Integrated network intrusion detection

US 10,044,738 B2
Filed: 09/22/2015
Issued: 08/07/2018
Est. Priority Date: 02/01/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a compute device, a request for access to network services from an invoked application;

applying, by the compute device, a set of executable instructions of the invoked application to a hash function to generate a hash value;

identifying, by the compute device, the invoked application based on the hash value;

obtaining, by the compute device, a network policy specific to the identified application;

performing, by the compute device, a statistical analysis of previous communications from the identified application;

setting, by the compute device and as a function of the statistical analysis, a configurable threshold indicative of a severity of a violation of the network policy specific to the identified application;

determining, by the compute device, whether the request is a violation of the network policy;

determining, in response to a determination that the request is a violation of the network policy, the severity of the violation based on the associated configurable threshold in the network policy specific to the identified application; and

performing, by the compute device, one or more actions as a function of the determined severity including loading, from a central security server, application-specific intrusion signatures and searching packets associated with the application for the application-specific intrusion signatures.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Intrusion preludes may be detected (including detection using fabricated responses to blocked network requests), and particular sources of network communications may be singled out for greater scrutiny, by performing intrusion analysis on packets blocked by a firewall. An integrated intrusion detection system uses an end-node firewall that is dynamically controlled using invoked-application information and a network policy. The system may use various alert levels to trigger heightened monitoring states, alerts sent to a security operation center, and/or logging of network activity for later forensic analysis. The system may monitor network traffic to block traffic that violates the network policy, monitor blocked traffic to detect an intrusion prelude, and monitor traffic from a potential intruder when an intrusion prelude is detected. The system also may track behavior of applications using the network policy to identify abnormal application behavior, and monitor traffic from an abnormally behaving application to identify an intrusion.

112 Citations

10 Claims

1. A method comprising:
- receiving, by a compute device, a request for access to network services from an invoked application;
  
  applying, by the compute device, a set of executable instructions of the invoked application to a hash function to generate a hash value;
  
  identifying, by the compute device, the invoked application based on the hash value;
  
  obtaining, by the compute device, a network policy specific to the identified application;
  
  performing, by the compute device, a statistical analysis of previous communications from the identified application;
  
  setting, by the compute device and as a function of the statistical analysis, a configurable threshold indicative of a severity of a violation of the network policy specific to the identified application;
  
  determining, by the compute device, whether the request is a violation of the network policy;
  
  determining, in response to a determination that the request is a violation of the network policy, the severity of the violation based on the associated configurable threshold in the network policy specific to the identified application; and
  
  performing, by the compute device, one or more actions as a function of the determined severity including loading, from a central security server, application-specific intrusion signatures and searching packets associated with the application for the application-specific intrusion signatures.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein obtaining the network policy comprises receiving the network policy from a remote repository though a network.
  - 3. The method of claim 1, further comprising:
    - blocking inbound traffic; and
      
      analyzing blocked inbound traffic for patterns that span multiple communication channels to determine whether an intrusion prelude is present.

4. One or more non-transitory computer-readable storage media comprising a plurality of instructions that, when executed by a compute device, cause the compute device to:
- receive a request for access to network services from an invoked application;
  
  apply a set of executable instructions of the invoked application to a hash function to generate a hash value;
  
  identify the invoked application based on the hash value;
  
  obtain a network policy specific to the identified application;
  
  perform a statistical analysis of previous communications from the identified application;
  
  set, as a function of the statistical analysis, a configurable threshold indicative of a severity of a violation of the network policy specific to the identified application;
  
  determine whether the request is a violation of the network policy;
  
  determine, in response to a determination that the request is a violation of the network policy, the severity of the violation based on the associated configurable threshold in the network policy specific to the identified application; and
  
  perform one or more actions as a function of the determined severity including loading, from a central security server, application-specific intrusion signatures and searching packets associated with the application for the application-specific intrusion signatures.
- View Dependent Claims (5)
- - 5. The one or more non-transitory computer-readable storage media of claim 4, wherein to obtain the network policy comprises to receive the network policy from a remote repository though a network.

6. A system comprising:
- a processor;
  
  a communication interface coupled with the processor; and
  
  a non-transitory machine-readable medium operatively coupled with the processor and embodying machine instructions for causing the processor to;
  
  receive a request for access to network services from an invoked application;
  
  apply a set of executable instructions of the invoked application to a hash function to generate a hash value;
  
  identify the invoked application based on the hash value;
  
  obtain a network policy specific to the identified application;
  
  perform a statistical analysis of previous communications from the identified application;
  
  set, as a function of the statistical analysis, a configurable threshold indicative of a severity of a violation of the network policy specific to the identified application;
  
  determine whether the request is a violation of the network policy;
  
  determine, in response to a determination that the request is a violation of the network policy, the severity of the violation based on the associated configurable threshold in the network policy specific to the identified application; and
  
  perform one or more actions as a function of the determined severity including loading, from a central security server, application-specific intrusion signatures and searching packets associated with the application for the application-specific intrusion signatures.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein to obtain the network policy comprises to receive the network policy from a remote repository though a network.
  - 8. The system of claim 6, wherein the instructions further cause the processor to notify, in response to a determination that the request is not a violation of the network policy, a network traffic enforcer to open a communication channel.
  - 9. The system claim 6, wherein the instructions further cause the processor to examine an inbound communication for an intrusion prelude.
  - 10. The system of claim 6, wherein the instructions further cause the processor to:
    - determine whether an inbound communication is indicative of an intrusion prelude;
      
      block the inbound communication; and
      
      transmit a fabricated response to the blocked inbound communication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Yadav, Satyendra
Primary Examiner(s)
Vaughan, Michael R

Application Number

US14/861,232
Publication Number

US 20160088002A1
Time in Patent Office

1,050 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Integrated network intrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

112 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Integrated network intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links