
Causality Analysis and Visualization Methods and Systems for Network Security


Detailed Technical Description

Studies estimate that nearly 25% of computers around the world are infected with malware, resulting in billions of dollars of damages. Stealthy malware residing on compromised machines can spy on the user, exfiltrate sensitive information and documents, abuse system and network resources, and disrupt user activities. Patching and scanning are the first line of defense against malware. However, these methods cannot detect new generations of malware (i.e., zero-day exploits) because no known signatures exist for them.

Our technology can be used to analyze and monitor large amounts of computer network traffic and detect malware activities. Our detection is based on discovering sophisticated semantic and logical relations among network traffic. We detect malware while it is in action, regardless of whether the malware is a zero-day exploit (brand new) or not. Our technology can be used by individuals or organizations to protect their computers. For example, it can be used by security analysts to monitor network traffic, examine traffic anomalies, and perform forensic analysis on the causes of anomalies.

It provides automatic anomaly detection in the observed network activities through probabilistic reasoning about the causal relations in traffic. Our discovery algorithm constructs triggering relation graphs that uniquely pinpoint abnormal network events that lack valid triggers (i.e., legitimate causes for the event to occur). Our algorithm is accurate, scalable, and easy to use.

Our visualization tool takes the results discovered above and provides an interactive graphical interface for users. The graphical user interface has a unique design that is both user-friendly and convenient for examining traffic. It allows optimal usage of the screen for displaying related network events, which makes it well suited for security analysts performing further manual inspection and forensic tasks on network events based on causal relations.


Country/Region

United States
