Device for and Method of Computer Intrusion Anticipation, Detection, and Remediation

National Security Agency, Ft. George G. Meade, Maryland

Initially, relatively powerful computers were constructed as unique mainframes operated by larger corporations on isolated networks. Then, computers with modest amounts of computing power were made available to individuals as standalone personal computers. The computing power of personal computers and the applications for which they could be used were increased by networking them with other computers throughout the world using ancillary devices (e.g., servers, routers, links, switches, hubs, etc.). An arrangement into which computer and ancillary devices are configured is called a topology. There are many different types of topologies (e.g., bus, ring, star, tree, mesh, etc.).

Networking over a public network is less secure than an isolated network due to the accessibility of a network by a hacker. Typically, a hacker inserts software (malicious code or mal-ware) into a computer network to not only provide incorrect data, but to influence, or take control of, the command and control structure of the network.

Prior art intrusion detection systems monitor computer networks or systems for attempts to load malware onto a computer, or violations of network security policies. Examples of mal-ware include computer viruses, ransomware, worms, Trojan horses, spyware, and rogue security software. Three types of malware detection methods are currently being used: signature-based methods, anomaly-based methods, and protocol analysis methods.

These systems have a very narrow view into intrusion attempts, and are either backward-looking or use a fiction about average computer network traffic or benign computer activity. Therefore, there is a need for a computer security device and method that not only takes a wider view of intrusion detection, but also addresses the issue of malware that has successfully avoided detection and is operating on a computer.

This invention enhances electronic network security in the same way that radar improved weather forecasting — by providing advanced information to experts who can then determine what, if any, protective action must be taken.

This technology anticipates network intrusion attempts, detects actual attempts, and detects both existing and new malware. Improving on existing technology, the system remedies intrusions by changing network topology, countering computer traffic associated with the various phases of intrusion, and countering the source of the computer traffic. Intrusion attempts are considered broadly, in the context of a wide range of information over a longer period of time, and over many dimensions (space, intrusion-attempt choreography, type of actor, and number of actors).

The method provides electronic network security by establishing a network topology, including multiple devices, where the network includes a command and control layer and a transport layer. The command and control layer is changeable by the transport layer, and vice versa. All phases of an intrusion attempt are monitored to anticipate an intrusion, prevent an intrusion, and remedy a successful intrusion. An assessment of the threat is made in multiple dimensions. The topology of the network may be changed in accordance with the threat assessment.

For more information, contact the National Security Agency Technology Transfer Program Office at This email address is being protected from spambots. You need JavaScript enabled to view it.; 866-680-4539.