Multi-tier intrusion detection system

US 20040123141A1
Filed: 12/18/2002
Published: 06/24/2004
Est. Priority Date: 12/18/2002
Status: Abandoned Application

First Claim

Patent Images

1. A system comprising:

a global intrusion detection (GID) agent, the GID agent to generate an update in response to first received information;

a number of network intrusion detection (NID) agents, each of the NID agents coupled with the GID agent, each NID agent to generate an alert in response to second received information; and

a number of local intrusion detection (LID) agents, each of the LID agents coupled with one of the NID agents, each LID agent to generate an alert in response to a detected event.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A dynamic, multi-tier intrusion detection system for a computer network. The multi-tier intrusion detection system includes a global intrusion detection (GID) agent. A number of network intrusion detection (NID) agents may each be coupled with the GID agent, each NID agent being associated with a network. One or more local intrusion detection (LID) agents are coupled with each NID agent.

Citations

44 Claims

1. A system comprising:
- a global intrusion detection (GID) agent, the GID agent to generate an update in response to first received information;
  
  a number of network intrusion detection (NID) agents, each of the NID agents coupled with the GID agent, each NID agent to generate an alert in response to second received information; and
  
  a number of local intrusion detection (LID) agents, each of the LID agents coupled with one of the NID agents, each LID agent to generate an alert in response to a detected event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein the first received information includes the alert provided by one of the NID agents.
  - 3. The system of claim 1, further comprising a database associated with the GID agent.
  - 4. The system of claim 3, wherein the database has an intrusion signature stored therein.
  - 5. The system of claim 4, wherein the GID agent modifies the intrusion signature based upon the first received information and the update includes the modified intrusion signature.
  - 6. The system of claim 4, wherein the intrusion signature comprises part of a sensor rule.
  - 7. The system of claim 1, wherein the GID agent creates an intrusion signature based upon the first received information and includes the created intrusion signature in the update.
  - 8. The system of claim 1, wherein the GID agent provides the update to each of the NID agents.
  - 9. The system of claim 1, wherein the second received information includes the alert provided by one of the LID agents.
  - 10. The system of claim 1, further comprising a database associated with each of the NID agents.
  - 11. The system of claim 10, the database of each NID agent to store the update received from the GID agent.
  - 12. The system of claim 1, each NID agent to generate an update in response to the second received information.
  - 13. The system of claim 12, each NID agent to provide the update to each LID agent coupled therewith.
  - 14. The system of claim 1, further comprising a database associated with each of the LID agents.

15. A method comprising:
- running a global intrusion detection (GID) agent on a first computer system;
  
  running a network intrusion detection (NID) agent on each of a number of second computer systems, each second computer system coupled with the first computer system; and
  
  running a local intrusion detection (LID) agent on each of a number of computing nodes, each computing node coupled with one of the second computer systems;
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 16. The method of claim 15, further comprising providing a sensor rule to the GID agent.
  - 17. The method of claim 16, further comprising storing the sensor rule in a database of the GID agent.
  - 18. The method of claim 15, further comprising transmitting an update from the GID agent to each of the NID agents.
  - 19. The method of claim 18, further comprising storing the update in a database of each NID agent.
  - 20. The method of claim 18, wherein the update includes an intrusion signature.
  - 21. The method of claim 15, further comprising transmitting an update from one of the NID agents to the LID agents coupled with the one NID agent.
  - 22. The method of claim 21, further comprising storing the update in a database of each of the LID agents coupled with the one NID agent.
  - 23. The method of claim 21, wherein the update includes an intrusion signature.
  - 24. The method of claim 15, further comprising:
    - detecting an event at one of the LID agents;
      
      generating an alert in response to the detected event; and
      
      transmitting the alert from the one LID agent to the NID agent of the one second computer system.
  - 25. The method of claim 24, further comprising:
    - generating an update at the NID agent of the one second computer system in response to the alert; and
      
      transmitting the update to each computing node coupled with the one second computer system.
  - 26. The method of claim 15, further comprising:
    - receiving a number of alerts at one of the NID agents, each of the alerts received from one of the LID agents;
      
      generating a second alert in response to the received alerts; and
      
      transmitting the second alert from the one NID agent to the GID agent.
  - 27. The method of claim 26, further comprising:
    - generating an update at the GID agent in response to the second alert; and
      
      transmitting the update to the NID agent on each of the second computer systems.

28. A method comprising:
- monitoring for the occurrence of an event at one of a number of local intrusion detection (LID) agents, each of the LID agents coupled with a network intrusion detection (NID) agent;
  
  transmitting a first alert from the one LID agent to the NID agent in response to detection of the event, the NID agent coupled with a global intrusion detection (GID) agent; and
  
  transmitting a second alert from the NID agent to the GID agent in response to the first alert.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 29. The method of claim 28, wherein the second alert is transmitted in response to the first alert and at least one other alert received from one of the LID agents.
  - 30. The method of claim 28, wherein the first alert is transmitted in response to detection of the event and detection of at least one more of the events.
  - 31. The method of claim 28, wherein the event corresponds to an intrusion signature.
  - 32. The method of claim 28, further comprising:
    - generating an update at the GID agent in response to the second alert; and
      
      transmitting the update from the GID agent to the NID agent and a number of other NID agents.
  - 33. The method of claim 32, further comprising transmitting another update from the NID agent to each of the LID agents in response to receipt of the update from the GID agent.
  - 34. The method of claim 28, further comprising:
    - generating an update at the NID agent in response to receipt of the first alert; and
      
      transmitting the update from the NID agent to each of the LID agents.
  - 35. The method of claim 28, further comprising modifying a database of the GID agent in response to the second alert.
  - 36. The method of claim 28, further comprising modifying a database of the NID agent in response to the first alert.
  - 37. The method of claim 28, further comprising modifying a database of the one LID agent in response to detection of the event.

38. An intrusion detection system comprising:
- a first tier, the first tier including a global intrusion detection (GID) agent running on a first computer system;
  
  a second tier, the second tier including a number of network intrusion detection (NID) agents, each of the NID agents running on one of a number of second computer systems, each second computer system coupled with the first computer system; and
  
  a third tier, the third tier including a number of local intrusion detection (LID) agents, each LID agent running on a computing node coupled with one of the second computer systems.
- View Dependent Claims (39, 40)
- - 39. The intrusion detection system of claim 38, wherein each of the second computer systems and the computing nodes coupled therewith comprises a network.
  - 40. The intrusion detection system of claim 39, wherein the network comprises an enterprise network.

41. A product comprising:
- a first machine accessible medium providing content that, when accessed by a first machine, causes the first machine to provide a global intrusion detection agent;
  
  a second machine accessible medium providing content that, when accessed by a second machine, causes the second machine to provide a network intrusion detection agent, the second machine coupled with the first machine; and
  
  a third machine accessible medium providing content that, when accessed by a third machine, causes the third machine to provide a local intrusion detection agent, the third machine coupled with the second machine.
- View Dependent Claims (42, 43, 44)
- - 42. The product of claim 41, wherein the second machine and the third machine are associated with a network.
  - 43. The product of claim 42, wherein the network comprises one of a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), and a wireless LAN (VLAN).
  - 44. The product of claim 42, wherein the network comprises an enterprise network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Yadav, Satyendra

Application Number

US10/323,476
Publication Number

US 20040123141A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1416 Event detection, e.g. attac...

Multi-tier intrusion detection system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-tier intrusion detection system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links