Adaptive intrusion detection system

US 20040073800A1
Filed: 05/22/2003
Published: 04/15/2004
Est. Priority Date: 05/22/2002
Status: Abandoned Application

First Claim

Patent Images

8. An intrusion detection system comprising:

a vulnerability determination tool to identify defects on one or more computers, hosts, or combination thereof a correlation engine and database to correlate the defects with attack signatures to identify specific attack signatures that relate to the specific vulnerabilities identified;

an intrusion detection sensor to facilitate identifying and inhibiting or dropping IP sessions or communication traffic associated with the attempted exploitation of the specific vulnerabilities identified.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion detection method wherein a vulnerability determination or vulnerability assessment of one or more computers or hosts is performed to determine whether and what vulnerabilities exist on the computers or hosts, accomplished by using existing vulnerability determination or vulnerability assessment information that can be continually updated. Attack signatures, which can also be continually updated, are identified and correlated with the specific vulnerabilities identified. One or more designated IP sessions associated with attempted vulnerability exploitation are then inhibited or disconnected.

145 Citations

16 Claims

8. An intrusion detection system comprising:
- a vulnerability determination tool to identify defects on one or more computers, hosts, or combination thereof a correlation engine and database to correlate the defects with attack signatures to identify specific attack signatures that relate to the specific vulnerabilities identified;
  
  an intrusion detection sensor to facilitate identifying and inhibiting or dropping IP sessions or communication traffic associated with the attempted exploitation of the specific vulnerabilities identified.
- View Dependent Claims (1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 13, 14, 15)
- - 1. An intrusion detection method comprising:
    - retrieving vulnerability information;
      
      retrieving attack signatures;
      
      performing a vulnerability assessment of one or more of the following, computers, hosts or combination thereof to determine what vulnerabilities exist on the aforementioned; and
      
      correlating the attack signatures with the determined existing vulnerabilities to identify vulnerability exploit attempts.
  - 2. The intrusion detection method of claim 1 further comprising:
    - distinguishing between traffic to the one or more computers and/or host having vulnerabilities and those not having vulnerabilities; and
      
      only performing a vulnerability assessment on the one or more computers and/or hosts having vulnerabilities.
  - 3. The intrusion detection method of claim 1 further comprising:
    - only including attack signatures that are specific to the identified vulnerabilities in the correlation step.
  - 4. The intrusion detection method of claim 1 wherein the existence of vulnerabilities on the computer(s) is determined by:
    - querying a security gateway for IP addresses and services of the computers; and
      
      using the vulnerability information and the IP addresses and services.
  - 5. The intrusion detection method of claim 1 further comprising:
    - inhibiting or disconnecting one or more designated IP sessions associated with attempted vulnerability exploitation.
  - 6. The intrusion detection method of claim 1 further comprising:
    - updating the vulnerability information; and
      
      repeating the steps of claim 1.
  - 7. The intrusion detection method of claim 1 further comprising:
    - determining the computer'"'"'s vulnerability state, and if the computer is not vulnerable, bypassing the signature correlation step.
  - 9. The intrusion detection system of claim 8 further comprising a firewall, wherein the intrusion detection sensor instructs the firewall to inhibit or drop IP sessions or communication traffic associated with the attempted exploitation of the specific vulnerabilities identified.
  - 10. The intrusion detection system of claim 9 further comprising an application programming interface to pull vulnerability information into a vulnerability determination tool;
    - and wherein the application programming interface and firewall are integrated into a single component.
  - 11. The intrusion detection system of claim 8 wherein a security gateway or firewall are integrated into a single component and or on a single device or computer.
  - 12. The intrusion detection system of claim 1 further comprising an Internet-based Web interface.
  - 13. The intrusion detection system of claim 1 further comprising a means for updating the vulnerability determination assessment tool.
  - 14. A computer readable medium to carry out the method of claim 1.
  - 15. A system comprising one or more computers to carry out the method of claim 1.

10-1. The intrusion detection system of claim 8 further comprising:
- an application programming interface to pull vulnerability information into a vulnerability determination tool.

16. An intrusion detection method comprising:
- retrieving network and system configuration information;
  
  retrieving vulnerability information and attack signature rules;
  
  analyzing potential vulnerabilities only for systems and services present in the network;
  
  determining the presence of vulnerabilities or performing a vulnerability assessment of one or more computers or hosts to determine if the computers or hosts are vulnerable and what specific vulnerabilities exist on the computers;
  
  retrieving vulnerability assessment information;
  
  correlating the attack signatures with the specific vulnerabilities identified;
  
  only examining communication traffic bound for vulnerable computers or hosts and/or only comparing communication traffic to the attack signatures that relate to the specific vulnerabilities of the computers, hosts or systems and services identified by the intrusion detection system; and
  
  dropping or inhibiting traffic or instructing the security gateway to drop or inhibit traffic identified by the intrusion detection engine of the system or the firewall as matching the attack signatures that relate to the specific vulnerabilities identified by the intrusion detection system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Phatak, Vikram, Shah, Paragi, Scipioni, Robert

Application Number

US10/443,568
Publication Number

US 20040073800A1
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1433 Vulnerability analysis

Adaptive intrusion detection system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

145 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive intrusion detection system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

145 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links