Integrated data traffic monitoring system
Abstract
The present invention includes an integrated data traffic monitoring system monitoring data traffic received from a communication network and destined for a protected network. The monitoring system includes a security appliance and one or more security and monitoring technologies such as hardware, open-source software, and proprietary software products. The security appliance and the security and monitoring technologies may be implemented as separate and distinct modules or combined into a single security appliance. The security and monitoring technologies monitor network data traffic on, or directed to, the protected network. The monitoring system collects data from each of the technologies into an event database and, based on the data, automatically generates rules directing one or more of the technologies to prevent subsequent communications traffic from specific sources from entering the protected network.
16 Claims
1. A method of automatically generating rules for an intrusion detection module comprising:
analyzing a data packet received from a communication network by the intrusion detection module using a set of rules, the data packet containing a source IP address;
in response to the packet failing the analyzing operation, searching an event database for events associated with the source IP address of the packet, if the event database contains an event record associated with the source IP address of the packet, generating a new rule to block subsequent packets from the source IP address of the packet for a predetermined period of time; and
adding the new rule to the set of rules used by the intrusion detection module.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A method of screening packets received from a communication network comprising:
receiving a packet associated with one of an e-mail message, a VPN connection, and a web page response, the packet having a source;
performing an intrusion detection analysis on the packet using a set of intrusion detection rules;
if the packet passes the intrusion detection analysis, performing a firewall analysis on the packet using a set of firewall rules;
if the packet passes the firewall analysis, determining if the packet is associated with an e-mail message, a VPN connection or a web page response;
if the packet is associated with an e-mail message, performing a virus analysis on the packet using a set of virus definitions;
if the packet is associated with a VPN connection, performing an authentication analysis on the packet using a set of authentication criteria; and
if the packet fails any of the intrusion detection analysis, the firewall analysis, the virus analysis, or the authentication analysis, automatically generating a new intrusion detection rule to delete any subsequent packets received from the same source as the packet.
Dependent claims: 11, 12, 13, 14, 15
16. A computing system for receiving communication packets from a communication network and transmitting the communication packets to a protected network, the computing system comprising:
an intrusion detection module that compares a communication packet to a set of rules and, based on the comparison, either transmits the communication packet to a firewall or deletes the communication packet and transmits event data based on the deleted communication packet to an event database;
an event database that stores an event record based on the event data received from the intrusion detection module and maintains a plurality of event records based on previously received event data; and
an integrated security system that analyzes the event data and the plurality of event records and, based on the results of the analysis, automatically generates at least one rule for the intrusion detection module.
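The rule-generation loop of claims 1 and 16, as an added Python example that is not part of the patent: an intrusion detection module drops packets that match its rule set, stores each drop as an event record, and, when the event database already holds a record for the offending source IP, adds a temporary block rule for that source. The 600-second block period, the `Packet`, `Rule` and `IntrusionDetectionModule` names, and the sample signature and addresses are assumptions, not taken from the page.

```python
from dataclasses import dataclass
from typing import Optional

BLOCK_SECONDS = 600.0  # assumed "predetermined period of time"; the page gives no value

@dataclass
class Packet:
    src_ip: str
    payload: bytes

@dataclass
class Rule:
    """One IDS rule: a payload signature, a temporary source-IP block, or both."""
    src_ip: Optional[str] = None        # None matches any source
    signature: Optional[bytes] = None   # None matches any payload
    expires_at: Optional[float] = None  # None means the rule is permanent

    def matches(self, pkt: Packet) -> bool:
        return ((self.src_ip is None or pkt.src_ip == self.src_ip)
                and (self.signature is None or self.signature in pkt.payload))

class IntrusionDetectionModule:
    def __init__(self, rules: list[Rule]):
        self.rules = list(rules)
        self.event_db: dict[str, list[dict]] = {}  # source IP -> stored event records

    def is_blocked(self, src_ip: str) -> bool:
        return any(r.src_ip == src_ip and r.signature is None for r in self.rules)

    def analyze(self, pkt: Packet, now: float) -> str:
        """Return 'forward' or 'drop'; a drop also runs the rule-generation step."""
        # Purge expired block rules first so the block really is temporary.
        self.rules = [r for r in self.rules if r.expires_at is None or r.expires_at > now]
        hit = next((r for r in self.rules if r.matches(pkt)), None)
        if hit is None:
            return "forward"
        # Claim 1: look for earlier events from this source *before* storing the
        # current one, so a first offence only creates a record, not a block.
        if self.event_db.get(pkt.src_ip) and not self.is_blocked(pkt.src_ip):
            self.rules.append(Rule(src_ip=pkt.src_ip, expires_at=now + BLOCK_SECONDS))
        # Claim 16: the dropped packet's event data becomes an event record.
        self.event_db.setdefault(pkt.src_ip, []).append(
            {"time": now, "signature": hit.signature, "length": len(pkt.payload)})
        return "drop"

if __name__ == "__main__":
    ids = IntrusionDetectionModule([Rule(signature=b"BAD-SIG")])  # constructed signature
    pkt = Packet("198.51.100.7", b"hello BAD-SIG")                # constructed sample packet
    print([ids.analyze(pkt, now=t) for t in (0.0, 1.0)], ids.is_blocked(pkt.src_ip))  # prints ['drop', 'drop'] True
```

Because the block keys on the unauthenticated source address alone, a spoofed pair of offending packets can lock out a legitimate source for the block period, which is one reason the generated rule carries an expiry rather than being permanent.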