Mehtod and system for dynamic network intrusion monitoring detection and response

US 20020087882A1
Filed: 01/19/2001
Published: 07/04/2002
Est. Priority Date: 03/16/2000
Status: Active Grant

First Claim

Patent Images

1. A method of operating a probe as part of a security monitoring system for a computer network, comprising:

a) collecting status data from at least one monitored component of said network;

b) identifying potentially security-related events pertaining to said network by analyzing said status data;

c) transmitting information about said identified events to an analyst associated with said security monitoring system;

d) receiving feedback at the probe based on empirically-derived information reflecting operation of said security monitoring system in a manner customized to said network; and

e) dynamically modifying an analysis capability of said probe during operation thereof based on said received feedback in a manner customized to said network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A probe attached to a customer'"'"'s network collects status data and other audit information from monitored components of the network, looking for footprints or evidence of unauthorized intrusions or attacks. The probe filters and analyzes the collected data to identify potentially security-related events happening on the network. Identified events are transmitted to a human analyst for problem resolution. The analyst has access to a variety of databases (including security intelligence databases containing information about known vulnerabilities of particular network products and characteristics of various hacker tools, and problem resolution databases containing information relevant to possible approaches or solutions) to aid in problem resolution. The analyst may follow a predetermined escalation procedure in the event he or she is unable to resolve the problem without assistance from others. Various customer personnel can be alerted in a variety of ways depending on the nature of the problem and the status of its resolution. Feedback from problem resolution efforts can be used to update the knowledge base available to analysts for future attacks and to update the filtering and analysis capabilities of the probe and other systems.

Citations

44 Claims

1. A method of operating a probe as part of a security monitoring system for a computer network, comprising:
- a) collecting status data from at least one monitored component of said network;
  
  b) identifying potentially security-related events pertaining to said network by analyzing said status data;
  
  c) transmitting information about said identified events to an analyst associated with said security monitoring system;
  
  d) receiving feedback at the probe based on empirically-derived information reflecting operation of said security monitoring system in a manner customized to said network; and
  
