US 11,949,704 B2
Attribute-based policies for integrity monitoring and network intrusion detection
Elisa Costante, Eindhoven (NL)
Assigned to Forescout Technologies, Inc., San Jose, CA (US)
Filed by FORESCOUT TECHNOLOGIES, INC., San Jose, CA (US)
Filed on Mar. 17, 2023, as Appl. No. 18/122,919.
Application 18/122,919 is a continuation of application No. 16/975,561, granted, now 11,641,370, previously published as PCT/NL2019/050147, filed on Mar. 7, 2019.
Claims priority of application No. 2020552 (NL), filed on Mar. 8, 2018; application No. 2020632 (NL), filed on Mar. 20, 2018; application No. 2020633 (NL), filed on Mar. 20, 2018; application No. 2020634 (NL), filed on Mar. 20, 2018; and application No. 2020635 (NL), filed on Mar. 20, 2018.
Prior Publication US 2023/0254328 A1, Aug. 10, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 63/0236 (2013.01); H04L 63/1416 (2013.01); H04L 63/145 (2013.01); H04L 63/20 (2013.01)] 17 Claims
1. A method of detecting anomalous behaviour in data traffic on a data communication network, a first host and a second host being connected to the data communication network, the data traffic on the data communication network providing a link forming a network communication between the first host and the second host, the method comprising:
parsing the data traffic to extract protocol field values of a protocol message of the data traffic;
deriving, from the extracted protocol field values, attribute values of attributes of one of the first host, the second host, and the link;
selecting from a set of models, a model relating to the one of the first host, the second host, and the link, wherein the selected model comprises a plurality of attributes to describe the one of the first host, the second host, and the link, wherein at least one of the attributes is a semantic attribute, the semantic attribute expressing a semantic meaning for the one of the first host, the second host, and the link, wherein the at least one semantic attribute value is derived from a combination of protocol field values obtained from at least two protocol messages transmitted over the data communication network at different points in time;
updating the selected model with the derived attribute values, in response to the derived attribute values not being featured in the selected model relating to the one of the first host, the second host and the link;
assessing whether the updated, selected model complies with a set of attribute-based policies, each attribute-based policy of the set of attribute-based policies defining a security constraint of the data communication network based on at least one of the attributes of the first host, the second host or the link; and
generating an alert signal in case the attribute-based policies indicate that the updated, selected model violates at least one of the attribute-based policies.
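The steps of claim 1 describe one pipeline: parse protocol messages, derive host and link attribute values, select and update the matching model when a value is new, assess the updated model against attribute-based policies, and raise an alert on violation. The following is an added illustration of that pipeline in Python; it is not the patent's or Forescout's implementation. The record format, the field names (`proto`, `type`, `func`), the role-derivation rule, the two policies and the sample traffic are all constructed assumptions. The semantic attribute here is a host's `role`, derived from a response combined with the earlier request it answers, which is the "at least two protocol messages at different points in time" element of the claim.

```python
# Added example (not from the patent): a minimal version of the claimed pipeline
# parse -> derive attributes -> select model -> update -> assess policies -> alert.
# Record format, field names, role rule, policies and traffic are constructed.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Message:
    ts: float
    src: str
    dst: str
    fields: dict                      # protocol field values extracted by the parser


@dataclass
class Model:
    kind: str                         # "host" or "link"
    key: str                          # host address, or "src->dst" for a link
    attrs: dict = field(default_factory=dict)   # attribute name -> set of observed values

    def update(self, derived: dict) -> bool:
        """Add attribute values not yet featured in the model; True if anything changed."""
        changed = False
        for name, value in derived.items():
            seen = self.attrs.setdefault(name, set())
            if value not in seen:
                seen.add(value)
                changed = True
        return changed


@dataclass
class Policy:
    name: str
    kind: str                         # model kind the constraint applies to
    holds: Callable[[Model], bool]    # security constraint over the model's attributes


def parse(raw: str) -> Message:
    """Constructed record format: '<ts> <src> <dst> key=value key=value ...'."""
    ts, src, dst, *pairs = raw.split()
    return Message(float(ts), src, dst, dict(p.split("=", 1) for p in pairs))


class Detector:
    def __init__(self, policies):
        self.policies = policies
        self.models: dict = {}        # (kind, key) -> Model
        self.history: list = []       # earlier messages, needed for the semantic attribute

    def model(self, kind: str, key: str) -> Model:
        return self.models.setdefault((kind, key), Model(kind, key))

    def semantic_role(self, m: Message) -> Optional[str]:
        """Role of m.src from this message combined with an earlier one: a response
        answering an earlier request from m.dst marks m.src a 'server'; a request
        marks it a 'client'; a response with no matching request yields no role."""
        if m.fields.get("type") == "request":
            return "client"
        for earlier in reversed(self.history):
            if (earlier.src == m.dst and earlier.dst == m.src and earlier.ts < m.ts
                    and earlier.fields.get("type") == "request"
                    and earlier.fields.get("func") == m.fields.get("func")):
                return "server"
        return None

    def process(self, raw: str) -> list:
        m = parse(raw)
        host_attrs = {"protocol": m.fields["proto"]}
        if m.fields.get("type") == "request":
            host_attrs["requested_func"] = m.fields["func"]
        role = self.semantic_role(m)
        if role:
            host_attrs["role"] = role
        derived = {
            ("host", m.src): host_attrs,
            ("link", f"{m.src}->{m.dst}"): {"protocol": m.fields["proto"], "func": m.fields["func"]},
        }
        self.history.append(m)
        alerts = []
        for (kind, key), values in derived.items():
            model = self.model(kind, key)
            if model.update(values):  # assess only when a new attribute value appeared
                for p in self.policies:
                    if p.kind == kind and not p.holds(model):
                        alerts.append({"ts": m.ts, "policy": p.name, kind: key})
        return alerts


WRITES = {"write_single_register", "write_multiple_registers", "write_coil"}
POLICIES = [
    Policy("server-never-writes", "host", lambda h: not (
        "server" in h.attrs.get("role", set()) and h.attrs.get("requested_func", set()) & WRITES)),
    Policy("single-protocol-per-link", "link", lambda l: len(l.attrs.get("protocol", set())) <= 1),
]

# constructed sample traffic: an HMI (10.0.0.5) polling and writing a PLC (10.0.0.20)
SAMPLE = [
    "1.0 10.0.0.5 10.0.0.20 proto=modbus type=request func=read_holding_registers",
    "1.1 10.0.0.20 10.0.0.5 proto=modbus type=response func=read_holding_registers",
    "2.0 10.0.0.5 10.0.0.20 proto=modbus type=request func=write_multiple_registers",
    "2.1 10.0.0.20 10.0.0.5 proto=modbus type=response func=write_multiple_registers",
    "9.0 10.0.0.20 10.0.0.7 proto=modbus type=request func=write_multiple_registers",  # server now writes
    "12.0 10.0.0.5 10.0.0.20 proto=dnp3 type=request func=read",                       # link changes protocol
]


def run(records=SAMPLE) -> list:
    det = Detector(POLICIES)
    alerts = []
    for r in records:
        alerts.extend(det.process(r))
    return alerts


if __name__ == "__main__":
    for a in run():
        print(a)
```

Two design points follow the claim directly: policies are assessed only when `Model.update` reports a value not yet featured in the model, so steady-state traffic costs nothing beyond parsing, and the `role` attribute is never set from a single response, since it needs the earlier request to give the message its semantic meaning.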