Rule-based network survivability framework

US 20040111638A1
Filed: 12/09/2002
Published: 06/10/2004
Est. Priority Date: 12/09/2002
Status: Abandoned Application

First Claim

Patent Images

1. :

A hierarchical system comprising;

at least one network sensor device (NSD) to monitor a behaviour of a network and perform a first action based at least in part upon a first set of rules;

at least one network operating center (NOC) to at least process events received from the at least one network sensor device; and

at least one system operating center (SOC) to at least create a second set of rules and distribute the second set of rules to selected ones of the at least one network sensor device or the at least one network operating center.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure relates to the survivability of a network system and, more particularly, to a multi-tiered network intrusion detection and response system.

62 Citations

View as Search Results

32 Claims

1. :
- A hierarchical system comprising;
  
  at least one network sensor device (NSD) to monitor a behaviour of a network and perform a first action based at least in part upon a first set of rules;
  
  at least one network operating center (NOC) to at least process events received from the at least one network sensor device; and
  
  at least one system operating center (SOC) to at least create a second set of rules and distribute the second set of rules to selected ones of the at least one network sensor device or the at least one network operating center.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. :
    - The hierarchal system of claim 1, wherein the at least one network sensor device, the at least one network operating center, and the at least one system operating center are arranged in a tiered fashion;
      
      the at least one network sensor device occupies the lowest tier of the hierarchical arrangement; and
      
      the at least one system operating center occupies the highest tier of the hierarchical arrangement.
  - 3. :
    - The system of claim 1, wherein the network sensor device includes;
      
      a network interface to facilitate the monitoring of the behaviour of a network;
      
      a storage medium to store a first set of rules; and
      
      a rule engine to detect a first adverse network condition utilizing, at least in part, the first set of rules; and
      
      performing a first action based, at least in part, upon the first adverse network condition and the first set of rules.
  - 4. :
    - The system of claim 1, wherein the first action performed by the rule engine includes at least one of the following;
      
      logging information pertaining to the first adverse network condition to a file;
      
      forwarding data to a second network sensor device;
      
      transmitting an instruction or rule to a second network sensor device;
      
      transmitting a request for data to second network sensor device;
      
      ignoring the first adverse network condition;
      
      altering an internal state of the rules engine; and
      
      altering the first set of rules utilized by the network sensor device.
  - 5. :
    - The system of claim 1, wherein the at least one network sensor device is capable of receiving the second set of rules; and
      
      updating the first set of rules utilizing the second set of rules.
  - 6. :
    - The system of claim 1, wherein the network operating center includes a network sensor device.
  - 7. :
    - The system of claim 1, wherein the network operating center is capable of receiving events from the at least one network sensor device;
      
      filtering the events utilizing a third set of rules; and
      
      reporting at least one event to the system operating center.
  - 8. :
    - The system of claim 7, wherein the network operating center is capable of determining a second action to perform based on the third set of rules; and
      
      transmitting a fourth set of rules to the network sensor device; and
      
      wherein the NSD is capable of, during operation, receiving the fourth set of rules;
      
      updating the first set of rules utilizing the fourth set of rules.
  - 9. :
    - The system of claim 8, wherein the network sensor device is capable of updating the first set of rules utilizing at least one of the following;
      
      modifying the first set of rules as instructed by the fourth set of rules;
      
      replacing the first set of rules with the fourth set of rules; and
      
      appending the fourth set of rules to the first set of rules.
  - 10. :
    - The system of claim 8, wherein the network operating center is capable of transmitting a fourth set of rules to a first network sensor device; and
      
      transmitting a fifth set of rules to a second network sensor device.
  - 11. :
    - The system of claim 8, wherein the system operating center is capable of receiving a report from the at least one network operating center; and
      
      transmitting the second set of rules in response to the received report.
  - 12. :
    - The system of claim 11, wherein the system operating center is capable of transmitting the second set of rules to at least one network sensor device.
  - 13. :
    - The system of claim 11, wherein the sensor operating center includes a network sensor device.
  - 14. :
    - The system of claim 13, wherein the sensor operating center is capable of dynamically creating the second set of rules utilizing a third set of rules.

15. :
- An apparatus comprising;
  
  a network interface to facilitate the monitoring of the behaviour of a network;
  
  a memory to store a first set of rules; and
  
  a rule engine to detect a first adverse network condition utilizing, at least in part, the first set of rules; and
  
  perform a first action based, at least in part, upon the first adverse network condition and the first set of rules.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. :
    - The apparatus of claim 15, wherein the first action performed by the rule engine includes at least one of the following;
      
      logging information pertaining to the first adverse network condition to a file;
      
      forwarding data to a second network sensor device;
      
      transmitting an instruction or rule to a second network sensor device;
      
      transmitting a request for data to second network sensor device;
      
      ignoring the first adverse network condition;
      
      altering an internal state of the rules engine; and
      
      altering the first set of rules utilized by the network sensor device.
  - 17. :
    - The apparatus of claim 15, wherein the rule engine is capable of receiving a second set of rules; and
      
