Network intrusion detection system having application inspection and anomaly detection characteristics

US 20060037077A1
Filed: 08/16/2004
Published: 02/16/2006
Est. Priority Date: 08/16/2004
Status: Abandoned Application

First Claim

Patent Images

1. An intrusion detection device for a computer network comprising:

a processor;

one or more programs that run on the processor for inspecting packets traversing the computer network at an application level, the one or more programs obtaining attribute information from the packets specific to a particular application for comparison against a knowledge database that provides a baseline of normal network behavior for the attribute information specific to the particular application, wherein the processor raises an alarm when the attribute information exceeds a predetermined range of deviation from the baseline of normal network behavior.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion detection system and method for a computer network includes a processor and one or more programs that run on the processor for application inspection of data packets traversing the computer network. The one or more programs also obtaining attribute information from the packets specific to a particular application and comparing the attribute information against a knowledge database that provides a baseline of normal network behavior. The processor raises an alarm whenever the attribute information exceeds a predetermined range of deviation from the baseline of normal network behavior. It is emphasized that this abstract is provided to comply with the rules requiring an abstract that will allow a searcher or other reader to quickly ascertain the subject matter of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims.

Citations

19 Claims

1. An intrusion detection device for a computer network comprising:
- a processor;
  
  one or more programs that run on the processor for inspecting packets traversing the computer network at an application level, the one or more programs obtaining attribute information from the packets specific to a particular application for comparison against a knowledge database that provides a baseline of normal network behavior for the attribute information specific to the particular application, wherein the processor raises an alarm when the attribute information exceeds a predetermined range of deviation from the baseline of normal network behavior.
- View Dependent Claims (2, 3, 4)
- - 2. The intrusion detection device of claim 1 wherein the one or more programs comprise application inspection and anomaly detection software programs.
  - 3. The intrusion detection device of claim 1 wherein the anomaly detection program is configured to automatically establish the predetermined range of deviation through a learning process.
  - 4. The intrusion detection device of claim 1 wherein the attribute information includes parameter values associated with a method of the particular application.

5. An intrusion detection device for a computer network comprising:
- one or more processors;
  
  a program that runs on the processor for inspecting packets traversing the computer network at an application level, the program obtaining attribute information from the packets specific to a particular application for comparison against a knowledge database that provides a baseline of normal network behavior for the attribute information specific to the particular application, wherein the one or more processors raises an alarm when the attribute information exceeds a predetermined range of deviation from the baseline of normal network behavior.
- View Dependent Claims (6, 7, 8)
- - 6. The intrusion detection device of claim 5 wherein the program comprises application inspection and anomaly detection software routines.
  - 7. The intrusion detection device of claim 5 wherein the anomaly detection software routine is configured to automatically establish the predetermined range of deviation through a learning process.
  - 8. The intrusion detection device of claim 5 wherein the attribute information includes parameter values associated with a method of the particular application.

9. A computer-implemented method for intrusion detection on a computer network comprising:
- creating a template that includes fields and attributes specific to a particular application;
  
  establishing a knowledge base of normal network activity at an application level for the computer network;
  
  monitoring packet traffic on the computer network at the application level to detect when attribute information associated of a packet exceeds a specified range and/or threshold about a behavioral norm contained in the knowledge base for the particular application; and
  
  issuing an alarm when the attribute information exceeds the specified range and/or threshold.
- View Dependent Claims (10, 11, 12)
- - 10. The computer-implemented method of claim 9 further comprising:
    - automatically computing the specified range and/or threshold for the particular application from the knowledge base of normal network activity.
  - 11. The computer-implemented method of claim 9 wherein establishing a knowledge base of normal network activity comprises:
    - gathering information about normal network activity over a predetermined period of time.
  - 12. The computer-implemented method of claim 9 wherein the attribute information includes parameter values associated with a method of the particular application.

13. A computer program product comprising a computer useable medium and computer-readable code embodied on the computer useable medium, execution of the computer readable code causing a computer network device to:
- monitor packet traffic on a computer network at an application level;
  
  detect when attribute information associated of a packet exceeds a specified range and/or threshold about a behavioral norm contained in a knowledge base associated with a particular application; and
  
  issue an alarm when the attribute information exceeds the specified range and/or threshold.
- View Dependent Claims (14, 15)
- - 14. The computer program product of claim 13 wherein execution of the computer-readable code further causes the computer network device to:
    - gather information at an application level about normal network activity over a predetermined period of time; and
      
      establish a knowledge base of normal network activity using the information gathered at the application level.
  - 15. The computer program product of claim 13 wherein execution of the computer-readable code further causes the computer network device to:
    - periodically update the knowledge base of normal network activity.

16. An intrusion detection system for a computer network comprising:
- means for inspecting data packets at an application network protocol level and for extracting information that includes one or more parametric values associated with a method of a particular application;
  
  means for examining ongoing data packet traffic of the computer network to identify anomalies and for detecting when the one or more parametric values associated with the method of the particular application deviates from a baseline of normal network traffic, activity, transactions, or behavior, an alarm being raised in response thereto.
- View Dependent Claims (17, 18, 19)
- - 17. The intrusion detection system of claim 16 wherein a deviation is detected and the alarm raised when the one or more parametric values exceeds a predetermined threshold and/or range.
  - 18. The intrusion detection system of claim 16 further comprising means for creating the baseline by monitoring the network traffic, activity, transactions, or behavior over a period of time.
  - 19. The intrusion detection system of claim 16 further comprising means for automatically establishing the predetermined threshold and/or range through a learning process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Bhagat, Darshant B., Gadde, Ravi Kumar, Varanasi, Ravi Kumar

Application Number

US10/919,118
Publication Number

US 20060037077A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/168 above the transport layer

Network intrusion detection system having application inspection and anomaly detection characteristics

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Network intrusion detection system having application inspection and anomaly detection characteristics

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links