Network intrusion detection system having application inspection and anomaly detection characteristics
Abstract
An intrusion detection system and method for a computer network includes a processor and one or more programs that run on the processor for application inspection of data packets traversing the computer network. The one or more programs also obtain attribute information from the packets specific to a particular application and compare the attribute information against a knowledge database that provides a baseline of normal network behavior. The processor raises an alarm whenever the attribute information exceeds a predetermined range of deviation from the baseline of normal network behavior. It is emphasized that this abstract is provided to comply with the rules requiring an abstract that will allow a searcher or other reader to quickly ascertain the subject matter of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims.
19 Claims

1. An intrusion detection device for a computer network comprising:
- a processor;
- one or more programs that run on the processor for inspecting packets traversing the computer network at an application level, the one or more programs obtaining attribute information from the packets specific to a particular application for comparison against a knowledge database that provides a baseline of normal network behavior for the attribute information specific to the particular application, wherein the processor raises an alarm when the attribute information exceeds a predetermined range of deviation from the baseline of normal network behavior.
Dependent claims: 2, 3, 4

5. An intrusion detection device for a computer network comprising:
- one or more processors;
- a program that runs on the processor for inspecting packets traversing the computer network at an application level, the program obtaining attribute information from the packets specific to a particular application for comparison against a knowledge database that provides a baseline of normal network behavior for the attribute information specific to the particular application, wherein the one or more processors raise an alarm when the attribute information exceeds a predetermined range of deviation from the baseline of normal network behavior.
Dependent claims: 6, 7, 8

9. A computer-implemented method for intrusion detection on a computer network comprising:
- creating a template that includes fields and attributes specific to a particular application;
- establishing a knowledge base of normal network activity at an application level for the computer network;
- monitoring packet traffic on the computer network at the application level to detect when attribute information associated with a packet exceeds a specified range and/or threshold about a behavioral norm contained in the knowledge base for the particular application; and
- issuing an alarm when the attribute information exceeds the specified range and/or threshold.
Dependent claims: 10, 11, 12

13. A computer program product comprising a computer useable medium and computer-readable code embodied on the computer useable medium, execution of the computer-readable code causing a computer network device to:
- monitor packet traffic on a computer network at an application level;
- detect when attribute information associated with a packet exceeds a specified range and/or threshold about a behavioral norm contained in a knowledge base associated with a particular application; and
- issue an alarm when the attribute information exceeds the specified range and/or threshold.
Dependent claims: 14, 15

16. An intrusion detection system for a computer network comprising:
- means for inspecting data packets at an application network protocol level and for extracting information that includes one or more parametric values associated with a method of a particular application;
- means for examining ongoing data packet traffic of the computer network to identify anomalies and for detecting when the one or more parametric values associated with the method of the particular application deviate from a baseline of normal network traffic, activity, transactions, or behavior, an alarm being raised in response thereto.
Dependent claims: 17, 18, 19
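The following is an added illustration, not code from the patent, of the structure the independent claims describe: a per-application template of attributes (claim 9), a knowledge base of per-method norms learned from known-good traffic, and an alarm when an observed attribute falls outside a predetermined deviation range (here k standard deviations). The "http" application, its attribute names, the packet dictionaries and the training traffic are all constructed for the example.

```python
# Added example (not the patent's own code): minimal application-level anomaly detection
# in the shape of claims 9 and 16. Packets are plain dicts constructed below.
import statistics
from dataclasses import dataclass

# Template (claim 9, first step): attributes tracked for the hypothetical "http" application.
# Norms are keyed by the application "method" (claim 16) so GET and POST get separate baselines.
HTTP_TEMPLATE = ("uri_length", "header_count", "body_length")

@dataclass
class Norm:
    mean: float
    stdev: float

def build_knowledge_base(template, observations):
    """Knowledge base: (method, attribute) -> Norm, learned from known-good observations."""
    samples = {}
    for pkt in observations:
        for attr in template:
            samples.setdefault((pkt["method"], attr), []).append(pkt[attr])
    return {key: Norm(statistics.fmean(v), statistics.pstdev(v)) for key, v in samples.items()}

def inspect(kb, template, pkt, k=3.0, floor=1.0):
    """Return alarm strings for attributes more than k standard deviations from the norm.
    A method absent from the knowledge base is itself an alarm; the stdev floor avoids
    a zero-width range when every training sample had the identical value."""
    alarms = []
    for attr in template:
        norm = kb.get((pkt["method"], attr))
        if norm is None:
            return [f"unknown method {pkt['method']!r} for application http"]
        spread = max(norm.stdev, floor)
        if abs(pkt[attr] - norm.mean) > k * spread:
            alarms.append(f"{pkt['method']} {attr}={pkt[attr]} outside {norm.mean:.1f} +/- {k * spread:.1f}")
    return alarms

# Constructed training traffic: ordinary GET requests and POST requests with small bodies.
TRAINING = [
    {"method": "GET", "uri_length": 20 + i % 5, "header_count": 8, "body_length": 0} for i in range(20)
] + [
    {"method": "POST", "uri_length": 15, "header_count": 10, "body_length": 400 + 10 * (i % 4)} for i in range(20)
]
KB = build_knowledge_base(HTTP_TEMPLATE, TRAINING)

if __name__ == "__main__":
    # Constructed test packets: a normal GET and one whose URI is far longer than the baseline.
    for pkt in ({"method": "GET", "uri_length": 22, "header_count": 8, "body_length": 0},
                {"method": "GET", "uri_length": 4000, "header_count": 8, "body_length": 0}):
        print(inspect(KB, HTTP_TEMPLATE, pkt) or "within baseline")
```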