      updating the first set of rules utilizing the second set of rules.
  - 18. :
    - The apparatus of claim 17, wherein the rule engine is capable of receiving events from at least one network sensor device;
      
      filtering the events utilizing the first set of rules; and
      
      reporting at least one event to a system operating center.
  - 19. :
    - The apparatus of claim 17, wherein the rule engine is capable of dynamically creating a third set of rules utilizing the first set of rules.
  - 20. :
    - The apparatus of claim 19, wherein the rule engine is capable of monitoring a behaviour of a network.
  - 21. :
    - The apparatus of claim 20, wherein the rule engine is capable of monitoring at least one of the following;
      
      the state of a computer;
      
      an amount of computer processor usage;
      
      an amount of storage space available to a computer;
      
      traffic on a network; and
      
      the available bandwidth of a network.
  - 22. :
    - The apparatus of claim 21, wherein the set of rules includes rules for generating an event as a result of at least one of the following network attacks;
      
      a network identify spoofing attack;
      
      a denial-of-service attack;
      
      a password-based attack;
      
      a data modification attack;
      
      a man-in-the-middle attack;
      
      a worm attack;
      
      a compromised key attack; and
      
      an application-layer attack.

23. :
- A method of utilizing a first network intrusion detection device (NIDD) that is part of a network intrusion detection system (NIDS) that is arranged in a hierarchal fashion comprising;
  
  monitoring a behaviour of a network;
  
  detecting a first adverse network condition utilizing, at least in part, a first set of rules;
  
  performing a first action to facilitate attempting to maintain the survivability of the network; and
  
  dynamically changing the first set of rules based, at least in part, upon the behaviour of the network.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. :
    - The method of claim 23, wherein dynamically changing the first set of rules includes;
      
      reporting an event to a second device that is part of the network intrusion detection system that is part of a higher tier;
      
      receiving a second set of rules from the second device; and
      
      altering the first set of rules utilizing, at least in part, the second set of rules.
  - 25. :
    - The method of claim 23, further comprising;
      
      generating a first event based, at least in part, upon the monitored behaviour and the first set of rules; and
      
      wherein detecting a first adverse network condition includes;
      
      considering the first event to be an adverse network condition based, at least in part, upon the first set of rules.
  - 26. :
    - The method of claim 25, further comprising;
      
      monitoring, at least in part, of at least one of the following;
      
      the state of a computer;
      
      an amount of computer processor usage;
      
      an amount of storage space available to a computer;
      
      traffic on a network; and
      
      the available bandwidth of a network; and
      
      generating a first event based at leats in part upon the monitoring.
  - 27. :
    - The method of claim 25, wherein performing the first action includes;
      
      assigning the first adverse network condition a priority based, at least in part upon, the first set of rules; and
      
      further comprising;
      
      selecting the first action to perform based, at least in part, upon the assigned priority.
  - 28. :
    - The method of claim 25, wherein performing the first action includes ignoring the first adverse network condition if the first network condition is assigned a low priority.
  - 29. :
    - The method of claim 25, wherein performing the first action includes performing at least one of the following actions;
      
      logging the occurrence of the adverse network condition;
      
      forwarding data to a second device that is part of the network intrusion detection system;
      
      transmitting an instruction or rule to a second device that is part of the network intrusion detection system;
      
      transmitting a request for data to a second device that is part of the network intrusion detection system;
      
      altering an internal state machine of to a second device that is part of the network intrusion detection system; and
      
      altering a rule utilized by to a second device that is part of the network intrusion detection system.

30. :
- An article comprising;
  
  a storage medium having a plurality of machine accessible instructions, wherein when the instructions are executed by a machine, the instructions provide for utilizing a first network intrusion detection device (NIDD) that is part of a network intrusion detection system (NIDS) that is arranged in a hierarchal fashion comprising;
  
  monitoring a behaviour of a network;
  
  detecting a first adverse network condition utilizing, at least in part, a first set of rules;
  
  performing a first action to facilitate attempting to maintain the survivability of the network; and
  
  dynamically changing the first set of rules based, at least in part, upon the behaviour of the network.
- View Dependent Claims (31, 32)
- - 31. :
    - The article of claim 30, wherein the instructions providing for dynamically changing the first set of rules includes instructions for;
      
      reporting an event to a second device that is part of the network intrusion detection system that is part of a higher tier;
      
      receiving a second set of rules from the second device; and
      
      altering the first set of rules utilizing, at least in part, the second set of rules.
  - 32. :
    - The article of claim 30, wherein the instructions providing for performing a first action to facilitate attempting to maintain the survivability of the network includes instructions for;
      
      logging the occurrence of the adverse network condition to a file; and
      
      transmitting data to a second network intrusion detection device that is part of a higher tier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Bhide, Nilesh M., Yadav, Satyendra

Application Number

US10/315,579
Publication Number

US 20040111638A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1458 Denial of Service

Rule-based network survivability framework

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

62 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

Rule-based network survivability framework

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others