Hill et al.

US006088804A
[11] Patent Number: 6,088,804
[45] Date of Patent: Jul. 11, 2000

[54] ADAPTIVE SYSTEM AND METHOD FOR RESPONDING TO COMPUTER NETWORK SECURITY ATTACKS

[75] Inventors: Douglas W. Hill, Scottsdale; James T. Lynn, Mesa, both of Ariz.

[73] Assignee: Motorola, Inc., Schaumburg, Ill.

[21] Appl. No.: 09/006,056

[22] Filed: Jan. 12, 1998

[51] Int. Cl.7 ............................... G06F 11/30; H04L 9/00
[52] U.S. Cl. ........................... 713/201; 713/200; 713/201
[58] Field of Search ..................................... 713/201, 200; 714/38, 47, 48, 57; 380/4

[56] References Cited

U.S. PATENT DOCUMENTS

5,062,147 10/1991 Pickett et al. ............................. 714/57
5,237,677 8/1993 Hirosawa et al. ........................ 714/57
5,414,833 5/1995 Hershey et al. .......................... 713/201
5,440,723 8/1995 Arnold et al. .............................. 714/2
5,452,442 9/1995 Kephart ....................................... 380/4
5,491,791 2/1996 Glowny et al. ........................... 714/47
5,511,163 4/1996 Lerche et al. ............................. 714/39

FOREIGN PATENT DOCUMENTS

WO 93/22723 3/1993 WIPO .

OTHER PUBLICATIONS

Doumas et al. Design of a Neural Network for Recognition and Classification of Computer Viruses. pp. 435-448, 1995.
Tesauro et al. Neural networks for computer virus recognition. pp. 5-6, Aug. 1996.

Primary Examiner-Ly V. Hua
Attorney, Agent, or Firm-Gregory J. Gorrie

[57] ABSTRACT

A dynamic network security system (20) responds to a security attack (92) on a computer network (22) having a multiplicity of computer nodes (24). The security system (20) includes a plurality of security agents (36) that concurrently detect occurrences of security events (50) on associated computer nodes (24). A processor (40) processes the security events (50) that are received from the security agents (36) to form an attack signature (94) of the attack (92). A network status display (42) displays multi-dimensional attack status information representing the attack (92) in a two dimensional image to indicate the overall nature and severity of the attack (92). The network status display (42) also includes a list of recommended actions (112) for mitigating the attack. The security system (20) is adapted to respond to a subsequent attack that has a subsequent signature most closely resembling the attack signature (94).

19 Claims, 6 Drawing Sheets
`
[Front-page figure (reduced FIG. 1): block diagram of dynamic network security system 20 (dashed outline) within computer network 22, showing network status display 42, SOM processor 40, main server 34, high speed links 32, area servers 30, security agents 36, digital links 28 and nodes 24.]
`Ex.1006
`CISCO SYSTEMS, INC. / Page 1 of 14
`
`
`
[FIG. 1 (Sheet 1 of 6): block diagram of dynamic network security system 20 (dashed outline) in computer network 22. Each node 24 contains a computer device 26 and a security agent 36; nodes connect over digital links 28 to area servers 30, which connect over high speed links 32 to main server 34. Communication link 38 carries agent data to SOM processor 40, which drives network status display 42.]
`
`
`
U.S. Patent Jul. 11, 2000 Sheet 2 of 6 6,088,804

[FIG. 2: flowchart of system training process 44. Task 46: access database for a simulated attack having a training signature. Task 62: perform simulated attack. Task 64: map training signature into display cell of display map. Query task: if YES (another simulated attack), the process repeats; otherwise EXIT.]
`
`
`
FIG. 3 (Sheet 3 of 6): exemplary database 48 of simulated attacks 52. Each row is a training signature 53 listing, per security event type 56, the percentage of security events per type 58 and location identifiers 60, with an attack severity 61. Values as drawn (location identifiers 60 form a further column whose entries are not legible in the drawing):

                                  destructive  snooping          Trojan  FTP      over-
                                  virus        virus     worm    horse   request  load   severity
Simulated attack 1 (55;
  training signature 54)           .2           15        0       .1      5        .05    MEDIUM
Simulated attack 2                 .5           1.7       .01     .2      .05      1.2    LOW
Simulated attack 3                 ...          ...       ...     ...     ...      ...    ...
  ...
Simulated attack n                 25           12        .2      .4      1.2      .05    HIGH
`
`
`
[FIG. 4 (Sheet 4 of 6): display map 66 divided into display cells 68 (cells 68', 68", 68"' marked), with center region 70, middle region 72 and subregions 76 (76', 76", 76"'); attack 92 is marked on the map.]

[FIG. 6 (Sheet 4 of 6): table 90 of informational elements of attack 92: security event type 56 (destructive virus, snooping virus, worm, Trojan horse, FTP request, overload), security events per type % 96 (.25, 15, 0, .1, 5, .05) and location identifiers 60, together forming attack signature 94.]
`
`
`
FIG. 5 (Sheet 5 of 6): flowchart of attack response process 80:
  82  Detect and repulse security events
  86  Receive notification from nodes
  88  Receive attack signature
  98  Compile attack status information
  100 Compare attack signature to training signature
  102 Select a most closely resembling training signature
  104 Generate a mitigation list
  106 Display attack status information and mitigation list
  114 Mitigate attack
  116 Predict a pattern and adapt system to respond to a subsequent attack
`
`
`
`00 = "'-'
`.... = 00
`
`....
`00
`
`0--,
`
`O'I
`
`0 ....,
`~ ....
`'JJ. =(cid:173)~
`
`O'I
`
`~
`
`0
`0
`0
`N
`'"""' ~
`'"""'
`~
`
`~ = ......
`~ ......
`~
`•
`r:JJ.
`d •
`
`60
`NODE/ TYPE A TT ACK ADDITIONAL INFORMATION J
`SECURITY EVENT,TYPE AND LOCATION
`
`zzzzzzzzzz
`zzzzzzzzzz
`zzzzzzzzzz
`zzzzzzzzzz
`zzzzzzzzzz
`zzzzzzzzzz
`zzzzzzzzzz
`
`I xxxx YYYY
`I xxxx YYYY
`# xxxx yyyy
`# xxxx yyyy
`I xxxx YYYY
`I xxxx YYYY
`xxxx yyyy
`
`92
`
`108
`
`24
`
`76
`
`F
`
`DISPLAY MAP
`
`E
`
`76
`
`F JG. 7
`
`42
`
`68
`
`xx XX X XX X XX X XX X XX X XX X XX X XX X XX X
`-------------------
`xx XX X XX X XX X XX X XX X XX X XX X XX X XX X
`-------------------
`xx XX X XX X XX X XX X XX X XX X XX X XX X XX X
`-------------------
`xx XX X XX X XX X XX X XX X XX X XX X XX X XX X
`-------------------
`xx XX X XX X XX X XX X XX X XX X XX X XX X XX X
`-------------------
`xx XX X XX X XX X XX X XX X XX X XX X XX X XX X
`-------------------
`xx XX X XX X XX X XX X XX X XX X XX X XX X XX X
`-------------------
`xx XX X XX X XX X XX X XX X XX X XX X XX X XX X
`-------------------
`XX XX X XX X XX X XX X XX X XX X XX X XX X XX X
`XX XX X XX X XX X XX X XX X XX X XX X XX X XX X
`XX XX X XX X XX X XX X XX X XX X XX X XX X XX X
`
`V
`
`l::,.
`
`xxx XX XX X XX XX XX XX XX XXX X XXX X XXXX
`XXX XX XX X XX XX XX XX XX XXX X XXX X XXXX
`XXX XX XX X XX XX XX XX XX XXX X XXX X XXXX
`XXX XX XX X XX XX XX XX XX XXX X XXX X XXXX
`XXX XX XX X XX XX XX XX XX XXX X XXX X XXXX
`XXX XX XX X XX XX XX XX XX XXX X XXX X XXXX
`xxx XX XX X XX XX XX XX XX XXX X XXX X XXXX
`XXX XX XX X XX XX XX XX XX XXX X XXX X XXXX
`XXX XX XX X XX XX XX XX XX XXX X XXX X XXXX
`ATTACK SIGNATURES
`
`--
`
`-----
`-----
`
`--
`
`-----
`
`.,,.110
`
`76
`
`ATTACK MITIGATION LIST
`
`76
`
`B
`
`C
`
`D
`
`Ex.1006
`CISCO SYSTEMS, INC. / Page 7 of 14
`
`
`
`6,088,804
`
`1
`ADAPTIVE SYSTEM AND METHOD FOR
`RESPONDING TO COMPUTER NETWORK
`SECURITY ATTACKS
`
`FIELD OF THE INVENTION
`
`The present invention relates generally to computer
`networks, and more particularly to systems and methods for
`adaptively responding to computer network security attacks.
`
`BACKGROUND OF THE INVENTION
`
`2
`node or set of nodes and one or more of the communication
`paths network modeling tools can simulate the effects of a
`successful attack. Also, additional load can be generated to
`simulate the messaging that might result from an attack,
`5 successful or not. Through these methods, the network
`administrator can gain some knowledge of the robustness of
`his or her design and validate some mitigation approaches.
`Unfortunately, a shortcoming of network modeling tools is
`that they cannot be used in a dynamic manner to display the
`10 current status of a network. Rather, they only display the
`entries from some network description data base.
`Static analyzers are tools that may be used by a network
`manager to simulate an attack against his own network.
`Static analyzers can probe for network weaknesses by
`15 simulating certain types of security events that make up an
`attack. Other tools can test user passwords for suitability and
`security. There are also tools that can search for known types
`of security events in the form of malicious programs such as
`viruses, worms, and Trojan horses. Unfortunately, these
`20 tools either test the integrity of the network, or identify a
`security event after it has occurred. They do not provide an
`immediate response in the case of an attack made up of
`several security events of differing types.
`Dynamic analyzers are tools that are used to monitor
`25 networks and respond at the time of the attack. Dynamic
`analyzers typically look for specific actions that signify an
`attack or compare user actions to previously stored statistics
`to identify significant changes. They also provide messages
`to the network manager when they sense a possible security
`30 event. However, this latter mechanism leads to a significant
`problem for network capacity if the number of security
`events were so large that the trouble message for an attack
`consumes all or a significant portion of the available band(cid:173)
`width. Another problem with dynamic analyzers is that they
`35 work primarily on a nodal basis. Thus, they are unable to
`amalgamate the security events occurring at a multiplicity of
`nodes in a computer network to obtain a network view of an
`attack. So dynamic analyzers may miss the significance of a
`coordinated series of low level security events at multiple
`40 nodes. Also, because of their nodal orientation, their reports
`tend to be presented as lists of data that can be difficult to
`evaluate quickly in the event of a large scale attack, or an
`attack that involves many security events at many nodes.
`Thus, what is needed is a system and a method that has the
`capability of providing a network view of an attack as the
`attack is occurring. Furthermore, what is needed is a system
`and method for displaying attack information in a usable and
`quickly interpretable form to a network manager while
`minimizing the loading on the computer network. If an
`attack occurs at a time of stress, a network manager may be
`overwhelmed with both responding to an attack and provid(cid:173)
`ing operational control and messages through the network.
`Thus, what is needed is a system and a method that provides
`55 a network manager with knowledge of the severity and
`overall nature of the attack, what its expected impact could
`be, and a set of recommended actions. In addition, what is
`needed is a system and method that has the ability to evolve
`with evolving threats to effectively mitigate new approaches
`to network attacks.
`
`Network security management is becoming a more diffi(cid:173)
`cult problem as networks grow in size and become a more
`integral part of organizational operations. Attacks on net(cid:173)
`works are growing both due to the intellectual challenge
`such attacks represent for hackers and due to the increasing
`payoff for the serious attacker. Furthermore, the attacks are
`growing beyond the current capability of security manage(cid:173)
`ment tools to identify and quickly respond to those attacks.
`As various attack methods are tried and ultimately repulsed,
`the attackers will attempt new approaches with more subtle
`attack features. Thus, maintaining network security is
`on-going, ever changing, and an increasingly complex prob(cid:173)
`lem.
`Computer network attacks can take many forms and any
`one attack may include many security events of different
`types. Security events are anomalous network conditions
`each of which may cause an anti-security effect to a com(cid:173)
`puter network. Security events include stealing confidential
`or private information; producing network damage through
`mechanisms such as viruses, worms, or Trojan horses;
`overwhelming the network's capability in order to cause
`denial of service, and so forth.
`The first line of defense against all of these types of
`security events is typically the denial of access through good
`passwords and strong firewalls at the nodal level of a
`computer network. However, one of the unintended conse(cid:173)
`quences of security systems that defeat attempts to steal
`information or produce network damage and report the
`status is that repelling a large scale attack may lead to such
`a large number of trouble messages as to overwhelm the
`network and lead to denial of service simply by the volume
`of messages.
`A large network is likely to concurrently experience 45
`security events at some or multiple nodes on a frequent
`basis. Many of these security events are likely to be of low
`sophistication and easily repulsed by the protection software
`and systems at the affected nodes. Thus, real-time reporting
`of these security events can be counter productive when the 50
`reporting uses large amounts of bandwidth. However, a
`coordinated series of even low sophistication security events
`may indicate a real problem that must be addressed to
`maintain the network's capability and effectiveness.
`Some conventional security management tools available
`to a network manager for determining the effects of attacks
`fall into three categories, network modelers, static analyzers
`and testers, and dynamic analyzers.
`Network modeling tools are popular for the original
`design and updating of networks. They typically are con(cid:173)
`figured with various communication protocols and node
`types and can depict the hierarchy of the network along with
`symbols for the various types of nodes in the network. They
`also have load generation modules to help the designer
`arrive at the needed capacity on the nodes and transmission 65
`paths. Network modeling tools are used to answer "what if"
`types of analysis questions. For example, by eliminating a
`
`60
`
`SUMMARY OF THE INVENTION
`
`The present invention provides, among other things, a
`method of operating a dynamic network security system to
`respond to a plurality of attacks on a computer network. In
`one embodiment, the method comprises the steps of training
`the security system to respond to a plurality of training
`
`
`
`
`6,088,804
`
`4
`FIG. 7 shows the network status display in accordance
`with a preferred embodiment of the present invention.
`
`3
`signatures, each of the training signatures representing one
`of a plurality of simulated attacks, receiving a first attack
`signature, the first attack signature being configured to
`characterize a first one of the plurality of attacks, comparing
`the first attack signature to each of the training signatures to 5
`determine which of the training signatures most closely
`matches the first attack signature, displaying attack status
`information in a network status display in response to the
`first attack signature and a most closely matching training
`signature and adapting the security system to respond to a
`second one of the plurality of attacks, the second attack
`being characterized by a second attack signature that
`resembles the first attack signature. The adapting step, in one
`embodiment, comprises the steps of introducing the first
`attack signature to the security system as a new training
`signature, and mapping the new training signature into the 15
`network status display.
`The present invention, in another embodiment, provides a
`dynamic network security system for responding to a secu(cid:173)
`rity attack on a computer network. The computer network
`has a multiplicity of computer nodes. The system comprises 20
`a plurality of security agents configured to concurrently
`detect occurrences of security events on associated ones of
`the computer nodes, the security events characterizing the
`attack, a processor in data communication with the security
`agents and configured to process the security events to form 25
`an attack signature, and a network status display in com(cid:173)
`munication with the processor and configured to display
`attack status information in response to the attack signature,
`the attack status information being representative of the
`attack. In one embodiment, the processor is trained to 30
`respond to a plurality of training signatures, each of the
`training signatures representing one of a plurality of simu(cid:173)
`lated attacks, and the processor is further configured to
`compare the attack signature to each of the training signa(cid:173)
`tures to determine which of the simulated attacks most 35
`closely matches the attack. The network status display
`presents a display map divided into a plurality of display
`cells and each of the training signatures is mapped into the
`display cells prior to the attack. The display cells are divided
`into a plurality of regions, the regions being configured to 40
`indicate an attack type and severity of the attack.
`
`10
`
`DETAILED DESCRIPTION OF THE DRAWINGS
`FIG. 1 shows a block diagram of a dynamic network
`security system 20 in a computer network 22 in accordance
`with a preferred embodiment of the present invention.
`Security system 20 is represented by a dashed line to
`illustrate that system 20 may be incorporated into an already
`existing network.
`Computer network 22 includes a plurality of nodes 24. A
`computer device 26 is located at each of nodes 24. Computer
`device 26 may be a personal computer workstation or any
`other peripheral microprocessor based system. Nodes 24 are
`connected via conventional digital links 28 through area
`servers 30. In turn, area servers 30 are linked via conven(cid:173)
`tional high speed digital links 32 to a main server 34.
`For clarity of illustration, network 22 is shown with a
`small number of nodes 24, area servers 30, and digital links
`28. However, those skilled in the art will recognize that
`many computer networks have a multiplicity of nodes that
`are arranged in a far more complicated hierarchical order.
`Furthermore, computer network 22 need not be located in
`one geographical location, for example in a single building
`or town. Rather computer network 22 may include nodes 24
`that are located remotely from one another, for example in
`two or more different states or countries. In such a case,
`remotely located nodes 24 may still be related closely to one
`another in the hierarchical order of network 22.
`Dynamic network security system 20 includes a plurality
`of security agents 36 each of which is associated with one or
`more nodes 24. Security agents 36 are configured to con(cid:173)
`currently detect occurrences of security events ( discussed
`below) on associated computer nodes 24. Security agents 36
`are software programs located at nodes 24 and area servers
`30 that identify security events as they appear at the nodal
`level. Security events may include port scans, malicious
`software, penetration attempts, and others that are identified
`through either a specific code signature or through actions or
`attempts at actions.
`Security system 20 functions in conjunction with existing
`technologies for intrusion detection and other network attack
`recognition techniques. Most security events are defeated at
`45 the node level by the existing technologies such as by
`protection software and systems like firewalls and filters.
`However, of a greater concern are those security events that
`through cleverness or brute force pass beyond the first lines
`of defense into the interior of the network. Security system
`50 20 is configured to recognize and mitigate the effects of the
`security events that pass beyond the first lines of defense
`provided by the existing technologies.
`Data about security events is collected by security agents
`36 and transmitted via links 28, links 32, and a communi-
`55 cation link 38 to a processor 40. In a preferred embodiment,
`processor 40 is a self-organizing map (SOM) processor
`which applies a category of artificial neural network (ANN)
`technology. In another preferred embodiment, processor 40
`is a linear vector quantization (LVQ) processor which
`60 applies a category of artificial neural network (ANN) tech(cid:173)
`nology.
`ANNs attempt to process data in a manner reminiscent of
`the brain, in that they are given examples of desired behavior
`rather than algorithms. Thus, the most successful applica(cid:173)
`tions of ANNs have been in areas where the specific steps to
`reach a desired result are not known. By sufficient training,
`the ANN begins to identify the important pieces of data and
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`A more complete understanding of the present invention
`may be derived by referring to the detailed description and
`claims when considered in connection with the Figures,
`wherein like reference numbers refer to similar items
`throughout the Figures, and:
`FIG. 1 shows a block diagram of a dynamic network
`security system in a computer network in accordance with a
`preferred embodiment of the present invention;
`FIG. 2 shows a flowchart of a system training subprocess
`in accordance with a preferred embodiment of the present
`invention;
`FIG. 3 shows an exemplary database of simulated attack
`information for a plurality of simulated attacks in accor(cid:173)
`dance with a preferred embodiment of the present invention.
`FIG. 4 shows a display map which forms a portion of a
`network status display in accordance with a preferred
`embodiment of the present invention;
`FIG. 5 shows a flowchart of an attack response process
`performed by the dynamic network security system in
`accordance with a preferred embodiment of the present
`invention;
`FIG. 6 shows a table 90 of informational elements of a 65
`first attack having a first attack signature in accordance with
`a preferred embodiment of the present invention; and
`
`
`
`
`6,088,804
`
`25
`
`5
`the correlations that allow it to reach the correct conclusion.
`Thus, SOM processor 40 has the ability to be trained to
`respond to various types of input data, the training can be
`ongoing, and network 22 can change responses to the attack
`as the type of attack changes. SOM processors are known to
`those skilled in the art.
`SOM processor 40 is configured to process security
`events to form an attack signature (discussed below). A
`network status display 42 is in communication with SOM
`processor 40. Network status display 42 is configured to 10
`display attack status information representative of an attack
`in response to the attack signature. Furthermore, network
`status display 42 in cooperation with SOM processor 40 is
`configured to display multi-dimensional data in a two
`dimensional image (discussed below).
`SOM processor 40 and status display 42 may be incor(cid:173)
`porated into the processing and display capabilities of main
`server 34. Alternatively, SOM processor 40 and network
`status display 42 may form a separate microprocessor-based
`workstation for use by a network manager.
`FIG. 2 shows a flowchart of a system training process 44
`in accordance with a preferred embodiment of the present
`invention. As is conventional for systems that apply ANNs,
`dynamic network security system 20 (FIG. 1) is trained
`before system 20 is used to respond to attacks.
`Process 44 begins with a task 46 which accesses a
`database of simulated attacks. For clarity of illustration,
`FIG. 3 shows an exemplary database 48 of simulated attack
`information for a plurality of simulated attacks 52 in accor(cid:173)
`dance with a preferred embodiment of the present invention.
`For purposes of this description, an attack is defined as a
`plurality of security events 50 occurring substantially con(cid:173)
`currently in a given sampling period at a plurality of nodes
`24 (FIG. 1). The sampling period is an arbitrary amount of
`time that is of a sufficient length to receive enough security
`events to form an attack signature (discussed below) for an
`attack.
`Each of simulated attacks 52 is a prediction of an attack
`type (discussed below) that may occur on network 22.
`Simulated attacks 52 are generated by an operator and stored
`in database 48. These predictions may be developed using
`network modeling tools or static analyzers and are based on
`historical data, attack trends, perceived threats, network
`hierarchy, and so forth.
`Training signatures 53 for simulated attacks 52 are
`defined by a plurality of security events 50 of at least one
`security event type 56 in this example. Security events 50
`are presented in database 48 in a column 58 as a percentage
`of security events per event type. In other words, column 58
`represents the numbers ofnodes 24 (FIG. 1) affected by each
`of security event types 56. A simulated attack includes at
`least one of security event types 56, but more realistically a
`simulated attack constitutes several security event types 56
`as illustrated in first simulated attack 55. Each of security
`event types 56 are capable of causing an anti-security effect
`on computer network 22. In other words, the attacker is
`performing an unauthorized action on network 22. In this
`example, security event types 56 include destructive virus,
`snooping virus, worm, Trojan horse, FTP requests, and
`network overload. However, those skilled in the art will
`recognize that security event types may include these and/or
`additional evolving types of security events relative to the
`computer network for which dynamic network security
`system 20 (FIG. 1) is used.
`In addition to security event types 56 and percentage of
`security events 50 per event type in column 58, training
`
`6
`signatures 53 include location identifiers 60. Location iden(cid:173)
`tifiers 60 identify the nodes 24 in network 22 where security
`events may take place. Location identifiers 60 are important
`for ascertaining an attack severity 61 for each of simulated
`5 attacks 52. Attack severity 61 is a level of security breach
`that one of simulated attacks 52 could cause computer
`network 22. The greater attack severity 61, the more dam(cid:173)
`aging the security breach would be.
`Due to the complexity of the hierarchical order of a
`computer network having thousands of nodes, certain
`related nodes that are affected by simulated attacks 52 may
`result in greater overall negative impact or security breach to
`computer network 22 (FIG. 1) thus increasing the severity of
`simulated attacks 52. In database 48, attack severity 61 for
`15 each of simulated attacks 52 is shown as low, medium, or
`high. However, those skilled in the art will recognize that
`attack severity 61 may be categorized in many different
`forms. Generally, attacks which impact a greater number of
`nodes and nodes located higher in the network hierarchy,
`20 such as servers, will be considered to be more severe than
`attacks that impact only isolated workstations, but that is not
`a requirement.
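An added example (not code from the patent or from Motorola) of how a processor could build the column 58 and column 60 parts of a signature from the reports of many security agents in one sampling period, and rate severity 61 along the lines the paragraph above gives. The node inventory, the agent reports and the severity weights are constructed for illustration, and the severity scoring rule is an assumption, not the patent's.

```python
"""Build an attack signature from security agent reports for one sampling
period.  Added example, not code from the patent or from Motorola: the node
inventory, the agent reports and the severity weights are constructed."""
from collections import defaultdict

# Security event types 56 from the patent's exemplary database (FIG. 3).
EVENT_TYPES = ("destructive virus", "snooping virus", "worm",
               "trojan horse", "ftp request", "overload")

# Constructed inventory of nodes 24: node id -> hierarchy level
# (assumption: 0 = workstation, 1 = area server 30, 2 = main server 34).
NODES = {f"ws{i:02d}": 0 for i in range(1, 21)}
NODES.update({"area1": 1, "area2": 1, "main": 2})

# Constructed reports from security agents 36 in one sampling period, as
# (node id, event type).  ws03 reports the same type twice; it still counts
# as one affected node.
EVENTS = [
    ("ws01", "snooping virus"), ("ws02", "snooping virus"),
    ("ws03", "snooping virus"), ("ws03", "snooping virus"),
    ("ws07", "snooping virus"), ("area1", "snooping virus"),
    ("ws05", "ftp request"), ("ws09", "ftp request"),
    ("ws11", "trojan horse"),
]


def build_signature(events, nodes, event_types=EVENT_TYPES):
    """Return (percent_per_type, locations).

    percent_per_type follows column 58: for each event type, the percentage of
    nodes on which that type was seen.  locations follows column 60: the
    affected node ids per type.  Reports from nodes outside the inventory or
    of unknown types are rejected rather than counted."""
    affected = defaultdict(set)
    for node, etype in events:
        if node not in nodes:
            raise ValueError(f"report from unknown node {node!r}")
        if etype not in event_types:
            raise ValueError(f"unknown event type {etype!r}")
        affected[etype].add(node)
    total = len(nodes)
    percent = {t: round(100.0 * len(affected[t]) / total, 2) for t in event_types}
    locations = {t: sorted(affected[t]) for t in event_types if affected[t]}
    return percent, locations


def severity(locations, nodes, weights=(1, 5, 20), low=5, high=25):
    """Rate attack severity 61 as 'low', 'medium' or 'high'.

    Assumed scoring, not the patent's rule: every affected node contributes
    the weight of its hierarchy level, so a hit on a server outweighs hits on
    isolated workstations, as the description suggests."""
    hit = {n for locs in locations.values() for n in locs}
    score = sum(weights[nodes[n]] for n in hit)
    if score < low:
        return "low"
    return "high" if score >= high else "medium"


def signature_vector(percent, event_types=EVENT_TYPES):
    """Order the percentages as the input vector a SOM processor would take."""
    return [percent[t] for t in event_types]


if __name__ == "__main__":
    pct, locs = build_signature(EVENTS, NODES)
    print(signature_vector(pct))   # one vector instead of len(EVENTS) alerts
    print(locs)
    print(severity(locs, NODES))
```

Sending one signature per sampling period instead of one trouble message per event is what keeps the reporting channel from consuming bandwidth during a large attack, the problem the background section raises, while still exposing a coordinated series of low-level events across nodes that a per-node view would miss. The inventory check rejects reports from nodes the processor does not know, so a report from an unexpected source cannot inflate a percentage unnoticed.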
With reference back to FIG. 2, following accessing task 46, a task 62 performs first simulated attack 55 (FIG. 3) having a first training signature 54 on computer network 22 (FIG. 1). Those skilled in the art will recognize that first simulated attack 55 is not launched against nodes 24 (FIG. 1) of computer network 22, but rather first simulated attack 55 is input into dynamic network security system 20 (FIG. 1) so that SOM processor 40 (FIG. 1) can receive and process the attack information.

In response to performing first simulated attack 55 in task 62, a task 64 causes SOM processor 40 to map first training signature 54 into network status display 42 (FIG. 1). FIG. 4 shows a display map 66 which forms a portion of network status display 42 in accordance with a preferred embodiment of the present invention. Display map 66 is divided into a plurality of display cells 68, and each of display cells 68 is mathematically represented by a code vector.

A conventional self-organizing map algorithm, such as a learning vector quantization algorithm, employed by SOM processor 40 (FIG. 1) is a variant of a known self-organizing map algorithm of a type of artificial neural network technology. The self-organizing map algorithm plots a vector representative of first training signature 55 onto the two dimensional array of display cells 68 in such a way that vectors projected onto adjacent display cells 68 are more similar than vectors projected onto distant display cells 68. In other words, simulated attacks that most closely resemble one another are mapped into display cells 68 that are physically close to one another in display map 66.

Display map 66 includes a center region 70, a middle region 72, and an outer region 74. In the preferred embodiment, display cells 68 within center region 70 represent a computer network under an attack of low severity, display cells in middle region 72 represent a computer network under an attack of medium severity, and display cells in outer region 74 represent a computer network under an attack of high severity.

Regions 70, 72, and 74 of display map 66 are further subdivided into subregions 76. Subregions 76 are configured to indicate an attack type. In the exemplary embodiment, display map 66 is divided into subregions 76, labeled A-F. By way of example, first simulated attack 55 exhibits a high occurrence of security event type 56 that is a "snooping virus" (FIG. 3). Snooping virus may be labeled as having an
`
`
`
`
`6,088,804
`
`7
`attack type of "A". So, SOM processor 40 (FIG. 1) maps a
`vector representative of first training signature 54 into
`display cell 68' which is located in middle region 72. Thus,
`the division of display map 66 into regions 70, 72, and 74
`and subregions 76 indicates attack type and attack severity. 5
`When actual attack information from network 22 is then
`compared to display map 66, a network manager is provided
`with attack type and severity in a quickly interpretable form.
`While, display map 66 provides a useful, quickly inter(cid:173)
`pretable representation of attacks on computer network 22
`(FIG. 1), those skilled in the art will recognize that there are
`any number of ways to visually represent attack information.
`However, the key behind the usefulness of display map 66
`is the appropriate mapping of multi-dimensional vectors for
`training signatures 53 (FIG. 3) that are representative of 15
`simulated attacks 52 into the two dimensional image of
`display cells 68.
`With reference back to task 64 (FIG. 2), following map(cid:173)
`ping of first training signature 54 into display map 66,
`process 44 proceeds with a query task 78. Query task 78 20
`determines if there is another simulated attack to be input
`into dynamic network security system 20 (FIG. 1). Although
`only first training signature 54 has been discussed in detail,
`in order for display map 66 to be accurately mapped, many
`more simulated attacks 52 are processed by SOM processor 25
`40 (FIG. 1).
The mapping of display map 66 (FIG. 4) is performed iteratively in a sequence of steps. Each step requires the presentation of one of training signatures 53, in the form of an input vector, to the array of display cells 68 (each of display cells 68 being represented by a code vector). The input vector for one of training signatures 53 is used as an argument to an activation function that estimates the similarity between the input vector and each of
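An added example, not code from the patent or from Motorola, of the iterative mapping described above together with the training, matching and adapting steps of the Summary: a small self-organizing map whose display cells hold code vectors is trained on the three rows drawn in FIG. 3 plus two constructed signatures, an attack signature (the values of FIG. 6) is located on the map and matched to its most closely resembling training signature, and the map is then adapted with that signature. The grid size, the decay schedule, Euclidean distance as the activation function, and the ring-and-sector rule that stands in for regions 70/72/74 and subregions A-F are all assumptions.

```python
"""Map attack signatures into a display map with a self-organizing map (SOM),
match an incoming attack signature, and adapt.  Added example, not code from
the patent or from Motorola: grid size, learning schedule, Euclidean
similarity, the ring/sector rule for regions and the signatures marked
'constructed' are assumptions."""
import math
import random

EVENT_TYPES = ("destructive virus", "snooping virus", "worm",
               "trojan horse", "ftp request", "overload")

# Training signatures 53 as (name, percent of nodes per event type 58,
# attack severity 61).  Attacks 1, 2 and n carry the values drawn in FIG. 3;
# the two others are constructed to populate the map.
TRAINING = [
    ("simulated attack 1", [0.2, 15, 0, 0.1, 5, 0.05], "medium"),
    ("simulated attack 2", [0.5, 1.7, 0.01, 0.2, 0.05, 1.2], "low"),
    ("simulated attack n", [25, 12, 0.2, 0.4, 1.2, 0.05], "high"),
    ("constructed worm storm", [0.3, 0.2, 30, 0.1, 0.5, 2.0], "high"),
    ("constructed quiet probe", [0, 0.1, 0, 0, 0.8, 0.1], "low"),
]


def distance(a, b):
    """Euclidean distance, used as the similarity measure (assumption)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class DisplayMap:
    """A size x size grid of display cells 68; each cell holds a code vector."""

    def __init__(self, size=5, dims=len(EVENT_TYPES), seed=1):
        rng = random.Random(seed)  # fixed seed so the map is reproducible
        self.size = size
        self.cells = {(r, c): [rng.uniform(0, 5) for _ in range(dims)]
                      for r in range(size) for c in range(size)}
        self.training = []  # signatures the map has been trained on

    def best_matching_cell(self, vec):
        """Activation step: the cell whose code vector is nearest the input."""
        return min(self.cells, key=lambda cell: distance(self.cells[cell], vec))

    def train(self, signatures, epochs=200):
        """Present the training signatures in turn; the winning cell and its
        neighbours move toward each input while rate and radius decay, so
        similar signatures end up in nearby cells."""
        self.training = list(signatures)
        total = epochs * len(self.training)
        for step in range(total):
            _, vec, _ = self.training[step % len(self.training)]
            rate = 0.5 * (1 - step / total)
            radius = max(0.5, (self.size / 2) * (1 - step / total))
            wr, wc = self.best_matching_cell(vec)
            for (r, c), code in self.cells.items():
                d = math.hypot(r - wr, c - wc)
                if d <= radius:
                    influence = math.exp(-d * d / (2 * radius * radius))
                    for i, x in enumerate(vec):
                        code[i] += rate * influence * (x - code[i])

    def region(self, cell):
        """Assumed geometry for regions 70/72/74 and subregions 76: the ring
        distance from the centre gives severity (centre low, middle medium,
        outer high) and the compass sector gives the attack-type letter A-F."""
        mid = self.size // 2
        dr, dc = cell[0] - mid, cell[1] - mid
        ring = max(abs(dr), abs(dc))
        sev = ("low", "medium", "high")[min(ring, 2)]
        if ring == 0:
            return sev, "centre"
        sector = int((math.atan2(dr, dc) + math.pi) / (2 * math.pi) * 6) % 6
        return sev, "ABCDEF"[sector]

    def classify(self, vec):
        """Attack response: locate the attack signature 94 on the map and pick
        the most closely resembling training signature and its severity."""
        name, _, sev = min(self.training, key=lambda t: distance(t[1], vec))
        cell = self.best_matching_cell(vec)
        return {"cell": cell, "region": self.region(cell),
                "nearest": name, "severity": sev}

    def adapt(self, name, vec, sev, epochs=50):
        """Adapting step: the observed signature joins the training set and the
        map is re-trained, so a later, similar attack lands beside it."""
        self.train(self.training + [(name, vec, sev)], epochs)


if __name__ == "__main__":
    dm = DisplayMap()
    dm.train(TRAINING)
    for name, vec, _ in TRAINING:
        cell = dm.best_matching_cell(vec)
        print(f"{name:24s} -> cell {cell} {dm.region(cell)}")
    # Attack signature drawn in FIG. 6 (table 90): it resembles attack 1.
    verdict = dm.classify([0.25, 15, 0, 0.1, 5, 0.05])
    print(verdict)
    dm.adapt("observed attack", [0.25, 15, 0, 0.1, 5, 0.05], verdict["severity"])
```

The map's geometry is only as meaningful as its training set: an unsupervised SOM places similar signatures in nearby cells, but nothing in this example forces low-severity signatures into the centre ring, so classify() reports the severity label of the most closely resembling training signature rather than trusting the ring alone. adapt() is the adapting step of the Summary: the observed signature joins the training set and the map is re-trained, which is what lets the system respond to a subsequent attack whose signature resembles the one just seen.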