Modular system for detecting, filtering and providing notice about attack events associated with network security

US 20040049693A1
Filed: 09/11/2002
Published: 03/11/2004
Est. Priority Date: 09/11/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-readable medium having computer-executable instructions for performing intrusion detection of a computer network having at least one host computer coupled thereto, said computer-readable medium being loadable on the at least one host computer, said computer-readable medium comprising an array of event processing means wherein each one of said event processing means runs concurrently without impeding each other'"'"'s performance, said array of event processing means monitoring resources on the at least one host computer or monitoring activity forwarded to the at least one host computer via the computer network and generating event data corresponding to said monitoring.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A host-based intrusion detection system (HIDS) sensor that monitors system logs for evidence of malicious or suspicious application activity running in real time and monitors key system files for evidence of tampering. This system detects attacks targeted at the host system on which it is installed and monitors output to the system and audit logs. It is signature-based and identifies and analyzes system and audit messages for signs of system misuse or attack. The system monitors the logs of applications running on the host, including mail servers, web servers and FTP servers. The system also monitors system files and notifies the system administrator when key system and security files have been accessed, modified or even deleted.

Citations

44 Claims

1. A computer-readable medium having computer-executable instructions for performing intrusion detection of a computer network having at least one host computer coupled thereto, said computer-readable medium being loadable on the at least one host computer, said computer-readable medium comprising an array of event processing means wherein each one of said event processing means runs concurrently without impeding each other'"'"'s performance, said array of event processing means monitoring resources on the at least one host computer or monitoring activity forwarded to the at least one host computer via the computer network and generating event data corresponding to said monitoring.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 2. The computer-readable medium of claim 1 wherein one of said array of event processing means comprises a plurality of file monitoring means.
  - 3. The computer-readable medium of claim 2 wherein one of said plurality of file monitoring means comprises means for monitoring an MD5 checksum of files.
  - 4. The computer-readable medium of claim 2 wherein one of said plurality of file monitoring means comprises means for monitoring file attributes.
  - 5. The computer-readable medium of claim 2 wherein one of said plurality of file monitoring means comprises means for monitoring signature patterns in the content of file logs.
  - 6. The computer-readable medium of claim 1 wherein one of said array of event processing means comprises means for monitoring SNMP traps using signatures.
  - 7. The computer-readable medium of claim 1 wherein the at least one host computer comprises an operating system and wherein one of said array of event processing means comprises means for monitoring TCP/IP service requests that interact with the operating system.
  - 8. The computer-readable medium of claim 1 wherein the at least one host computer comprises an operating system and wherein one of said array of event processing means event detection engine comprises means for monitoring the kernel of the operating system.
  - 9. The computer-readable medium of claim 1 wherein the at least one host computer comprises an operating system having an event log and wherein one of said array of event processing means comprises means for monitoring the event log using signatures.
  - 10. The computer-readable medium of claim 1 wherein the at least one host computer comprises an operating system having an event registry and wherein one of said array of event processing means comprises means for monitoring the event registry.
  - 11. The computer readable medium of claim 1 wherein each of said array of event processing means comprises a dynamically-linked module.
  - 12. The computer readable medium of claim 1 wherein any one of said array of event processing means comprises simple scripts.
  - 13. The computer-readable medium of claim 1 further comprising an event filter engine for filtering all event data from said array of event processing means, said event filter engine either altering the contents of the event data to form filtered event data or discarding the event data.
  - 14. The computer-readable medium of claim 13 wherein said event filter engine alters the contents of the event data by altering an event data name based on a source network address related to said event data.
  - 15. The computer-readable medium of claim 14 wherein said event filter engine comprises a plurality of configured modules, said event filter engine passing all event data through said configured modules serially.
  - 16. The computer readable medium of claim 15 wherein each of said configured modules comprises a dynamically-linked module.
  - 17. The computer readable medium of claim 15 wherein any one of said configured modules comprises simple scripts.
  - 18. The computer-readable medium of claim 13 further comprising an event alerting engine for generating alerts based on said filtered event data or forwarding said filtered event data to a destination.
  - 19. The computer-readable medium of claim 18 wherein said event alerting engine generates SNMP traps based on said filtered event data.
  - 20. The computer-readable medium of claim 18 wherein said event alerting engine transfers said filtered event data to a screen or updates SQL databases based on said filtered event data.
  - 21. The computer-readable medium of claim 15 wherein said event alerting engine comprises a second plurality of configured modules and wherein each of said second plurality of configured modules receives all of said filtered event data.
  - 22. The computer readable medium of claim 21 wherein each of said second plurality of configured modules comprises a dynamically linked module.
  - 23. The computer readable medium of claim 21 wherein any one of said second plurality of configured modules comprises simple scripts.
  - 24. The computer-readable medium of claim 21 wherein one of said second plurality of configured modules is a ring buffer alert module for providing an event flow processor with said filtered data to report said filtered event data.
  - 25. The computer-readable medium of claim 21 wherein one of said second plurality of configured modules is a replication agent alerting module for providing an event flow processor with said filtered data to report said filtered event data.
  - 26. The computer-readable medium of claim 21 wherein one of said second plurality of configured modules is a database alerting module for recording said filtered event data in an intrusion system database.
  - 27. The computer-readable medium of claim 21 wherein one of said second plurality of configured modules is an export log alerting module for generating a local export log of said filtered event data.
  - 28. The computer-readable medium of claim 21 wherein one of said second plurality of configured modules is an SNMP trap alerting module for generating alerts based on events that are detected.
  - 29. The computer-readable medium of claim 21 wherein one of said second plurality of configured modules is a hex dump alerting module for displaying events on a monitor as the events occur.

