Method and system for responding to network intrusions

US 20050076236A1
Filed: 10/03/2003
Published: 04/07/2005
Est. Priority Date: 10/03/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method for responding to network intrusions, comprising:

a) receiving an intrusion detection system (IDS) alert from an IDS sensor located in a network of computing resources, wherein said IDS alert indicates an unauthorized intrusion upon a remotely located computing resource in said network of computing resources;

b) identifying said IDS alert; and

c) determining an appropriate response to said IDS alert that is identified at a location separate from said remotely located computing resource so that said determining said appropriate response is unaffected by said unauthorized intrusion; and

d) automatically implementing said appropriate response to mitigate damage to said network of computing resources from said unauthorized intrusion.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for responding to network intrusions. Specifically, in one embodiment, the method begins by receiving an intrusion detection system (IDS) alert from an IDS sensor located in a network of computing resources. The IDS alert indicates an unauthorized intrusion upon a remotely located computing resource in the network of computing resources. The embodiment of the method continues by identifying the IDS alert. Then, the embodiment continues by determining an appropriate response to the IDS alert that is identified at a location separate from the remotely located computing resource so that the appropriate response is unaffected by the unauthorized intrusion. The embodiment of the method automatically implements the appropriate response to mitigate damage to the network of computing resources from the unauthorized intrusion.

29 Citations

View as Search Results

33 Claims

1. A method for responding to network intrusions, comprising:
- a) receiving an intrusion detection system (IDS) alert from an IDS sensor located in a network of computing resources, wherein said IDS alert indicates an unauthorized intrusion upon a remotely located computing resource in said network of computing resources;
  
  b) identifying said IDS alert; and
  
  c) determining an appropriate response to said IDS alert that is identified at a location separate from said remotely located computing resource so that said determining said appropriate response is unaffected by said unauthorized intrusion; and
  
  d) automatically implementing said appropriate response to mitigate damage to said network of computing resources from said unauthorized intrusion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein a) further comprises:
    - a1) detecting a suspicious intrusion into said computing resource;
      
      a2) determining said suspicious intrusion is unauthorized;
      
      a3) generating said IDS alert; and
      
      a4) sending said IDS alert to an IDS manager that is located remotely from said computing resource within said network of computing resources.
  - 3. The method of claim 2, wherein a2) further comprises:
    - determining said suspicious intrusion is unauthorized when said suspicious intrusion matches with at least one of a list of unauthorized intrusions.
  - 4. The method of claim 2, wherein a1) comprises:
    - detecting said suspicious intrusion at a host-based intrusion detection system (HIDS) sensor located on said computing resource.
  - 5. The method of claim 2, wherein a1) comprises:
    - detecting said suspicious intrusion at a network-based intrusion detection system (NIDS) sensor located within said network of computing resources.
  - 6. The method of claim 1, wherein d) further comprises:
    - d1) interfacing with a power controller that controls power to said computing resource to shut power to said computing resource.
  - 7. The method of claim 1, wherein d) further comprises:
    - d1) interfacing with at least one switch, an associated switch, in said network of computing resources to virtually reconfigure said associated switch in order to virtually isolate said computing resource from remaining computing resources in said network of computing resources.
  - 8. The method of claim 7, wherein said associated switch comprises an Ethernet switch.
  - 9. The method of claim 7, wherein said associated switch comprises a Storage Area Network (SAN) switch.
  - 10. The method of claim 7, wherein said at least one switch comprises a SAN switch and an Ethernet switch.
  - 11. The method of claim 1, wherein said network of computing resources comprises a provisional data center.

12. A method for responding to network intrusions, comprising:
- a) receiving an intrusion detection system (IDS) alert from an IDS sensor in a network of computing resources at a location separate from an infected computing resource, wherein said IDS alert indicates an unauthorized intrusion upon said infected computing resource in said network of computing resources, wherein implementation of a response to said IDS alert is unaffected by said unauthorized intrusion;
  
  b) responding to said IDS alert by automatically interfacing with at least one switch in said network of computing resources to virtually reconfigure said at least one switch, an associated switch, in order to virtually isolate said computing resource from remaining computing resources in said network of computing resources; and
  
  c) responding to said IDS alert by automatically interfacing with a power controller that controls power to said computing resource to shut power to said computing resource.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein a) further comprises:
    - a1) detecting a suspicious intrusion into said computing resource;
      
