Multiparameter network fault detection system using probabilistic and aggregation analysis
First Claim
1. A network monitoring system, comprising:
- a rules server, running a plurality of separate rules which monitor aspects of a network, including at least a first rule that monitors operations of the network to produce a first alarm representing a first specified probability of attack on the network, based on a first network condition other than content of packets of information being processed by the network, and a second rule that detects content of network packets being processed by the network, to produce a second alarm representing a second specified probability of attack on the network, based on suspicious content in said network packets, and a third rule that correlates results of said first and second rules, to produce information indicative of a correlated probability of attack on the network that represents a higher probability than a probability represented by either said first alarm or said second alarm.
Abstract
A network intrusion detection system using both probabilistic analysis and aggregation analysis. The system runs within a network system and includes a first set of firewall rules, a second set of intrusion detection rules, and a third set of authentication rules which authenticate the user, the VPN, and host intrusion. A special correlation rule set correlates among the other rules in order to determine information from patterns. The rules look at probabilistic information and also look at patterns within the data, attempting to find where intrusions may exist prior to their actual occurrence.
44 Claims
1. A network monitoring system, as set out under First Claim above. (Dependent claims: 2 to 16.)
17. A system, comprising:
a network monitoring system which monitors network traffic; and
a rules server including a first set of rules detecting alarms based on a network firewall, a second set of rules detecting alarms based on network intrusion detection events, and a third set of rules detecting alarms based on authentication events, each detection of each alarm having a criticality, and a fourth set of rules correlating at least one of said rules with another of said rules to produce an alarm that has a higher criticality than that produced by either of said one rule or said another rule individually. (Dependent claims: 18 to 26.)
27. A system comprising:
a network monitoring system that monitors network traffic; and
a rules server, including a set of firewall rules, a set of network intrusion detection rules, and a set of authentication rules, and a set of correlating rules which correlates at least one of said rules with another of said rules, at least one of said correlating rules detecting first and second alarms from violations of rules, said first and second alarms each having a specified criticality, and using the correlating to increase a criticality of an alarm from violating the combination of rules as compared with violating either of the rules individually. (Dependent claims: 28 to 34.)
35. A method of monitoring a network, comprising:
running a first rule that monitors operations of a first part of the network to produce a first alarm based on a first network condition, said first alarm having a first criticality;
running a second rule that detects operations of a second part of the network, to produce a second alarm based on suspicious content in said second part of said network, said second alarm having a second criticality; and
running a third rule that correlates the first and second alarms produced by said first and second rules, to produce correlation alarm information that represents a higher criticality than a criticality of either said first alarm or said second alarm. (Dependent claims: 36 to 44.)
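The independent claims above all describe the same mechanism: separate rule sets (firewall, packet content, authentication) each raise an alarm carrying its own probability or criticality, and a correlation rule combines alarms to raise a single alarm whose criticality exceeds that of any input. The following is an added illustration written for this page; it is not code from the patent or from any product it covers. The event schema, the `noisy_or` combination formula, the probabilities attached to each rule, the sample addresses and the time window are all assumptions made for the example.

```python
"""Toy alarm-correlation engine in the shape of the claims above.

Three independent rules each emit an Alarm with a probability of attack;
a correlation rule merges alarms about the same source that fall within a
time window and emits one alarm whose probability is higher than any input.
All event fields, thresholds and probabilities are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    rule: str           # name of the rule that raised the alarm
    source: str         # entity the alarm is about (here: a source address)
    time: int           # event time in seconds (constructed, not wall clock)
    probability: float  # rule-assigned probability of attack, 0..1
    detail: str = ""


# Constructed sample events; the field names are assumptions for this example.
EVENTS = [
    {"kind": "firewall", "time": 100, "src": "198.51.100.7", "action": "deny"},
    {"kind": "firewall", "time": 101, "src": "198.51.100.7", "action": "deny"},
    {"kind": "firewall", "time": 102, "src": "198.51.100.7", "action": "deny"},
    {"kind": "firewall", "time": 103, "src": "198.51.100.7", "action": "deny"},
    {"kind": "firewall", "time": 104, "src": "198.51.100.7", "action": "deny"},
    {"kind": "packet", "time": 130, "src": "198.51.100.7",
     "payload": "GET /../../config HTTP/1.1"},
    {"kind": "auth", "time": 140, "src": "198.51.100.7",
     "user": "admin", "result": "fail"},
    {"kind": "packet", "time": 500, "src": "203.0.113.9",
     "payload": "GET /index.html HTTP/1.1"},
    {"kind": "auth", "time": 600, "src": "203.0.113.9",
     "user": "alice", "result": "fail"},
]


def firewall_rule(events, threshold=5, window=60):
    """First rule: a network condition other than packet content.
    Raises an alarm when one source accumulates `threshold` denied
    connections inside `window` seconds."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "firewall" and e["action"] == "deny":
            by_src[e["src"]].append(e["time"])
    alarms = []
    for src, times in by_src.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n >= threshold:
                alarms.append(Alarm("firewall", src, t0, 0.3,
                                    f"{n} denies within {window}s"))
                break
    return alarms


# Constructed content signature for the example (a path-traversal fragment
# and a SQL keyword pair); a real IDS carries a much larger rule set.
SUSPICIOUS = re.compile(r"\.\./|\bunion\s+select\b", re.IGNORECASE)


def content_rule(events):
    """Second rule: inspects packet content for suspicious patterns."""
    return [Alarm("ids", e["src"], e["time"], 0.5, "signature match")
            for e in events
            if e["kind"] == "packet" and SUSPICIOUS.search(e["payload"])]


def auth_rule(events):
    """Third rule set: authentication events. A single failed logon is
    weak evidence on its own, so it gets a low probability."""
    return [Alarm("auth", e["src"], e["time"], 0.2,
                  f"failed logon as {e['user']}")
            for e in events if e["kind"] == "auth" and e["result"] == "fail"]


def noisy_or(probs):
    """Combine probabilities of independent indicators; the result is never
    lower than the largest input, which is the property the claims require."""
    p_none = 1.0
    for q in probs:
        p_none *= 1.0 - q
    return 1.0 - p_none


def correlation_rule(alarms, window=300):
    """Correlating rule: alarms from at least two different rules about the
    same source within `window` seconds become one higher-probability alarm."""
    by_src = defaultdict(list)
    for a in alarms:
        by_src[a.source].append(a)
    correlated = []
    for src, group in by_src.items():
        group.sort(key=lambda a: a.time)
        rules = {a.rule for a in group}
        if len(rules) < 2 or group[-1].time - group[0].time > window:
            continue
        correlated.append(Alarm("correlation", src, group[-1].time,
                                noisy_or(a.probability for a in group),
                                "+".join(sorted(rules))))
    return correlated


def run(events):
    """Return (base alarms from the individual rules, correlated alarms)."""
    base = firewall_rule(events) + content_rule(events) + auth_rule(events)
    return base, correlation_rule(base)


if __name__ == "__main__":
    base, corr = run(EVENTS)
    for a in base + corr:
        print(f"{a.rule:12s} {a.source:14s} t={a.time:<4d} p={a.probability:.2f} {a.detail}")
```

On the constructed events, the first source triggers all three base rules (probabilities 0.3, 0.5 and 0.2) and the correlation rule merges them into one alarm at 0.72; the second source only produces a lone failed-logon alarm, so no correlated alarm is raised for it. The noisy-OR combination is one way to guarantee the "higher than either alarm alone" property; a deployment would replace it with whatever criticality scheme its rule sets actually use.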