  e) dynamically modifying an analysis capability of said probe during operation thereof based on said received feedback in a manner customized to said network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 38, 39, 40, 41, 42, 43, 44)
- - 2. The method of claim 1, wherein said identifying step includes performing a multi-stage analysis of said status data.
  - 3. The method of claim 2, wherein said multi-stage analysis includes performing a discrimination analysis on said status data.
  - 4. The method of claim 3, wherein the discrimination analysis includes positive filtering.
  - 5. The method of claim 3, wherein the discrimination analysis includes negative filtering.
  - 6. The method of claim 3, wherein the discrimination analysis includes filtering followed by an analysis of post-filtering residue.
  - 7. The method of claim 2, wherein said multi-stage analysis includes analysis at the probe and analysis at a secure operations center configured to receive data from said probe.
  - 8. The method of claim 1, wherein said identifying step includes aggregating and synthesizing said status data at the probe.
  - 9. The method of claim 8, wherein said identifying step includes cross-correlating data across said monitored components.
  - 10. The method of claim 8, wherein said identifying step includes analyzing the frequency of occurrence of said events.
  - 11. The method of claim 1, further comprising after said step (c), performing further computer-based analysis at a secure operations center configured to receive data from said probe.
  - 12. The method of claim 11, wherein said computer-based analysis includes aggregating, synthesizing, and presenting alerts on an ensemble basis.
  - 13. The method of claim 11, wherein said identifying step includes cross-correlating data across said monitored components.
  - 14. The method of claim 11, wherein said identifying step includes analyzing the frequency of occurrence of said events.
  - 15. The method of claim 11, wherein said computer-based analysis includes cross-probe correlation.
  - 16. The method of claim 1, further comprising instantaneously self-tuning said probe based on previously collected status data.
  - 17. The method of claim 1, wherein said dynamic modifying step includes consideration of non-real-time information from ongoing security research efforts.
  - 18. The method of claim 1, wherein said receiving feedback step occurs in substantially real time.
  - 20. The computer-readable medium of claim 19, wherein said identifying step includes performing a multi-stage analysis of said status data.
  - 21. The computer-readable medium of claim 20, wherein said multi-stage analysis includes performing a discrimination analysis on said status data.
  - 22. The computer-readable medium of claim 21, wherein the discrimination analysis includes positive filtering.
  - 23. The computer-readable medium of claim 21, wherein the discrimination analysis includes negative filtering.
  - 24. The computer-readable medium of claim 21, wherein the discrimination analysis includes filtering followed by an analysis of post-filtering residue.
  - 25. The computer-readable medium of claim 20, wherein said multi-stage analysis includes analysis at the probe and analysis at a secure operations center configured to receive data from said probe.
  - 26. The computer-readable medium of claim 19, wherein said identifying step includes aggregating and synthesizing said status data at the probe.
  - 27. The computer-readable medium of claim 26, wherein said identifying step includes cross-correlating data across said monitored components.
  - 28. The computer-readable medium of claim 26, wherein said identifying step includes analyzing the frequency of occurrence of said events.
  - 29. The computer-readable medium of claim 19, further comprising after said step (c), performing further computer-based analysis at a secure operations center configured to receive data from said probe.
  - 30. The computer-readable medium of claim 29, wherein said computer-based analysis includes aggregating, synthesizing, and presenting alerts on an ensemble basis.
  - 31. The computer-readable medium of claim 29, wherein said identifying step includes cross-correlating data across said monitored components.
  - 32. The computer-readable medium of claim 29, wherein said identifying step includes analyzing the frequency of occurrence of said events.
  - 33. The computer-readable medium of claim 29, wherein said computer-based analysis includes cross-probe correlation.
  - 34. The computer-readable medium of claim 19, further comprising instantaneously self-tuning said probe based on previously collected status data.
  - 35. The computer-readable medium of claim 19, wherein said dynamic modifying step includes consideration of non-real-time information from ongoing security research efforts.
  - 36. The computer-readable medium of claim 19, wherein said receiving feedback step occurs in substantially real time.
  - 38. The security monitoring system of claim 37, wherein said probe is configured to identify potentially security-related events by performing a discrimination analysis on said status data.
  - 39. The security monitoring system of claim 38, wherein said probe is configured to identify potentially security-related events by performing a positive filter discrimination analysis on said status data.
  - 40. The security monitoring system of claim 38, wherein said probe is configured to identify potentially security-related events by performing a negative filter discrimination analysis on said status data.
  - 41. The security monitoring system of claim 37, wherein said probe and said secure operations center are configured to identify potentially security-related events by performing a multi-stage analysis of said status data.
  - 42. The security monitoring system of claim 41, wherein said multi-stage analysis includes analysis at the probe and analysis at said secure operations center.
  - 43. The security monitoring system of claim 37, wherein said secure operations center is configured to identify potentially security-related events by performing a computer-based analysis of said potentially security-related event data received from said probe.
  - 44. The security monitoring system of claim 43, wherein said computer-based analysis is configured to correlate data from different probes.

19. A computer-readable medium whose contents cause a computer system to operate a probe as part of a security monitoring system for a computer network, by performing the steps of:
- a) collecting status data from at least one monitored component of said network;
  
  b) identifying potentially security-related events pertaining to said network by analyzing said status data;
  
  c) transmitting information about said identified events to an analyst associated with said security monitoring system;
  
  d) receiving feedback at the probe based on empirically-derived information reflecting operation of said security monitoring system in a manner customized to said network; and
  
  e) dynamically modifying an analysis capability of said probe during operation thereof based on said received feedback in a manner customized to said network.

37. A security monitoring system for a computer network, comprising a) a plurality of sensors for monitoring components of said network;
- b) at least one secure operations center configured to receive and analyze potentially security-related event data from at least one probe; and
  
  c) at least one probe, wherein said probe is configured to (1) collect status data from at least one sensor monitoring at least one component of said network;
  
  (2) identify potentially security-related events pertaining to said network by analyzing said status data;
  
  (3) transmit information about said identified events to an analyst associated with said secure operations center;
  
  (4) receive feedback based on empirically-derived information reflecting operation of said security monitoring system in a manner customized to said network; and
  
  (5) dynamically modify an analysis capability of said probe during operation thereof based on said received feedback in a manner customized to said network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BT Americas Incorporated (BT Group PLC)
Original Assignee
BT Counterpane Internet Security, Inc. (BT Group PLC)
Inventors
Gross, Andrew H., Schneier, Bruce, Callas, Jonathan D.

Granted Patent

US 7,159,237 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Mehtod and system for dynamic network intrusion monitoring detection and response

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Mehtod and system for dynamic network intrusion monitoring detection and response

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links