as set forth in claim 7 wherein the modeled information processes are UNIX processes, said process modeling step including the use of genetic programming and genetic machine learning programs.
13. The method as set forth in claim 7 wherein the process modeling step includes self-initiated and self-controlled genetic programming.
14. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising: monitoring the activities of at least a plurality of computers in the network; modeling information processes of said computers using artificial intelligence learning algorithms incorporating communication theory paradigms; identifying security events and sequences in the monitored activities and analyzing said security events with an expert system; inferring motivations to the security events by modeling the events, taking into account preset system security policies and customer security policies; applying security measures based upon the results of said modeling; autonomously adapting the security measures in response to on-going security events; identifying previously unseen security events and sequences and adding information concerning such events and sequences to a store of known security events and sequences; testing previously unseen security events and sequences against a knowledge base to compare information concerning the previously unseen security events and sequences with information concerning known security events and sequences; refining the knowledge base as a result of the testing of the previous step, including logging the events and sequences to automatically enhance the security measures to protect against future attack.
15. The method as set forth in claim 14 further including scheduling processes in accordance with an adaptation of the Digital UNIX real-time process scheduling scheme.
16. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising: monitoring the activities of at least a plurality of computers in the network; modeling Internet and local area networks by applying artificial intelligence neural network programming to construct a plurality of knowledge bases; simulating logical operations involved in securing computers against security threats using artificial intelligence neural networks; maintaining the information security of the network against dynamic threats using artificial intelligence genetic programs and neural network sub-systems, including simulating internetworking security and creating an internetworking knowledge base based upon said simulating; observing Internet and internetworking security policy violations in real time; applying security measures based upon the observations and results of the modeling and simulations.
17. The method as set forth in claim 16 wherein the modeling includes constructing symbolic representations of UNIX utilities designed to protect computer systems against security threats.
18. The method as set forth in claim 16 further including using neural networks comprised of simulated neurons to obtain, in real time, knowledge relating to dynamic security threats.
19. The method as set forth in claim 18 further including characterizing computer security threats by establishing states representing current system security, said neural network predicting future system security states based upon past system security states.
20. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising: monitoring the activities of at least a plurality of computers in the network, including monitoring of multiple packets at TCP ports in real time; detecting anomalous events in the monitored activities both statistically and with pattern matching, using both firewall logs and system logs; identifying newly encountered attack sequences and storing information relating to said sequences in a knowledge base; updating firewall filters in response to newly encountered attack sequences; generating alerts and warnings to system administrators and site officials upon the detection of an attack sequence.
21. The method as set forth in claim 20 further including communicating information relating to newly encountered attack sequences to other computer networks.
22. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising: monitoring the activities of at least a plurality of computers in the network, including monitoring all connections to TCP and UDP ports; analyzing packet contents in the monitored activities statefully using information from packet headers, including stateful analysis of Ethernet packet headers, IP packet headers, and TCP packet headers; further including statefully analyzing session identification and protocol layer information from packet headers; applying security measures based upon the stateful analysis of the packet header information.
23. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising: monitoring the activities of at least a plurality of computers in the network, including monitoring of failed login attempts; detecting monitored activities that are contrary to preestablished administrative policies; monitoring network system traffic; administering internal and external resource authorizations for the network, including authorizations for the computers being monitored; applying security measures based upon the detection of monitored activities that are contrary to said preestablished administrative policies.
24. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising: monitoring the activities of at least a plurality of computers in the network, including monitoring file systems and file security to protect file ownership and directory ownership; detecting and locking weak accounts; applying security measures based upon results of the monitoring that indicate a security threat.
25. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising: monitoring the activities of at least a plurality of computers in the network; said network having at least some ports for connection to external computers outside the network; making a connection to an external computer over a first port; monitoring the connection over the first port; switching the port over which the connection to the external computer is made to a second port; continuing to monitor the connection over the second port throughout the existence of the connection.
26. The method as set forth in claim 25 wherein the first port is a user defined port (UDP).
27. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising: monitoring the activities of at least a plurality of computers in the network in real time; modeling the plurality of computers and the operations performed thereby in a multidimensional, dynamically evolving network status space, each dimension of said network status space representing a quality relating to the network, network users, or the computer processes.
28. The method as set forth in claim 27 wherein the coordinates of a point in network status space represent the state of the network and its operations.
29. The method as set forth in claim 27 wherein the network status space is divided into areas of acceptable security, areas of unacceptable security, and areas of uncertain security.
30. The method as set forth in claim 29 further including the step of determining a path from an unacceptable security area in network status space to an acceptable security area, and effecting a move of the network from an unacceptable security area to an acceptable security area in network status space.
31. The method as set forth in claim 27 wherein the position of the network in network status space is tracked and monitored throughout the duration of external communications with the network.
32. The method as set forth in claim 27 wherein the modeling step includes forming a matrix-representation of the computers and the operations performed thereby.
33. A method of protecting network security in a computer network having a plurality of interconnected computers, said method comprising: monitoring the activities of at least a plurality of computers in the network; modeling Internet and local area networks by applying artificial intelligence neural network programming to construct a plurality of knowledge bases; simulating logical operations involved in securing computers against security threats using artificial intelligence neural networks; maintaining the information security of the network against dynamic threats using neural network sub-systems, including simulating internetworking security and creating an internetworking knowledge base based upon said simulating; observing Internet and internetworking security policy violations in real time; applying security measures based upon the observations and results of the modeling and simulations.
34. The method as set forth in claim 33 wherein the modeling includes constructing symbolic representations of UNIX utilities designed to protect computer systems against security threats.
35. The method as set forth in claim 33 further including using neural networks comprised of simulated neurons to obtain, in real time, knowledge relating to dynamic security threats.
36. The method as set forth in claim 35 further including characterizing computer security threats by establishing states representing current system security, said neural network predicting future system security states based upon past system security states.
37. The method as set forth in claim 14 wherein the security policies are autonomously altered during run-time based upon preset security goals.
38. An encryption method for communications between computers, said method comprising: storing in an initial vector a time at which data is encrypted, a sequence number, and a length of a data buffer; breaking the data to be encrypted into packets; padding the final packet with random numbers and encoded information relating to the length of the padding and the location of the last bit of data; encrypting the data in the packets and directing the encrypted data into a buffer having a length substantially longer than the length of the packets; performing a logical operation on the data in the buffer and a key to form encoded buffer contents, said key being unique to each transmission; generating a counter mask using the initial vector; performing a logical operation on the counter mask and the key to form an encoded counter mask; performing a logical operation on the encoded buffer contents and the encoded counter mask; transporting the result of the previous step over an electronic channel.
39. The method as set forth in claim 38 wherein the initial vector is padded to create a vector of a predetermined length.
40. The method as set forth in claim 38 wherein the key is randomly generated.
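The detection method of claims 20, 23 and 24, worked through in Python as an added example that is not code from the application: constructed firewall and system log lines are parsed into one event stream, each source is scored statistically and matched against a knowledge base of attack-sequence patterns, a newly encountered sequence is generalised into a stored signature, and the result is a filter update plus alerts. The log layout, the regular expressions, the modified z-score cutoff and the signature format are assumptions of this example.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample logs in a made-up layout; none of these lines come from the
# application.  203.0.113.5 sweeps ports and then fails two logins, 198.51.100.250
# only fails logins, and the 192.0.2.x sources are background noise.
FIREWALL_LOG = [
    f"2001-01-19T10:00:0{i} DENY tcp 203.0.113.5 -> 10.0.0.2:{port}"
    for i, port in enumerate((21, 22, 23, 25, 80, 110), start=1)
] + [
    f"2001-01-19T10:0{i}:30 DENY udp 192.0.2.{i} -> 10.0.0.2:137" for i in range(1, 6)
] + [
    "2001-01-19T10:02:40 DENY udp 192.0.2.2 -> 10.0.0.2:138",
    "2001-01-19T10:04:40 DENY udp 192.0.2.4 -> 10.0.0.2:138",
]
SYSLOG = [
    "2001-01-19T10:00:07 host2 sshd[412]: Failed password for root from 203.0.113.5 port 5120 ssh2",
    "2001-01-19T10:00:08 host2 sshd[413]: Failed password for admin from 203.0.113.5 port 5121 ssh2",
] + [
    f"2001-01-19T10:01:{s:02d} host2 sshd[{500 + s}]: Failed password for root from 198.51.100.250 port {6000 + s} ssh2"
    for s in range(8)
]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) \w+ (?P<src>[\d.]+) -> [\d.]+:(?P<port>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>[\d.]+)")

# Knowledge base of known attack sequences (claim 20).  Learned entries are added at run time.
KNOWN_SEQUENCES = {"port-sweep-then-login": re.compile(r"^(?:deny:\d+ ){3,}auth_fail:")}


def parse_events(fw_lines, sys_lines):
    """Normalise firewall denies and failed logins into (ts, src, event) triples, time ordered."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m and m["action"] == "DENY":
            events.append((m["ts"], m["src"], f"deny:{m['port']}"))
    for line in sys_lines:
        m = AUTH_RE.match(line)
        if m:
            events.append((m["ts"], m["src"], f"auth_fail:{m['user']}"))
    return sorted(events)


def sequences_by_source(events):
    """One space-separated event string per source, so whole sequences can be pattern matched."""
    per_src = defaultdict(list)
    for _, src, event in events:
        per_src[src].append(event)
    return {src: " ".join(evs) for src, evs in per_src.items()}


def statistical_anomalies(events, cutoff=3.5):
    """Sources whose event count is an outlier under the modified z-score
    0.6745 * (x - median) / MAD > cutoff.  Median and MAD stay stable when a few
    attackers dominate the counts, which mean and standard deviation do not."""
    counts = Counter(src for _, src, _ in events)
    med = statistics.median(counts.values())
    mad = statistics.median(abs(c - med) for c in counts.values()) or 1.0
    return {src for src, c in counts.items() if 0.6745 * (c - med) / mad > cutoff}


def learn_signature(seq):
    """Generalise a newly seen sequence: collapse runs of one event so the stored
    pattern also matches shorter or longer repetitions of the same behaviour."""
    parts = []
    for event in seq.split():
        if not parts or parts[-1] != event:
            parts.append(event)
    return re.compile("^" + "".join(f"(?:{re.escape(event)} ?)+" for event in parts))


def analyse(fw_lines, sys_lines, knowledge_base):
    """Claim 20 pipeline: detect statistically and by pattern, store newly encountered
    sequences, and derive a filter update and alerts.  Results are returned as data;
    pushing the filter update to a real firewall is left to the caller."""
    events = parse_events(fw_lines, sys_lines)
    anomalous = statistical_anomalies(events)
    alerts, deny = [], set()
    for src, seq in sequences_by_source(events).items():
        matched = [name for name, rx in knowledge_base.items() if rx.search(seq)]
        if matched:
            alerts.append({"src": src, "reason": "known:" + ",".join(matched)})
            deny.add(src)
        elif src in anomalous:
            name = f"learned-{sum(n.startswith('learned-') for n in knowledge_base) + 1}"
            knowledge_base[name] = learn_signature(seq)
            alerts.append({"src": src, "reason": "novel-sequence", "signature": name})
            deny.add(src)
    return {"alerts": alerts, "filter_update": {"deny_sources": sorted(deny)}}


if __name__ == "__main__":
    kb = dict(KNOWN_SEQUENCES)
    for alert in analyse(FIREWALL_LOG, SYSLOG, kb)["alerts"]:
        print(alert)
```

Running analyse twice with the same knowledge base shows the learning step: the brute-force source is reported as a novel sequence the first time and as a known signature the second.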
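The encryption method of claims 38 to 40, modelled step by step in Python as an added example that is not code from the application. The claims name no cipher for "encrypting the data in the packets" and no construction for the counter mask, so this example assumes a SHA-256 keystream keyed by a long-term shared secret for the inner step, SHA-256(IV || counter) for the mask, and XOR for each "logical operation"; the packet size and IV layout are assumptions too. The last function checks a consequence of that reading which a reviewer would want stated: XOR with the same per-transmission key on both the buffer and the counter mask cancels, so the bytes sent over the channel do not depend on that key, and the confidentiality of the exchange rests entirely on the inner encryption step.

```python
import hashlib
import os
import struct

PACKET_LEN = 16   # assumed packet size; the claim does not fix one
IV_LEN = 16       # claim 39: the IV is padded to a predetermined length


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR: the 'logical operation' of claim 38 is assumed to be XOR."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def make_iv(timestamp: int, seq: int, data_len: int) -> bytes:
    """Claims 38 and 39: the initial vector stores the encryption time, a sequence
    number and the data length, then is zero-padded to IV_LEN bytes."""
    fields = struct.pack(">IIH", timestamp & 0xFFFFFFFF, seq & 0xFFFFFFFF, data_len & 0xFFFF)
    return fields.ljust(IV_LEN, b"\x00")


def pad_and_packetize(data: bytes, rng=os.urandom) -> bytes:
    """Split into PACKET_LEN packets and pad the final one with random bytes.  The
    trailer byte encodes the padding length, which also fixes where the last data
    byte sits (claim 38).  The packets are returned concatenated, i.e. already in
    the buffer that is longer than any single packet."""
    pad_len = PACKET_LEN - (len(data) % PACKET_LEN) - 1   # leaves room for the trailer
    return data + rng(pad_len) + bytes([pad_len])


def unpad(padded: bytes) -> bytes:
    """Inverse of pad_and_packetize: drop the random padding and the trailer byte."""
    return padded[:len(padded) - padded[-1] - 1]


def counter_mask(seed: bytes, length: int) -> bytes:
    """'generating a counter mask using the initial vector': assumed construction is
    SHA-256(seed || 32-bit block counter), concatenated to the requested length."""
    blocks = [hashlib.sha256(seed + struct.pack(">I", ctr)).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def inner_encrypt(buf: bytes, secret: bytes, iv: bytes) -> bytes:
    """'encrypting the data in the packets': the claim names no cipher.  Assumed here
    to be a keystream XOR keyed by a long-term shared secret and the IV; symmetric,
    so the same call decrypts."""
    return xor_bytes(buf, counter_mask(secret + iv, len(buf)))


def claim38_transmit(data: bytes, secret: bytes, key: bytes, iv: bytes, rng=os.urandom) -> bytes:
    """The steps of claim 38 in order; `key` is the per-transmission key of the claim."""
    buf = inner_encrypt(pad_and_packetize(data, rng), secret, iv)
    keystream = (key * (len(buf) // len(key) + 1))[:len(buf)]      # key stretched to buffer length
    encoded_buf = xor_bytes(buf, keystream)                          # buffer XOR key
    encoded_mask = xor_bytes(counter_mask(iv, len(buf)), keystream)  # counter mask XOR key
    return xor_bytes(encoded_buf, encoded_mask)                      # what goes on the channel


def claim38_receive(wire: bytes, secret: bytes, iv: bytes) -> bytes:
    """Receiver side.  The per-transmission key is not needed: see key_cancels()."""
    buf = xor_bytes(wire, counter_mask(iv, len(wire)))
    return unpad(inner_encrypt(buf, secret, iv))


def key_cancels(data: bytes, secret: bytes, iv: bytes) -> bool:
    """(buf ^ k) ^ (mask ^ k) == buf ^ mask for any k, so two different per-transmission
    keys put identical bytes on the wire.  Deterministic padding makes the two runs
    comparable; real use keeps os.urandom."""
    def fixed_rng(n: int) -> bytes:
        return bytes(range(n))
    wire_a = claim38_transmit(data, secret, os.urandom(32), iv, fixed_rng)
    wire_b = claim38_transmit(data, secret, os.urandom(32), iv, fixed_rng)
    return wire_a == wire_b


if __name__ == "__main__":
    iv = make_iv(timestamp=979862400, seq=1, data_len=29)   # constructed values
    secret = b"long-term shared secret (assumed)"
    msg = b"claim 38 round trip test data"
    wire = claim38_transmit(msg, secret, os.urandom(32), iv)
    print(claim38_receive(wire, secret, iv) == msg, key_cancels(msg, secret, iv))
```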
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] Not applicable.
STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT
[0002] Not applicable.
BACKGROUND OF THE INVENTION
[0003] This invention relates to monitoring and protecting networks of computers. Information processors, databases and other linked components are among the constituents of networks. Networks improve communication and coordination between individual computers and facilitate efficient use of resources. Communication links with parties outside of a network enable further gains. Communications internal to and external of a network also present risks, however. These risks can include unauthorized access to data or facilities, improper utilization of resources, or damage to network operations.
[0004] The risks from internal and external communications vary according to the type of communication. Controlling access to differing parts of the network is integral to network security. Additional security challenges arise from enabling access to the network by external, potentially unknown, parties such as by an Internet connection. The network must both correctly identify authorized external parties and provide the appropriate amount of authorized access. Outside access further requires the network be able to detect and rapidly respond to attempts to interfere with or damage the network's operations.
[0005] Preferably, a network security system will employ a knowledge base and will also respond to and learn from new events. The intended network operations, combined with analysis of previously encountered attempts to disrupt those operations, comprise the knowledge base. Among the new events are incidents outside the scope of prior network experiences. Also among the new events will be formerly experienced occurrences in disguise. The quality of the protection provided to the network by the security system will depend in part on the breadth of the knowledge base. However, information technology is constantly evolving. No compendium of knowledge can be broad enough to encompass all threats, particularly newly emerging ones. Preferably, a security system is able to respond to unanticipated events. An ability to expand its knowledge base to incorporate information relating to unanticipated events is also desirable in a security system.
[0006] A security system will preferably have the capacity to analyze ongoing communications both to ensure that the network operates as intended for authorized users and to detect threats from others. The system monitors network operations to detect occurrences which threaten the network's security. The system would attempt to recognize these occurrences, by consulting its knowledge base, to determine the correct response. If the occurrence is not recognized, the system would preferably have the additional capability of drawing comparisons to prior occurrences to infer appropriate countermeasures. The ability to learn from both encounters with new threats and the results of attempted countermeasures to those threats would also be desirable of a network security system. Further advantages would be realized from a security system that could communicate with privacy over a publicly accessible network such as the Internet. A security system could thus communicate knowledge learned from a newly encountered security threat to other systems that have not yet encountered that threat. An encryption capability would facilitate private communication over public networks, and thus allow the avoidance of the additional expense of maintaining private communication channels. A still further improvement to the network security system would be a proprietary encryption capability, to provide an even greater degree of safety than available with publicly available encryption systems.
[0007] Information technology security products are available for a variety of purposes, such as protecting from computer viruses and detecting network intrusions. (See Table 1 following.) Also available are a variety of encryption systems. A need exists, though, for a comprehensive network surveillance and security system capable of learning in response to newly emerging threat situations. An additional need exists for a network surveillance and security system capable of privately communicating, over a public communication system, new developments relating to network surveillance and security. Among the existing products commonly available in the industry for network surveillance and security are:
TABLE 1

Intrusion Detection (Company: Product)

FOR NETWORKS:
Advantor Corporation: Advantage plus
Advantor Corporation: Advantage Suite for Networks
Anzen Computing: Anzen Flight Jacket
AXENT Technologies: Intruder Alert
AXENT Technologies: NetProwler
AXENT Technologies: Passgo SSO
Cisco Systems: NetRanger
Computer Associates International, Inc.: eTRUST Intrusion Detection
Computer Associates International, Inc.: eTrust Intrusion Detection Log View
Digital Equipment Corporation: POLYCENTER Security Intrusion
Hewlett-Packard: HP OpenView Node Sentry
Hewlett-Packard: Node Sentry
Internet Security Systems: RealSecure
Internet Security Systems: SAFEsuite Decisions
Intrusion.com: Kane Border Patrol
Intrusion.com: Kane Security Analyst
Intrusion.com: SecureNet PRO
Lopht Heavy Industries: AntiSniff
Litton PRC: PreCis
Lucent: Lucent Realsecure
NetSecure Software: NetSecure Log
Network Associates: CyberCop Monitor
Network Flight Recorder: Network Flight Recorder
Network ICE: Black ICE Sentry
Network ICE: ICEpac Security Suite
Network Security Wizards: Dragon IDS
Patriot Technologies: PATRIOT IDS
SecureLogix: TeleWall
Touch Technologies: INTOUCH INSA
Zone Labs: ZoneAlarm

FOR HOSTS:
Cactus Development: SecureBSD 1.0
Adavi: Silent Watch
AXENT Technologies: Audit
AXENT Technologies: Intruder Alert
AXENT Technologies: Intruder Alert for VMS
Centrax: Centrax Log Analyst
Centrax: eNTrax
ClickNet Software: entercept
Computer Associates International, Inc.: eTrust Intrusion Detection Central
CyberSafe: Centrax
CyberSafe: CyberSafe Log Analyst (CLA)
DataLynx Inc.: auditGUARD
DataLynx Inc.: Security CeNTer
Digital Equipment Corporation: POLYCENTER Security Intrusion
Internet Security Systems: SAFEsuite Decisions
Intrusion.com: Kane Security Monitor (KSM)
Litton PRC: PreCis
NetSecure Software: NetSecure Log
NetSecure Software: NetSecure Sign
Network Associates: CyberCop Monitor
Network ICE: Black ICE Pro
Network Security Wizards: Dragon IDS
Network Security Wizards: Dragon Squire
Patriot Technologies: PATRIOT IDS
Pedestal Software: Intact
Pedestal Software: Intact Directory Services
Pedestal Software: Intact Enterprise
PentaSafe: PSDetect-400
Sybergen Networks Inc.: Sybergen Secure Desktop
Symark Software: Watcher
Tripwire, Inc.: Tripwire for UNIX 2.2.1
Tripwire, Inc.: Tripwire for Windows NT 2.2.1
Trusted Systems Services: Advanced Checker
WebTrends: AuditTrack for NetWare
WetStone Technologies: SMARTWatch

FOR MANAGEMENT AND REPORTING:
Advantor Corporation: Advantage Suite for Networks
AXENT Technologies: Enterprise Security Manager
AXENT Technologies: Intruder Alert
AXENT Technologies: Passgo SSO
Bionetrix: BioNetrix Authentication Suite
Check Point Software: Check Point RealSecure
Computer Associates International, Inc.: eTRUST Intrusion Detection
Computer Associates International, Inc.: eTrust Intrusion Detection Central
Computer Associates International, Inc.: eTrust Intrusion Detection Log View
eSoft: Interceptor
Freemont Avenue Software, Inc.: T.REX Firewall
Hewlett-Packard: HP OpenView Node Sentry
Intrusion.com: Kane Border Patrol
Intrusion.com: Kane Secure Enterprise
Intrusion.com: Kane Security Analyst
Intrusion.com: SecureNet PRO
Lopht Heavy Industries: AntiSniff
Litton PRC: PreCis
Lucent: Lucent Realsecure
NetSecure Software: NetSecure Log
Network ICE: ICEcap
Network ICE: ICEpac Security Suite
Network Security Wizards: Dragon IDS
Pedestal Software: Intact Enterprise
Penta Security Systems: E-RAT
Penta Security Systems: Siren2000
PentaSafe: VigilEnt Enterprise
SRI International: EMERALD eXpert-BSM
Sybergen Networks Inc.: Sybergen Management Server
Tripwire, Inc.: Tripwire for UNIX 2.2.1
Tripwire, Inc.: Tripwire for Windows NT 2.2.1
WetStone Technologies: SMARTWatch

Security Products Available for Cryptography (Company: Product)

HARDWARE-SECURITY MODULES:
Baltimore Technologies: CG5000 Host Security Module
RedCreek Communications: Ravlin 3200

HARDWARE-COPROCESSOR:
3com: 3CR990-TX-97 10/100 PCI NIC with 3XP
Altiga: VPN Concentrator
ASIC International, Inc.: Ai Montgomery Exponentiator Core
ASIC International, Inc.: Ai-DES-1 DES Core
ASIC International, Inc.: Ai-MD5-1
ASIC International, Inc.: Ai-SHA-1
ASIC International, Inc.: CryptoEngine
Baltimore Technologies: HSP4000
General Dynamics: FASTLANE ATM Encryptor (KG-75)
Hewlett-Packard: Praesidium SpeedCard
Hi/fn: 7711 Encryption Processor
Hi/fn: 7751 Encryption Processor

TOOLKITS AND FRAMEWORKS:
Spyrus: TLSGold SSL Toolkit
SSE: TrustedCA
SSE: TrustedDoc
SSH Communications Security: SSH IPSEC Express
SSH Communications Security: SSH ISAKMP/Oakley
SSH Communications Security: SSH X.509 Certificate Tools
StorageTek: ATLAS ATM
SynData Technologies: SynCrypt
Trintech: S/PAY
Utimaco: SafeGuard Sign&Crypt
ValiCert: ValiCert Validator Toolkit
WetStone Technologies: SMARTCrypt
WinWare: Mirage OCX
Xcert International: Xcert Development Kit
[0008] A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.
[0009] The following explications of the information technology relating to computer networks, their operation and organization are selections from the publicly accessible information technology resource whatis?com (TM), an online community of TechTarget.com accessible on the World Wide Web at the URL http://www.whatis.com; Copyright 2000 whatis.com and TechTarget.com, Inc. Reprinted with permission of TechTarget.com, Needham, Mass.
[0010] Networks & Communication
[0011] "In information technology, a network is a series of points or nodes interconnected by communication paths. Networks can interconnect with other networks and contain subnetworks. A given network can also be characterized by the type of data transmission technology in use on it; by whether it carries voice, data, or both kinds of signals; by who can use the network (public or private); by the usual nature of its connections (dial-up or switched, dedicated or nonswitched, or virtual connections); and by the types of physical links (for example, optical fiber, coaxial cable, and Unshielded Twisted Pair). Large telephone networks and networks using their infrastructure (such as the Internet) have sharing and exchange arrangements with other companies so that larger networks are created." (TechTarget.com)
[0012] Communications within and between networks have various forms. One requirement for communication is compatible formats between the communicating end parties. Differences between formats are comparable to differing languages' variations in rules of grammar. For a communication to be understood, both parties must speak the same language. These differences may include differences in both syntax and semantics. As described on Whatis.com:
[0013] "Syntax is the grammar, structure, or order of the elements in a language statement. (Semantics is the meaning of these elements.) Syntax applies to computer languages as well as to natural languages. Usually, we think of syntax as 'word order'. In computer languages, syntax can be extremely rigid as in the case of most assembler languages or less rigid in languages that make use of 'keyword' parameters that can be stated in any order.
[0014] "Semantics is the branch of semiotics, the philosophy or study of signs, that deals with meaning. In discussing natural and computer languages, the distinction is sometimes made between syntax (for example, the word order in a sentence or the exact computer command notation) and semantics (what the words really say or what functions are requested in the command)." (TechTarget.com)
[0015] Communication Protocols
[0016] Protocols are the rules governing these formats. Internal and external network communications utilize a variety of protocols, depending on the parties involved and the channel used. As described on Whatis.com:
[0017] "In information technology, a protocol is the special set of rules for communicating that the end points in a telecommunication connection use when they send signals back and forth. Protocols exist at several layers in a telecommunication connection. There are hardware telephone protocols. There are protocols between the end points in communicating programs within the same computer or at different locations. Both end points must recognize and observe the protocol. Protocols are often described in an industry or international standard.
[0018] On the Internet, there are the TCP/IP protocols, consisting of:
[0019] Transmission Control Protocol, which uses a set of rules to exchange messages with other Internet points at the information packet layer.
[0020] Internet Protocol, which uses a set of rules to send and receive messages at the Internet address layer.
[0021] Hypertext Transfer Protocol, File Transfer Protocol, and other protocols, each with defined sets of rules to use with other Internet points relative to a defined set of capabilities." (TechTarget.com)
[0022] The transmission of information through network communication processes commonly involves a procedure of decomposing a communication into fragments and then reassembling the fragments into the original communication. These fragments are often termed packets, which are described on whatis.com as:
[0023] "A packet is the unit of data that is routed between an origin and a destination on the Internet or any other packet-switched network. When any file (e-mail message, HTML file, Graphics Interchange Format file, Uniform Resource Locator request, and so forth) is sent from one place to another on the Internet, the Transmission Control Protocol (TCP) layer of TCP/IP divides the file into 'chunks' termed packets of an efficient size for routing. Each of these packets is separately numbered and includes the Internet address of the destination. The individual packets for a given file may travel different routes through the Internet. When they have all arrived, they are reassembled into the original file (by the TCP layer at the receiving end).
[0024] "A packet-switching scheme is an efficient way to handle transmissions on a connectionless network such as the Internet. An alternative scheme, circuit-switched, is used for networks allocated for voice connections. In circuit-switching, lines in the network are shared among many users as with packet-switching, but each connection requires the dedication of a particular path for the duration of the connection.
[0025] "'Packet' and 'datagram' are similar in meaning. A protocol similar to TCP, the User Datagram Protocol (UDP) uses the term datagram." (TechTarget.com)
[0026] Utilization of the Internet provides significant cost reductions and greater flexibility for network communications. Accordingly, monitoring and protecting network communication over the Internet is a major purpose of network surveillance and security systems. As described on Whatis.com, the various protocols relevant to Internet communications include:
[0027] "Transmission Control Protocol/Internet Protocol (TCP/IP) is the basic communication language or protocol of the Internet. It can also be used as a communications protocol in a private network (either an intranet or an extranet).
[0028] "TCP/IP is a two-layer program. The higher layer, Transmission Control Protocol, manages the assembling of a message or file into smaller packets that are transmitted over the Internet and received by a TCP layer that reassembles the packets into the original message. The lower layer, Internet Protocol, handles the address part of each packet so that it gets to the right destination.
[0029] "TCP/IP uses the client/server model of communication in which a computer user (a client) requests and is provided a service (such as sending a Web page) by another computer (a server) in the network. TCP/IP communication is primarily point-to-point, meaning each communication is from one point (or host computer) in the network to another point or host computer. TCP/IP and the higher-layer applications that use it are collectively said to be "stateless" because each client request is considered a new request unrelated to any previous one.
[0030] "Many higher layer application protocols use TCP/IP to get to the Internet. These include the World Wide Web's Hypertext Transfer Protocol (HTTP), the File Transfer Protocol (FTP), Telnet (Telnet) which lets you logon to remote computers, and the Simple Mail Transfer Protocol (SMTP). These and other protocols are often packaged together with TCP/IP as a `suite`.
[0031] "Personal computer users usually get to the Internet through the Serial Line Internet Protocol (SLIP) or the Point-to-Point Protocol (PPP). These protocols encapsulate the IP packets so that they can be sent over a dial-up phone connection to an access provider's modem.
[0032] "Protocols related to TCP/IP include the User Datagram Protocol (UDP), which is used instead of TCP for special purposes. Other protocols are used by network host computers for exchanging router information. These include the Internet Control Message Protocol (ICMP), the Interior Gateway Protocol (IGP), the Exterior Gateway Protocol (EGP), and the Border Gateway Protocol (BGP)." (TechTarget.com)
[0033] A diverse array of differing protocols is employed by computer network products. In order to develop a consistent system for managing networks which may incorporate these products, the Simple Network Management Protocol (SNMP) has been formulated. As described on Whatis.com:
[0034] "SNMP is the protocol governing network management, and the monitoring of network devices and their functions. It is not limited to TCP/IP networks. The details of SNMP are in these Internet Engineering Task Force (IETF) Request For Comments incorporated herein by reference:
[0035] RFC 1089--SNMP over Ethernet
[0036] RFC 1140--IAB Official Protocol Standards
[0037] RFC 1147--Tools for Monitoring and Debugging TCP/IP Internets and Interconnected Devices [superseded by RFC 1470]
[0038] RFC 1155--Structure and Identification of Management Information for TCP/IP based internets.
[0039] RFC 1156 (H)--Management Information Base Network Management of TCP/IP based internets
[0040] RFC 1157--A Simple Network Management Protocol
[0041] RFC 1158--Management Information Base Network Management of TCP/IP based internets: MIB-II
[0042] RFC 1161 (H)--SNMP over OSI
[0043] RFC 1187--Bulk Table Retrieval with the SNMP
[0044] RFC 1212--Concise MIB Definitions
[0045] RFC 1213--Management Information Base for Network Management of TCP/IP-based internets: MIB-II
[0046] RFC 1215 (I)--A Convention for Defining Traps for use with the SNMP
[0047] RFC 1224--Techniques for Managing Asynchronously-Generated Alerts
[0048] RFC 1270 (I)--SNMP Communication Services
[0049] RFC 1303 (I)--A Convention for Describing SNMP-based Agents
[0050] RFC 1470 (I)--A Network Management Tool Catalog
[0051] RFC 1298--SNMP over IPX
[0052] RFC 1418--SNMP over OSI
[0053] RFC 1419--SNMP over IPX
[0054] Copies of the RFCs and a Frequently-Asked Questions discussion on SNMP are available at:
[0055] http://www.cis.ohio-state.edu/hypertext/faq/usenet/snmp-faq/part1/faq.htm." (TechTarget.com)
[0056] As described in whatis.com:
[0057] "an agent (also called an intelligent agent) is a program that gathers information or performs some other service on a regular schedule without the user's immediate attention." (TechTarget.com)
[0058] Network Communication Architectures
[0059] The Open Systems Interconnection (OSI) Reference Model has been put together to facilitate comprehension of network architectures and functional relationships. OSI was officially adopted as an international standard by the International Organization of Standards (ISO). Currently, it is Recommendation X.200 of the ITU-TS. As described on Whatis.com:
[0060] "Open Systems Interconnection (OSI) is a standard reference model for communication between two end users in a network. It is used in developing products and understanding networks. This figure shows where commonly-used Internet products and services fit within the model:
(Figure: OSI Reference Model layers with commonly used Internet products and services; not reproduced in text.)
[0061] The OSI Reference Model describes seven layers of related functions that are needed at each end when a message is sent from one party to another party in a network. An existing network product or program can be described in part by where it fits into this layered structure. For example, TCP/IP is usually packaged with other Internet programs as a suite of products that support communication over the Internet. This suite includes the File Transfer Protocol (FTP), Telnet, the Hypertext Transfer Protocol (HTTP), e-mail protocols, and sometimes others. Although TCP fits well into the Transport layer of OSI and IP into the Network layer, the other programs fit rather loosely (but not neatly within a layer) into the Session, Presentation, and Application layers.
[0062] "In the OSI Reference Model figure, only Internet-related programs are included in the Network and higher layers. OSI can also be applied to other network environments. A number of boxes under the Application and the Presentation layers do not fit as neatly into these layers as they are shown. A set of communication products that conformed fully to the OSI reference model would fit neatly into each layer." (TechTarget.com)
[0063] Each of the seven layers in the OSI model has specific, though not necessarily exclusive, functions, interconnections and relevant protocols. Starting with layer one, and progressing successively through to layer seven, the following explications of network functions provide specifics of network communications.
[0064] Physical Layer (layer one)
[0065] The physical layer is concerned with transmitting raw data bits over a communication channel. The design issues include ensuring that when one side sends a bit of "1", it is received as a bit of "1", not as a bit of "0". Typical issues are:
[0066] how many volts should be used to represent "1" and how many for "0"
[0067] how many microseconds a bit lasts;
[0068] whether transmission may proceed simultaneously in both directions;
[0069] how the initial connection is established, and how it is torn down when both sides are finished; and
[0070] how many pins the network connector has and what each pin is used for.
[0071] These design issues largely deal with mechanical, electrical, and procedural interfaces, and the physical transmission medium, which lies below the physical layer. Physical layer design can be properly considered to be within the domain of the electrical engineer.
[0072] And, as described on Whatis.com:
[0073] "Data-Link Layer (layer two)
[0074] "The Data Link Layer is the protocol layer responsible for providing reliable data transfer across a physical link (or telecommunications path) within a network. Data Link Control (DLC) is the service provided by the Data Link Layer.
[0075] "Many point-to-point protocols exist at the Data Link Layer including High-level Data Link Control, Synchronous Data Link Control, Link Access Procedure Balanced, and Advanced Data Communications Control Procedure. All of these protocols are very similar in nature and are found in older networks (such as X.25 networks). On the Internet, one of two point-to-point protocols is used at this layer: Serial Line Internet Protocol or Point-to-Point Protocol (PPP), with PPP being the newer, approved standard. All of these protocols may be used in point-to-point connections such as those on a Metropolitan Area Network, a Wide Area Network backbone, or when dialing an Internet service provider from a home.
[0076] "In local area networks where connections are multipoint rather than point-to-point and require more line-sharing management, the Data Link Layer is divided into two sublayers: the Logical Link Control (LLC) and the Media Access Control (MAC). The LLC protocol performs many of the same functions as the point-to-point data link control protocols described above. The MAC protocols support methods of sharing the line among a number of computers. Among the most widely used MAC protocols are Ethernet (IEEE 802.3), Token Bus (IEEE 802.4), and token ring (IEEE 802.5) and their derivatives.
[0077] "The two Data-Link Layer sublayers are described in the IEEE-802 LAN standards and can be characterized as:
[0078] Media Access Control (MAC)
[0079] The MAC address on a network is a computer's unique hardware number. On an Ethernet LAN, it's the same as an Ethernet address. When your computer (or host, according to Internet protocol) is connected to the Internet, a correspondence table relates its IP address to its physical (MAC) address on the LAN. The MAC address is used by the Media Access Control sublayer of the DLC layer of telecommunication protocol. There is a different MAC sublayer for each physical device type.
[0080] Logical Link Control (LLC)
[0081] The LLC protocol performs many of the same functions as the point-to-point data link control protocols described above. The MAC protocols support methods of sharing the line among a number of computers. Among the most widely used MAC protocols are Ethernet (IEEE 802.3), Token Bus (IEEE 802.4), and token ring (IEEE 802.5) and their derivatives.
[0082] "The Data-Link Layer assures that an initial connection has been set up, divides output data into data frames, and handles the acknowledgements from a receiver that the data arrived successfully. It also ensures that incoming data has been received successfully." (TechTarget.com)
[0083] Data frames are described on Whatis.com as:
[0084] "In telecommunications, a frame is data that is transmitted between network points as a unit complete with addressing and necessary protocol control information. A frame is usually transmitted serial binary digit (bit) by bit and contains a header field and a trailer field that "frame" the data. (Some control frames contain no data.)
[0085] "Here is a simple representation of a frame, based on the frame used in the frame relay access standard:
(Figure: frame layout, not reproduced in text. Fields in order: flag, address, information, frame check sequence, flag.)
[0086] "In the figure above, the flag and address fields constitute the header. The frame check sequence and second flag fields constitute the trailer. The information or data in the frame may contain another encapsulated frame that is used in a higher-level or different protocol. In fact, a frame relay frame typically carries data that has been framed by an earlier protocol program." (TechTarget.com)
[0087] Returning to the OSI Reference model of network functional layers:
[0088] "Network Layer (layer three)
[0089] "The Network layer knows the address of the neighboring nodes in the network, packages output with the correct network address information, selects routes, and recognizes and forwards to the Transport layer incoming messages for local host domains. Among existing protocols that generally map to the network layer are the Internet Protocol (IP) part of TCP/IP and NetWare IPX/SPX. Both IP Version 4 and IP Version 6 (IPv6) map to the network layer." (TechTarget.com)
[0090] "Transport Layer (layer four)
[0091] "The Transport layer ensures reliable message arrivals and provides error checking mechanisms and data flow controls. The Transport layer provides services for both "connection-mode" transmissions and for "connectionless-mode" transmissions. For connection-mode transmissions, a transmission may be sent or arrive in the form of packets that need to be reconstructed into a complete message at the other end. The Transmission Control Protocol portion of TCP/IP is an example of a program that can be mapped to the Transport layer." (TechTarget.com)
[0092] "Session Layer (layer five)
[0093] "The Session layer (sometimes called the "port layer") manages the setting up and taking down of the connection between two communicating end points. A connection is maintained while the two end points are communicating in a session of some duration. Some sessions last only long enough to send a message in one direction, while other sessions may last longer, usually with one or both of the communicating parties able to terminate it.
[0094] "For Internet applications, each session is related to a particular port, a number that is associated with a particular upper layer application. For example, the HTTP program or daemon always has port number 80. The port numbers associated with the main Internet applications are referred to as well-known port numbers. Most port numbers, however, are available for dynamic assignment to other applications." (TechTarget.com)
[0095] A description of the meaning of a daemon from whatis.com relates that:
[0096] "A daemon is a program that runs continuously and exists for the purpose of handling periodic service requests that a computer system expects to receive. The daemon program forwards the requests to other programs (or processes) as appropriate." (TechTarget.com)
[0097] A description of the meaning of a port and a port number from whatis.com relates that:
[0098] "In programming, a port (noun) is a `logical connection place`. In the Internet's protocol, TCP/IP, a port is the way a client program specifies a particular server program on a computer in a network. Higher-level applications that use TCP/IP, such as the Web protocol, Hypertext Transfer Protocol (HTTP), have ports with preassigned numbers. These are known as `well-known ports` that have been assigned by the Internet Assigned Numbers Authority. Other application processes are given port numbers dynamically for each connection. When a service (server program) initially is started, it is said to bind to its designated port number. When any client program wants to use that server, it also must request to bind to the designated port number." (TechTarget.com)
[0099] Returning to the OSI Reference model of network functional layers:
[0100] "Presentation Layer (layer six)
[0101] "The presentation layer ensures that the communications passing through it are in the appropriate form for the recipient. For example, a presentation layer program may format a file transfer request in binary code to ensure a successful file transfer. Programs in the presentation layer address three aspects of presentation:
[0102] Data formats--for example, Postscript, ASCII, or binary formats
[0103] Compatibility with the host operating system
[0104] Encapsulation of data into message "envelopes" for transmission through the network
[0105] "An example of a program that generally adheres to the presentation layer of OSI is the program that manages the Web's Hypertext Transfer Protocol (HTTP). This program, sometimes called the HTTP daemon, usually comes included as part of an operating system. It forwards user requests passed to the Web browser on to a Web server elsewhere in the network. It receives a message back from the Web server that includes a Multi-Purpose Internet Mail Extensions (MIME) header. The MIME header indicates the kind of file (text, video, audio, and so forth) that has been received so that an appropriate player utility can be used to present the file to the user." (TechTarget.com)
[0106] "Application Layer (layer seven)
[0107] "The application layer provides services for applications that ensure that communication is possible. The application layer is not the application itself that is doing the communication. It is a service layer that provides these services:
[0108] Makes sure that the other party is identified and can be reached
[0109] If appropriate, authenticates either the message sender or receiver or both
[0110] Makes sure that necessary communication resources exist (for example, is there a modem in the sender's computer?)
[0111] Ensures agreement at both ends about error recovery procedures, data integrity, and privacy
[0112] Determines protocol and data syntax rules at the application level.
It may be convenient to think of the Application layer as the high-level set-up services for the application program or an interactive user." (TechTarget.com)
[0113] Network Operating Systems
[0114] Computer networks utilize operating systems to execute their processes. A commonly used network operating system is the UNIX operating system, described on Whatis.com as:
[0115] "UNIX is an operating system that originated at Bell Labs in 1969 as an interactive time-sharing system. In 1974, UNIX became the first operating system written in the C language. UNIX has evolved as a kind of large freeware product, with many extensions and new ideas provided in a variety of versions of UNIX by different companies, universities, and individuals. UNIX became the first open or standard operating system that could be improved or enhanced by anyone. A composite of the C language and shell (user command) interfaces from different versions of UNIX was standardized under the auspices of the Institute of Electrical and Electronics Engineers as the Portable Operating System Interface (POSIX). In turn, the POSIX interfaces were specified in the X/Open Programming Guide 4.2 (also known as the "Single UNIX Specification" and "UNIX 95"). Version 2 of the Single UNIX Specification is also known as UNIX 98. The "official" trademarked UNIX is now owned by The Open Group, an industry standards organization, which certifies and brands UNIX implementations.
[0116] "UNIX operating systems are used in widely-sold workstation products from Sun Microsystems, Silicon Graphics, IBM, and a number of other companies. The UNIX environment and the client/server program model were important elements in the development of the Internet and the reshaping of computing as centered in networks rather than in individual computers." (TechTarget.com)
[0117] There are primarily two types of UNIX operating systems in use on computer networks. The two versions of UNIX descend from the original two versions:
[0118] System X_R Release X_S by AT&T Bell Laboratories (X_R and X_S being variables which refer to the edition of the system or release, respectively).
[0119] Berkeley Software Distribution UNIX by the University of California.
[0120] They originated from an original source at Berkeley and have since given rise to multiple brands, including combined versions with libraries that provide compatibility for both UNIX types. Various hardware platform manufacturers and other vendors provide support for both versions.
[0121] Unix Architectures
[0122] The first integrated network communications capability in UNIX was developed for Berkeley UNIX 4.2bsd, and is commonly known as the sockets implementation. A socket is the equivalent of a network address for a process. A user process (client) makes a system call to the OS to use the socket utility to connect to a server and provides the socket utility with a parameter stream which has all the necessary communication parameters (a typical example of the parameters are protocol, address of server, and port number), and the server process must concurrently be running a utility that is listening to the port--polling--to check the well known ports for system calls. A connection between sockets is made to start a session. As described on Whatis.com:
[0123] "Sockets is a method for communication between a client program and a server program in a network. A socket is defined as "the endpoint in a connection." Sockets are created and used with a set of programming requests or "function calls" sometimes called the sockets application programming interface (API). The most common sockets API is the Berkeley UNIX C interface for sockets. Sockets can also be used for communication between processes within the same computer.
[0124] "The typical sequence of sockets requests from a server application in a `connectionless` context, such as on the Internet, in which a server handles many client requests and does not maintain a connection longer than the serving of the immediate request is:
[0125] socket( )
[0126] |
[0127] bind( )
[0128] |
[0129] recvfrom( )
[0130] |
[0131] (wait for a sendto request from some client)
[0132] |
[0133] (process the sendto request)
[0134] |
[0135] sendto (in reply to the request from the client . . . for example, send an HTML file)
[0136] A corresponding client sequence of sockets requests would be:
[0137] socket( )
[0138] |
[0139] bind( )
[0140] |
[0141] sendto( )
[0142] |
[0143] recvfrom( )
[0144] Sockets can also be used for `connection-oriented` transactions with a somewhat different sequence of C language system calls or functions." (TechTarget.com)
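The connectionless server and client sequence quoted above, as an added example that is not part of the patent or the TechTarget text. It runs both sides in one process over Unix-domain datagram sockets so that no network interface is needed; the socket()/bind()/recvfrom()/sendto() sequence is the same one a UDP (AF_INET, SOCK_DGRAM) service uses. The socket paths and the request text are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#define SERVER_PATH "/tmp/nss_example_server.sock"   /* constructed placeholder */
#define CLIENT_PATH "/tmp/nss_example_client.sock"   /* constructed placeholder */

static void fill_addr(struct sockaddr_un *a, const char *path) {
    memset(a, 0, sizeof *a);
    a->sun_family = AF_UNIX;
    strncpy(a->sun_path, path, sizeof a->sun_path - 1);
}

/* socket() then bind(): the endpoint gets a name other processes can send to. */
static int make_bound_socket(const char *path) {
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    struct sockaddr_un addr;
    if (fd < 0) return -1;
    fill_addr(&addr, path);
    unlink(path);                     /* remove a stale endpoint from an earlier run */
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* One request/reply round trip through the connectionless sequence.
 * Returns the reply length received by the client, or -1 on failure. */
int connectionless_exchange(const char *request, char *reply, size_t reply_len) {
    int srv = make_bound_socket(SERVER_PATH);
    int cli = make_bound_socket(CLIENT_PATH);
    int result = -1;
    char buf[256], out[sizeof buf + 8];
    struct sockaddr_un srv_addr, peer;
    socklen_t peer_len = sizeof peer;
    ssize_t n;

    if (srv < 0 || cli < 0) goto out;

    /* client: sendto() the request, naming the server's endpoint explicitly */
    fill_addr(&srv_addr, SERVER_PATH);
    if (sendto(cli, request, strlen(request), 0,
               (struct sockaddr *)&srv_addr, sizeof srv_addr) < 0) goto out;

    /* server: recvfrom() delivers the datagram together with the sender's
     * address; with no connection state, that address is the only record of
     * who asked, so the reply (and any audit logging) must be keyed on it */
    n = recvfrom(srv, buf, sizeof buf - 1, 0, (struct sockaddr *)&peer, &peer_len);
    if (n < 0) goto out;
    buf[n] = '\0';

    /* server: process the request and sendto() the reply at the recorded address */
    snprintf(out, sizeof out, "ACK:%s", buf);
    if (sendto(srv, out, strlen(out), 0, (struct sockaddr *)&peer, peer_len) < 0) goto out;

    /* client: recvfrom() the reply */
    n = recvfrom(cli, reply, reply_len - 1, 0, NULL, NULL);
    if (n < 0) goto out;
    reply[n] = '\0';
    result = (int)n;

out:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    unlink(SERVER_PATH);
    unlink(CLIENT_PATH);
    return result;
}

int main(void) {
    char reply[256];
    int n = connectionless_exchange("GET index.html", reply, sizeof reply);
    if (n < 0) {
        perror("exchange failed");
        return 1;
    }
    printf("client received %d bytes: %s\n", n, reply);
    return 0;
}
```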
[0145] The sockets implementation provides a programming interface for networking across different system architectures. The 4.2bsd kernel implements the equivalent of a connection of the data link through to the session layer (i.e., layer 2 through to layer 5) of the OSI Reference model. A kernel is described on the aforementioned resource Whatis.com as:
[0146] "The kernel is the essential center of a computer operating system, the core that provides basic services for all other parts of the operating system. A synonym is nucleus. A kernel can be contrasted with a shell, the outermost part of an operating system that interacts with user commands. Kernel and shell are terms used more frequently in UNIX and some other operating systems than in IBM mainframe systems.
[0147] "Typically, a kernel (or any comparable center of an operating system) includes an interrupt handler that handles all requests or completed I/O operations that compete for the kernel's services, a scheduler that determines which programs share the kernel's processing time in what order, and a supervisor that actually gives use of the computer to each process when it is scheduled. A kernel may also include a manager of the operating system's address spaces in memory or storage, sharing these among all components and other users of the kernel's services. A kernel's services are requested by other parts of the operating system or by applications through a specified set of program interfaces sometimes known as system calls." (TechTarget.com)
[0148] Berkeley UNIX 4.2bsd Networking
[0149] Berkeley adopted an architecture based on sockets. They developed additional system calls and kernel service routines to provide comprehensive socket management. Berkeley also provided the File Transfer Protocol (FTP), User Datagram Protocol (UDP) for datagram service in the Internet domain, and the TELNET protocol for terminal emulation.
[0150] Protocol Utilizations
[0151] The Transmission Control Protocol (TCP) is an integral part of Berkeley UNIX 4.2bsd and 4.3bsd kernel implementations. Berkeley also implemented an Address Resolution Protocol (ARP) that maps TCP/IP addresses to Ethernet 802.3 addresses, providing a convenient local area network interface. The TCP corresponds to OSI layer four, controls data transfer for end-to-end service, and establishes a connection when two processes need to communicate. Additionally, binding establishes a link between a process and a socket, and TCP maintains information about each connection, including the sockets at both ends, data segment sequence numbers, and window sizes. TCP connections are full duplex, and achieve substantial transmission reliability through the use of sequence numbers for data segments. In particular, transmission reliability is ensured since, if a particular segment is not received, the segment is re-transmitted.
[0152] The Internet Protocol (IP) roughly corresponds to OSI Layer 3 and has responsibility for datagram service across a network with Berkeley UNIX. The IP header carries the addresses of the sender and the receiver as well as other options. IP provides addressing and data fragmentation, inter alia, breaking up data into smaller chunks called datagrams and adding the Internet address of the destination for the datagram to the Internet header. IP also provides a type of service, a time to live (time limit for delivery), options (time stamps, security, routing), and a header checksum.
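The IP header fields named above (sender and receiver addresses, time to live, header checksum) as a parser and checksum check of the kind a surveillance component would run on a captured datagram before trusting any field; this is an added example, not code from the patent. The 20-byte sample header is constructed (10.0.0.1 to 10.0.0.2, TTL 64, protocol TCP); the TTL-tamper helper shows that any change to a header byte without a recomputed checksum is detected.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fields of interest pulled out of an IPv4 header. */
struct ipv4_info {
    unsigned version, ihl, ttl, protocol;
    unsigned total_length, header_checksum;
    uint32_t src, dst;          /* host byte order */
    int checksum_ok;
};

/* Internet checksum (RFC 791): ones'-complement of the ones'-complement sum
 * of the 16-bit words.  Summing a header that already contains its own
 * correct checksum field yields 0. */
uint16_t ipv4_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Parse the fixed part of an IPv4 header.  Returns 0 on success and -1 when
 * the buffer is too short or the version/length fields are inconsistent. */
int parse_ipv4_header(const uint8_t *buf, size_t len, struct ipv4_info *out) {
    size_t hlen;
    if (len < 20) return -1;
    out->version = buf[0] >> 4;
    out->ihl = buf[0] & 0x0f;
    hlen = (size_t)out->ihl * 4;                 /* IHL counts 32-bit words */
    if (out->version != 4 || out->ihl < 5 || hlen > len) return -1;
    out->total_length = (unsigned)((buf[2] << 8) | buf[3]);
    if (out->total_length < hlen) return -1;     /* header cannot exceed datagram */
    out->ttl = buf[8];                           /* time to live */
    out->protocol = buf[9];                      /* 6 = TCP, 17 = UDP, 1 = ICMP */
    out->header_checksum = (unsigned)((buf[10] << 8) | buf[11]);
    out->src = be32(buf + 12);
    out->dst = be32(buf + 16);
    out->checksum_ok = (ipv4_checksum(buf, hlen) == 0);
    return 0;
}

/* Constructed sample: 20-byte header, total length 60, TTL 64, protocol TCP,
 * 10.0.0.1 -> 10.0.0.2, with a correct checksum of 0x0a74. */
const uint8_t SAMPLE_IPV4_HEADER[20] = {
    0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00,
    0x40, 0x06, 0x0a, 0x74, 0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02
};

/* Recompute what the checksum field should hold (field cleared first). */
uint16_t expected_checksum(const uint8_t *hdr, size_t hlen) {
    uint8_t copy[60];                            /* max IPv4 header is 60 bytes */
    if (hlen > sizeof copy) return 0;
    memcpy(copy, hdr, hlen);
    copy[10] = copy[11] = 0;
    return ipv4_checksum(copy, hlen);
}

/* Parse a copy of the sample with the TTL overwritten; returns checksum_ok,
 * or -1 if parsing fails.  ttl == 64 leaves the sample unchanged. */
int sample_checksum_ok_with_ttl(unsigned ttl) {
    uint8_t copy[20];
    struct ipv4_info info;
    memcpy(copy, SAMPLE_IPV4_HEADER, sizeof copy);
    copy[8] = (uint8_t)ttl;
    if (parse_ipv4_header(copy, sizeof copy, &info) != 0) return -1;
    return info.checksum_ok;
}

int main(void) {
    struct ipv4_info info;
    if (parse_ipv4_header(SAMPLE_IPV4_HEADER, sizeof SAMPLE_IPV4_HEADER, &info) != 0) {
        printf("malformed header\n");
        return 1;
    }
    printf("v%u ihl=%u len=%u ttl=%u proto=%u src=%u.%u.%u.%u checksum %s\n",
           info.version, info.ihl, info.total_length, info.ttl, info.protocol,
           info.src >> 24, (info.src >> 16) & 0xff, (info.src >> 8) & 0xff,
           info.src & 0xff, info.checksum_ok ? "ok" : "BAD");
    return 0;
}
```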
[0153] System Calls and Utilities
[0154] As described in whatis.com:
[0155] "A utility is a small program that provides an addition to the capabilities provided by the operating system. In some usages, a utility is a special and nonessential part of the operating system. In other usages, a utility is an application that is very specialized and relatively limited in capability." (TechTarget.com)
[0156] The Berkeley 4.2/4.3bsd UNIX OS implements 17 system calls for use with the socket interface. It brought over FTP for reliable file transfer and the TELNET protocol for remote terminal emulation from the ARPA network which preceded the Internet. Berkeley also implemented the system calls rpc (remote procedure call) and rlogin (remote login) as replacements for trusted hosts, and further provided rsh (remote shell) for the UNIX system.
[0157] AT&T UNIX System V Streams and RFS
[0158] The AT&T Streams architecture is a layered architecture. The streams are interfaces between the protocol layers and the UNIX kernel. The layered architecture provides the capability to implement different protocols with the same Streams interface. The interfaces are implemented as a set of new system calls at the session layer of the OSI model, and as a set of Streams interface modules, such as a streams header or streams driver, that comprise the presentation layer between the user's application and the system calls. The Remote File System (RFS) is a utility provided with AT&T UNIX System V.3 that uses the Streams interface. This allows the use of any network protocol and makes RFS independent of the type of network hardware or software. The RFS implementation also supports a Transport Layer Interface (TLI) for low-level access to networking for system applications. The Streams Interface is called in the same manner as any other communications interface--with a set of system calls that are serviced by kernel service modules.
[0159] A stream has three parts: a Stream head, optional processing modules, and a driver (also called a Stream end). The Stream head provides the interface between the Stream and user processes at the application layer. One or more modules (optional) process data that travels between the Stream head and the driver. An example of a processing module and its action is canonical conversions in a TTY driver. The driver may be a device driver, providing communications or other I/O services from an external device, or an internal software driver, commonly called a pseudo-device driver.
[0160] By using a combination of system calls, kernel routines, and kernel utilities, the streams interface passes data between the driver and the Stream head in the form of messages. Messages that pass from the Stream head toward the driver travel downstream, and messages in the opposite direction travel upstream. These messages contain data passed between the user space and the Streams data space in the driver.
System Calls and Utilities
[0161] Streams provide a simple interface through system calls. The system calls include:
1. open--Create a Stream to the specified driver;
2. close--Dismantle a specified Stream;
3. read--Receive data from a Stream;
4. write--Send data to a Stream;
5. ioctl--Push a protocol control module for a particular device onto the Streams stack;
6. getmsg--Receive a data and control message from a Stream;
7. putmsg--Send a data and control message to a Stream;
8. poll--Notify the application program when a selected event occurs on a Stream.
[0162] The RFS provides transparency between remote and local file systems. The user process uses the RFS to access a file on another system without having to know the details of accessing the file, while the RFS maintains the security and integrity of the system for concurrent file access. The RFS provides this capability while retaining the normal UNIX file system semantics. The UNIX adv command sends a message to the name service node that it is making files available as a server. The mount command allows administrators on the client system to make a remote file system available for use locally in a transparent manner. A network connection is set up between the client and the server consequent to a mount command. The server keeps track of how many remote users have a file open at a given time and it maintains security by distinguishing between local opens and remote opens. Remote access can be restricted to the privileges of selected local accounts.
[0163] Network File Systems (NFS)
[0164] The Sun Microsystems Network File System (NFS) is supported on a number of UNIX implementations. NFS supports transparent network-wide read and write access to files and directories. Workstations or disk file servers export selected file systems to the network to make them sharable resources. Workstations import file systems to access files.
[0165] The base protocol for the Sun Microsystems UNIX implementation is TCP/IP. The divergence from the Berkeley implementation of TCP/IP occurs at the Session layer where Sun has implemented Remote Procedure Calls (RPC). Sun layers the RPC on top of the TCP/IP socket interface. RPC allows communications with remote services in a manner similar to procedure calling mechanisms of procedural programming languages. At the Presentation layer, the Sun implementation has defined the External Data Representation (XDR). The XDR definition allows different machines to communicate, despite variations in their data representations, by standardizing network data representation. XDR translates data to the standard representation before sending to the network.
[0166] The NFS implementation also includes the implementation of a virtual file system (VFS) that uses vnodes to separate file system operations from the semantics of the implementation. An extension of the standard mount command of UNIX 4.2bsd allows network users to mount files for shared access. The exportfs command exports file systems to the network. NFS, called a client/server architecture, designates the exporting file system as the server and the importing file system as the client.
[0167] Additionally, the ISO selected the IEEE Ethernet 802.3 standard for the physical link and data link layers. Table 2 below describes the OSI Reference model mapping of network software for three UNIX operating systems.
TABLE 2. Mapping of Network Software Categories to OSI Reference Model Layers

OSI Model Layer | AT&T UNIX System V.3 | Berkeley UNIX 4.3bsd | Sun Microsystems 4.3bsd
Application | RFS; application using Streams | Application using sockets; FTP, TELNET, rlogin | NFS; application using sockets; FTP, TELNET, rlogin
Presentation | Stream modules | Library routines (transport library) | XDR (External Data Representation)
Session | New system calls for Streams | New system calls to implement sockets | Remote procedure calls and sockets
Transport & Network | Protocol modules for TCP/IP, XNS, SNA, OSI | TCP; IP | TCP or network disk protocol; IP
Data Link & Physical | Ethernet (IEEE 802.3), Token Ring, SNA | Ethernet (IEEE 802.3), Address Resolution Protocol | Ethernet (IEEE 802.3), Address Resolution Protocol
SUMMARY OF THE INVENTION
[0168] The present invention is a Network Surveillance and Security System for monitoring and protecting a computer network. The Network Surveillance and Security System combines an artificial intelligence capability with communication resources. In this context, artificial intelligence is described in whatis.com as:
[0169] "Artificial intelligence (AI) is the simulation of human intelligence processes by machines, especially computer systems. These processes include learning (the acquisition of information and rules for using the information), reasoning (using the rules to reach approximate or definite conclusions), and self-correction. One application of AI is referred to by the term `expert system`." (TechTarget.com)
[0170] In this context, an expert system is described, also in whatis.com, as:
[0171] "An expert system is a computer program that simulates the judgement and behavior of a human or an organization that has expert knowledge and experience in a particular field. Typically, such a system contains a knowledge base containing accumulated experience and a set of rules for applying the knowledge base to each particular situation that is described to the program. Sophisticated expert systems can be enhanced with additions to the knowledge base or to the set of rules." (TechTarget.com)
[0172] The Network Surveillance and Security System includes a knowledge base which encompasses what is presently known about the network's operations. The knowledge base includes the network's intended operations and what is known of past attempts to either damage the network's operations or have it operate other than as intended. The Network Surveillance and Security System also possesses a learning capacity for expanding its knowledge base. The present invention is further capable of communicating over publicly accessible networks with other Network Surveillance and Security Systems. These communications with other Network Surveillance and Security Systems can include aspects of the present operational security status of the network as well as additions to its knowledge base. Among these additions may be recent changes in operations, details of newly encountered events, effects of newly encountered events on operations, plus responses by the Network Surveillance and Security System and the results of these responses. Encryption preserves the privacy of these communications. Further ensuring the communicated knowledge's confidentiality is a proprietary encryption system, exclusive to the Network Surveillance and Security System.
[0173] The Network Surveillance and Security System monitors local area network (LAN) traffic in real-time. Wide area network (WAN) traffic seeking access to the protected network is monitored both in real-time and in intervals. The invention protects both network based systems and internal system storage devices.
[0174] The Network Surveillance and Security System monitors all communication traffic within at least one section of a network where any type of communication protocol is functioning within a communication domain. According to whatis.com:
[0175] "In computing and telecommunication in general, a domain is a sphere of knowledge identified by a name. Typically, the knowledge is a collection of facts about some program entities or a number of network points or addresses. On the Internet, a domain consists of a set of network addresses." (TechTarget.com)
[0176] Ethernet protocols are, by design, broadcast protocols in which every host on a selected section of a network receives the broadcast. As described in whatis.com for Internet environments, though also applicable for network environments in general:
[0177] "On the Internet, the term `host` means any computer that has full two-way access to other computers on the Internet. A host has a specific `local or host number` that, together with the network number, forms its unique IP address. If you use Point-to-Point Protocol to get access to your access provider, you have a unique IP address for the duration of any connection you make to the Internet and your computer is a host for that period. In this context, a `host` is a node in a network." (TechTarget.com)
[0178] In a surveillance mode, the Network Surveillance and Security System samples and analyzes data packets destined for host computers. The analysis of data packets determines if the packet originates from an authorized user of the host or group of host computers under surveillance.
[0179] Functioning as a security guard for business-to-business (B2B) Internet portals is one feature of the Network Surveillance and Security System. The Network Surveillance and Security System variously guards by surveying host port connections, detecting and disconnecting unauthorized intrusions, alerting the network administrators, and identifying the source of the intrusion. The monitoring involves checking the source address of a signal source seeking access to the network against a database of authorized users. If the source address is not in the database, the Network Surveillance and Security System denies connection to the network to preempt possible threats.
[0180] The Network Surveillance and Security System uses artificial intelligence to detect and analyze attacks on servers in the protected network. The artificial intelligence determines attack patterns and the event sequences preceding an attack. Among the components of the Network Surveillance and Security System's artificial intelligence are knowledge-based tools comprising inference engines, genetic learning algorithms, and a neural network. As described in whatis.com:
[0181] "Genetic programming is a model of programming in which programs compete to survive or cross-breed with other programs to continually select the most effective programs that approach closer to the desired result. Genetic programming is appropriate for problems with a large number of fluctuating variables such as those related to artificial intelligence." (TechTarget.com)
[0182] With artificial intelligence, the Network Surveillance and Security System is able to actively expand its recognition of different types of attack. Artificial intelligence also improves the ability of the Network Surveillance and Security System to make predictions about the nature of a new encounter and project the outcomes of differing countermeasures.
[0183] Among the general benefits of the Network Surveillance and Security System is an unimpeded network traffic flow. The present invention does not delay network operations or activities. In addition, technicians can install the Network Surveillance and Security System without alterations to existing software or configuration files. The invention is generally hosted on a machine that is added to the protected network. Another beneficial aspect of the present invention is that the continually expanding knowledge base enables a human network administrator who is not a security expert to effectively supervise a network's protection.
[0184] Architecture of the Network Surveillance And Security System
[0185] The organization of the Network Surveillance and Security System is described herein as a structure of layers. These are abstract layers of UNIX processes which relate functionally, but are not limited to interacting exclusively with the other layers they border in the organizational description. On a physical level, all of the processes are essentially the same--an organized group of electrical impulses traveling across circuits and switches. The processes are best understood in terms of their functionality and contents. It is the interrelations of these functions and contents which are reflected in the following description of the organization of the Network Surveillance and Security System.
[0186] Understanding of the interrelations of the processes of the Network Surveillance and Security System can be aided by drawing an analogy to a person playing chess. In describing an individual's understanding of the game of chess, a natural approach would be to also describe their understanding at different abstract levels. A first level may be a perceptual recognition of what constitutes a game board and the pieces used. A second level could be the rules of the game of chess. A third level could be specific tactical approaches to particular combinations of moves, and a fourth level could be overall strategies for various attacks or defenses. Certain thought processes would be relevant to particular levels but would not be restricted to application at just those levels or even exclusively in the realm of chess. An approach to solving a problem of chess strategy could also be applicable to planning a political campaign. Still, at the physical level, all thought processes are essentially identical--an organized group of electrochemical impulses traveling across neurons and synapses.
[0187] The various processes which comprise the Network Surveillance and Security System are interrelated by function and content according to an organizational plan. However, an algorithm which is developed in one context may be utilized by any process in any context, when found useful. Hence, the following structural descriptions should be seen as not a structure in the sense of bricks stacked upon each other, but rather as a structure which provides comprehension, efficiency of operation, and functional organization.
[0188] Following is the architecture of the sub-layers which comprise the four layers of the Network Surveillance and Security System.
I. EXPERT SYSTEM SECURITY INTELLIGENCE LAYER - Executive Program
  Inference Engine Sub-Routine
    1. Knowledge Base Executive
    2. Intrusion Detection Knowledge Layer
    3. Intelligence Search Engines
    4. Intelligence Sorting Engines
    5. Attack Sequence Knowledge Base
    6. Communication Utilities Knowledge Base
  I.A. Neural Network Sublayer - Executive Program & Algorithms
    I.A.1 EVENT LEARNING - Knowledge Representation: Observations, Rules
    I.A.2 NEURAL ARTIFICIAL INTELLIGENCE - Knowledge Representations
      I.A.2.a Representations: Theorems, Facts
      I.A.2.b Reasoning: Observations, Rules
      I.A.2.c Learning: Theorems, Facts, Observations
    I.A.3 NEURAL NETWORK SECURITY ALGORITHMS
      I.A.3.a Neuron Models: Rules
      I.A.3.b Symbolic Representations: Networks, Constellations, Systems
  I.B. Genetic Programming Sublayer - Executive Program & Algorithms
    I.B.1 RESEARCH FUNCTIONS - Features (inputs), Classes (outputs)
      I.B.1.a Training Domains - Features (inputs), Classes (outputs)
      I.B.1.b Learning Domains - Features (inputs), Classes (outputs)
    I.B.2 ACCEPTANCE & VALIDATION - Features (inputs), Classes (outputs)
      I.B.2.a Learning Domains - Features (inputs), Classes (outputs)
      I.B.2.b Testing Domains - Features (inputs), Classes (outputs)
    I.B.3 MACHINE LEARNING ALGORITHMS - Features (inputs), Classes (outputs)
      I.B.3.a Training Domains - Features (inputs), Classes (outputs)
      I.B.3.b Acceptance & Validation - Features (inputs), Classes (outputs)
[0189]
II. COMMUNICATION SYSTEM LAYER (CSL) - CSL EXECUTIVE PROGRAM
  II.A Neural Network Information Routing
  II.B Genetic Programming Information Routing
  II.C.1.a ROUTING PROCESSES: i. Expert Personalities Information; ii. Translators & Converters
  II.C.1.b NEURAL NETWORK: Process Control Communication
  II.C.1.c NEURAL NETWORK PROCESS MANAGEMENT: i. UNIX; ii. Expert System
  II.C.2.a BASIC SECURITY PROCESSES: Translators & Converters
  II.C.2.b CONSTELLATION SERVERS: Process Control Communication
  II.C.2.c CONSTELLATION PROCESS MANAGEMENT: i. UNIX; ii. Constellation
  II.C.3.a COMMAND CONVERSIONS: Translators & Converters
  II.C.3.b GENETIC PROGRAMMING: Process Control Communication
  II.C.3.c GENETIC PROGRAMMING PROCESS MANAGEMENT: i. UNIX; ii. Expert System
[0190]
III. COMMUNICATION INFRASTRUCTURE AND INTERFACE LAYER (CIIL) - CIIL EXECUTIVE PROGRAM
  III.A Storage System Executive Program
  III.B Network Interface Executive Program
  III.C.1 EXPERT PERSONALITIES
    III.C.1.a UNIX File System Utilities - Version UNIX Commands: BSDU Commands, FreeBSD Commands, IBM-AIX, HP-ULTRIX, Linux, Solaris, Digital Unix
    III.C.1.b Databases
      i. Security Reference Database (SRD): Intrusion Reference Data, Attack Sequences Data
      ii. Security Reference Model (SRMD)
      iii. Security Reference Monitor (SRMN)
      iv. Security Authorization Database (SAD)
      v. Authorization Access Model (AAM): Authorization Profile (AP), Unauthorized Profiles
    III.C.1.c Rule Based Personalities Executive Program
      i. God Process
      ii. Demon Process
      iii. Support Team
      iv. Surveillance Intelligence Forces (SIF): Servants, Knights and Spies, Agents, Archangels, Angels
      v. Military Intelligence Army: Captain, Lieutenants, Sergeants, Corporal, Constellation Guards, Infantry, Server Guards
  III.C.2 BASIC SECURITY PROCESSES
    III.C.2.a Communication Utilities: Encryption, BSD4.4 Commands, SVR4 Commands
    III.C.2.b Process Control Management
      i. Interprocess Communication (IPC): Pipes, Named Pipes, STREAMS, Sockets (internal), Socket (external)
      ii. Domain Control Program: Local, Internet
    III.C.2.c Security Access System Controller
      i. Constellation Access Record Logger (CARL), Address Mapper (CAM), Port Monitor & Controller, System Logger (SYSLgr)
      ii. File System Watch Dogs: root file system guard, user-bin guard, slash-etcetera guard, slash-bin guard, File Permission Guards, File Access Guards
      iii. Directory Watch Dogs: Group Permission Guards, Directory Access Guards
  III.C.3 COMMAND PROCESSES
    III.C.3.a UNIX Control Utilities - Executive Program
    III.C.3.b Hardware Interfaces Control Program - Message Channels: Ethernet, Token Ring, FrameRelay, ATM, BroadCast (M-Bone), RS-232, V35
    III.C.3.c Portmon (PM) Executive Program: Routers/Firewalls Access Record Logger (RECarl), Address Mapper (RFCam), Port Monitor & Controller, System Logger (RFSYSLgr)
[0191]
IV. PLATFORM SYSTEM LAYER (PSL) - Executive Program
  IV.A BSD 4.4 Operating System Interface Commands
  IV.B AT&T SVR4 Operating System Interface Commands
  IV.C. UNIX PRODUCTS
    IV.C.1 BSD UNIX
      IV.C.1.a FREEBSD
      IV.C.1.b BSDI
      IV.C.1.c LINUX, DEC-UNIX
      IV.C.1.d SUN OS 3.X
    IV.C.2 BSD and AT&T UNIX
      IV.C.2.a SOLARIS
      IV.C.2.b HP-ULTRIX, IBM-AIX
      IV.C.2.c IRIX 5.X, IRIX 6.X, SUN OS 4.X
      IV.C.2.d DIGITAL UNIX
    IV.C.3 AT&T UNIX
      IV.C.3.a AT&T SYSTEM V R 3
      IV.C.3.b AT&T SYSTEM V R 4
      IV.C.3.c
      IV.C.3.d VM/MVS-UNIX
[0192] Network Surveillance and Security System Functions
[0193] The previously described general operations of the Network Surveillance and Security System are accomplished by the following functions.
[0194] (A) Security Audits
[0195] The Network Surveillance and Security System continuously audits a protected constellation of servers which comprise the section of the network under guard. Access log information of each server's internal and external communication traffic is audited. Among the information in the log are user activities, access requests, and attempted security breaches. The Security System performs auditing on a non-stop, around the clock basis. The auditing process of all network traffic enables analysis of traffic patterns. The traffic pattern analysis identifies customary, acceptable patterns and weighs newly encountered patterns to determine if they deviate from the standards. Detection of unusual traffic patterns is one source the Network Surveillance and Security System learning function can use to expand its knowledge base.
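The audit described above, as an added example that is not the patent's code: a baseline of customary login patterns is learned from constructed audit-log history, and a new batch of records is weighed against it for deviations (unseen sources, unusual hours, failure counts beyond the customary limit). The log format, the sample lines and the "mean plus two standard deviations" limit rule are all assumptions made for this example.

```python
"""Audit-log baseline and deviation scoring (added example, not the
patent's code; the log format, the log lines and the limit rule are constructed)."""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed syslog-style record: "<Mon> <day> <hh:mm:ss> <host> login: <user> from <ip> <result>"
LINE = re.compile(r"^\w{3} +\d+ (?P<hour>\d\d):\d\d:\d\d (?P<host>\S+) login: "
                  r"(?P<user>\w+) from (?P<src>[\d.]+) (?P<result>accepted|failed)$")

HISTORY_LOG = """\
Jan 15 09:02:11 srv1 login: alice from 10.0.0.5 accepted
Jan 15 09:40:03 srv1 login: bob from 10.0.0.7 accepted
Jan 15 10:15:27 srv1 login: alice from 10.0.0.5 accepted
Jan 16 09:01:50 srv1 login: alice from 10.0.0.5 failed
Jan 16 09:02:04 srv1 login: alice from 10.0.0.5 accepted
Jan 16 13:22:18 srv1 login: bob from 10.0.0.7 failed
Jan 16 13:22:31 srv1 login: bob from 10.0.0.7 accepted
Jan 17 14:05:44 srv1 login: alice from 10.0.0.5 accepted
"""

NEW_LOG = """\
Jan 19 03:10:02 srv1 login: alice from 192.0.2.44 failed
Jan 19 03:10:09 srv1 login: alice from 192.0.2.44 failed
Jan 19 03:10:17 srv1 login: alice from 192.0.2.44 failed
Jan 19 03:12:41 srv1 login: alice from 192.0.2.44 accepted
Jan 19 10:05:00 srv1 login: alice from 10.0.0.5 accepted
Jan 19 11:00:00 srv1 login: carol from 10.0.0.9 accepted
Jan 19 13:30:00 srv1 login: bob from 10.0.0.7 failed
this line is not an audit record and is skipped
"""


def parse(text):
    """Yield one dict per well-formed audit line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["hour"] = int(ev["hour"])
            yield ev


class Baseline:
    """Customary pattern learned from audited history: the sources and hours
    each user normally logs in from, and how many failures each source produced."""

    def __init__(self, events):
        self.sources = defaultdict(set)   # user -> source addresses seen
        self.hours = defaultdict(set)     # user -> hours of day seen
        self.failures = Counter()         # source -> failed attempts
        for ev in events:
            if ev["result"] == "accepted":
                self.sources[ev["user"]].add(ev["src"])
                self.hours[ev["user"]].add(ev["hour"])
            else:
                self.failures[ev["src"]] += 1

    def failure_limit(self):
        """Per-source failures above mean + 2 standard deviations count as a deviation."""
        if not self.failures:
            return 0.0
        counts = list(self.failures.values())
        return mean(counts) + 2 * pstdev(counts)


def deviations(events, baseline):
    """Weigh a new batch of audit events against the baseline; return findings."""
    findings, fails = [], Counter()
    for ev in events:
        user, src = ev["user"], ev["src"]
        if ev["result"] == "failed":
            fails[src] += 1
            continue
        if user not in baseline.sources:
            findings.append(f"{user}: no login history, accepted from {src}")
        elif src not in baseline.sources[user]:
            findings.append(f"{user}: accepted from unseen source {src}")
        if user in baseline.hours and ev["hour"] not in baseline.hours[user]:
            findings.append(f"{user}: login at unusual hour {ev['hour']:02d}")
    limit = baseline.failure_limit()
    for src, n in fails.items():
        if n > limit:
            findings.append(f"{src}: {n} failed logins exceed customary limit {limit:.1f}")
    return findings
```

Running `deviations(parse(NEW_LOG), Baseline(parse(HISTORY_LOG)))` yields four findings; the unseen-source and unusual-hour findings for one user, together with the failure burst from the same address, are the kind of newly encountered pattern the text says feeds the learning function.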
[0196] Monitoring of Internet servers within a protected constellation by the Network Surveillance and Security System detects attacks which advance beyond a firewall. As described in whatis.com:
[0197] "A firewall is a set of related programs, located at a network gateway server, that protect the resources of a private network from other users. (The term also implies the security policy that is used with the programs.)
[0198] "A firewall works closely with a router program to filter all network packets to determine whether to forward them toward their destination. A firewall also includes or works with a proxy server that makes network requests on behalf of workstation users." (TechTarget.com)
[0199] All traffic within the internal (LAN) network infrastructure is audited for unauthorized entries. Subsets of the Ethernet datapackets that indicate identifying information such as the source IP address are monitored by the Network Surveillance and Security System. These subsets are termed Sniplets and are used to identify and track packets in the LAN traffic.
[0200] Process Surveillance and Analysis
[0201] Previously, surveillance systems have only observed traffic crossing over ports. Surveillance of traffic native to the network itself has not generally been done. The Network Surveillance and Security System conducts surveillance and analysis of all native and non-native network processes.
[0202] (B) Knowledge Base Analysis
[0203] The Network Surveillance and Security System utilizes the knowledge base to complete the security audits in the following manner:
[0204] Each Ethernet frame is decomposed into component sniplets and analyzed in a stateful manner to determine if services are being requested from authorized source addresses.
[0205] Each Internet Protocol (IP) packet is decomposed into components termed IP-sniplets and analyzed in a stateful manner to determine if the IP address of the sender is an authorized client of the requested server.
[0206] As described in whatis.com:
[0207] "`Stateful` and `stateless` describe whether a computer program is designed to note and remember one or more preceding events in a given sequence of interactions with a user, another computer or program, a device, or other outside element. Stateful means the computer or program keeps track of the state of interaction, usually by setting values in a storage field designated for that purpose. Stateless means there is no record of previous interactions and each interaction request has to be handled based entirely on information that comes with it. (Computers are inherently stateful in operation, so these terms are used in the context of a particular set of interactions, not of how computers work in general.)
[0208] "The Internet's basic protocol, the Internet Protocol (IP), is an example of a stateless interaction. Each packet travels entirely on its own without reference to any other packet. (The upper layer Transmission Control Protocol--TCP--does relate packets to each other, but uses the information within the packet rather than some external information to do this.) The World Wide Web's Hypertext Transfer Protocol (HTTP), an application layer above TCP/IP, is also stateless.
[0209] "In order to have stateful communication, a site developer must furnish a special program that the server can call that can record and retrieve state information.
[0210] "In formal protocol specifications, a finite state machine is an abstract description of how a stateful system works that describes the action that follows each possible state." (TechTarget.com)
[0211] The security audit results are used by the Network Surveillance and Security System to determine if a particular connection is permitted. The Network Surveillance and Security System uses four parameters to authenticate the user's authorization:
[0212] 1. Time of connection;
[0213] 2. Destination and login server including the USERID;
[0214] 3. Originating signal source address and portal information including:
[0215] IP address, Ethernet (or MAC) address, authorization, source network address, and source machine address (from the MAC address);
[0216] 4. Content monitoring of original connection request including login patterns.
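The sniplet decomposition of (B) and the four authorization parameters just listed, as an added example that is not the patent's code: a constructed Ethernet II / IPv4 / TCP frame is decomposed into its Ethernet sniplets (MAC addresses) and IP-sniplets (addresses and ports), and a stateful monitor then checks time of connection, destination server and USERID, source IP and MAC, and the login content of the original request. The authorized-client table, the `login:` request format and the frame builder are assumptions made for this example.

```python
"""Sniplet decomposition and a stateful connection authorization check
(added example, not the patent's code; the authorized-client table,
login format and frames are constructed for illustration)."""
import re
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4, PROTO_TCP = 0x0800, 6
TCP_SYN, TCP_ACK = 0x02, 0x10
LOGIN_PATTERN = re.compile(rb"^login:\s*(\w+)\r?\n")   # constructed login format


@dataclass(frozen=True)
class Sniplets:
    """Identifying fields pulled from one Ethernet II / IPv4 / TCP frame."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int
    payload: bytes


def decompose(frame: bytes) -> Sniplets:
    """Decompose a frame into its Ethernet sniplets and IP-sniplets."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet/IPv4/TCP headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    ip = frame[14:]
    if ethertype != ETHERTYPE_IPV4 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 frame")
    ihl = (ip[0] & 0x0F) * 4                 # IP header length in bytes
    if ip[9] != PROTO_TCP:
        raise ValueError("not a TCP segment")
    tcp = ip[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4            # TCP header length in bytes
    return Sniplets(
        src_mac=src_mac.hex(":"), dst_mac=dst_mac.hex(":"),
        src_ip=".".join(map(str, ip[12:16])), dst_ip=".".join(map(str, ip[16:20])),
        src_port=src_port, dst_port=dst_port, flags=tcp[13], payload=tcp[data_off:],
    )


@dataclass(frozen=True)
class Authorized:
    """One row of the constructed authorized-client database."""
    src_ip: str
    src_mac: str
    server_ip: str
    server_port: int
    userid: str
    hours: range          # hours of the day during which the connection is permitted


class ConnectionMonitor:
    """Stateful check: a connection must be opened (SYN) by an authorized source
    before later packets are accepted, and its login must name the authorized USERID."""

    def __init__(self, db):
        self.db = {(a.src_ip, a.server_ip, a.server_port): a for a in db}
        self.sessions = {}    # (src_ip, src_port, dst_ip, dst_port) -> Authorized row

    def inspect(self, frame: bytes, hour: int) -> str:
        """Return 'allow...' or 'deny: <reason>' for one observed frame."""
        s = decompose(frame)
        key = (s.src_ip, s.src_port, s.dst_ip, s.dst_port)
        if s.flags & TCP_SYN and not s.flags & TCP_ACK:        # connection request
            rec = self.db.get((s.src_ip, s.dst_ip, s.dst_port))
            if rec is None:
                return "deny: source is not an authorized client of this server"
            if rec.src_mac != s.src_mac:
                return "deny: MAC does not match the authorized source"
            if hour not in rec.hours:
                return "deny: outside permitted connection time"
            self.sessions[key] = rec
            return "allow: handshake"
        rec = self.sessions.get(key)
        if rec is None:
            return "deny: packet without an authorized session"
        m = LOGIN_PATTERN.match(s.payload)
        if m and m.group(1).decode() != rec.userid:
            del self.sessions[key]
            return f"deny: login as {m.group(1).decode()} not authorized"
        return "allow"


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Construct a minimal Ethernet II / IPv4 / TCP frame (checksums left zero)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     ip4(src_ip), ip4(dst_ip))
    return struct.pack("!6s6sH", mac(dst_mac), mac(src_mac), ETHERTYPE_IPV4) + ip + tcp
```

A SYN from a listed client at a permitted hour is allowed and recorded; a later packet on a four-tuple with no recorded handshake, or a login naming a USERID other than the one authorized for that source, is denied.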
[0217] (C) Learning and Updates to Expand Knowledge Base
[0218] The Network Surveillance and Security System uses artificial intelligence to expand its knowledge base by learning from new events. The Expert System Security Intelligence Layer of the present invention performs the learning with subcomponents that employ various algorithms. In protecting the network against attacks, these subcomponents produce a dynamic response to changes in attack sequences during an attack. A specialized database algorithm, designed to provide a linked list data structure of "attack sequences," records gathered information from prior attacks. The database algorithm is based upon an inference engine's references to past events and correlations with neural network algorithms' learning patterns. This algorithm then stores the gathered information after having performed a series of analytical transactions on each new attack sequence.
[0219] Within the Expert System Security Intelligence Layer, there is an Event Learning subcomponent that gains knowledge from observation of the network. Event Learning observes the network's current state of security and incorporates information of a new outcome state that results from an initial known state of security encountering an event which has the potential to change that initial known state.
[0220] Network Surveillance and Security Systems can also cooperate with each other to share new additions to the knowledge base, such as previously unencountered attack sequence data. Separate Network Surveillance and Security Systems can thus inform and update each other--see function (F) following. A novel encryption component of the present invention--detailed in (E) following--enables confidential communication of characteristics of new encounters over public communication channels. Conventional, unencrypted information communication means can also be utilized for expanding knowledge bases through shared information, with the new information then also contributing to subsequent auditing, analysis, and learning.
[0221] (D) Responses & Countermeasures
[0222] If an unauthorized access attempt or attack on a protected network occurs, the present invention is also able to conduct countermeasures such as deactivating the port from which a prohibited signal is entering. In addition, the Network Surveillance and Security System can notify the network administrator that a prohibited event is occurring. Among the various types of responses by the Network Surveillance and Security System are:
[0223] (E) Secured Remote Access
[0224] With the Network Surveillance and Security System, a network can communicate over an encrypted remote access channel. Hence, a network with the NS&SS which communicates over the Internet or any public WAN can achieve an equivalent degree of security as is available over a completely private communication channel, without the infrastructure expense and network management overhead. The NS&SS enables secure communication over the Internet without a need to regulate the connections or overtly authenticate the user. A secure intranet can thus be constructed using non-private communication channels. Additionally, the present invention can be used for secure communications with others outside of the intranet, to ensure authentication and confidentiality. The Network Surveillance and Security System further provides, when the network is connected to an outside party: background monitoring of transactions directed towards company resources through applications at OSI layer 7, monitoring of connection times to those resources, and monitoring of connection ports.
[0225] Privisea.TM., a novel encryption machine that provides enhanced confidentiality for communication over publicly accessible channels, is a further optional feature of the Network Surveillance and Security System. Privisea.TM. is a proprietary encryption machine exclusively available to owners of the Network Surveillance and Security System. Since only these owners have access to its encryption functions, the certainty of communication confidentiality is enhanced. A key exchange mechanism of the Privisea.TM. encryption machine enables separate Network Surveillance and Security Systems protecting different networks to communicate and function cooperatively.
[0226] Privisea.TM. is a sub-function of the Network Protocol Center. The Network Surveillance and Security System is compatible with all historic and current protocols that use the IEEE 802.3 standards. The Network Surveillance and Security System is further compatible with Fast Ethernet (100 BASE-T) and Gigabit Ethernet protocols; and in general is compatible with all protocols that route TCP/IP and SNA by IBM. Privisea.TM. encrypts communications with keys up to 1024 bits and conducts key management across any public or private communication channels. Privisea.TM. has the capacity to encrypt and decrypt information prior to decomposing it into data packets and transporting it across the Internet, any public network, or a network sector outside the protected area.
[0227] (F) Communication of Expanded Knowledge Base
[0228] As described in C above, Network Surveillance and Security Systems can immediately exchange updates to each other's Intruder Databases. The shared information enables a protected constellation to even prevent never previously encountered intrusions and attacks. The intrusion prevention can protect one portion of a network from a previous attack on a different portion. The sharing of intrusion prevention information can also enable a Network Surveillance and Security System to profit from the detection and analysis of attacks on a different network. Intrusion prevention information encompasses both the diversity of attack patterns as well as event sequences leading up to an attack. Comprehensive database updates containing intrusion information compiled from all active Network Surveillance and Security Systems will also be available.
[0229] Objectives
[0230] The components of the Network Surveillance and Security System, both individually and in combination, provide novel network security protection functions. The present invention provides innovative capabilities that are executed in response to a range of concerns that can affect network security. A first group of novel functions is generally applicable across the extent of network security concerns. These generally applicable benefits include:
[0231] The protection functions of the Network Surveillance and Security System operate autonomously of attention from a system administrator or operator, as well as autonomously of any actions by a user of the network under protection.
[0232] The Network Surveillance and Security Systems are able to update their protective capabilities.
[0233] These updates enable the present invention's functions to improve in response to ongoing events. The updates can occur through use of an encrypted communication channel between separate Network Surveillance and Security Systems. The updates can also be self-generated through an artificial intelligence capacity. Additionally, these updates, both self-enacted by individual Network Surveillance and Security Systems and between communicating Network Surveillance and Security Systems, can occur autonomously.
[0234] The Network Surveillance and Security System deploys a novel Process Fingerprinting procedure. The Fingerprinting of processes uses information garnered from monitoring of process Ethernet addresses cross-referenced with process IP addresses. The garnered information is used by the Network Surveillance and Security System to assign every process that is operational in the Protected Server Constellation a unique identifier termed a Process Fingerprint. The Process Fingerprints enable a comprehensive accounting and tracking of the characteristics of every operational process.
[0235] A second group of novel functions is in the area of applications of artificial intelligence for the protection of a network's security. The applications of artificial intelligence variously provide functions which are either individually novel or provide novelty through unanticipated combinations of artificial intelligence functions.
[0236] A first novel combination of artificial intelligence (AI) functions for protecting network security includes:
[0237] Using artificial intelligence to manage the way learning algorithms model information processes with communication theory paradigms.
[0238] Using artificial intelligence learning algorithms to model information processing by UNIX processes. The AI learning algorithms conduct the modeling of UNIX processes with genetic programming and genetic machine learning programs.
[0239] Applying AI Genetic Programming that is capable of both self-initiated and self-controlled reprogramming.
[0240] Applying AI Genetic Reasoning that is capable of modeling information relating to new events by an examination of information relating to known events. The modeling develops an understanding of new events based on simulations of the known events.
[0241] Using AI Genetic Evolution and Co-Evolution for modeling different generations of UNIX utilities used for security protection. The different generations compete for success at protecting security. The survival of the most fit models enables continuous expansion and optimization of the present invention's capabilities to protect the security of the network.
[0242] Developing separate populations of problem solving processes by application of co-evolution. Determining the fitness of the constituents of the separate populations. Basing the determination of the constituents' fitness on their ability to accomplish specified results. Executing the fitness determinations based on prior observations of network events.
[0243] Using self-correcting AI Algorithms to enable the Network Surveillance and Security System to continuously expand and improve its security protection in response to ongoing events.
[0244] A second novel combination of AI functions for protecting network security includes:
[0245] Using artificial intelligence to model information processes with communication theory paradigms.
[0246] Expert System analyzing of dynamic security events in real-time.
[0247] Scheduling of processes according to the Digital UNIX real-time process scheduling scheme.
[0248] Applying inference approaches to model intruder motivations against systems security policies and customer security policies.
[0249] Adapting security AI dynamically in response to ongoing events, with the AI adaptations occurring autonomously and being self-directed by the Network Surveillance and Security System.
[0250] Learning, when needed, of new attack sequences and adding the learning to a verified compendium of attack sequences.
[0251] Testing of new attack sequences against a knowledge base to compare the newly learned knowledge to prior theorems and known facts.
[0252] Refining of knowledge base definitions of attack sequences and intrusion detections with the newly learned knowledge.
[0253] Updating the knowledge base's continuing log of events with facts relating to attacks, to enhance automatic protection against future attacks.
[0254] A third novel combination of AI functions for protecting network security includes:
[0255] Applying AI neural network theorems to model representations of internet and local area network security knowledge to construct various knowledge bases.
[0256] Developing self-generating, knowledge-incorporating AI neural networks to model simulations of logical operations involved in securing computers against security threats.
[0257] Applying AI Genetic Programming and Neural Network sub-systems to the maintaining of information security against dynamic threats.
[0258] Applying genetic programming and neural network algorithms to simulate internetworking security intelligence ("Internetworking" referring to LAN's connecting to other LAN's across WAN's, as well as to subnets--a portion of a LAN or a WAN--connecting to a subnet or a LAN across a WAN). Creating an internetworking knowledge base and observing internet and internetworking security policies violations in real-time.
[0259] Modeling AI Neural Networks to construct symbolic representations of UNIX utilities designed to protect computer systems against information security threats.
[0260] Designing self-generating, knowledge-incorporating Neural Networks comprised of simulated neurons to learn, in real time, knowledge relating to dynamic security threats against computer security policies.
[0261] Characterizing computer security threats by establishing states representing current system security. The current states are based upon past system security states and enable the Neural Network to predict future system security states.
[0262] A fourth novel combination of AI and other functions for protecting network security includes:
[0263] Monitoring of multiple packets at TCP Ports in real-time.
[0264] Broad platform coverage of a wide range of machines comprising a protected network, as well as of a wide range of UNIX varieties running in the network.
[0265] Network and host based security protection.
[0266] Generating of alerts and reports to system administrators and site officials.
[0267] Enables administration by a non-expert system administrator.
[0268] Both stand-alone and interactive operations are self-reliant.
[0269] Real-time monitoring of appropriate events.
[0270] Interval Based monitoring of appropriate events.
[0271] Statistical Anomaly Detection of long-term patterns of intrusive behavior.
[0272] Pattern Matching Detection.
[0273] Collecting of newly encountered attack sequence information.
[0274] Learning of newly encountered attack sequence information.
[0275] Analyzing of firewall logs for intrusion detection.
[0276] Analyzing of system logs for intrusion detection.
[0277] Updating and replacing as warranted of firewall filters.
[0278] Coordinating and communicating of information relating to attack encounters between Network Surveillance and Security Systems.
[0279] A fifth novel combination of AI and network based security protection functions includes:
[0280] Eliminating the need for interactive network and security administration.
[0281] Supporting network based security policies.
[0282] Analyzing packet contents statefully using information from packet headers.
[0283] Analyzing statefully the contents of Ethernet packet headers.
[0284] Analyzing statefully the contents of IP packet headers.
[0285] Analyzing statefully the contents of TCP packet headers.
[0286] Analyzing statefully the Session ID and protocol layer information from Packet Header contents.
[0287] Monitoring of all connections to TCP and UDP ports for unauthorized activities.
[0288] A sixth novel combination of AI and system based security protection functions includes:
[0289] Monitoring of failed login attempts.
[0290] Detecting of system(s) use contrary to administrative policies.
[0291] System network traffic monitoring.
[0292] System internal resource authorizations administration.
[0293] System external resource authorizations administration.
[0294] Constellation internal resource authorizations administration.
[0295] A seventh novel combination of security protection functions which concern Protected Constellations internal resource authorizations includes:
[0296] Detecting and locking of weak accounts.
[0297] Monitoring of file systems.
[0298] Monitoring to protect file ownership.
[0299] Monitoring of file security.
[0300] Monitoring to protect directory ownership.
[0301] An eighth novel combination of security protection functions monitors a Protected Constellation's TCP ports and connections made at those ports. Connections are initially made at the well-known ports. After the connection is made, the ongoing communication is then routed to other, less well-known ports. The Network Surveillance and Security System continues to monitor the connections both over the well-known ports and subsequently, over the less well-known ports. The monitoring of the processes which comprise the connections throughout their existence is an unprecedented security protection capability. Following is a roster of the well-known TCP ports which are monitored:
10
TCP Port   Service Name
7          echo
9          discard
13         daytime
19         Character generator
21         File Transfer Protocol
23         Telnet
25         SMTP
37         time
42         nameserver
43         whois
53         domain Name Service
79         finger (user information)
80         http for WWW
109        POP2
110        POP3
111        Sun RPC remote procedure Calls
113        Authentication service
119        Network News
178        NeXTSTEP Window Server
512        exec (execute commands on remote UNIX host)
513        login (login on remote UNIX host)
514        shell (retrieves shell from remote UNIX host)
515        printer (remote printing)
2049       NFS (NFS over TCP)
[0302] A ninth novel combination of security protection functions monitors a Protected Constellation's user defined ports (UDP) and connections made at those ports. Connections are initially made at the well-known ports. After the connection is made, the ongoing communication is then routed to other, less well-known ports. The Network Surveillance and Security System continues to monitor the connections both over the well-known ports and subsequently, over the less well-known ports. The monitoring of the processes which comprise the connections throughout their existence is an unprecedented security protection capability. Following is a roster of the well-known UDP ports which are monitored:
11
UDP Port   Service Name
37         time
53         domain
69         tftp (trivial FTP)
111        Sun Remote Procedure Calls port mapper
123        Network Time Protocol
161        Simple Network Management Protocol
512        biff (incoming mail alert)
513        who (returns who is logged on system)
514        syslog (system log facility)
517        talk (Internet talk port, chat)
518        new talk requests
520        route (RIP route info protocol)
533        Netwall (write to every user's terminal)
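The port-following behaviour described in [0301] and [0302], as an added example that is not the patent's own code: a tracker keyed by (protocol, client, server) that records the well-known port a session starts on and then attributes later flows between the same two hosts on non-well-known ports to that session, whichever side opens them (client-initiated, as with passive-mode FTP data, or server-initiated, as with active-mode FTP data or a TFTP reply from a fresh port). The two rosters are the tables above with service names abbreviated; the hosts, ports and flow sequence in run_demo() are constructed.

```python
"""Follow a session from its well-known port onto the ports it is switched to.

Added example: a small tracker over constructed flow records, not the patent's
own code. Hosts, ports and the flow sequence in run_demo() are made up.
"""
from dataclasses import dataclass, field

# Well-known port rosters, taken from the two tables above (service names
# abbreviated to their conventional short forms).
WELL_KNOWN = {
    "tcp": {7: "echo", 9: "discard", 13: "daytime", 19: "chargen", 21: "ftp",
            23: "telnet", 25: "smtp", 37: "time", 42: "nameserver", 43: "whois",
            53: "domain", 79: "finger", 80: "http", 109: "pop2", 110: "pop3",
            111: "sunrpc", 113: "auth", 119: "nntp", 178: "nextstep",
            512: "exec", 513: "login", 514: "shell", 515: "printer", 2049: "nfs"},
    "udp": {37: "time", 53: "domain", 69: "tftp", 111: "sunrpc", 123: "ntp",
            161: "snmp", 512: "biff", 513: "who", 514: "syslog", 517: "talk",
            518: "ntalk", 520: "route", 533: "netwall"},
}


@dataclass
class Session:
    proto: str
    client: str
    server: str
    service: str
    ports: list = field(default_factory=list)  # server-side ports seen, in order


class ConnectionTracker:
    """Keys sessions by (proto, client, server) so that a later flow on a
    non-well-known port between the same two hosts is attributed to the session
    that began at the well-known port, whichever side opens it."""

    def __init__(self):
        self.sessions = {}
        self.alerts = []

    def observe(self, proto, src, sport, dst, dport):
        """Classify the start of one flow and return the verdict string."""
        roster = WELL_KNOWN[proto]
        if dport in roster:
            # First contact at a well-known port opens (or extends) a session.
            key = (proto, src, dst)
            sess = self.sessions.get(key)
            if sess is None:
                sess = self.sessions[key] = Session(proto, src, dst, roster[dport])
            if dport not in sess.ports:
                sess.ports.append(dport)
            return "well-known"
        # Not a well-known port: look for a session between these two hosts.
        # Client-initiated follow-up (passive FTP data): the new server port is dport.
        # Server-initiated follow-up (active FTP data, TFTP reply): it is sport.
        for key, switched in (((proto, src, dst), dport), ((proto, dst, src), sport)):
            sess = self.sessions.get(key)
            if sess is not None:
                if switched not in sess.ports:
                    sess.ports.append(switched)
                return "switched"
        # No session explains this flow: surface it for the administrator.
        self.alerts.append(f"{proto} {src}:{sport} -> {dst}:{dport} "
                           "on non-well-known port with no originating session")
        return "unsolicited"


def run_demo():
    """Constructed flow sequence; returns (verdicts, tracker) for inspection."""
    flows = [
        ("tcp", "10.0.0.5", 40001, "10.0.0.9", 21),     # FTP control channel
        ("tcp", "10.0.0.5", 40002, "10.0.0.9", 51234),  # passive-mode data channel
        ("tcp", "10.0.0.9", 20, "10.0.0.5", 40003),     # active-mode data channel
        ("tcp", "10.0.0.7", 3333, "10.0.0.9", 6667),    # no prior session: alert
        ("udp", "10.0.0.5", 5000, "10.0.0.9", 69),      # TFTP request
        ("udp", "10.0.0.9", 2048, "10.0.0.5", 5000),    # TFTP reply from new port
    ]
    tracker = ConnectionTracker()
    verdicts = [tracker.observe(*f) for f in flows]
    return verdicts, tracker


if __name__ == "__main__":
    verdicts, tracker = run_demo()
    for sess in tracker.sessions.values():
        print(sess)
    print(verdicts, tracker.alerts)
```

The host-pair key is deliberately coarse: any flow between two hosts that already share a session is accepted as a switched port, so a monitor built on this shape should also correlate the switch with the process or protocol message that announced it (the FTP PORT/PASV exchange, the TFTP transfer ID), which is what the paragraphs above mean by following the processes that comprise the connection.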
[0303] Previously, surveillance systems have only observed traffic crossing over ports. Surveillance of traffic native to the network itself has not generally been done. The Network Surveillance and Security System conducts surveillance and analysis of all native and non-native network processes.
[0304] An additional novel feature of the Network Surveillance and Security System is the use of matrix algebra to provide substantial new means of tracking and analyzing network operations. The networks under protection typically involve large numbers of simultaneous operations and users, involved in dynamic interactions. Substantial amounts of protected resources at multiple, interwoven layers are being continuously requested and accessed. Comprehensively monitoring all of these myriad events and components as they operate, and maintaining this monitoring in real time throughout their existence has not been previously accomplished. The present invention accomplishes these tasks by modeling the Protected Constellation and its operations with matrices. The use of matrices provides previously unattainable functionality gains for network security monitoring and protection.
[0305] Since the operations of a multi-user, multi-processor, multi-threaded UNIX based network simultaneously involves numerous interwoven processes which continuously change relationships and status, it is not possible to follow the network's operations with a simple serial set of data audits. The Network Surveillance and Security System uses a novel application of matrix algebra to accomplish a comprehensive, dynamic accounting of the network in real time. A network's state of operations can be characterized as inhabiting a multidimensional, dynamically evolving Network Status Space. Each dimension of the Network Status Space represents a quality relating to the network, its users, or the processes in operation. One such dimension is an individual user's access permissions to a specific file group. Distances along this dimension would correspond to whether or not the user has read, write, or execution permissions for that file group. These distance examples would be a series of discrete values. The dimensions could also have continuously valued distances, such as a dimension which reflects the elapsed time of a user's login session. The entire status of the network and its operations can then be considered to correspond to a point in the Network Status Space. The coordinates of the point would be the relevant distances along particular dimensions, for all the dimensions required to represent every facet of the network and its operations.
[0306] The Network Surveillance and Security System uses matrices to perform transformations between points in the Network Status Space. While the utilization of matrix algebra is not fundamentally distinct, in a mathematical sense, from the use of systems of linear equations or equivalent methods, the gains realized when applied to network security monitoring and protection are fundamentally novel. The network's operations are dynamic, time-critical, and continuously occurring. For a security system to accomplish all of the relevant goals, it must be able to keep pace in real time. If the security system is able to process and make all of the relevant judgments, but at a lag of just 1% behind the time for occurrence of what is being judged, the security protection won't be accomplished. The security system cannot "catch-up", since there are new events constantly occurring to monitor. Hence, any inefficiency does not just produce a lessened caliber of performance, but likely results instead in an inability to perform at all. In order to avoid this inadequacy, most security systems only consider a limited measure of a network's operations to determine its security. The present invention's use of matrices not only provides a more efficient means to conduct network security analysis and protection, it also enables more comprehensive forms of security protection that were unachievable previously.
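The Network Status Space of [0305] and [0306], and the region valuation the following paragraph describes, as an added example that is not the patent's own code. The patent names no concrete dimensions, matrices, weights or thresholds; the five dimensions (three discrete permission bits, two continuous quantities), the event matrices, the linear score and the region cut-offs here are constructed for illustration. A trailing constant-1 coordinate makes the points homogeneous, so additive updates (elapsed time, a failed-login count) are matrix products just like the permission changes, and a batch of events composes into one matrix applied once.

```python
"""Network Status Space toy model: a network state is a point, an event is a
matrix, and a security valuation cuts the space into regions.

Added example, not the patent's own code. The dimensions, event matrices,
weights and thresholds are constructed for illustration.
"""

# One user/session slice of the Network Status Space: three discrete
# permission dimensions (0/1) and two continuous ones. A trailing constant 1
# makes the coordinates homogeneous, so additive updates are also matrix
# products and a batch of events composes into a single matrix.
DIMS = ["read", "write", "exec", "session_minutes", "failed_logins"]
N = len(DIMS) + 1
HOMOG = N - 1  # index of the constant-1 coordinate


def identity():
    return [[1.0 if i == j else 0.0 for j in range(N)] for i in range(N)]


def matmul(a, b):
    """Product a @ b of two N x N row-major matrices."""
    return [[sum(a[i][k] * b[k][j] for k in range(N)) for j in range(N)]
            for i in range(N)]


def apply(m, point):
    """Move a status point (length N, trailing 1) by matrix m."""
    return [sum(m[i][j] * point[j] for j in range(N)) for i in range(N)]


def event_matrix(kind, arg=None):
    """Matrix for one observed event; every row not mentioned stays identity."""
    m = identity()
    if kind == "elapsed":             # continuous: add minutes to the session clock
        m[DIMS.index("session_minutes")][HOMOG] = float(arg)
    elif kind == "failed_login":      # continuous counter: increment
        m[DIMS.index("failed_logins")][HOMOG] = 1.0
    elif kind == "login_ok":          # a successful login clears the counter
        i = DIMS.index("failed_logins")
        m[i][i] = 0.0
    elif kind == "grant":             # discrete: set a permission bit to 1
        i = DIMS.index(arg)
        m[i][i] = 0.0
        m[i][HOMOG] = 1.0
    elif kind == "revoke":            # discrete: set a permission bit to 0
        i = DIMS.index(arg)
        m[i][i] = 0.0
    else:
        raise ValueError(f"unknown event {kind!r}")
    return m


def compose(events):
    """Fold a batch of events into one matrix (later events multiply on the
    left), so updating the state for the batch is one matrix-vector product."""
    m = identity()
    for kind, *arg in events:
        m = matmul(event_matrix(kind, *arg), m)
    return m


def start_point():
    """A freshly logged-in user with read permission only."""
    p = [0.0] * N
    p[DIMS.index("read")] = 1.0
    p[HOMOG] = 1.0
    return p


# Security valuation of the space: a linear score projects each point onto one
# axis, and thresholds on that axis delimit three regions.
WEIGHTS = {"read": 0.0, "write": 2.0, "exec": 3.0,
           "session_minutes": 0.01, "failed_logins": 0.5}


def score(point):
    return sum(WEIGHTS[d] * point[DIMS.index(d)] for d in DIMS)


def region(point):
    """Region of the Network Status Space the point lies in."""
    s = score(point)
    if s < 1.0:
        return "acceptable"
    if s < 4.0:
        return "uncertain"
    return "unacceptable"


if __name__ == "__main__":
    p = start_point()
    batch = [("elapsed", 30), ("grant", "exec"), ("failed_login",), ("failed_login",)]
    p = apply(compose(batch), p)
    print(dict(zip(DIMS, p)), region(p))
```

Applying compose(batch) to the start point gives the same point as applying the four event matrices one after another; the difference is only where the work is done, which is the real-time argument the paragraph above makes. A linear score with fixed cut-offs is the simplest possible valuation; the patent's regions of "similar security value" could equally be learned boundaries, but whatever their shape the lookup is the same: compute the point, then ask which region contains it.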
[0307] One form of novel network security protection uses the Network Status Space. The Network Surveillance and Security System values every point in the Space for its security quality. Some points in the space will be indicative of network status with degrees of acceptable security, some indicative of degrees of unacceptable security, and some indicative of degrees of uncertain security. These points will often be aggregated in regions of similar security value. The Network Surveillance and Security System can determine the network's security status merely by determining what region of the Network Status Space the network's current status resides in. The Ne