Application-specific network intrusion detection
Abstract
Network intrusion detection accurately identifies and takes into account the network applications currently running by examining the machine instructions embodying those applications. Intrusion detection using application-specific intrusion criteria (e.g., normal-communication-behavior tracking criteria and/or intrusion signatures) allows application-specific responses to intrusions. Dynamic loading of, and checking for, intrusion signatures may be performed by intrusion detection components that run in the same context as the application being monitored. A central security authority may provide a repository for, and maintain, up-to-the-minute intrusion signatures for networked machines. Application communications may be tracked to identify abnormal application behavior, and a network security administrator may be notified that a particular application may be making the network vulnerable to intrusion. Immediate response to abnormal application behavior or to detection of an intrusion signature is made possible, while non-targeted applications on a targeted computing system may continue their network activity.
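The flow the abstract describes (identify the invoked application from its instruction bytes, obtain that application's own signatures, check only its traffic against them and its behaviour baseline, and respond only against the offending process while other applications keep running) as an added Python example. This is not the patent's code: the executable images, the signature repository standing in for the central security authority, the behaviour baseline, the packets and the names such as AppSpecificIDS are all constructed for illustration.

```python
"""Toy model of application-specific network intrusion detection.

Constructed example (not the patent's own code): application identity is
derived from the bytes of its executable image, intrusion signatures are
looked up per application from a repository standing in for the central
security authority, and each application's traffic is checked against its
own signatures and its own behaviour baseline. A signature hit cuts off only
the offending process; other processes keep their network access.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-ins for executable images. A real monitor would read the
# process image from disk or memory; fixed byte strings keep this offline.
APP_IMAGES = {
    "httpd": b"\x7fELF" + b"\x00" * 12 + b"Server: httpd/2.4",
    "ftpd": b"\x7fELF" + b"\x00" * 12 + b"220 FTP server ready",
}
KNOWN_IMAGES = {hashlib.sha256(img).hexdigest(): name for name, img in APP_IMAGES.items()}

# Constructed signature repository keyed by application (the "central security
# authority"). Each entry is (signature id, byte regex applied to the payload).
SIGNATURE_REPOSITORY = {
    "httpd": [("http-path-traversal", re.compile(rb"\.\./"))],
    "ftpd": [("ftp-overlong-user", re.compile(rb"^USER [^\r\n]{200,}"))],
}

# Constructed behaviour baseline: remote ports each application normally uses.
BEHAVIOUR_BASELINE = {"httpd": {80, 443}, "ftpd": {21}}


@dataclass
class Process:
    pid: int
    image: bytes  # instruction bytes of the invoked application


@dataclass
class Packet:
    pid: int  # process that sent the packet
    remote_port: int
    payload: bytes


@dataclass
class Alert:
    pid: int
    app: str
    kind: str  # "signature" or "behaviour"
    detail: str


def identify_application(image: bytes) -> str:
    """Identify the invoked application by hashing its instruction bytes."""
    return KNOWN_IMAGES.get(hashlib.sha256(image).hexdigest(), "unknown")


class AppSpecificIDS:
    def __init__(self, repository, baseline):
        self.repository = repository
        self.baseline = baseline
        self.loaded = {}      # pid -> (app name, that app's signatures)
        self.blocked = set()  # pids whose network access has been cut off
        self.alerts = []      # what the administrator would be notified of

    def on_invoke(self, proc: Process) -> str:
        """Examine the image, identify the app, dynamically load its signatures."""
        app = identify_application(proc.image)
        self.loaded[proc.pid] = (app, self.repository.get(app, []))
        return app

    def inspect(self, pkt: Packet) -> bool:
        """Check one packet against its sender's criteria; True if it may proceed."""
        if pkt.pid in self.blocked:
            return False
        app, signatures = self.loaded.get(pkt.pid, ("unknown", []))
        for sig_id, pattern in signatures:
            if pattern.search(pkt.payload):
                self.alerts.append(Alert(pkt.pid, app, "signature", sig_id))
                self.blocked.add(pkt.pid)  # respond against this process only
                return False
        allowed = self.baseline.get(app)
        if allowed is not None and pkt.remote_port not in allowed:
            # Abnormal behaviour: notify the administrator, but keep forwarding.
            self.alerts.append(Alert(pkt.pid, app, "behaviour",
                                     f"unexpected remote port {pkt.remote_port}"))
        return True


def run_demo():
    """Replay constructed traffic; return (alerts, per-packet permit flags)."""
    ids = AppSpecificIDS(SIGNATURE_REPOSITORY, BEHAVIOUR_BASELINE)
    ids.on_invoke(Process(100, APP_IMAGES["httpd"]))
    ids.on_invoke(Process(200, APP_IMAGES["ftpd"]))
    traffic = [
        Packet(100, 80, b"GET /index.html HTTP/1.1\r\n"),
        Packet(200, 21, b"USER anonymous\r\n"),
        Packet(200, 6667, b"NICK bot\r\n"),                     # ftpd on IRC: abnormal
        Packet(100, 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),  # httpd signature hit
        Packet(100, 80, b"GET /index.html HTTP/1.1\r\n"),        # httpd now cut off
        Packet(200, 21, b"USER anonymous\r\n"),                  # ftpd unaffected
    ]
    permitted = [ids.inspect(p) for p in traffic]
    return ids.alerts, permitted


if __name__ == "__main__":
    for alert in run_demo()[0]:
        print(f"pid {alert.pid} ({alert.app}): {alert.kind} - {alert.detail}")
```

The point the model makes explicit is scoping: the traversal pattern is only ever evaluated against httpd's traffic, and the response it triggers cuts off pid 100 alone, so ftpd's last packet still passes. The behaviour baseline catches the ftpd process talking on an unexpected port without a signature for it, which is the "application may be making the network vulnerable" notification rather than a block.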
30 Claims

1. A machine-implemented method comprising:
examining a set of instructions embodying an invoked application to identify the invoked application;
obtaining an application-specific intrusion detection signature; and
monitoring network communications for the invoked application using the application-specific intrusion detection signature to detect an intrusion.
(Dependent claims 2-11.)

12. A machine-readable medium embodying machine instructions for causing one or more machines to perform operations comprising:
examining a set of instructions embodying an invoked application to identify the invoked application;
obtaining an application-specific intrusion detection signature; and
monitoring network communications for the invoked application using the application-specific intrusion detection signature to detect an intrusion.
(Dependent claims 13-20.)

21. A system comprising:
a network;
a security operation center coupled with the network; and
one or more machines coupled with the network, each machine comprising a communication interface and a memory including an execution area configured to perform operations comprising examining a set of instructions embodying an invoked application to identify the invoked application, obtaining application-specific intrusion criteria, and monitoring network communications for the invoked application using the application-specific intrusion criteria to detect an intrusion.
(Dependent claims 22-28.)

29. A system comprising:
a security operation center;
one or more machines, each machine including means for identifying a process, obtaining a process-specific intrusion detection signature, and monitoring network communications for the process using the process-specific intrusion detection signature to detect an intrusion; and
communication means coupling the one or more machines with the security operation center.
(Dependent claim 30.)