Adaptive intrusion detection for autonomic systems

US 20060129382A1
Filed: 02/09/2006
Published: 06/15/2006
Est. Priority Date: 06/10/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for adaptively identifying unauthorized intrusions in a networked data processing system, said method comprising:

receiving system event data;

processing the system event data utilizing at least one behavior-based intrusion detection technique to generate an intrusion detection result; and

responsive to the intrusion detection result indicating an unauthorized intrusion, updating at least one knowledge-based intrusion detection corpus utilizing the system event data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product for adaptively identifying unauthorized intrusions in a networked data processing system. In accordance with the method of the present invention, an intrusion detection module receives system event data that may be utilized for intrusion detection. The received system event data is processed utilizing multiple intrusion detection techniques including at least one behavior-based intrusion detection technique to generate an intrusion detection result. In response to the intrusion detection result indicating an unauthorized intrusion, at least one knowledge-based intrusion detection corpus is updated utilizing the system event data. In a preferred embodiment, the intrusion detection system/method is implemented in a network data processing environment in which the knowledge-based intrusion detection corpus is communicatively accessible by multiple elements coupled to the networked data processing system. The method preferably includes issuing a network update to update knowledge-based intrusion detection corpora associated with the multiple elements included in the network.

113 Citations

View as Search Results

20 Claims

1. A method for adaptively identifying unauthorized intrusions in a networked data processing system, said method comprising:
- receiving system event data;
  
  processing the system event data utilizing at least one behavior-based intrusion detection technique to generate an intrusion detection result; and
  
  responsive to the intrusion detection result indicating an unauthorized intrusion, updating at least one knowledge-based intrusion detection corpus utilizing the system event data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the knowledge-based intrusion detection corpus is communicatively accessible by multiple elements coupled to the networked data processing system, said method further comprising issuing a network update to update knowledge-based intrusion detection corpora associated with said multiple elements.
  - 3. The method of claim 1, said processing the system event data utilizing at least one behavior-based intrusion detection technique further comprising collectively processing the received system event data utilizing multiple intrusion detection techniques.
  - 4. The method of claim 3, wherein said multiple intrusion detection techniques are selected from the group comprising:
    - anomaly-based intrusion detection techniques;
      
      signature-based intrusion detection techniques;
      
      scan-based intrusion detection techniques; and
      
      danger theory intrusion detection techniques.
  - 5. The method of claim 3, further comprising, responsive to the intrusion detection result indicating a non-intrusion, updating at least one behavior-based detection corpus to identify the system event data as representing a non-intrusion.
  - 6. The method of claim 3, wherein said collectively processing the received system event data utilizing multiple intrusion detection techniques comprises statistically filtering intrusion detection results from multiple intrusion detection modules.
  - 7. The method of claim 6, wherein said statistical filtering comprises Bayesian filtering.

8. An intrusion detection system that adaptively identifies unauthorized intrusions in a networked data processing system, said intrusion detection system comprising:
- computer processing means for receiving system event data;
  
  computer processing means for processing the system event data utilizing at least one behavior-based intrusion detection technique to generate an intrusion detection result; and
  
  computer processing means, responsive to the intrusion detection result indicating an unauthorized intrusion, for updating at least one knowledge-based intrusion detection corpus utilizing the system event data.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The intrusion detection system of claim 8, wherein the knowledge-based intrusion detection corpus is communicatively accessible by multiple elements coupled to the networked data processing system, said intrusion detection system further comprising computer processing means for issuing a network update to update knowledge-based intrusion detection corpora associated with said multiple elements.
  - 10. The intrusion detection system of claim 8, said computer processing means for processing the system event data utilizing at least one behavior-based intrusion detection technique further comprising computer processing means for collectively processing the received system event data utilizing multiple intrusion detection techniques.
  - 11. The intrusion detection system of claim 10, wherein said multiple intrusion detection techniques are selected from the group comprising:
    - anomaly-based intrusion detection techniques;
      
      signature-based intrusion detection techniques;
      
      scan-based intrusion detection techniques; and
      
      danger theory intrusion detection techniques.
  - 12. The intrusion detection system of claim 10, further comprising computer processing means, responsive to the intrusion detection result indicating a non-intrusion, for updating at least one behavior-based detection corpus to identify the system event data as representing a non-intrusion.
  - 13. The intrusion detection system of claim 10, wherein said computer processing means for collectively processing the received system event data utilizing multiple intrusion detection techniques comprises a statistical filter for statistically filtering intrusion detection results from multiple intrusion detection modules.
  - 14. The intrusion detection system of claim 13, wherein said statistical filter comprises a Bayesian filter.

15. A computer-readable medium having stored thereon computer-executable instructions for adaptively identifying unauthorized intrusions in a networked data processing system, said computer-executable instructions performing a method comprising:
- receiving system event data;
  
  processing the system event data utilizing at least one behavior-based intrusion detection technique to generate an intrusion detection result; and
  
  responsive to the intrusion detection result indicating an unauthorized intrusion, updating at least one knowledge-based intrusion detection corpus utilizing the system event data.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable medium of claim 15, wherein the knowledge-based intrusion detection corpus is communicatively accessible by multiple elements coupled to the networked data processing system, said method further comprising issuing a network update to update knowledge-based intrusion detection corpora associated with said multiple elements.
  - 17. The computer-readable medium of claim 15, said processing the system event data utilizing at least one behavior-based intrusion detection technique further comprising collectively processing the received system event data utilizing multiple intrusion detection techniques.
  - 18. The computer-readable medium of claim 17, wherein said multiple intrusion detection techniques are selected from the group comprising:
    - anomaly-based intrusion detection techniques;
      
      signature-based intrusion detection techniques;
      
      scan-based intrusion detection techniques; and
      
      danger theory intrusion detection techniques.
  - 19. The computer-readable medium of claim 17, further comprising, responsive to the intrusion detection result indicating a non-intrusion, updating at least one behavior-based detection corpus to identify the system event data as representing a non-intrusion.
  - 20. The computer-readable medium of claim 17, wherein said collectively processing the received system event data utilizing multiple intrusion detection techniques comprises statistically filtering intrusion detection results from multiple intrusion detection modules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Anand, Vaijayanthimala K., Johnson, Sandra K., Simon, Kimberly D.

Application Number

US11/351,062
Publication Number

US 20060129382A1
Time in Patent Office

Days
Field of Search
US Class Current

704/9
CPC Class Codes

G06F 21/552 involving long-term monitor...

Adaptive intrusion detection for autonomic systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

113 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive intrusion detection for autonomic systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

113 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links