Rule based alerting in anomaly detection

US 10,284,571 B2
Filed: 06/28/2004
Issued: 05/07/2019
Est. Priority Date: 06/28/2004
Status: Active Grant

First Claim

Patent Images

1. A method for detecting an intrusion event in a network, the method comprising:

receiving a threshold value for a monitored network parameter, wherein the threshold value is received from a user via a user interface (UI) associated with a computer, and wherein the threshold value corresponds to an alert severity level;

receiving a threshold type for the monitored network parameter, wherein the threshold type is received from the user via the UI, and wherein the threshold type specifies either a lower limit or an upper limit for the threshold value;

receiving a time duration for the monitored network parameter, wherein the time duration is received from the user via the UI;

constructing, by the computer, a rule for detecting a network intrusion event based on the threshold value, the threshold type, and the time duration;

compiling the constructed rule for execution; and

executing the constructed rule, wherein said executing the constructed rule comprises;

generating an alert when the monitored network parameter remains above the threshold value during the entire time duration when the threshold type is an upper limit;

generating the alert when the monitored network parameter remains below the threshold value during the entire time duration when the threshold type is a lower limit; and

wherein a severity level of the alert is set to the alert severity level corresponding to the threshold value.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A graphical user interface for constructing rules to run on an intrusion detection system is described. The user interface includes a field that specifies a first set of nodes on a network by Host-Group, a field that specifies a second set of nodes on a network by Host-Group and a field which determines whether to interpret the first and second host-group fields as Client, server, source, destination or any of these.

Citations

15 Claims

1. A method for detecting an intrusion event in a network, the method comprising:
- receiving a threshold value for a monitored network parameter, wherein the threshold value is received from a user via a user interface (UI) associated with a computer, and wherein the threshold value corresponds to an alert severity level;
  
  receiving a threshold type for the monitored network parameter, wherein the threshold type is received from the user via the UI, and wherein the threshold type specifies either a lower limit or an upper limit for the threshold value;
  
  receiving a time duration for the monitored network parameter, wherein the time duration is received from the user via the UI;
  
  constructing, by the computer, a rule for detecting a network intrusion event based on the threshold value, the threshold type, and the time duration;
  
  compiling the constructed rule for execution; and
  
  executing the constructed rule, wherein said executing the constructed rule comprises;
  
  generating an alert when the monitored network parameter remains above the threshold value during the entire time duration when the threshold type is an upper limit;
  
  generating the alert when the monitored network parameter remains below the threshold value during the entire time duration when the threshold type is a lower limit; and
  
  wherein a severity level of the alert is set to the alert severity level corresponding to the threshold value.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - receiving information about a first set of nodes and a second set of nodes in the network; and
      
      determining whether the second set of nodes are clients, servers, source nodes, or destination nodes based on the received information about the first set of nodes.
  - 3. The method of claim 1, further comprising receiving information on whether the rule applies to a host or to an aggregate of an entire node set'"'"'s traffic.
  - 4. The method of claim 1, further comprising receiving information specifying a start time and a stop time for application of the rule.
  - 5. The method of claim 1, further comprising:
    - receiving information specifying services for which the rule is applicable, wherein a respective service is specified by at least a port and a protocol.

6. A non-transitory computer-readable storage medium storing instructions which when executed by a computer cause the computer to perform a method for detecting an intrusion event in a network, the method comprising:
- receiving a threshold value for a monitored network parameter, wherein the threshold value is received from a user via a user interface (UI) associated with the computer, and wherein the threshold value corresponds to an alert severity level;
  
  receiving a threshold type for the monitored network parameter, wherein the threshold type is received from the user via the UI, and wherein the threshold type specifies either a lower limit or an upper limit for the threshold value;
  
  receiving a time duration for the monitored network parameter, wherein the time duration is received from the user via the UI;
  
  constructing a rule for detecting a network intrusion event based on the threshold value, the threshold type, and the time duration;
  
  compiling the constructed rule for execution; and
  
  subsequently executing the constructed rule, wherein said executing the constructed rule comprises;
  
  generating an alert when the monitored network parameter remains above the threshold value during the entire time duration when the threshold type is an upper limit;
  
  generating the alert when the monitored network parameter remains below the threshold value during the entire time duration when the threshold type is a lower limit; and
  
  wherein a severity level of the alert is set to the alert severity level corresponding to the threshold value.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The non-transitory computer-readable storage medium of claim 6, wherein the method further comprises:
    - receiving information about a first set of nodes and a second set of nodes in the network; and
      
      determining whether the second set of nodes are clients, servers, source nodes, or destination nodes based on the received information about the first set of nodes.
  - 8. The non-transitory computer-readable storage medium of claim 6, wherein the method further comprises receiving information on whether the rule applies to a host or to an aggregate of an entire node set'"'"'s traffic.
  - 9. The non-transitory computer-readable storage medium of claim 6, wherein the method further comprises receiving information specifying a start time and a stop time for application of the rule.
  - 10. The non-transitory computer-readable storage medium of claim 6, wherein the method further comprises receiving information specifying services for which the rule is applicable, wherein a respective service is specified by at least a port and a protocol.

11. A system for detecting an intrusion event in a network comprising:
- a processor; and
  
  a non-transitory storage medium storing instructions which, when executed by the processor, cause the system to perform a method comprising;
  
  receiving a threshold value for a monitored network parameter, wherein the threshold value is received from a user via a user interface (UI) associated with the system, and wherein the threshold value corresponds to an alert severity level;
  
  receiving a threshold type for the monitored network parameter, wherein the threshold type is received from the user via the UI, and wherein the threshold type specifies either a lower limit or an upper limit for the threshold value;
  
  receiving a time duration for the monitored network parameter, wherein the time duration is received from the user via the UI;
  
  constructing a rule for detecting a network intrusion event based on the threshold value, the threshold type, and the time duration;
  
  compiling the constructed rule for execution; and
  
  executing the constructed rule, wherein said executing the constructed rule comprises;
  
  generating an alert when the monitored network parameter remains above the threshold value during the entire time duration when the threshold type is an upper limit;
  
  generating the alert when the monitored network parameter remains below the threshold value during the entire time duration when the threshold type is a lower limit; and
  
  wherein a severity level of the alert is set to the alert severity level corresponding to the threshold value.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, wherein the non-transitory storage medium further comprises instructions that, when executed by the processor, cause the system to:
    - receive information about a first set of nodes and a second set of nodes in the network; and
      
      determine whether the second set of nodes are clients, servers, source nodes, or destination nodes based on the received information about the first set of nodes.
  - 13. The system of claim 11, wherein non-transitory storage medium further comprises instructions that, when executed by the processor, cause the system to receive information specifying whether the constructed rule applies to a host or to an aggregate of an entire node set'"'"'s traffic.
  - 14. The system of claim 11, wherein the non-transitory storage medium further comprises instructions that, when executed by the processor, cause the system to receive information specifying a start time and a stop time for application of the constructed rule.
  - 15. The system of claim 11, wherein the non-transitory storage medium further comprises instructions that, when executed by the processor, cause the system to receive information specifying services for which the rule is applicable, wherein a respective service is specified by at least a port and a protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Riverbed Technology Incorporated
Inventors
Nazzal, Robert N.
Primary Examiner(s)
Zand, Davoud A
Assistant Examiner(s)
Belani, Kishin G

Application Number

US10/880,332
Publication Number

US 20050289219A1
Time in Patent Office

5,426 Days
Field of Search

709217
US Class Current
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1441 Countermeasures against mal...

Rule based alerting in anomaly detection

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Rule based alerting in anomaly detection

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links