Integrated network intrusion detection
First Claim
1. A machine-implemented method comprising:
- receiving requests for network communication services from an invoked application;
selectively designating each of the received requests as authorized or unauthorized based on an application-specific network policy; and
monitoring inbound network communications, based on the authorized requests, to detect an intrusion.
1 Assignment
0 Petitions
Accused Products
Abstract
Intrusion preludes may be detected (including detection using fabricated responses to blocked network requests), and particular sources of network communications may be singled out for greater scrutiny, by performing intrusion analysis on packets blocked by a firewall. An integrated intrusion detection system uses an end-node firewall that is dynamically controlled using invoked-application information and a network policy. The system may use various alert levels to trigger heightened monitoring states, alerts sent to a security operation center, and/or logging of network activity for later forensic analysis. The system may monitor network traffic to block traffic that violates the network policy, monitor blocked traffic to detect an intrusion prelude, and monitor traffic from a potential intruder when an intrusion prelude is detected. The system also may track behavior of applications using the network policy to identify abnormal application behavior, and monitor traffic from an abnormally behaving application to identify an intrusion.
-
Citations
33 Claims
-
1. A machine-implemented method comprising:
-
receiving requests for network communication services from an invoked application;
selectively designating each of the received requests as authorized or unauthorized based on an application-specific network policy; and
monitoring inbound network communications, based on the authorized requests, to detect an intrusion. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A machine-implemented method comprising:
-
identifying an invoked application;
receiving requests for network communication services from the invoked application;
selectively designating each of the received requests as authorized or unauthorized based on an application-specific network policy;
blocking inbound network communications that fail to correspond to an authorized request;
monitoring the blocked inbound network communications to detect an intrusion; and
initiating monitoring of network communications for the invoked application using an application-specific intrusion signature in response to one or more unauthorized requests. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
-
-
22. A system comprising:
-
an application network policy enforcer, which services network requests from an application invoked on a machine, identifies the network requests that fail to satisfy an application-specific network policy, and identifies the network requests that satisfy the application-specific network policy;
a network traffic enforcer, which blocks inbound network traffic that does not correspond to the network requests identified by the application network policy enforcer as satisfying the application-specific network policy; and
an intrusion detector, which responds to the network requests identified by the application network policy enforcer as failing to satisfy the application-specific network policy, and which responds to the inbound network traffic blocked by the network traffic enforcer. - View Dependent Claims (23)
-
-
24. A system comprising:
-
means for servicing network requests from an application invoked on a machine;
means for authorizing the network requests using an application-specific network policy;
means for blocking traffic that does not correspond to an authorized request;
means for monitoring blocked traffic to identify an intrusion prelude and to identify abnormal application behavior;
means for detecting an intrusion in response to an identified intrusion prelude; and
means for detecting an intrusion in response to identified abnormal application behavior. - View Dependent Claims (25)
-
-
26. A machine-readable medium embodying machine instructions for causing one or more machines to perform operations comprising:
-
identifying an invoked application;
receiving requests for network communication services from the invoked application;
selectively designating each of the received requests as authorized or unauthorized based on an application-specific network policy;
blocking inbound network communications that fail to correspond to an authorized request;
monitoring the blocked inbound network communications to detect an intrusion; and
initiating monitoring of network communications for the invoked application using an application-specific intrusion signature in response to one or more unauthorized requests. - View Dependent Claims (27, 28, 29, 30)
-
-
31. A machine-implemented method comprising:
-
blocking inbound network communications that fail to correspond to a network policy;
detecting a potential intrusion prelude from the blocked inbound network communications;
selectively generating a fabricated response to the detected potential intrusion prelude; and
receiving information about a potential intruder in response to the generated fabricated response. - View Dependent Claims (32, 33)
-
Specification