      a2) determining said suspicious intrusion is unauthorized;
      
      a3) generating said IDS alert; and
      
      a4) sending said IDS alert to an IDS manager that is located remotely from said computing resource within said network of computing resources.
  - 14. The method of claim 13, wherein a2) further comprises:
    - determining said suspicious intrusion is unauthorized when said suspicious intrusion matches with at least one of a list of unauthorized intrusions.
  - 15. The method of claim 13, wherein a1) comprises:
    - detecting said suspicious intrusion at a host-based intrusion detection system (HIDS) sensor located on said computing resource.
  - 16. The method of claim 13, wherein a1) comprises:
    - detecting said suspicious intrusion at a network-based intrusion detection system (NIDS) sensor located within said network of computing resources.
  - 17. The method of claim 12, wherein said network of computing resources comprises a provisional data center.
  - 18. The method of claim 12, wherein said switch couples said computing resource to a virtual local area network.
  - 19. The method of claim 12, wherein said switch comprises an Ethernet switch.
  - 20. The method of claim 12, wherein said associated switch comprises a Storage Area Network (SAN) switch.
  - 21. The method of claim 12, wherein said at least one switch comprises a SAN switch and an Ethernet switch.
  - 22. The method of claim 12, wherein further comprising:
    - automatically interfacing with said associated switch in said network of computing resources; and
      
      automatically interfacing with said power controller.

23. A computer system comprising:
- a bus for communicating information associated with a method for responding to network intrusions;
  
  a processor coupled to said bus for processing said information associated with said method for responding to network intrusions; and
  
  a computer readable memory coupled to said processor containing program instructions, that when executed by said processor, implement said method for responding to network intrusions, comprising;
  
  a) receiving an intrusion detection system (IDS) alert from an IDS sensor located in a network of computing resources, wherein said IDS alert indicates an unauthorized intrusion upon a remotely located computing resource in said network of computing resources;
  
  b) identifying said IDS alert; and
  
  c) determining an appropriate response to said IDS alert that is identified at a location separate from said remotely located computing resource so that said determining said appropriate response is unaffected by said unauthorized intrusion; and
  
  d) automatically implementing said appropriate response to mitigate damage to said network of computing resources from said unauthorized intrusion.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The computer system of claim 23, wherein a) in said method further comprises:
    - a1) detecting a suspicious intrusion into said computing resource;
      
      a2) determining said suspicious intrusion is unauthorized;
      
      a3) generating said IDS alert; and
      
      a4) sending said IDS alert to an IDS manager that is located remotely from said computing resource within said network of computing resources.
  - 25. The computer system of claim 24, wherein a2) in said method further comprises:
    - determining said suspicious intrusion is unauthorized when said suspicious intrusion matches with at least one of a list of unauthorized intrusions.
  - 26. The computer system of claim 24, wherein a1) in said method comprises:
    - detecting said suspicious intrusion at a host-based intrusion detection system (HIDS) sensor located on said computing resource.
  - 27. The computer system of claim 24, wherein a1) in said method comprises:
    - detecting said suspicious intrusion at a network-based intrusion detection system (NIDS) sensor located within said network of computing resources.
  - 28. The computer system of claim 23, wherein d) in said method further comprises:
    - d1) interfacing with a power controller that controls power to said computing resource to shut power to said computing resource.
  - 29. The computer system of claim 23, wherein d) in said method further comprises:
    - d1) interfacing with at least one switch, an associated switch, in said network of computing resources to virtually reconfigure said associated switch in order to virtually isolate said computing resource from remaining computing resources in said network of computing resources.
  - 30. The computer system of claim 29, wherein said associated switch comprises an Ethernet switch.
  - 31. The computer system of claim 29, wherein said associated switch comprises a Storage Area Network (SAN) switch.
  - 32. The computer system of claim 29, wherein said at least one switch comprises a SAN switch and an Ethernet switch.
  - 33. The computer system of claim 23, wherein said network of computing resources comprises a provisional data center.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Stephenson, Bryan

Application Number

US10/678,333
Publication Number

US 20050076236A1
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

H04L 41/28   Restricting access to netwo...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

Method and system for responding to network intrusions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

29 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for responding to network intrusions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links