Distributed intrusion response system
Abstract
A system and method to respond to intrusions detected on a network system including attached functions and a network infrastructure. The system includes means for receiving from an intrusion detection function information about intrusions, a directory service function for gathering and reporting at least the physical and logical addresses of devices of the network infrastructure associated with the detected intrusions, and a plurality of distributed enforcement devices of the network infrastructure for enforcing policies responsive to the detected intrusions. A policy decision function evaluates the reported detected intrusions and determines whether one or more policy changes are required on the enforcement devices in response to a detected intrusion. A policy manager function configures the distributed enforcement devices with the responsive changed policy or policies. Policy change rules can range from no change, to complete port blocking on one or more identified enforcement devices associated with the detected intrusion, to redirecting the associated traffic including the intrusion; these policies may be modified or removed over time as warranted by network operation.
27 Claims
1. A method of responding to the detection of an intrusion on a network system that provides network services, the network system including one or more attached functions and one or more network infrastructures, the method comprising the steps of:
a. monitoring the network system for intrusions;
b. upon detection of an intrusion, identifying one or more sources of the intrusion;
c. identifying one or more enforcement devices of the network system associated with the one or more identified sources; and
d. configuring the identified one or more enforcement devices with one or more policy changes responsive to the detected intrusion. (Dependent claims: 2 through 15.)
16. A Distributed Intrusion Response System (DIRS) to respond to the detection of an intrusion on a network system that provides network services, the network system including one or more attached functions and a network infrastructure, the DIRS comprising:
a. a directory service function for receiving address information for attached functions and devices of the network infrastructure;
b. a policy manager function for configuring devices of the network infrastructure with policies;
c. means for identifying one or more sources of one or more intrusions; and
d. one or more enforcement devices of the network infrastructure, wherein each enforcement device is configured to enforce policy changes established thereon by the policy manager function in response to one or more detected intrusions. (Dependent claims: 17 through 27.)
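The pipeline described in the abstract and in claims 1 and 16 (an intrusion report, a directory lookup of the source's physical and logical addresses, a policy decision, a policy manager pushing the policy to the enforcement device behind which the source sits, and later removal of that policy) as an added toy example in Python. This is not code from the patent; every class and function name, the severity thresholds and lifetimes, the ARP and MAC tables, the switch and port names and the alerts are constructed for illustration. It also adds one guard the page does not state: a port block is downgraded to a redirect when the resolved port is an uplink, because shutting a trunk would cut off every host behind it rather than just the source.

```python
"""Toy Distributed Intrusion Response System (DIRS). Added example, not the
patent's code; all names, thresholds and sample data are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional, Set, Tuple


class Action(IntEnum):        # ordered so that a stronger action compares greater
    NO_CHANGE = 0
    REDIRECT = 1              # steer the source's traffic to a quarantine VLAN
    BLOCK_PORT = 2            # administratively shut the source's access port


@dataclass(frozen=True)
class Intrusion:              # what the intrusion detection function reports
    source_ip: str            # logical address of the source
    signature: str
    severity: int             # 1 (low) .. 10 (critical), constructed scale


@dataclass(frozen=True)
class Location:               # what the directory service resolves
    mac: str                  # physical address of the source
    switch: str               # enforcement device the source is attached to
    port: str


class DirectoryService:
    """Maps the reported logical address to the physical address and to the
    enforcement device/port behind which the source is attached."""
    def __init__(self, arp: Dict[str, str], mac_table: Dict[str, Tuple[str, str]],
                 uplinks: Set[Tuple[str, str]]):
        self.arp, self.mac_table, self.uplinks = arp, mac_table, uplinks

    def locate(self, ip: str) -> Optional[Location]:
        mac = self.arp.get(ip)
        entry = self.mac_table.get(mac) if mac else None
        return Location(mac, entry[0], entry[1]) if entry else None  # None: unknown/spoofed source


class PolicyDecisionFunction:
    """Chooses an action and a lifetime (seconds) from the severity. Never blocks
    an uplink: that would isolate every host behind it, not just the source."""
    def decide(self, intr: Intrusion, loc: Location, directory: DirectoryService) -> Tuple[Action, int]:
        if intr.severity >= 8:
            action, ttl = Action.BLOCK_PORT, 3600
        elif intr.severity >= 4:
            action, ttl = Action.REDIRECT, 600
        else:
            return Action.NO_CHANGE, 0
        if action == Action.BLOCK_PORT and (loc.switch, loc.port) in directory.uplinks:
            action = Action.REDIRECT                 # downgrade rather than cut a trunk
        return action, ttl


class PolicyManager:
    """Pushes policies to enforcement devices, never weakens a policy already in
    force on a port, and withdraws policies whose lifetime has elapsed."""
    def __init__(self):
        self.active: Dict[Tuple[str, str], Tuple[Action, float]] = {}   # (switch, port) -> (action, expiry)
        self.device_config: Dict[str, Dict[str, str]] = {}             # switch -> {port: state}

    def apply(self, loc: Location, action: Action, ttl: int, now: float) -> Action:
        key = (loc.switch, loc.port)
        current = self.active.get(key)
        if current and current[0] > action:
            return current[0]                        # stronger policy stays in place
        expires = now + ttl
        if current and current[0] == action:
            expires = max(expires, current[1])       # same policy: extend, do not shorten
        self.active[key] = (action, expires)
        self.device_config.setdefault(loc.switch, {})[loc.port] = action.name
        return action

    def expire(self, now: float) -> None:
        for key, (_, exp) in list(self.active.items()):
            if exp <= now:
                del self.active[key]
                self.device_config[key[0]][key[1]] = "FORWARDING"   # policy removed


def respond(intr: Intrusion, directory: DirectoryService, pdf: PolicyDecisionFunction,
            manager: PolicyManager, now: float) -> Optional[Action]:
    """Claim 1 steps b-d: identify the source, its enforcement device, configure it."""
    loc = directory.locate(intr.source_ip)
    if loc is None:
        return None                                  # nothing to enforce on
    action, ttl = pdf.decide(intr, loc, directory)
    return action if action == Action.NO_CHANGE else manager.apply(loc, action, ttl, now)


# Constructed sample directory data: two edge switches, one port that is a trunk.
DIRECTORY = DirectoryService(
    arp={"10.0.1.23": "aa:bb:cc:00:01:23", "10.0.2.7": "aa:bb:cc:00:02:07"},
    mac_table={"aa:bb:cc:00:01:23": ("sw-edge-1", "Gi1/0/5"),
               "aa:bb:cc:00:02:07": ("sw-edge-2", "Gi1/0/48")},
    uplinks={("sw-edge-2", "Gi1/0/48")},
)


def demo():
    """Constructed alert sequence; returns the decisions and the final device state."""
    pdf, mgr, t0 = PolicyDecisionFunction(), PolicyManager(), 1_700_000_000.0
    r1 = respond(Intrusion("10.0.1.23", "ssh brute force", 5), DIRECTORY, pdf, mgr, t0)        # redirect
    r2 = respond(Intrusion("10.0.1.23", "worm propagation", 9), DIRECTORY, pdf, mgr, t0 + 10)  # escalate to block
    r3 = respond(Intrusion("10.0.1.23", "ssh brute force", 5), DIRECTORY, pdf, mgr, t0 + 20)   # block is kept
    r4 = respond(Intrusion("10.0.2.7", "worm propagation", 9), DIRECTORY, pdf, mgr, t0)        # uplink: redirect only
    r5 = respond(Intrusion("192.0.2.99", "worm propagation", 9), DIRECTORY, pdf, mgr, t0)      # unknown source
    mgr.expire(t0 + 3605)        # sw-edge-2 policy (t0+3600) lapses, sw-edge-1 (t0+3610) stays
    return r1, r2, r3, r4, r5, mgr.device_config


if __name__ == "__main__":
    print(demo())
```

The ordering of `Action` is what lets the policy manager refuse to downgrade: a later, lower-severity alert about a host that is already blocked leaves the block in place, while the uplink check in the decision function is the one place a requested action is weakened, and it is weakened deliberately.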