Intrusion detection system

US 20040098623A1
Filed: 10/30/2003
Published: 05/20/2004
Est. Priority Date: 10/31/2002
Status: Active Grant

First Claim

Patent Images

1. A computer network intrusion detection system comprising:

an intrusion detector for detecting external attacks upon a computer network;

an analyzer coupled to said intrusion detector for analyzing each detected attack and determining a characteristic indicative thereof; and

a filter coupled to said analyzer for generating an alert based upon characteristics of a plurality of attacks.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion detection system monitors the rate and characteristics of Internet attacks on a computer network and filters attack alerts based upon various rates and frequencies of the attacks. The intrusion detection system monitors attacks on other hosts and determines if the attacks are random or general attacks or attacks directed towards a specific computer network and generates a corresponding signal. The intrusion detections system also tests a computer network'"'"'s vulnerability to attacks detected on the other monitored hosts.

179 Citations

20 Claims

1. A computer network intrusion detection system comprising:
- an intrusion detector for detecting external attacks upon a computer network;
  
  an analyzer coupled to said intrusion detector for analyzing each detected attack and determining a characteristic indicative thereof; and
  
  a filter coupled to said analyzer for generating an alert based upon characteristics of a plurality of attacks.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system according to claim 1 wherein said filter generates a first alert signal in response to an attack having a new characteristic, and further generates a second alert signal indicative of a predetermined plurality of attacks having the new characteristic occurring within a predetermined time.
  - 3. The system according to claim 1 wherein said filter generates a first alert signal in response to an attack having a new characteristic, and further generates a subsequent first alert signal in response to a subsequent attack having the new characteristic occurring after an absence of attacks having the new characteristic occurring within a predetermined time.
  - 4. The system according to claim 1 wherein said filter generates the alert in response to attacks of a predetermined characteristic exceeding a predetermined rate or frequency.
  - 5. The system according to claim 4 wherein the predetermined rate or frequency deterministically varies.
  - 6. The system according to claim 1 further comprising a second intrusion detector for detecting attacks upon a second computer network, wherein said filter is further coupled to said second intrusion detector and communicates the alert to the computer network in response to attacks of a predetermined characteristic upon the second computer network exceeding a predetermined rate or frequency.
  - 7. The system according to claim 1 further comprising:
    - a vulnerability tester coupled to said analyzer for testing a second computer network for a vulnerability to an attack characteristic detected by said analyzer.
  - 8. The system according to claim 1 further comprising:
    - an second intrusion detector for detecting external attacks upon a second computer network;
      
      a second analyzer coupled to said second intrusion detector for analyzing each detected attack upon the second network and determining a characteristic indicative thereof, wherein said filter is further coupled to said second analyzer and further compares the attack characteristics determined by said analyzer and said second analyzer and generates a general attack alert in response to a substantial similarity in the comparison.
  - 9. The system according to claim 1 further comprising:
    - a second intrusion detector for detecting external attacks upon a second computer network;
      
      a second analyzer coupled to said second intrusion detector for analyzing each detected attack upon the second network and determining a characteristic indicative thereof, wherein said filter is further coupled to said second analyzer and further compares the attack characteristics determined by said analyzer and said second analyzer and generates a specific attack alert in response to a substantial absence of similarity in the comparison.
  - 10. The system according to claim 9 further comprising an alert generator for generating an alert indicative of the specific attack on the one of the networks experiencing the attacks having the absence of similarity of attacks on the other of the networks.
  - 11. The system according to claim 9 further comprising:
    - a vulnerability tester coupled to said filter for testing the one of the networks not experiencing the attacks for a vulnerability to the attack characteristic experienced by the other of the computer networks.

12. A method of generating a network intrusion alert for a first network coupled to a multiple client network system comprising the steps of:
- determining a characteristic of an attack upon the first network;
  
  determining if the characteristic matches a characteristic of an attack upon a second client coupled to the multiple client network system; and
  
  generating a first alert in response to an absence of the match.
- View Dependent Claims (13, 14, 15)
- - 13. The method according to claim 12 further comprising the step of generating a second alert in response to the presence of the match.
  - 14. The method according to claim 13 wherein the first alert is indicative of a specific attack on the first network and the second alert is indicative of a non-specific attack on the first network.
  - 15. The method according to claim 12 wherein said step of determining if the characteristic matches a characteristic of an attack upon a second client determines if the characteristic matches a characteristic of attacks upon multiple clients coupled to the multiple client network system.

16. A method of preempting an intrusion comprising the steps of:
- determining characteristics of an attack upon a first host; and
  
  testing a second host for a susceptibility to an attack of the determined characteristics.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method according to claim 16 further comprising the step of further determining if the characteristic of the attack upon the first host is a new characteristic, wherein said step of testing does not test the susceptibility of the second host if said step of further determining does not determine that the characteristic of the attack upon the first host corresponds to the new characteristic.
  - 18. The method according to claim 17 wherein the new characteristic corresponds to a characteristic not previously determined.
  - 19. The method according to claim 16 further comprising the step of generating an alert if said step of testing indicates that the second host is susceptible to the determined characteristics.
  - 20. The method according to claim 16 further comprising the step of filtering the determined characteristics of a plurality of attacks determined by said step of determining and generating an alert signal in response to a substantial increase in frequency or rate of attacks of the characteristic, wherein said step of testing tests the susceptibility of the second host in response to the alert signal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Secnap Networks Security LLC
Original Assignee
Secnap Networks Security LLC
Inventors
Scheidell, Michael

Granted Patent

US 7,603,711 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 43/00   Arrangements for monitoring...

H04L 43/06   Generation of reports

H04L 43/16   Threshold monitoring

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Intrusion detection system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

179 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

179 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links