Adaptive behavioral intrusion detection systems and methods
Abstract
Systems and methods for analyzing historical network traffic and determining which traffic does not belong in a network are disclosed. Intrusion detection is performed over a period of time, looking for behavioral patterns within networks or information systems and generating alerts when these patterns change. The intrusion detection system intelligently forms correlations between disparate sources to find traffic anomalies. Over time, behaviors are predictive, and the intrusion detection system attempts to predict outcomes, becoming proactive instead of just reactive. Intrusions occur throughout whole information systems, including both network infrastructure and application servers. By treating the information system as a whole and performing intrusion detection across it, the chances of detection are increased significantly.
22 Claims
1. A method for detecting network intrusion attempts associated with network objects on a communications network, the method comprising:
- collecting normal traffic behavior associated with network objects on the network on a continuing basis to establish historical data regarding traffic across the network;
- monitoring network traffic associated with network objects on the network to detect anomalies;
- analyzing the anomalies using the historical data;
- generating alerts identifying possible intrusion attempts based on analysis of the anomalies; and
- updating the historical data based on the anomalies, the alerts, and network traffic.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A method for detecting network intrusion attempts associated with network objects on a communications network, the method comprising:
- collecting normal traffic behavior associated with network objects on the network on a continuing basis to establish historical data regarding traffic across the network;
- monitoring network traffic associated with network objects on the network to detect anomalies, comprising:
  - looking for known strings and series of bytes that indicate signature attacks; and
  - applying a series of rules to identify anomalous packets and adding the anomalous packets to an anomaly pool;
- analyzing the anomalies using the historical data;
- generating alerts identifying possible intrusion attempts based on analysis of the anomalies; and
- updating the historical data based on the anomalies, the alerts, and network traffic.
Dependent claims: 14, 15, 16, 17, 18, 19
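The following is an added example, not code from the patent or its assignee: a minimal adaptive behavioral detector in the shape of claims 1 and 13 (and the abstract). It keeps a per-host historical baseline of packets per time window, runs a knowledge-based signature check plus a simple rule ("destination port never seen from this host") to fill an anomaly pool, analyzes the window against the baseline, raises alerts, and then updates the history. All traffic, hosts, ports and signature byte strings are constructed placeholders; the z-score threshold, the "new port" rule and the choice to exclude alerted hosts from the baseline update are this example's assumptions, not the patent's.

```python
from __future__ import annotations

import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed signature table (placeholder byte patterns, not real IDS signatures).
# This stands in for the claim's "known strings and series of bytes".
SIGNATURES = {
    "CONSTRUCTED-SIG-1": b"TEST-SIGNATURE-A",
    "CONSTRUCTED-SIG-2": b"TEST-SIGNATURE-B",
}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Baseline:
    """Welford running mean/variance of one behavioral feature (packets per window)."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def zscore(self, x: float) -> float:
        if self.n < 2:                      # not enough history to judge
            return 0.0
        var = self.m2 / (self.n - 1)
        std = math.sqrt(var) if var > 0 else 1.0   # constant history: avoid divide by zero
        return (x - self.mean) / std


class AdaptiveIDS:
    def __init__(self, z_threshold: float = 3.0):
        self.z_threshold = z_threshold              # assumption: 3 sigma counts as anomalous
        self.history: dict[str, Baseline] = defaultdict(Baseline)
        self.known_ports: dict[str, set[int]] = defaultdict(set)

    # Claim step: collect normal behavior on a continuing basis into historical data.
    def collect(self, window: list[Packet]) -> None:
        for src, count in Counter(p.src for p in window).items():
            self.history[src].update(count)
        for p in window:
            self.known_ports[p.src].add(p.dport)

    # Claim step: monitor traffic; signature hits and rule hits go into an anomaly pool.
    def monitor(self, window: list[Packet]) -> list[tuple]:
        pool = []
        for p in window:
            for name, pattern in SIGNATURES.items():
                if pattern in p.payload:
                    pool.append(("signature", name, p))
            # Assumed rule: a port this host has never talked to before is anomalous.
            if p.src in self.known_ports and p.dport not in self.known_ports[p.src]:
                pool.append(("rule:new-port", p.dport, p))
        return pool

    # Claim step: analyze the anomalies using the historical data and generate alerts.
    def analyze(self, window: list[Packet], pool: list[tuple]) -> list[dict]:
        alerts = [{"type": "signature", "host": p.src, "detail": d}
                  for kind, d, p in pool if kind == "signature"]
        rule_hits = Counter(p.src for kind, _, p in pool if kind.startswith("rule"))
        for src, count in Counter(p.src for p in window).items():
            z = self.history[src].zscore(count) if src in self.history else 0.0
            if z > self.z_threshold:
                alerts.append({"type": "behavior", "host": src, "count": count,
                               "z": round(z, 1), "rule_hits": rule_hits[src]})
        return alerts

    # Claim step: update history from the traffic, the anomalies and the alerts.
    # Assumption: hosts that alerted are left out so attack traffic does not poison the baseline.
    def update(self, window: list[Packet], alerts: list[dict]) -> None:
        alerted = {a["host"] for a in alerts}
        self.collect([p for p in window if p.src not in alerted])

    def process_window(self, window: list[Packet]) -> list[dict]:
        pool = self.monitor(window)
        alerts = self.analyze(window, pool)
        self.update(window, alerts)
        return alerts


# Constructed traffic: host 10.0.0.5 sends 10-12 packets/window to 443, 10.0.0.7 sends 5 to 53.
def normal_window(i: int) -> list[Packet]:
    pkts = [Packet("10.0.0.5", "10.0.1.1", 443, b"GET /") for _ in range(10 + i % 3)]
    return pkts + [Packet("10.0.0.7", "10.0.1.2", 53, b"dns") for _ in range(5)]


# Constructed anomalous window: a 60-packet burst from 10.0.0.5 to a never-seen port,
# one packet carrying a placeholder signature string, on top of a normal window.
def anomalous_window() -> list[Packet]:
    burst = [Packet("10.0.0.5", "10.0.1.9", 8080, b"x") for _ in range(59)]
    burst.append(Packet("10.0.0.5", "10.0.1.9", 8080, b"..TEST-SIGNATURE-A.."))
    return burst + normal_window(20)


def run_demo() -> list[dict]:
    ids = AdaptiveIDS()
    for i in range(20):                 # 20 windows of baseline collection
        ids.collect(normal_window(i))
    return ids.process_window(anomalous_window())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The behavioral alert carries the rule hits from the anomaly pool as corroborating evidence, which is the correlation between disparate sources the abstract describes; a rule hit on a host whose volume is within its historical range stays in the pool without alerting. Excluding alerted hosts from the baseline update is the practitioner's caveat for any self-updating baseline: a sustained attack that is fed back into the history would otherwise become "normal" within a few windows.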
20. An intrusion detection system for detecting network intrusion attempts associated with network objects on a communications network, the system comprising:
- a sensor connected to the network for monitoring network traffic associated with network objects on the network, comprising:
  - a knowledge-based component for examining network traffic for known strings and series of bytes that indicate signature attacks; and
  - a packet logger for reading packets in network traffic, classifying packets by protocols, and creating packages of compressed packets;
- a server connected to the sensor that accepts real-time alerts for possible signature attacks and a converter for converting alerts from native signature format to a unified format for storage in at least one relational database;
- an analysis server that receives compressed packets from the sensor at periodic intervals, wherein the analysis server conducts a behavioral analysis of the data received from the sensor; and
- the at least one relational database, which stores raw packet data, behavioral data, and index data.
Dependent claims: 21, 22