Rule based alerting in anomaly detection

US 20050289219A1
Filed: 06/28/2004
Published: 12/29/2005
Est. Priority Date: 06/28/2004
Status: Active Grant

First Claim

Patent Images

1. A graphical user interface for constructing rules to run on an intrusion detection system, the graphical user interface comprising:

a field that specifies a first set of nodes on a network by Host-Group;

a field that specifies a second set of nodes on a network by Host-Group; and

a field which determines whether to interpret the first and second host-group fields as Client, server, source, destination or any of these.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A graphical user interface for constructing rules to run on an intrusion detection system is described. The user interface includes a field that specifies a first set of nodes on a network by Host-Group, a field that specifies a second set of nodes on a network by Host-Group and a field which determines whether to interpret the first and second host-group fields as Client, server, source, destination or any of these.

67 Citations

View as Search Results

26 Claims

1. A graphical user interface for constructing rules to run on an intrusion detection system, the graphical user interface comprising:
- a field that specifies a first set of nodes on a network by Host-Group;
  
  a field that specifies a second set of nodes on a network by Host-Group; and
  
  a field which determines whether to interpret the first and second host-group fields as Client, server, source, destination or any of these.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The graphical user interface of claim 1 wherein fields for the first set of nodes and second set of nodes specifies groups of hosts.
  - 3. The graphical user interface of claim 1 further comprising:
    - a per host and aggregate control that determines whether the rule is applied to any host in the group or to the aggregate of the entire group'"'"'s traffic.
  - 4. The graphical user interface of claim 1 further comprising control buttons to allow a user to choose an address of a node or to choose a grouped set of nodes.
  - 5. The graphical user interface of claim 1 further comprising a field to specify a network traffic direction of traffic to monitor.
  - 6. The graphical user interface of claim 1 further comprising a field to specify a time limit of applying the rule.
  - 7. The graphical user interface of claim 1 further comprising a field to specify services used by the nodes tracked.
  - 8. The graphical user interface of claim 1 further comprising a field to specify a threshold type used by the tracked nodes.
  - 9. The graphical user interface of claim 8 further comprising a field to specify a tracking direction of traffic flow between the tracked nodes.
  - 10. The graphical user interface of claim 8 wherein the field to specify threshold type is used to specify when parameter exceeds a traffic upper threshold and/or a traffic lower threshold.

11. A method of producing a rule to track events in a network comprises:
- entering data in a field that specifies a first set of nodes on a network by Host-Group;
  
  entering data in a field that specifies a second set of nodes on a network by Host-Group; and
  
  entering data in a field which determines whether to interpret the first and second host-group fields as Client, server, source, destination or any of these.
- View Dependent Claims (12, 13)
- - 12. The method of claim 11 further comprising:
    - entering data to determine whether the rule is applied to any host in the group or to the aggregate of the entire group'"'"'s traffic.
  - 13. The method of claim 11 further comprising:
    - specifying a traffic direction between nodes in the set of nodes to track.

14. A computer program product residing on a computer readable medium for producing a graphical user interface for an intrusion detection system, the computer program product comprising instructions for causing a computer to generate the user interface comprising:
- a field that specifies a first set of nodes on a network by Host-Group;
  
  a field that specifies a second set of nodes on a network by Host-Group; and
  
  a field which determines whether to interpret the first and second host-group fields as Client, server, source, destination or any of these.
- View Dependent Claims (15, 16, 17)
- - 15. The computer program product of claim 14 further comprising instructions to:
    - receive data to determine whether the rule is applied to any host in the group or to the aggregate of the entire group'"'"'s traffic.
  - 16. The computer program product of claim 14 further comprising instructions to:
    - specify a traffic direction between nodes in the set of nodes to track.
  - 17. The computer program product of claim 14 further comprising instructions to:
    - specify a threshold type used by the tracked nodes.

18. A method comprises:
- producing a rule that is used by an intrusion detection system to check traffic over a network, by;
  
  specifying a day and time period when the rule is generated;
  
  specifying a first set of nodes on a network by Host-Group and a second set of nodes on a network by Host-Group;
  
  specifying a type basis which determines how to interpret first and second tracked units;
  
  specifying services to track as used or provided by the tracked units;
  
  specifying a direction of traffic flow between the tracked units; and
  
  specifying a duration of the condition necessary to qualify as an event.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18 wherein tracked units include a source group and destination group, or client group and server group.
  - 20. The method of claim 18 applying the rule to individual hosts in the groups or to the group statistics in the aggregate according to the rule.

21. A method comprises:
- providing a user interface, including options to detect a failed service, detect presence of services, detect communication between certain hosts or groups, detect hosts exceeding traffic thresholds; and
  
  in response to a selecting one or more of the options, producing a series of type-specific pages, for the selected detection option calling for specific data for each of the selected options.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The method of claim 21 further comprising:
    - producing a user interface for defining a time of operation, and a severity value of a alert that could be generated if the rule is met.
  - 23. The method of claim 21 wherein the type specific page for detecting a failed service includes fields for identifying servers, ports, and how long the service needs to be inactive before producing an event, and a lower bound on traffic that would produce an event.
  - 24. The method of claim 21 wherein the type specific page for detecting the presence of services includes fields for hosts becoming a server, relevant services, to set outbound rates of packets, and to indicate that the event measures an upper-threshold.
  - 25. The method of claim 21 wherein the type specific page for detecting communication between certain hosts or groups includes fields for identifying hosts in at least two groups, a field to set outbound rates of packets, and to indicate that the event measures an upper-threshold for traffic in either direction.
  - 26. The method of claim 21 wherein the type specific page for detecting hosts exceeding traffic thresholds includes fields for identifying hosts in a group, a field to set a traffic threshold, a field to set outbound rates of packets, and to indicate that the event measures an upper-threshold for traffic in either direction.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Riverbed Technology Incorporated
Inventors
Nazzal, Robert N.

Granted Patent

US 10,284,571 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/203
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1441 Countermeasures against mal...

Rule based alerting in anomaly detection

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Rule based alerting in anomaly detection

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links