Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems
Abstract
Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
12 Claims
1. A method of detecting a threat to a computer system in a plurality of collaborating computer systems, the method comprising:
receiving, at a first computer system, a first bloom filter from a collaborating second computer system, the first bloom filter representing encrypted first data relating to a source of a first intrusion attempt detected by an intrusion detection system of the collaborating second computer system;
detecting, by the first computer system, a second intrusion attempt;
producing a second bloom filter by performing a cryptographic function on second data relating to a source of the second intrusion attempt that results in an output value having a plurality of digits and using a subset of the plurality of digits of the output value as an index to the second bloom filter, wherein the subset does not include all of the plurality of digits of the output value;
determining whether the second intrusion attempt correlates with the first intrusion attempt by comparing the first bloom filter and the second bloom filter; and
indicating that a threat is present if the second intrusion attempt is determined to correlate with the first intrusion attempt, wherein receiving the first bloom filter from the collaborating second computer system comprises:
grouping the collaborating second computer system and other collaborating systems into groups so that each collaborating system in a group occupies a position in that group;
exchanging bloom filters between collaborating systems in the same position in the different groups; and
rotating the position occupied by each member of at least one of the groups according to a schedule.
Dependent claims: 2, 3, 4.
5. A system of detecting a threat to a computer system in a plurality of collaborating computer systems, the system comprising:
at least a portion of a communication network; and
a first computer system that is coupled to the at least a portion of the communication network and that is configured to:
receive a first bloom filter from a collaborating second computer system, the first bloom filter representing encrypted first data relating to a source of a first intrusion attempt detected by an intrusion detection system of the collaborating second computer system;
detect a second intrusion attempt;
produce a second bloom filter by performing a cryptographic function on second data relating to a source of the second intrusion attempt that results in an output value having a plurality of digits and using a subset of the plurality of digits of the output value as an index to the second bloom filter, wherein the subset does not include all of the plurality of digits of the output value;
determine whether the second intrusion attempt correlates with the first intrusion attempt by comparing the first bloom filter and the second bloom filter; and
indicate that a threat is present if the second intrusion attempt is determined to correlate with the first intrusion attempt, wherein when receiving the first bloom filter from the collaborating second computer system, the first computer system is configured to:
group the collaborating second computer system and other collaborating systems into groups so that each collaborating system in a group occupies a position in that group;
exchange bloom filters between collaborating systems in the same position in the different groups; and
rotate the position occupied by each member of at least one of the groups according to a schedule.
Dependent claims: 6, 7, 8.
9. A non-transitory computer readable medium containing computer executable instructions that, when executed by a processor, cause the processor to perform a method of detecting a threat to a computer system in a plurality of collaborating computer systems, the method comprising:
receiving, at a first computer system, a first bloom filter from a collaborating second computer system, the first bloom filter representing encrypted first data relating to a source of a first intrusion attempt detected by an intrusion detection system of the collaborating second computer system;
detecting, by the first computer system, a second intrusion attempt;
producing a second bloom filter by performing a cryptographic function on second data relating to a source of the second intrusion attempt that results in an output value having a plurality of digits and using a subset of the plurality of digits of the output value as an index to the second bloom filter, wherein the subset does not include all of the plurality of digits of the output value;
determining whether the second intrusion attempt correlates with the first intrusion attempt by comparing the first bloom filter and the second bloom filter; and
indicating that a threat is present if the second intrusion attempt is determined to correlate with the first intrusion attempt, wherein receiving the first bloom filter from the collaborating second computer system comprises:
grouping the collaborating second computer system and other collaborating systems into groups so that each collaborating system in a group occupies a position in that group;
exchanging bloom filters between collaborating systems in the same position in the different groups; and
rotating the position occupied by each member of at least one of the groups according to a schedule.
Dependent claims: 10, 11, 12.