Modular system for detecting, filtering and providing notice about attack events associated with network security
First Claim
1. A computer-readable medium having computer-executable instructions for performing intrusion detection of a computer network having at least one host computer coupled thereto, said computer-readable medium being loadable on the at least one host computer, said computer-readable medium comprising an array of event processing means wherein each one of said event processing means runs concurrently without impeding each other's performance, said array of event processing means monitoring resources on the at least one host computer or monitoring activity forwarded to the at least one host computer via the computer network and generating event data corresponding to said monitoring.
Abstract
A host-based intrusion detection system (HIDS) sensor that monitors, in real time, system logs for evidence of malicious or suspicious application activity and monitors key system files for evidence of tampering. This system detects attacks targeted at the host system on which it is installed and monitors output to the system and audit logs. It is signature-based: it identifies and analyzes system and audit messages for signs of system misuse or attack. The system monitors the logs of applications running on the host, including mail servers, web servers and FTP servers. The system also monitors system files and notifies the system administrator when key system and security files have been accessed, modified or even deleted.
44 Claims
- 30. A method for efficiently managing and reporting intrusion, or attempted intrusion, events of a computer network, said method comprising the steps of:
  (a) providing an array of event processing means on a host computer, coupled to the computer network, that operate concurrently without impeding each other's performance, each of said event processing means detecting a corresponding event related to intrusion, or intrusion attempts, to form event data;
  (b) passing said event data to a plurality of configured modules on the host computer, in serial fashion, that alter the contents of said event data that is to be reported to form filtered event data or that discard said event data not considered of value to report; and
  (c) passing all of said filtered event data to a second plurality of configured modules for providing notification of the intrusion or intrusion attempts.
  Dependent claims: 31 to 44.
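The three-stage pipeline of claim 30, with the signature-based log monitor and the key-file tamper check from the abstract as its concurrent event processors, as an added Python example (not the patent's own code; the log lines, signature table and file contents are constructed, and `demo` is a hypothetical driver):

```python
import hashlib, queue, re, threading
from functools import partial

# Constructed sample inputs (not captured from any real host).
SAMPLE_LOG = ["sshd[812]: Failed password for root from 203.0.113.7 port 4022 ssh2",
              "sshd[812]: Accepted publickey for alice from 198.51.100.4 port 5100 ssh2",
              "vsftpd: FAIL LOGIN: Client 203.0.113.7"]
SIGNATURES = {r"Failed password for (\S+)": "ssh_auth_failure",     # regex -> event type
              r"Accepted publickey for (\S+)": "ssh_auth_success",
              r"FAIL LOGIN: Client (\S+)": "ftp_auth_failure"}
BASELINE = {"/etc/passwd": hashlib.sha256(b"root:x:0:0::/root:/bin/sh\n").hexdigest()}
CURRENT_FILES = {"/etc/passwd": b"root:x:0:0::/root:/bin/sh\nevil:x:0:0::/:/bin/sh\n"}

def log_monitor(lines, sink):
    """Event processor: emit an event for every log line matching a signature."""
    for line in lines:
        for pattern, kind in SIGNATURES.items():
            m = re.search(pattern, line)
            if m:
                sink.put({"type": kind, "detail": m.group(1), "raw": line})
def file_monitor(files, baseline, sink):
    """Event processor: emit an event when a key file's hash leaves the baseline."""
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if baseline.get(path) != digest:
            sink.put({"type": "file_tampered", "detail": path, "raw": digest})
def drop_noise(ev):  # filter module: discard events not considered worth reporting
    return None if ev["type"] == "ssh_auth_success" else ev
def redact_raw(ev):  # filter module: alter the event contents before reporting
    return {**ev, "raw": "<redacted>"}

def run_pipeline(processors, filters, notifiers):
    """Concurrent processors feed one queue; filters run in series; notifiers fan out."""
    sink = queue.Queue()
    threads = [threading.Thread(target=p, args=(sink,)) for p in processors]
    for t in threads: t.start()
    for t in threads: t.join()
    reported = []
    while not sink.empty():
        ev = sink.get()
        for f in filters:  # serial chain: a None result discards the event
            ev = f(ev)
            if ev is None: break
        if ev is not None:
            for notify in notifiers: notify(ev)
            reported.append(ev)
    return reported
def demo(notifications):  # hypothetical driver: both monitors, both filters, one notifier
    return run_pipeline([partial(log_monitor, SAMPLE_LOG),
                         partial(file_monitor, CURRENT_FILES, BASELINE)],
                        [drop_noise, redact_raw], [notifications.append])
```

The successful-login event is discarded by the first filter, the remaining events reach the notifier with their raw payload altered, and the appended `/etc/passwd` line shows up as a `file_tampered` event.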