Method and system for analyzing and addressing alarms from network intrusion detection systems

US 20030196123A1
Filed: 05/14/2003
Published: 10/16/2003
Est. Priority Date: 03/29/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for analyzing and addressing alarms from network intrusion detection systems, comprising:

receiving an alarm indicating an attack on a target host may have occurred;

automatically accessing the target host in response to the alarm; and

automatically identifying the presence of the attack on the target host.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment of the invention, a method for analyzing and addressing alarms from network intrusion detection systems includes receiving an alarm indicating an attack on a target host may have occurred, automatically accessing the target host in response to the alarm, and identifying the presence of the attack on the target host.

107 Citations

View as Search Results

41 Claims

1. A method for analyzing and addressing alarms from network intrusion detection systems, comprising:
- receiving an alarm indicating an attack on a target host may have occurred;
  
  automatically accessing the target host in response to the alarm; and
  
  automatically identifying the presence of the attack on the target host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising automatically identifying whether the attack was successful.
  - 3. The method of claim 2, further comprising storing whether the attack was successful in a storage location for a time period.
  - 4. The method of claim 2, wherein automatically identifying whether the attack was successful comprises automatically identifying an audit trail of the attack on the target host.
  - 5. The method of claim 4, wherein the audit trail is selected from the group consisting of a modification of one or more registry keys, an entry in an access log file, a modification of a configuration file, a modification of a system directory, a modification of a system binary, a suspicious system process, and a suspicious file.
  - 6. The method of claim 4, further comprising storing the audit trail in a storage location if the attack was successful.
  - 7. The method of claim 4, further comprising initiating a remedial measure if the attack was successful.
  - 8. The method of claim 7, wherein the remedial measure is selected from the group consisting of blocking an attacking host, disabling a target host, disabling a computer service, and alerting a network administrator.
  - 9. The method of claim 1, further comprising receiving top level login privileges in order to access the target host.
  - 10. The method of claim 1, further comprising:
    - before automatically accessing the target host, automatically accessing a storage location;
      
      determining whether investigation data for the target host already exists in the storage location; and
      
      if the investigation data exists, then determining whether the investigation data is still valid; and
      
      if the investigation data does not exist, then continuing with the automatically accessing step.

11. A method for analyzing and addressing alarms from network intrusion detection systems, comprising:
- receiving an alarm indicating an attack on a target host may have occurred;
  
  automatically accessing a storage location in response to the alarm;
  
  determining whether investigation data for the target host already exists in the storage location;
  
  if the investigation data exists and the investigation data is still valid, then accessing the investigation data; and
  
  if the investigation data does not exist or if the investigation data exists but is invalid, then;
  
  automatically accessing the target host;
  
  identifying the presence of the attack on the target host;
  
  identifying whether the attack was successful; and
  
  identifying an audit trail of the attack on the target host.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The method of claim 11, further comprising storing whether the attack was successful in the storage location for a time period.
  - 13. The method of claim 11, wherein the audit trail is selected from the group consisting of a modification of one or more registry keys, an entry in an access log file, a modification of a configuration file, a modification of a system directory, a modification of a system binary, a suspicious system process, and a suspicious file.
  - 14. The method of claim 11, further comprising storing the audit trail in the storage location if the attack was successful.
  - 15. The method of claim 11, further comprising initiating a remedial measure if the attack was successful.
  - 16. The method of claim 15, wherein the remedial measure is selected from the group consisting of blocking an attacking host, disabling a target host, disabling a computer service, and alerting a network administrator.
  - 17. The method of claim 11, further comprising determining whether the target host is vulnerable to the attack.
  - 18. The method of claim 17, wherein determining whether the target host is vulnerable to the attack comprises:
    - identifying characteristics of the alarm, including at least an attack type and a target address of the target host;
      
      querying the target host for an operating system fingerprint;
      
      receiving the operating system fingerprint that includes the operating system type from the target host;
      
      comparing the attack type to the operating system type; and
      
      indicating whether the target host is vulnerable to the attack based on the comparison.
  - 19. The method of claim 11, further comprising:
    - after receiving the alarm, determining whether a format for the alarm is valid; and
      
      if the format is not valid, then disregarding the alarm;
      
      otherwise if the format is valid, then continuing the method with the automatically accessing step.
  - 20. The method of claim 11, further comprising:
    - monitoring a dynamic configuration protocol server;
      
      detecting that a lease issue has occurred for a new target host;
      
      accessing the storage location;
      
      determining whether an operating system fingerprint for the new target host already exists in the storage location; and
      
      if the operating system fingerprint for the new target host does not exist, then;
      
      querying the new target host for the operating system fingerprint;
      
