| 摘要 |
A distributed multi-agent system and method is implemented and employed across at least one intranet for purposes of real time collection, monitoring, aggregation, analysis and modeling of system and network operations, communications, internal and external accesses, code execution functions, network and network resource conditions as well as other assessable criteria within the implemented environment. Analytical models are constructed and dynamically updated from the data sources so as to be able to rapidly identify and characterize conditions within the environment (such as behaviors, events, and functions) that are typically characteristic with that of a normal state and those that are of an abnormal or potentially suspicious state. The model is further able to implement statistical flagging functions, provide analytical interfaces to system administrators and estimate likely conditions that characterize the state of the system and the potential threat. The model may further recommend (or alternatively implement autonomously or semi-autonomously) optimal remedial repair and recovery strategies as well as the most appropriate countermeasures to isolate or neutralize the threat and its effects. |
| 主权项 |
1. A distributed network security system that detects the state of a computer network having a plurality of nodes including identifying potential threats to the computer network, said system comprising:
at least two agents disposed in said computer network that collect data representative of operations of said computer network including respective nodes in said computer network, said data relating to communication, internal and external accesses, code execution functions, code analysis and/or network resource conditions of respective nodes in said computer network; and a server programmed to: compare data collected by said at least two agents to determine code analysis and/or activity models characterizing conditions within said computer network including behaviors, events and/or function of respective nodes of said computer network, said behaviors representative of normal states and one or more abnormal states representative of suspicious activity indicative of an attack or threat to said computer network, perform a pattern analysis in the collected data to identify patterns in the collected data representative of suspicious activities indicative of an attack or threat to said computer network and to develop code analysis and/or activity models from the collected data representative of activities of said computer networks in a normal state and activities of said computer networks in an abnormal state based on said identified patterns, wherein said pattern analysis involves comparing data collected by each said agent to the data collected by another agent to identify similar patterns of suspicious activities indicative of an attack or threat to different portions of the computer network, and determine during said pattern analysis if a probability threshold for detecting and classifying a threat is breached by said similar patterns of suspicious activities and, if so, send out an alert to other agents, a central server and/or human operator. |
