WO2001031420A3 - Features generation for use in computer network intrusion detection - Google Patents

Features generation for use in computer network intrusion detection

Info

Publication number
WO2001031420A3
Authority
WO
WIPO (PCT)
Prior art keywords
users
feature
user
computer network
computer system
Prior art date
Application number
PCT/US2000/029490
Other languages
French (fr)
Other versions
WO2001031420A2 (en)
Inventor
Thanh A Diep
Sherif M Botros
Martin D Izenson
Original Assignee
Visa Int Service Ass
Priority date
Filing date
Publication date
Application filed by Visa Int Service Ass
Priority to AU29039/01A
Publication of WO2001031420A2
Publication of WO2001031420A3

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Abstract

Detecting harmful or illegal intrusions into a computer network, or into restricted portions of it, uses a features generator or builder to generate a feature reflecting changes in user and user-group behavior over time. Historical means and standard deviations for users and user groups are used to generate a feature that does not depend on rigid or static rule sets. These statistical and historical values are calculated by accessing user activity data that lists the activities performed by users on the computer system; historical information is then calculated from those activities. The feature is calculated from the historical information on the user's or group's activities, and a model then uses the feature to obtain a value or score indicating the likelihood of an intrusion into the computer network. The historical values are adjusted according to shifts in the normal behavior of the system's users, so that the calculated feature reflects the changing characteristics of those users.
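The abstract describes the feature in terms of historical means and standard deviations that track shifts in normal behaviour, but not the concrete arithmetic. The following is an added illustration, not code from the patent or its assignee: it scores each daily activity count as a z-score against both the user's own baseline and the user group's baseline, and keeps those baselines as exponentially weighted statistics so that they follow a sustained change in behaviour. The exponential weighting, the z-score form of the feature, the standard-deviation floor, the warm-up period, and the users `alice`/`bob`, the group `finance` and their daily counts are all assumptions constructed for the example.

```python
"""Behavioural feature generation: per-user and per-group z-scores against
exponentially weighted historical baselines (constructed example)."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RunningStats:
    """Exponentially weighted mean and variance of one activity measure.
    alpha sets how quickly the baseline follows a shift in normal behaviour
    (higher = faster adaptation, but a slow-moving attacker is also absorbed
    sooner). This weighting is an assumption; the patent does not fix a method."""
    alpha: float = 0.2
    n: int = 0
    mean: float = 0.0
    var: float = 0.0

    def update(self, x: float) -> None:
        if self.n == 0:
            self.mean = x
        else:
            delta = x - self.mean
            self.mean += self.alpha * delta
            self.var = (1.0 - self.alpha) * (self.var + self.alpha * delta * delta)
        self.n += 1

    @property
    def std(self) -> float:
        return math.sqrt(self.var)


class FeatureGenerator:
    """Turns one observed activity count into a (user_z, group_z) feature pair
    that a downstream scoring model could consume."""

    def __init__(self, alpha: float = 0.2, min_history: int = 5, std_floor: float = 1.0):
        self.alpha = alpha
        self.min_history = min_history   # no feature until a baseline exists
        self.std_floor = std_floor       # avoids dividing by ~0 for very regular users
        self.users: Dict[str, RunningStats] = {}
        self.groups: Dict[str, RunningStats] = {}

    def _zscore(self, x: float, stats: RunningStats) -> float:
        return (x - stats.mean) / max(stats.std, self.std_floor)

    def feature(self, user: str, group: str, value: float) -> Optional[Tuple[float, float]]:
        u = self.users.setdefault(user, RunningStats(self.alpha))
        g = self.groups.setdefault(group, RunningStats(self.alpha))
        # Score against history first, then fold the observation into the
        # baseline; scoring after updating would let a spike partly hide itself.
        feat = None
        if u.n >= self.min_history and g.n >= self.min_history:
            feat = (self._zscore(value, u), self._zscore(value, g))
        u.update(value)
        g.update(value)
        return feat


# Constructed daily "files accessed" counts for two members of one group.
# alice: steady ~10/day, one-day spike to 80, then a sustained new level of 30.
# bob:   steady ~50/day throughout.
ALICE: List[int] = [10, 12, 9, 11, 10, 13, 8, 11, 10, 12] * 2 + [80] + [30] * 25
BOB: List[int] = [50, 48, 53, 49, 51] * 4 + [50] * 26


def run_demo() -> Dict[str, List[Optional[Tuple[float, float]]]]:
    """Feed both users' counts day by day; return each user's feature series."""
    gen = FeatureGenerator(alpha=0.2, min_history=5)
    feats: Dict[str, List[Optional[Tuple[float, float]]]] = {"alice": [], "bob": []}
    for a, b in zip(ALICE, BOB):
        feats["alice"].append(gen.feature("alice", "finance", a))
        feats["bob"].append(gen.feature("bob", "finance", b))
    return feats


if __name__ == "__main__":
    series = run_demo()["alice"]
    for day in (19, 20, 21, 45):
        print(f"day {day:2d} count {ALICE[day]:3d} feature {series[day]}")
```

Two behaviours are worth watching in the output: on the spike day the user z-score is far larger than the group z-score, because 80 is unremarkable for the group once bob's counts are pooled in but extreme for alice, which is why the abstract keeps user and user-group statistics separately; and after alice settles at 30/day the user z-score decays back towards zero within a few weeks, which is the adaptation to shifting normal behaviour the abstract describes (and also the reason an analyst should keep an eye on how fast a baseline is allowed to move).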

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU29039/01A AU2903901A (en) 1999-10-25 2000-10-25 Features generation for use in computer network intrusion detection

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/427,176 US6671811B1 (en) 1999-10-25 1999-10-25 Features generation for use in computer network intrusion detection
US09/427,176 1999-10-25

Publications (2)

Publication Number Publication Date
WO2001031420A2 (en) 2001-05-03
WO2001031420A3 (en) 2001-12-13

Family

ID=23693793

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/029490 WO2001031420A2 (en) 1999-10-25 2000-10-25 Features generation for use in computer network intrusion detection

Country Status (3)

Country Link
US (1) US6671811B1 (en)
AU (1) AU2903901A (en)
WO (1) WO2001031420A2 (en)

Families Citing this family (87)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7073198B1 (en) 1999-08-26 2006-07-04 Ncircle Network Security, Inc. Method and system for detecting a vulnerability in a network
US6769066B1 (en) * 1999-10-25 2004-07-27 Visa International Service Association Method and apparatus for training a neural network model for use in computer network intrusion detection
US6957348B1 (en) 2000-01-10 2005-10-18 Ncircle Network Security, Inc. Interoperability of vulnerability and intrusion detection systems
WO2003050799A1 (en) * 2001-12-12 2003-06-19 International Business Machines Corporation Method and system for non-intrusive speaker verification using behavior models
US9280667B1 (en) 2000-08-25 2016-03-08 Tripwire, Inc. Persistent host determination
US7181769B1 (en) 2000-08-25 2007-02-20 Ncircle Network Security, Inc. Network security system having a device profiler communicatively coupled to a traffic monitor
US6944673B2 (en) * 2000-09-08 2005-09-13 The Regents Of The University Of Michigan Method and system for profiling network flows at a measurement point within a computer network
WO2002045380A2 (en) * 2000-11-30 2002-06-06 Lancope, Inc. Flow-based detection of network intrusions
US7290283B2 (en) 2001-01-31 2007-10-30 Lancope, Inc. Network port profiling
CA2436710C (en) 2001-01-31 2011-06-14 Lancope, Inc. Network port profiling
US7458094B2 (en) * 2001-06-06 2008-11-25 Science Applications International Corporation Intrusion prevention system
US7290266B2 (en) 2001-06-14 2007-10-30 Cisco Technology, Inc. Access control by a real-time stateful reference monitor with a state collection training mode and a lockdown mode for detecting predetermined patterns of events indicative of requests for operating system resources resulting in a decision to allow or block activity identified in a sequence of events based on a rule set defining a processing policy
EP1400061B1 (en) 2001-06-14 2012-08-08 Cisco Technology, Inc. Stateful distributed event processing and adaptive security
US7657935B2 (en) 2001-08-16 2010-02-02 The Trustees Of Columbia University In The City Of New York System and methods for detecting malicious email transmission
AUPR863001A0 (en) * 2001-11-01 2001-11-29 Inovatech Limited Wavelet based fraud detection
US7895326B2 (en) 2002-03-25 2011-02-22 Lancope, Inc. Network service zone locking
US7475426B2 (en) 2001-11-30 2009-01-06 Lancope, Inc. Flow-based detection of network intrusions
US7512980B2 (en) 2001-11-30 2009-03-31 Lancope, Inc. Packet sampling flow-based detection of network intrusions
US9306966B2 (en) 2001-12-14 2016-04-05 The Trustees Of Columbia University In The City Of New York Methods of unsupervised anomaly detection using a geometric framework
US7225343B1 (en) 2002-01-25 2007-05-29 The Trustees Of Columbia University In The City Of New York System and methods for adaptive model generation for detecting intrusions in computer systems
GB2387681A (en) * 2002-04-18 2003-10-22 Isis Innovation Intrusion detection system with inductive logic means for suggesting new general rules
US20040116102A1 (en) * 2002-12-17 2004-06-17 International Business Machines Corporation Heuristics for behavior based life support services
US7702916B2 (en) 2003-03-31 2010-04-20 Visa U.S.A. Inc. Method and system for secure authentication
US8296847B2 (en) * 2003-07-25 2012-10-23 Hewlett-Packard Development Company, L.P. Method of managing utilization of network intrusion detection systems in a dynamic data center
US7237267B2 (en) * 2003-10-16 2007-06-26 Cisco Technology, Inc. Policy-based network security management
US20050086529A1 (en) * 2003-10-21 2005-04-21 Yair Buchsbaum Detection of misuse or abuse of data by authorized access to database
WO2005059720A1 (en) * 2003-12-17 2005-06-30 Telecom Italia S.P.A. Method and apparatus for monitoring operation of processing systems, related network and computer program product therefor
US7584382B2 (en) * 2004-02-19 2009-09-01 Microsoft Corporation Method and system for troubleshooting a misconfiguration of a computer system based on configurations of other computer systems
US7392295B2 (en) 2004-02-19 2008-06-24 Microsoft Corporation Method and system for collecting information from computer systems based on a trusted relationship
US20050206513A1 (en) * 2004-03-17 2005-09-22 Fallon Kenneth T Voice remote command and control of a mapping security system
US7796596B2 (en) * 2004-08-03 2010-09-14 At&T Intellectual Property I, L.P. Methods, systems, and computer program products for producing, transporting, and capturing network traffic data
US7158022B2 (en) * 2004-10-29 2007-01-02 Fallon Kenneth T Automated diagnoses and prediction in a physical security surveillance system
US7874000B1 (en) * 2004-11-22 2011-01-18 Symantec Corporation Reducing false positives generated by a database intrusion detection system
WO2006056223A1 (en) * 2004-11-26 2006-06-01 Telecom Italia S.P.A. Instrusion detection method and system, related network and computer program product therefor
US8103624B2 (en) 2005-01-13 2012-01-24 International Business Machines Corporation Apparatus and method for automating the logging of table changes in a database
WO2006090354A1 (en) * 2005-02-27 2006-08-31 Insight Solutions Ltd. Detection of misuse of a database
US20060277294A1 (en) * 2005-06-07 2006-12-07 Dimitri Kanevsky Computer management system
US7814548B2 (en) 2005-09-13 2010-10-12 Honeywell International Inc. Instance based learning framework for effective behavior profiling and anomaly intrusion detection
US9467462B2 (en) * 2005-09-15 2016-10-11 Hewlett Packard Enterprise Development Lp Traffic anomaly analysis for the detection of aberrant network code
US9055093B2 (en) * 2005-10-21 2015-06-09 Kevin R. Borders Method, system and computer program product for detecting at least one of security threats and undesirable computer files
US8079080B2 (en) * 2005-10-21 2011-12-13 Mathew R. Syrowik Method, system and computer program product for detecting security threats in a computer network
US7856100B2 (en) * 2005-12-19 2010-12-21 Microsoft Corporation Privacy-preserving data aggregation using homomorphic encryption
US8601065B2 (en) * 2006-05-31 2013-12-03 Cisco Technology, Inc. Method and apparatus for preventing outgoing spam e-mails by monitoring client interactions
WO2007143011A2 (en) * 2006-05-31 2007-12-13 The Trustees Of Columbia University In The City Ofnew York Systems, methods, and media for generating bait information for trap-based defenses
US20070300300A1 (en) * 2006-06-27 2007-12-27 Matsushita Electric Industrial Co., Ltd. Statistical instrusion detection using log files
US8443443B2 (en) 2006-10-04 2013-05-14 Behaviometrics Ab Security system and method for detecting intrusion in a computerized system
US7949745B2 (en) * 2006-10-31 2011-05-24 Microsoft Corporation Dynamic activity model of network services
US20120084866A1 (en) * 2007-06-12 2012-04-05 Stolfo Salvatore J Methods, systems, and media for measuring computer security
US9009829B2 (en) * 2007-06-12 2015-04-14 The Trustees Of Columbia University In The City Of New York Methods, systems, and media for baiting inside attackers
US20090119170A1 (en) 2007-10-25 2009-05-07 Ayman Hammad Portable consumer device including data bearing medium including risk based benefits
US8423557B2 (en) * 2007-11-06 2013-04-16 International Business Machines Corporation Computer method and system for determining individual priorities of shared activities
US20090249433A1 (en) * 2008-03-28 2009-10-01 Janardan Misra System and method for collaborative monitoring of policy violations
US8707319B2 (en) * 2008-06-26 2014-04-22 Visa International Service Association Resource location verification by comparing and updating resource location with a location of a consumer device after a threshold of location mismatches is exceeded
US20100010776A1 (en) * 2008-07-10 2010-01-14 Indranil Saha Probabilistic modeling of collaborative monitoring of policy violations
US8326987B2 (en) * 2008-11-12 2012-12-04 Lin Yeejang James Method for adaptively building a baseline behavior model
US8572736B2 (en) * 2008-11-12 2013-10-29 YeeJang James Lin System and method for detecting behavior anomaly in information access
US8769684B2 (en) * 2008-12-02 2014-07-01 The Trustees Of Columbia University In The City Of New York Methods, systems, and media for masquerade attack detection by monitoring computer user behavior
EP2425365A4 (en) * 2009-04-30 2016-08-24 Ericsson Telefon Ab L M Deviating behaviour of a user terminal
US8528091B2 (en) * 2009-12-31 2013-09-03 The Trustees Of Columbia University In The City Of New York Methods, systems, and media for detecting covert malware
US9560206B2 (en) * 2010-04-30 2017-01-31 American Teleconferencing Services, Ltd. Real-time speech-to-text conversion in an audio conference session
US8881289B2 (en) 2011-10-18 2014-11-04 Mcafee, Inc. User behavioral risk assessment
US8776228B2 (en) * 2011-11-22 2014-07-08 Ca, Inc. Transaction-based intrusion detection
US9038180B2 (en) 2012-03-22 2015-05-19 Los Alamos National Security, Llc Using new edges for anomaly detection in computer networks
US8938796B2 (en) 2012-09-20 2015-01-20 Paul Case, SR. Case secure computer architecture
US9961096B1 (en) 2013-09-17 2018-05-01 Cisco Technology, Inc. Distributed behavior based anomaly detection
GB2529150B (en) 2014-08-04 2022-03-30 Darktrace Ltd Cyber security
US9754106B2 (en) * 2014-10-14 2017-09-05 Symantec Corporation Systems and methods for classifying security events as targeted attacks
SG11201703164RA (en) 2014-10-21 2017-05-30 Ironnet Cybersecurity Inc Cybersecurity system
US9774613B2 (en) 2014-12-15 2017-09-26 Sophos Limited Server drift monitoring
GB2554159B8 (en) * 2014-12-15 2021-11-03 Sophos Ltd Monitoring variations in observable events for threat detection
WO2016138400A1 (en) 2015-02-27 2016-09-01 Cisco Technology, Inc. System and methods for computer network security involving user confirmation of network connections
GB2547202B (en) 2016-02-09 2022-04-20 Darktrace Ltd An anomaly alert system for cyber threat detection
GB2547201B (en) 2016-02-09 2022-08-31 Darktrace Holdings Ltd Cyber security
US9910993B2 (en) 2016-07-14 2018-03-06 IronNet Cybersecurity, Inc. Simulation and virtual reality based cyber behavioral systems
US11194915B2 (en) 2017-04-14 2021-12-07 The Trustees Of Columbia University In The City Of New York Methods, systems, and media for testing insider threat detection systems
CN107426217B (en) * 2017-07-27 2019-10-18 郑州云海信息技术有限公司 A kind of method and device of detection system invasion
SG11202002802TA (en) * 2017-09-26 2020-04-29 Jpmorgan Chase Bank Na Cyber security enhanced monitoring
US11477222B2 (en) 2018-02-20 2022-10-18 Darktrace Holdings Limited Cyber threat defense system protecting email networks with machine learning models using a range of metadata from observed email communications
US11924238B2 (en) 2018-02-20 2024-03-05 Darktrace Holdings Limited Cyber threat defense system, components, and a method for using artificial intelligence models trained on a normal pattern of life for systems with unusual data sources
US11463457B2 (en) 2018-02-20 2022-10-04 Darktrace Holdings Limited Artificial intelligence (AI) based cyber threat analyst to support a cyber security appliance
AU2019201137B2 (en) 2018-02-20 2023-11-16 Darktrace Holdings Limited A cyber security appliance for a cloud infrastructure
US10986121B2 (en) 2019-01-24 2021-04-20 Darktrace Limited Multivariate network structure anomaly detector
US11392469B2 (en) * 2019-06-20 2022-07-19 Microsoft Technology Licensing, Llc Framework for testing machine learning workflows
IL276972A (en) 2019-08-29 2021-03-01 Darktrace Ltd An intelligent adversary simulator
US20210273957A1 (en) 2020-02-28 2021-09-02 Darktrace Limited Cyber security for software-as-a-service factoring risk
US11636391B2 (en) 2020-03-26 2023-04-25 International Business Machines Corporation Automatic combinatoric feature generation for enhanced machine learning
CN111865941B (en) * 2020-07-03 2022-12-27 北京天空卫士网络安全技术有限公司 Abnormal behavior identification method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5375244A (en) * 1992-05-29 1994-12-20 At&T Corp. System and method for granting access to a resource
US5557686A (en) * 1993-01-13 1996-09-17 University Of Alabama Method and apparatus for verification of a computer user's identification, based on keystroke characteristics
US5621889A (en) * 1993-06-09 1997-04-15 Alcatel Alsthom Compagnie Generale D'electricite Facility for detecting intruders and suspect callers in a computer installation and a security system including such a facility
US5825750A (en) * 1996-03-29 1998-10-20 Motorola Method and apparatus for maintaining security in a packetized data communications network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6336138B1 (en) * 1998-08-25 2002-01-01 Hewlett-Packard Company Template-driven approach for generating models on network services

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Lunt, T. F. et al.: "Knowledge-based intrusion detection", Proceedings of the Annual Artificial Intelligence Systems in Government Conference, Washington, US, IEEE Comp. Soc. Press, vol. conf. 4, pages 102-107, XP000040018 *

Also Published As

Publication number Publication date
WO2001031420A2 (en) 2001-05-03
AU2903901A (en) 2001-05-08
US6671811B1 (en) 2003-12-30

Similar Documents

Publication Publication Date Title
WO2001031420A3 (en) Features generation for use in computer network intrusion detection
CN101395843B (en) Digital rights management using trusted time
CN103077356A (en) Protecting and tracking method for primary information of mobile terminal based on user behavior pattern
WO2001001627A3 (en) Server-assisted regeneration of a strong secret from a weak secret
WO1998011478A3 (en) A biometric based method for software distribution
WO2003090046A3 (en) Intrusion detection system
WO2002022223A3 (en) Transaction signature
WO2001027759A3 (en) Rules-based notification system
WO2004040410A3 (en) Password encryption key
WO2001046787A3 (en) Method of authenticating users of software
CN103294939A (en) Virtual avatar authentication method and system
CN109616114A (en) System, configuration method and the encryption method of intelligent terminal voice encryption
CN110234044A (en) A kind of voice awakening method, voice Rouser and earphone
CN101552780A (en) Verification method and verification device
CN106529235A (en) Unlocking method and terminal
Zhang et al. Using AI to attack VA: a stealthy spyware against voice assistances in smart phones
CN104363087A (en) Encryption and decryption method and device
CN106203092A (en) Method and device for intercepting shutdown of malicious program and electronic equipment
WO2009023683A2 (en) Methods and systems for transmitting a data attribute from an authenticated system
CN101908091A (en) Network server, system and method for reconnecting disconnected network game
CN105022965B (en) A kind of data ciphering method and device
CA2402934A1 (en) Method and system for generating a sequence number to be used for authentication
US20220407710A1 (en) Systems and methods for protecting identity metrics
CN107958143A (en) A kind of pushed information methods of exhibiting, device, computer installation and storage medium
CN106407098B (en) Application program state monitoring method and device

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 EP: the EPO has been informed by WIPO that EP was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (PCT application filed before 20040101)
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 EP: PCT application non-entry in European phase
NENP Non-entry into the national phase

Ref country code: JP