Correlating network information and intrusion information to find the entry point of an attack upon a protected computer

US 20030023876A1
Filed: 07/27/2001
Published: 01/30/2003
Est. Priority Date: 07/27/2001
Status: Active Grant

First Claim

Patent Images

1. A method of identifying the entry point of an attack upon a device protected by an intrusion detection system, the method comprising the steps of:

obtaining intrusion information regarding an attack upon a device protected by an intrusion detection system;

obtaining network information regarding the attack upon the device; and

determining a portal of the attack upon the device by correlating the intrusion information and the network information.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for determining the entry point of an attack by a vandal such as a hacker upon a device such as a computer or a server such as a web server that operates under the protection of an intrusion detection system. Intrusion detection information regarding the attack and network information regarding the attack are correlated, and the entry point of the attack thereby deduced. In one embodiment, a source address of a message representative of the attack is found in a router table of a router that provides a connection supporting the attack. Logical ports of the connection are determined, and the corresponding physical ports found, thereby identifying the attack'"'"'s entry point into the protected device.

184 Citations

20 Claims

1. A method of identifying the entry point of an attack upon a device protected by an intrusion detection system, the method comprising the steps of:
- obtaining intrusion information regarding an attack upon a device protected by an intrusion detection system;
  
  obtaining network information regarding the attack upon the device; and
  
  determining a portal of the attack upon the device by correlating the intrusion information and the network information.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein the portal of the attack is an entry point of the attack.
  - 3. The method of claim 1, wherein the portal of the attack is an exit point of the attack.

4. A method of identifying the entry point of an attack upon a device protected by an intrusion detection system, the method comprising the steps of:
- obtaining intrusion information, from an intrusion detection system, regarding an attack upon a device protected by the intrusion detection system;
  
  obtaining network information, from network equipment connected to the device, regarding the attack upon the device; and
  
  determining a portal of the attack upon the device using a correlation engine to correlate the intrusion information and the network information.

5. A method of identifying the entry point of an attack upon a device protected by an intrusion detection system, the method comprising the steps of:
- obtaining intrusion information, from an intrusion detection system, regarding an attack upon a device protected by the intrusion detection system;
  
  obtaining network information, from network equipment connected to the device, regarding the attack;
  
  determining a logical entry point of the attack using a correlation engine to correlate the intrusion information and the network information; and
  
  identifying a physical entry point associated with the logical entry point.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 6. The method of claim 5, wherein the intrusion information includes an address.
  - 7. The method of claim 5, wherein the address is a source address.
  - 8. The method of claim 5, wherein the address is a destination address.
  - 9. The method of claim 5, wherein the network information includes a logical port identifier of a logical port associated with the address.
  - 10. The method of claim 9, wherein the step of determining a logical entry point includes the step of finding, in the network data, the logical port identifier of the logical port associated with the address.
  - 11. The method of claim 9, wherein the step of identifying a physical entry point includes the step of identifying a physical port associated with the logical port.
  - 12. The method of claim 5, wherein the network equipment includes a network router.
  - 13. The method of claim 12, wherein the physical entry point includes a physical port of the network router.
  - 14. The method of claim 12, wherein the logical entry point includes a logical port of the network router.
  - 15. The method of claim 5, wherein the network equipment includes a firewall with routing function.
  - 16. The method of claim 5, wherein the network equipment includes a network dispatcher.
  - 17. The method of claim 5, wherein the network equipment includes a load balancer.
  - 18. The method of claim 5, wherein the intrusion detection system includes network based intrusion detection equipment.
  - 19. The method of claim 5, wherein the intrusion detection system includes host based intrusion detection equipment.
  - 20. The method of claim 5, wherein the intrusion detection system includes application based intrusion detection equipment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Lingafelt, Charles Steven, Bardsley, Jeffrey Scott, Kim, Nathaniel Wook, Brock, Ashley Anderson

Granted Patent

US 7,845,004 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

Correlating network information and intrusion information to find the entry point of an attack upon a protected computer

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

184 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Correlating network information and intrusion information to find the entry point of an attack upon a protected computer

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

184 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links