Correlating network information and intrusion information to find the entry point of an attack upon a protected computer
Abstract
A method for determining the entry point of an attack by a vandal such as a hacker upon a device such as a computer or a server such as a web server that operates under the protection of an intrusion detection system. Intrusion detection information regarding the attack and network information regarding the attack are correlated, and the entry point of the attack thereby deduced. In one embodiment, a source address of a message representative of the attack is found in a router table of a router that provides a connection supporting the attack. Logical ports of the connection are determined, and the corresponding physical ports found, thereby identifying the attack's entry point into the protected device.
20 Claims
1. A method of identifying the entry point of an attack upon a device protected by an intrusion detection system, the method comprising the steps of:
obtaining intrusion information regarding an attack upon a device protected by an intrusion detection system;
obtaining network information regarding the attack upon the device; and
determining a portal of the attack upon the device by correlating the intrusion information and the network information. (Dependent claims: 2, 3)
4. A method of identifying the entry point of an attack upon a device protected by an intrusion detection system, the method comprising the steps of:
obtaining intrusion information, from an intrusion detection system, regarding an attack upon a device protected by the intrusion detection system;
obtaining network information, from network equipment connected to the device, regarding the attack upon the device; and
determining a portal of the attack upon the device using a correlation engine to correlate the intrusion information and the network information.
5. A method of identifying the entry point of an attack upon a device protected by an intrusion detection system, the method comprising the steps of:
obtaining intrusion information, from an intrusion detection system, regarding an attack upon a device protected by the intrusion detection system;
obtaining network information, from network equipment connected to the device, regarding the attack;
determining a logical entry point of the attack using a correlation engine to correlate the intrusion information and the network information; and
identifying a physical entry point associated with the logical entry point. (Dependent claims: 6 through 20)
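The following is an added worked example, written for this page and not code from the patent or its assignee, of the correlation that the abstract and claims 1, 4 and 5 describe: an IDS alert supplies the attack's source address, the router's routing table is searched for that address (longest-prefix match) to obtain the logical port of the connection carrying the attack, and a port map then resolves that logical port to a physical port. The route-table format, interface names, physical-port map and alerts are constructed sample data, and the function names are the example's own.

```python
"""Correlate IDS intrusion information with router network information to
find the logical and physical entry point of an attack (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IntrusionInfo:
    """What the IDS reports about one attack message (constructed fields)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    signature: str


@dataclass(frozen=True)
class Route:
    """One routing-table entry: destination prefix -> logical interface."""
    prefix: ipaddress.IPv4Network
    interface: str


def parse_route_table(lines: List[str]) -> List[Route]:
    """Parse 'prefix interface' lines (a constructed format) into Route objects."""
    routes = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, iface = line.split()
        routes.append(Route(ipaddress.ip_network(prefix, strict=False), iface))
    return routes


def lookup_logical_port(routes: List[Route], address: str) -> Optional[str]:
    """Longest-prefix match: the logical interface whose route covers address.
    The default route (0.0.0.0/0) matches anything not covered more specifically."""
    addr = ipaddress.ip_address(address)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.interface if best else None


def physical_port_for(logical_port: str, phys_map: Dict[str, str]) -> Optional[str]:
    """A sub-interface such as Gi0/1.20 shares the physical port of its parent Gi0/1."""
    parent = logical_port.split(".")[0]
    return phys_map.get(parent)


def find_entry_point(alert: IntrusionInfo, routes: List[Route],
                     phys_map: Dict[str, str]) -> Optional[Tuple[str, Optional[str]]]:
    """Correlation engine: IDS alert + router table -> (logical port, physical port)."""
    logical = lookup_logical_port(routes, alert.src_ip)
    if logical is None:
        return None
    return logical, physical_port_for(logical, phys_map)


# Constructed sample network information: a router table and its port map.
ROUTE_TABLE_TEXT = """
# prefix            logical interface
0.0.0.0/0           Gi0/0
10.0.0.0/8          Gi0/1
10.20.0.0/16        Gi0/1.20
192.168.1.0/24      Gi0/2
"""
ROUTES = parse_route_table(ROUTE_TABLE_TEXT.splitlines())
PHYSICAL_PORTS = {
    "Gi0/0": "slot 0 / port 0 (WAN uplink)",
    "Gi0/1": "slot 0 / port 1 (campus)",
    "Gi0/2": "slot 0 / port 2 (DMZ)",
}

# Constructed sample intrusion information, as an IDS might report it.
ALERTS = [
    IntrusionInfo("10.20.5.7", "192.168.1.10", 80, "HTTP directory traversal"),
    IntrusionInfo("203.0.113.9", "192.168.1.10", 443, "TLS handshake flood"),
]


def entry_points_for_alerts(alerts: List[IntrusionInfo] = ALERTS) -> Dict[str, Optional[Tuple[str, Optional[str]]]]:
    """Map each alert's source address to the deduced (logical, physical) portal."""
    return {a.src_ip: find_entry_point(a, ROUTES, PHYSICAL_PORTS) for a in alerts}


if __name__ == "__main__":
    for src, portal in entry_points_for_alerts().items():
        print(f"{src:>15} entered via {portal}")
```

The lookup answers "which interface leads toward the source address", which is the ingress interface only when routing is symmetric and the source address is genuine; that is the same assumption unicast reverse-path forwarding makes. For a flood with spoofed sources the deduced portal will be the interface toward the spoofed prefix, not the real one, so where the router can export per-connection interface records those should be correlated in preference to a route lookup.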
Specification