| Field | Value |
|---|---|
| Patent No. | US 7,603,709 B2 |
| Title | Method and apparatus for predicting and preventing attacks in communications networks |
| Inventors | Lundy M. Lewis, Mason, N.H. (US); Joao B. D. Cabrera, Woburn, Mass. (US); and Raman K. Mehra, Lexington, Mass. (US) |
| Assignee | Computer Associates Think, Inc., Islandia, N.Y. (US) |
| Filed | May 03, 2002, as Appl. No. 10/138,836 |
| Related application | Application 10/138836 is a substitute for application No. 60/288530, filed on May 03, 2001. |
| Prior Publication | US 2003/0110396 A1, Jun. 12, 2003 |
| Int. Cl. | G06F 12/00 (2006.01); H04L 29/06 (2006.01) |
| U.S. Cl. | 726/23 |
| Claims | 14 |

1. A system for security management in a data, voice, or video network, comprising:
   - a data collector coupled to the network and configured to collect one or more datasets from the network, wherein the collected datasets include at least one dataset collected from the network during a real or simulated attack on the network, and wherein the collected datasets further include at least one dataset collected from the network during an attack-free time period;
   - a temporal correlation engine communicatively coupled to the data collector, wherein the temporal correlation engine is configured to:
     - identify one or more variables at a target of the real or simulated attack on the network, wherein the variables identified at the target characterize the real or simulated attack on the network;
     - identify one or more key variables among the variables that characterize the real or simulated attack on the network, wherein the key variables are identified as containing precursors of the real or simulated attack on the network;
     - use the dataset collected during the attack-free time period to construct one or more normal profiles for the network;
     - extract a time series of precursor events that occurred prior to the real or simulated attack on the network from the dataset collected during the real or simulated attack on the network, wherein extracting the time series of precursor events includes comparing a time series evolution for the key variables during the real or simulated attack with the normal profiles constructed from the dataset collected during the attack-free time period;
     - extract at least one temporal rule for a scenario associated with the real or simulated attack on the network, wherein the temporal rule includes the extracted time series of precursor events; and
     - verify that the extracted time series of precursor events consistently occurred in the network prior to the real or simulated attack on the network; and
   - a network management system executing on at least one device coupled to the network, wherein the network management system is configured to:
     - monitor subsequent activity in the network to detect an occurrence of one or more of the precursor events in the monitored network activity; and
     - take protective action to prevent an imminent attack on the network in response to detecting one or more of the precursor events in the monitored network activity, wherein the temporal rule defines the protective action to be taken.
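The pipeline claim 1 describes (normal profile from attack-free data, precursor extraction by comparison against that profile, verification that the precursor consistently preceded the attack, then monitoring for the precursor and acting on the rule) is illustrated below as an added example; it is not code from the patent, and all datasets, the key variable `conn_rate`, the k-sigma threshold and the function names are constructed assumptions.

```python
"""Toy version of the claimed precursor pipeline. Constructed data; one key variable
('conn_rate', connections per minute observed at the attack target)."""
from statistics import mean, pstdev

# Constructed attack-free dataset (one sample per minute at the target).
NORMAL = [20, 22, 19, 21, 20, 23, 18, 21, 20, 22]

# Constructed datasets captured during simulated attacks: (series, index of attack onset).
# Each shows a moderate spike a few minutes before the attack itself begins.
ATTACKS = [
    ([21, 20, 55, 58, 22, 21, 300, 310], 6),
    ([19, 60, 57, 20, 22, 295, 305, 300], 5),
    ([22, 20, 21, 62, 59, 23, 310, 320], 6),
]

def normal_profile(series):
    """Normal profile for the key variable: mean and population std dev of attack-free data."""
    return mean(series), pstdev(series)

def precursor_events(series, onset, profile, k=3.0):
    """Time indices before onset where the key variable leaves the normal profile by > k sigma."""
    mu, sd = profile
    return [t for t, v in enumerate(series[:onset]) if abs(v - mu) > k * sd]

def extract_rule(attacks, profile, k=3.0):
    """Temporal rule for the scenario, kept only if a precursor preceded every attack dataset.
    Returns None when verification fails (some attack had no precursor), else the rule."""
    mu, sd = profile
    leads = []
    for series, onset in attacks:
        events = precursor_events(series, onset, profile, k)
        if not events:
            return None  # precursor did not consistently occur before the attack
        leads.append(onset - events[0])  # minutes between first precursor and onset
    return {"threshold": mu + k * sd, "min_lead": min(leads), "action": "rate-limit target"}

def monitor(stream, rule):
    """Network-management side: on the first sample crossing the precursor threshold,
    return (time index, protective action defined by the rule); None if nothing fires."""
    for t, v in enumerate(stream):
        if v > rule["threshold"]:
            return t, rule["action"]
    return None

if __name__ == "__main__":
    rule = extract_rule(ATTACKS, normal_profile(NORMAL))
    print(rule, monitor([20, 21, 61, 22], rule))
```

With the constructed data the rule verifies across all three attack captures with a minimum lead of three minutes, and a live stream with a single out-of-profile sample triggers the action while the attack-free series does not.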