Network intrusion detection system and method

US 20030084323A1
Filed: 10/31/2001
Published: 05/01/2003
Est. Priority Date: 10/31/2001
Status: Abandoned Application

First Claim

Patent Images

1. A network intrusion detection system, comprising:

a processor;

a memory accessible by the processor;

a monitor application stored in the memory and executable by the processor, the monitor application adapted to monitor network activity associated with a network node;

a profile application stored in the memory and executable by the processor, the profile application adapted to automatically generate an activity profile associated with the network node using the monitored network activity; and

a recognition engine stored in the memory and executable by the processor, the recognition engine adapted to compare a network event to the activity profile to determine whether the network event is authorized for the network node.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network intrusion detection system comprises a processor and a memory accessible by the processor. The system also comprises a monitor application stored in the memory and executable by the processor. The monitor application is adapted to monitor network activity associated with a network node. The system also comprises a profile application stored in the memory and executable by the processor. The profile application is adapted to automatically generate an activity profile associated with the network node using the monitored network activity. The system further comprises a recognition engine stored in the memory and executable by the processor. The recognition engine is adapted to compare a network event to the activity profile to determine whether the network event is authorized for the network node.

166 Citations

33 Claims

1. A network intrusion detection system, comprising:
- a processor;
  
  a memory accessible by the processor;
  
  a monitor application stored in the memory and executable by the processor, the monitor application adapted to monitor network activity associated with a network node;
  
  a profile application stored in the memory and executable by the processor, the profile application adapted to automatically generate an activity profile associated with the network node using the monitored network activity; and
  
  a recognition engine stored in the memory and executable by the processor, the recognition engine adapted to compare a network event to the activity profile to determine whether the network event is authorized for the network node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the network activity comprises inbound data communications and outbound data communications.
  - 3. The system of claim 2, wherein the inbound and outbound data communications comprise electronic mail communications.
  - 4. The system of claim 2, wherein the inbound and outbound data communications comprise Internet communications.
  - 5. The system of claim 1, wherein the profile application generates the activity profile corresponding to network activity occurring over a predetermined time period.
  - 6. The system of claim 1, wherein the profile application is further adapted to automatically update the activity profile in response to a predetermined event.
  - 7. The system of claim 1, wherein the profile application is further adapted to automatically update the activity profile corresponding to a predetermined time period.
  - 8. The system of claim 1, wherein the recognition engine is further adapted to block the network event if the network event exceeds the activity profile.
  - 9. The system of claim 1, wherein the profile application is further adapted to automatically update the activity profile if the network event is authorized.
  - 10. The system of claim 1, further comprising an event library accessible by the recognition engine to determine whether the network event is authorized, the event library comprising information associated with authorized network activities not reflected in the activity profile.

11. A method for network intrusion detection, comprising:
- monitoring network activity associated with a network node for a predetermined time period;
  
  automatically generating an activity profile corresponding to the network node using the monitored network activity;
  
  identifying a network event associated with the network node; and
  
  automatically determining whether the network event is authorized for the network node using the activity profile.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, wherein monitoring the network activity comprises monitoring inbound data communications and outbound data communications associated with the network node.
  - 13. The method of claim 11, wherein monitoring the network activity comprises monitoring network application usage corresponding to the network node.
  - 14. The method of claim 11, further comprising accessing an event library to determine whether the network event is authorized, the event library comprising information associated with authorized network activities not reflected in the activity profile.
  - 15. The method of claim 11, further comprising automatically updating the activity profile if the network event is authorized.
  - 16. The method of claim 11, further comprising automatically blocking the network event if the network event is not authorized.
  - 17. The method of claim 11, further comprising automatically updating the activity profile in response to a predetermined network event.
  - 18. The method of claim 11, further comprising automatically updating the activity profile corresponding to a predetermined time period.

19. A network detection intrusion system, comprising:
- a plurality of nodes coupled to a server via a network;
  
  a monitoring application accessibly by the server and adapted to monitor network activity between the plurality of nodes;
  
  a profile application accessible by the server and adapted to generate an activity profile for each of the plurality of nodes; and
  
  a recognition engine accessible by the server and adapted to compare a network event corresponding to one of the plurality of nodes to the activity profile corresponding to the one node to determine whether the network event is authorized for the one node.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The system of claim 19 wherein the profile application is further adapted to automatically update the activity profile corresponding to the one node if the network event is authorized.
  - 21. The system of claim 19 wherein the monitoring application is adapted to monitor inbound data communications and outbound data communications associated with each of the nodes.
  - 22. The system of claim 19 further comprising an event library accessible by the server to determine whether the network event is authorized, the event library comprising information associated with authorized network activities not reflected in the activity profile for the one node.
  - 23. The system of claim 19 wherein the monitoring application is adapted to monitor network application usage for each of the nodes.
  - 24. The system of claim 19 wherein the recognition engine is further adapted to generate an event alarm log for the network event if the network event is not authorized.
  - 25. The system of claim 19, wherein the profile application is further adapted to automatically update the activity profile for each of the nodes corresponding to a predetermined time period.
  - 26. The system of claim 19, wherein the profile application is further adapted to automatically update an activity profile corresponding to a node in response to a predetermined network event corresponding to the node.

27. A computer program for assisting in network intrusion detection, comprising:
- a computer-readable medium; and
  
  a profile application stored on the computer-readable medium, the profile application adapted to monitor network activity and generate an activity profile using the monitored network activity, the activity profile used to determine whether a network event is authorized.
- View Dependent Claims (28, 29, 30, 31, 32, 33)
- - 28. The computer program of claim 27, wherein the profile application is configured to automatically update the activity profile in response to a predetermined network event.
  - 29. The computer program of claim 27, wherein the profile application is further configured to automatically update the activity profile corresponding to a predetermined time interval.
  - 30. The computer program of claim 27, further comprising a recognition engine stored on the computer-readable medium and adapted to compare the network event to the activity profile.
  - 31. The computer program of claim 27, wherein the profile application is adapted to monitor inbound data communications and outbound data communications corresponding to the network.
  - 32. The computer program of claim 27, further comprising a recognition engine adapted to compare the network event to the activity profile and block the network event if the network event exceeds the activity profile.
  - 33. The computer program of claim 27, wherein the profile application generates the activity profile corresponding to network activity occurring over a predetermined time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Gales, George S.

Application Number

US10/002,423
Publication Number

US 20030084323A1
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 43/00   Arrangements for monitoring...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Network intrusion detection system and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

166 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Network intrusion detection system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

166 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links