Method and system for dynamic network intrusion monitoring detection and response
3 Assignments
0 Petitions
Abstract
A probe attached to a customer's network collects status data and other audit information from monitored components of the network, looking for footprints or evidence of unauthorized intrusions or attacks. The probe filters and analyzes the collected data to identify potentially security-related events happening on the network. Identified events are transmitted to a human analyst for problem resolution. The analyst has access to a variety of databases (including security intelligence databases containing information about known vulnerabilities of particular network products and characteristics of various hacker tools, and problem resolution databases containing information relevant to possible approaches or solutions) to aid in problem resolution. The analyst may follow a predetermined escalation procedure in the event he or she is unable to resolve the problem without assistance from others. Various customer personnel can be alerted in a variety of ways depending on the nature of the problem and the status of its resolution. Feedback from problem resolution efforts can be used to update the knowledge base available to analysts for future attacks and to update the filtering and analysis capabilities of the probe and other systems.
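The collect, identify, transmit, feedback and modify loop described in the abstract, as an added Python sketch that is not the patent's own implementation; the status lines, rule names, thresholds and the feedback dictionary format are constructed here for illustration:

```python
import re
from collections import Counter

# Constructed status lines standing in for data collected from a monitored host.
STATUS_LINES = [
    "host1 sshd: Failed password for root from 203.0.113.5 port 51022",
    "host1 sshd: Failed password for root from 203.0.113.5 port 51023",
    "host1 sshd: Failed password for root from 203.0.113.5 port 51024",
    "host1 sshd: Accepted publickey for deploy from 198.51.100.7 port 40000",
    "host1 cron: (backup) CMD (/usr/local/bin/backup.sh)",
    "host1 kernel: iptables DROP IN=eth0 SRC=203.0.113.9 DPT=23",
]

class Probe:
    """Rule-based event identification whose rules the analyst can change at run time."""

    def __init__(self):
        # Each rule: a pattern over one status line (group 1 = source) and how
        # many matches per source are needed before an event is reported.
        self.rules = {
            "ssh-brute-force": {"pattern": r"Failed password .* from (\S+)", "threshold": 3},
            "telnet-probe": {"pattern": r"DROP .* SRC=(\S+) DPT=23", "threshold": 1},
        }
        self.suppressed = set()  # (rule, source) pairs the analyst marked as benign

    def analyze(self, lines):
        """Step b): count matches per (rule, source); step c) would ship the result."""
        counts = Counter()
        for line in lines:
            for name, rule in self.rules.items():
                m = re.search(rule["pattern"], line)
                if m:
                    counts[(name, m.group(1))] += 1
        return [
            {"rule": name, "source": src, "count": n}
            for (name, src), n in sorted(counts.items())
            if n >= self.rules[name]["threshold"] and (name, src) not in self.suppressed
        ]

    def apply_feedback(self, feedback):
        """Steps d)/e): analyst feedback modifies the analysis capability in place."""
        for name, src in feedback.get("suppress", []):      # known-benign pair
            self.suppressed.add((name, src))
        for name, threshold in feedback.get("thresholds", {}).items():  # retune noise
            self.rules[name]["threshold"] = threshold
        for name, pattern in feedback.get("new_rules", {}).items():     # new signature
            self.rules[name] = {"pattern": pattern, "threshold": 1}

if __name__ == "__main__":
    probe = Probe()
    print(probe.analyze(STATUS_LINES))
    probe.apply_feedback({"suppress": [("telnet-probe", "203.0.113.9")],
                          "thresholds": {"ssh-brute-force": 5}})
    print(probe.analyze(STATUS_LINES))
```

Running the same status data before and after `apply_feedback` shows the probe's output changing without a restart, which is the dynamic modification the claims describe.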
44 Claims
1. A method of operating a probe as part of a security monitoring system for a computer network, comprising:
a) collecting status data from at least one monitored component of said network;
b) identifying potentially security-related events pertaining to said network by analyzing said status data;
c) transmitting information about said identified events to an analyst associated with said security monitoring system;
d) receiving feedback at the probe based on empirically-derived information reflecting operation of said security monitoring system in a manner customized to said network; and
e) dynamically modifying an analysis capability of said probe during operation thereof based on said received feedback in a manner customized to said network.
19. A computer-readable medium whose contents cause a computer system to operate a probe as part of a security monitoring system for a computer network, by performing the steps of:
a) collecting status data from at least one monitored component of said network;
b) identifying potentially security-related events pertaining to said network by analyzing said status data;
c) transmitting information about said identified events to an analyst associated with said security monitoring system;
d) receiving feedback at the probe based on empirically-derived information reflecting operation of said security monitoring system in a manner customized to said network; and
e) dynamically modifying an analysis capability of said probe during operation thereof based on said received feedback in a manner customized to said network.
37. A security monitoring system for a computer network, comprising:
a) a plurality of sensors for monitoring components of said network;
b) at least one secure operations center configured to receive and analyze potentially security-related event data from at least one probe; and
c) at least one probe, wherein said probe is configured to (1) collect status data from at least one sensor monitoring at least one component of said network;
(2) identify potentially security-related events pertaining to said network by analyzing said status data;
(3) transmit information about said identified events to an analyst associated with said secure operations center;
(4) receive feedback based on empirically-derived information reflecting operation of said security monitoring system in a manner customized to said network; and
(5) dynamically modify an analysis capability of said probe during operation thereof based on said received feedback in a manner customized to said network.