Rule based alerting in anomaly detection
First Claim
1. A graphical user interface for constructing rules to run on an intrusion detection system, the graphical user interface comprising:
a field that specifies a first set of nodes on a network by Host-Group;
a field that specifies a second set of nodes on a network by Host-Group; and
a field which determines whether to interpret the first and second host-group fields as Client, server, source, destination or any of these.
Abstract
A graphical user interface for constructing rules to run on an intrusion detection system is described. The user interface includes a field that specifies a first set of nodes on a network by Host-Group, a field that specifies a second set of nodes on a network by Host-Group and a field which determines whether to interpret the first and second host-group fields as Client, server, source, destination or any of these.
26 Claims
1. A graphical user interface for constructing rules to run on an intrusion detection system, the graphical user interface comprising:
a field that specifies a first set of nodes on a network by Host-Group;
a field that specifies a second set of nodes on a network by Host-Group; and
a field which determines whether to interpret the first and second host-group fields as Client, server, source, destination or any of these.
(Dependent claims 2 to 10.)

11. A method of producing a rule to track events in a network comprises:
entering data in a field that specifies a first set of nodes on a network by Host-Group;
entering data in a field that specifies a second set of nodes on a network by Host-Group; and
entering data in a field which determines whether to interpret the first and second host-group fields as Client, server, source, destination or any of these.
(Dependent claims 12 and 13.)

14. A computer program product residing on a computer readable medium for producing a graphical user interface for an intrusion detection system, the computer program product comprising instructions for causing a computer to generate the user interface comprising:
a field that specifies a first set of nodes on a network by Host-Group;
a field that specifies a second set of nodes on a network by Host-Group; and
a field which determines whether to interpret the first and second host-group fields as Client, server, source, destination or any of these.
(Dependent claims 15 to 17.)

18. A method comprises:
producing a rule that is used by an intrusion detection system to check traffic over a network, by:
specifying a day and time period when the rule is generated;
specifying a first set of nodes on a network by Host-Group and a second set of nodes on a network by Host-Group;
specifying a type basis which determines how to interpret first and second tracked units;
specifying services to track as used or provided by the tracked units;
specifying a direction of traffic flow between the tracked units; and
specifying a duration of the condition necessary to qualify as an event.
(Dependent claims 19 and 20.)

21. A method comprises:
providing a user interface, including options to detect a failed service, detect presence of services, detect communication between certain hosts or groups, detect hosts exceeding traffic thresholds; and
in response to selecting one or more of the options, producing a series of type-specific pages for the selected detection option, calling for specific data for each of the selected options.
(Dependent claims 22 to 26.)
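The claims describe the fields of a rule (two Host-Groups, a type basis of client/server/source/destination/any, services, direction, a day and time window, and a duration) but not how an intrusion detection system would apply them to traffic. The following evaluator is an added example written for this page, not the patent's or any product's code. It shows why the type-basis field matters: on a reply packet the connection's client is the packet destination, so a rule bound by client/server selects different endpoints than one bound by source/destination. The flow record layout, the group names, the sample flows and the `max_gap` reset (silence that restarts the duration clock) are all assumptions of this example.

```python
"""Evaluator for rules of the kind claims 18 and 21 describe: two Host-Groups,
a type basis, services, direction, a time window and a duration.
Added example for this page, not the patent's or any product's code; the flow
layout, group names, sample flows and the max_gap reset are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress

# Host-Groups: name -> CIDR ranges (constructed sample data).
HOST_GROUPS = {
    "workstations": [ipaddress.ip_network("10.1.0.0/16")],
    "dmz_servers": [ipaddress.ip_network("192.0.2.0/24")],
}

def in_group(ip, group):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOST_GROUPS[group])

@dataclass
class Flow:
    """Unidirectional flow record. 'client' is the connection initiator: the
    packet source on a request but the packet destination on a reply."""
    ts: datetime
    src: str
    dst: str
    dport: int
    client: str

@dataclass
class Rule:
    name: str
    first_group: str
    second_group: str
    basis: str              # client | server | source | destination | any
    services: set           # destination ports to track; empty means all
    direction: str          # first_to_second | second_to_first | either
    duration: timedelta     # how long the condition must persist to be an event
    days: set = field(default_factory=lambda: set(range(7)))  # weekday, 0 = Monday
    hours: tuple = (0, 24)  # active window [start, end) in hours of the day
    max_gap: timedelta = timedelta(minutes=5)  # assumption: silence that resets the clock

def bind_units(rule, f):
    """Apply the type-basis field: choose which endpoint is the first tracked unit
    and which the second. Returns (first, second) or None if the endpoints do not
    fall into the two Host-Groups in that arrangement."""
    server = f.dst if f.client == f.src else f.src
    candidates = {
        "client": [(f.client, server)],
        "server": [(server, f.client)],
        "source": [(f.src, f.dst)],
        "destination": [(f.dst, f.src)],
        "any": [(f.src, f.dst), (f.dst, f.src)],
    }[rule.basis]
    for first, second in candidates:
        if in_group(first, rule.first_group) and in_group(second, rule.second_group):
            return first, second
    return None

def matches(rule, f):
    """Bound (first, second) pair if the flow satisfies every field except duration."""
    units = bind_units(rule, f)
    if units is None or (rule.services and f.dport not in rule.services):
        return None
    sender = {"first_to_second": units[0], "second_to_first": units[1]}.get(rule.direction, f.src)
    if f.src != sender:
        return None
    if f.ts.weekday() not in rule.days or not rule.hours[0] <= f.ts.hour < rule.hours[1]:
        return None
    return units

def evaluate(rule, flows):
    """Emit one event per tracked pair once the condition has persisted for
    rule.duration with no silence longer than rule.max_gap."""
    state, events = {}, []   # (first, second) -> [first_seen, last_seen, fired]
    for f in sorted(flows, key=lambda x: x.ts):
        units = matches(rule, f)
        if units is None:
            continue
        st = state.setdefault(units, [f.ts, f.ts, False])
        if f.ts - st[1] > rule.max_gap:   # condition lapsed: restart the clock
            st[:] = [f.ts, f.ts, False]
        st[1] = f.ts
        if not st[2] and f.ts - st[0] >= rule.duration:
            st[2] = True
            events.append((rule.name, units[0], units[1], f.ts))
    return events

# Constructed sample: a workstation acting as SSH client to the DMZ for 60 s or
# more during business hours. Only 10.1.2.3 -> 192.0.2.10 persists that long.
SSH_RULE = Rule("ws-ssh-to-dmz", "workstations", "dmz_servers", "client",
                {22}, "either", timedelta(seconds=60), hours=(8, 18))
T0 = datetime(2024, 3, 4, 9, 0)   # a Monday, 09:00
SAMPLE_FLOWS = [
    Flow(T0, "10.1.2.3", "192.0.2.10", 22, "10.1.2.3"),
    Flow(T0 + timedelta(seconds=10), "192.0.2.10", "10.1.2.3", 51515, "10.1.2.3"),  # reply, not port 22
    Flow(T0 + timedelta(seconds=20), "192.0.2.20", "10.1.7.7", 22, "192.0.2.20"),   # DMZ host is the client
    Flow(T0 + timedelta(seconds=30), "10.1.2.3", "192.0.2.10", 22, "10.1.2.3"),
    Flow(T0 + timedelta(seconds=40), "10.1.5.5", "192.0.2.20", 22, "10.1.5.5"),     # single flow, no duration
    Flow(T0 + timedelta(seconds=65), "10.1.2.3", "192.0.2.10", 22, "10.1.2.3"),
]

def run_example():
    return evaluate(SSH_RULE, SAMPLE_FLOWS)
```

The `services` filter is applied to the destination port, so reply flows fall out before direction is considered; a rule that needs to see both halves of a session should leave `services` empty or list the ephemeral ports too. The duration check fires once per pair and stays quiet until the condition lapses, which is the behaviour a practitioner wants from a persistence threshold rather than a per-flow alert.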
Specification