30. A method for efficiently managing and reporting intrusion, or attempted intrusion, events of a computer network, said method comprising the steps of:
- (a) providing an array of event processing means on a host computer, coupled to the computer network, that operate concurrently without impeding each other'"'"'s performance, each of said event processing means detecting a corresponding event related to intrusion, or intrusion attempts, to form event data;
  
  (b) passing said event data to a plurality of configured modules on the host computer, in serial fashion, that alter the contents of said event data that is to be reported to form filtered event data or that discard said event data not considered of value to report; and
  
  (c) passing all of said filtered event data to a second plurality of configured modules for providing notification of the intrusion or intrusion attempts.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 31. The method of claim 30 wherein said step of providing an array of event processing means comprises monitoring an MD5 checksum of files.
  - 32. The method of claim 30 wherein said step of providing an array of event processing means comprises monitoring file attributes.
  - 33. The method of claim 30 wherein said step of providing an array of event processing means comprises monitoring signature patterns in the content of file logs.
  - 34. The method of claim 30 wherein said step of providing an array of event processing means comprises monitoring SNMP traps using signatures.
  - 35. The method of claim 30 wherein the host computer comprises an operating system and wherein said step of providing an array of event processing means comprises monitoring TCP/IP service requests that interact with the operating system.
  - 36. The method of claim 30 wherein the host computer comprises an operating system and wherein said step of providing an array of event processing means comprises monitoring the kernel of the operating system.
  - 37. The method of claim 30 wherein the host computer comprises an operating system and wherein said step of providing an array of event processing means comprises monitoring the event log using signatures.
  - 38. The method of claim 30 wherein the host computer comprises an operating system and wherein said step of providing an array of event processing means comprises monitoring the event registry.
  - 39. The method of claim 30 wherein said step of altering the contents of said event data that is to be reported to form filtered event data comprises altering the name of event data based on a source network address related to said event data.
  - 40. The method of claim 30 wherein said step of passing all of said filtered event data to a second plurality of configured modules comprises providing notification providing an event flow processor with said filtered data to report said filtered event data.
  - 41. The method of claim 30 wherein said step of passing all of said filtered event data to a second plurality of configured modules comprises recording said filtered event data in an intrusion system database.
  - 42. The method of claim 30 wherein said step of passing all of said filtered event data to a second plurality of configured modules comprises generating a local expert log of said filtered event data.
  - 43. The method of claim 30 wherein said step of passing all of said filtered event data to a second plurality of configured modules comprises generating alerts based on events that are detected.
  - 44. The method of claim 30 wherein said step of passing all of said filtered event data to a second plurality of configured modules comprises displaying events on a monitor as the events occur.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Enterasys Networks Incorporated (Extreme Networks, Inc.)
Inventors
Douglas, Kevin

Granted Patent

US 7,152,242 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1408 by monitoring network traff...

Modular system for detecting, filtering and providing notice about attack events associated with network security

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Modular system for detecting, filtering and providing notice about attack events associated with network security

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links