      receiving the operating system fingerprint from the new target host; and
      
      storing the operating system fingerprint of the new target host in the storage location for a time period; and
      
      if the operating system fingerprint for the new target host does exist, then;
      
      purging the existing operating system fingerprint for the new target host from the storage location;
      
      querying the new target host for a new operating system fingerprint;
      
      receiving the new operating system fingerprint from the new target host; and
      
      storing the new operating system fingerprint of the new target host in the storage location for a time period.
  - 21. The method of claim 11, further comprising:
    - monitoring a dynamic configuration protocol server;
      
      detecting that a lease expire has occurred for an existing target host;
      
      accessing the storage location;
      
      determining whether an operating system fingerprint for the existing target host already exists in the storage location; and
      
      if the operating system fingerprint for the existing target host does not exist, then disregarding the lease expire; and
      
      if the operating system fingerprint for the existing target host does exist, then purging the existing operating system fingerprint for the existing target host from the storage location.

22. A system for analyzing and addressing alarms from network intrusion detection systems, comprising:
- a network intrusion detection system (NIDS) operable to transmit an alarm indicating an attack on a target host may have occurred;
  
  a software program embodied in a computer readable medium, the software program, when executed by a processor, operable to;
  
  receive the alarm;
  
  automatically access the target host in response to the alarm; and
  
  automatically identify the presence of the attack on the target host.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 23. The system of claim 22, wherein the software program is further operable to automatically identify whether the attack was successful.
  - 24. The system of claim 23, wherein the software program is further operable to store whether the attack was successful in a storage location for a time period.
  - 25. The system of claim 23, wherein the software program is further operable to automatically identify an audit trail of the attack on the target host.
  - 26. The system of claim 25, wherein the audit trail is selected from the group consisting of a modification of one or more registry keys, an entry in an access log file, a modification of a configuration file, a modification of a system directory, a modification of a system binary, a suspicious system process, and a suspicious file.
  - 27. The system of claim 25, wherein the software program is further operable to store the audit trail in a storage location if the attack was successful.
  - 28. The system of claim 25, wherein the software program is further operable to initiate a remedial measure if the attack was successful.
  - 29. The system of claim 28, wherein the remedial measure is selected from the group consisting of blocking an attacking host, disabling a target host, disabling a computer service, and alerting a network administrator.
  - 30. The system of claim 22, wherein the software program is further operable to receive top level login privileges in order to access the target host.
  - 31. The system of claim 22, wherein the software program is further operable to:
    - automatically access a storage location before automatically accessing the target host;
      
      determine whether investigation data for the target host already exists in the storage location; and
      
      if the investigation data exists, then determine whether the investigation data is still valid.

32. A system for analyzing and addressing alarms from network intrusion detection systems, comprising:
- means for receiving an alarm indicating an attack on a target host may have occurred;
  
  means for automatically accessing the target host in response to the alarm; and
  
  means for automatically identifying the presence of the attack on the target host.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 33. The system of claim 32, further comprising means for automatically identifying whether the attack was successful.
  - 34. The system of claim 33, further comprising means for storing whether the attack was successful for a time period.
  - 35. The system of claim 33, wherein means for identifying whether the attack was successful comprises means for automatically identifying an audit trail of the attack on the target host.
  - 36. The system of claim 35, wherein the audit trail is selected from the group consisting of a modification of one or more registry keys, an entry in an access log file, a modification of a configuration file, a modification of a system directory, a modification of a system binary, a suspicious system process, and a suspicious file.
  - 37. The system of claim 35, further comprising means for storing the audit trail if the attack was successful.
  - 38. The system of claim 35, further comprising means for initiating a remedial measure if the attack was successful.
  - 39. The system of claim 38, wherein the remedial measure is selected from the group consisting of blocking an attacking host, disabling a target host, disabling a computer service, and alerting a network administrator.
  - 40. The system of claim 32, further comprising means for receiving top level login privileges in order to access the target host.
  - 41. The system of claim 32, further comprising:
    - means for automatically accessing a storage location before accessing the target host;
      
      means for determining whether investigation data of the target host already exists in the storage location; and
      
      if the investigation data exists, then means for determining whether the investigation data is still valid.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Cohen, Nathan M., Campos, Stephen B., Burke, Stephen A., Snapp, Steve R., Rowland, Craig H., Shanklin, Steven D.

Application Number

US10/439,030
Publication Number

US 20030196123A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

H04L 43/00   Arrangements for monitoring...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Method and system for analyzing and addressing alarms from network intrusion detection systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

107 Citations

41 Claims

Specification

Use Cases

Quick Links

Others

Method and system for analyzing and addressing alarms from network intrusion detection systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

41 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others