System and method of dynamically weighted analysis for intrusion decision-making
Abstract
An intrusion detection mechanism is provided for flexible, automatic, thorough, and consistent security checking and vulnerability resolution in a heterogeneous environment. The mechanism may provide a predefined number of default intrusion analysis approaches, such as signature-based, anomaly-based, scan-based, and danger theory. The intrusion detection mechanism also allows an unlimited number of intrusion analysis approaches to be added on the fly. Using an intrusion detection skin, the mechanism allows different weights to be assigned to specific intrusion analysis approaches, and it may adjust these weights dynamically. The score ratio used to decide whether an intrusion occurred can be tailored and adjusted dynamically. Multiple security policies for any type of computing element may also be enforced.
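The abstract and the independent claims describe the same pipeline: a "skin" names the analysis approaches and their weights, each approach scores an event, a policy for the computing element turns the weighted results into a score ratio, and a threshold decides whether the event is an intrusion. The example below is an added illustration, not the patent's own code; the names Skin, Policy, score_event, adjust_weights and the three analysis functions, and the sample events, are constructed for this example. It also shows one way the weights could be re-tuned from analyst feedback, which the abstract mentions but does not specify.

```python
"""Weighted, pluggable intrusion scoring (added illustration; not the patent's code).

Skin, Policy, score_event, adjust_weights and the analysis functions are names
assumed for this example; the event records are constructed sample data.
"""
import re
from dataclasses import dataclass, field
from statistics import mean, pstdev

SIGNATURES = [re.compile(r"UNION\s+SELECT", re.I), re.compile(r"\.\./")]


def signature_analysis(event, history):
    """Signature-based: 1.0 if the request matches a known attack pattern."""
    return 1.0 if any(p.search(event["req"]) for p in SIGNATURES) else 0.0


def anomaly_analysis(event, history):
    """Anomaly-based: z-score of the byte count against earlier events, scaled so 3 sigma = 1.0."""
    sizes = [e["bytes"] for e in history]
    if len(sizes) < 2:
        return 0.0                      # not enough baseline to judge
    sd = pstdev(sizes)
    if sd == 0:
        return 0.0 if event["bytes"] == sizes[0] else 1.0
    return min(abs(event["bytes"] - mean(sizes)) / sd / 3.0, 1.0)


def scan_analysis(event, history):
    """Scan-based: share of earlier events from the same source (5 or more saturates)."""
    same = sum(1 for e in history if e["src"] == event["src"])
    return min(same / 5.0, 1.0)


# Approaches are looked up by name, so a new one is added by inserting it here.
APPROACHES = {"signature": signature_analysis, "anomaly": anomaly_analysis, "scan": scan_analysis}


@dataclass
class Policy:
    """Policy for one type of computing element: the score ratio that counts as an
    intrusion, plus optional weight overrides for that element type."""
    threshold: float
    weight_overrides: dict = field(default_factory=dict)


@dataclass
class Skin:
    """The intrusion detection skin: which approaches run and with what weight."""
    weights: dict
    policies: dict

    def effective_weights(self, element_type):
        w = dict(self.weights)
        w.update(self.policies[element_type].weight_overrides)
        return w


def score_event(skin, element_type, event, history):
    """Run every configured approach; return (weighted score ratio in [0,1], per-approach results)."""
    weights = skin.effective_weights(element_type)
    results = {name: APPROACHES[name](event, history) for name in weights}
    total = sum(weights.values())
    ratio = sum(weights[n] * results[n] for n in weights) / total
    return ratio, results


def is_intrusion(skin, element_type, event, history):
    """Score interpreter: compare the ratio with the element type's policy threshold."""
    ratio, _ = score_event(skin, element_type, event, history)
    return ratio >= skin.policies[element_type].threshold


def adjust_weights(skin, results, confirmed, rate=0.1):
    """Dynamic re-weighting from analyst feedback: approaches that fired (>0.5) gain
    weight on a confirmed intrusion and lose weight on a false positive; the weights
    are then renormalised to sum to 1."""
    for name, s in results.items():
        if s > 0.5:
            skin.weights[name] *= (1 + rate) if confirmed else (1 - rate)
    total = sum(skin.weights.values())
    for name in skin.weights:
        skin.weights[name] /= total


# Constructed sample events: two benign page loads, then an injection attempt.
EVENTS = [
    {"src": "10.0.0.5", "bytes": 1200, "req": "GET /index.html"},
    {"src": "10.0.0.5", "bytes": 1350, "req": "GET /about.html"},
    {"src": "198.51.100.7", "bytes": 90000, "req": "GET /item.php?id=1 UNION SELECT 1,2"},
]


def make_default_skin():
    """Default skin: three approaches; the db policy is stricter and drops scan analysis."""
    return Skin(
        weights={"signature": 0.5, "anomaly": 0.3, "scan": 0.2},
        policies={"web": Policy(threshold=0.5),
                  "db": Policy(threshold=0.3, weight_overrides={"scan": 0.0})},
    )


def run_stream(skin, element_type, events):
    """Score each event against the events before it; return [(ratio, is_intrusion), ...]."""
    verdicts = []
    for i, ev in enumerate(events):
        ratio, _ = score_event(skin, element_type, ev, events[:i])
        verdicts.append((ratio, ratio >= skin.policies[element_type].threshold))
    return verdicts


if __name__ == "__main__":
    for ratio, hit in run_stream(make_default_skin(), "web", EVENTS):
        print(f"score={ratio:.2f} intrusion={hit}")
```

On the constructed stream the third event scores 0.8 on a "web" element (signature and anomaly both fire, scan does not) and 1.0 on a "db" element, whose policy removes the scan weight; marking that verdict a false positive shifts weight away from the approaches that fired. Keeping approaches as a name-to-function table is what lets a new approach be added without touching the scorer, which is the point of the skin in the abstract.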
18 Citations
20 Claims
1. A computer implemented method for intrusion detection in a computer environment, the computer implemented method comprising:
receiving first configuration information from an intrusion detection skin, wherein the first configuration information identifies a set of one or more analysis approaches to be executed and a weight to apply to each of the one or more analysis approaches;
executing the set of one or more analysis approaches against event information generated by one or more computing elements in the computer environment;
determining a score based on one or more policies; and
determining whether the event information represents an intrusion based on the score.
(Dependent claims 2 to 11 not reproduced here.)

12. An intrusion detection system, comprising:
an analysis module that receives first configuration information from an intrusion detection skin, wherein the first configuration information identifies a set of one or more analysis approaches to be executed and a weight to apply to each of the one or more analysis approaches, and executes the set of one or more analysis approaches against event information generated by one or more computing elements in a computer environment;
a filtering mechanism that determines a score based on one or more policies; and
a score interpreter that determines whether the event information represents an intrusion based on the score.
(Dependent claims 13 to 15 not reproduced here.)

16. A computer program product for intrusion detection in a computer environment, the computer program product comprising:
a computer usable medium having computer usable program code embodied therein;
computer usable program code configured to receive first configuration information from an intrusion detection skin, wherein the first configuration information identifies a set of one or more analysis approaches to be executed and a weight to apply to each of the one or more analysis approaches;
computer usable program code configured to execute the set of one or more analysis approaches against event information generated by one or more computing elements in the computer environment;
computer usable program code configured to determine a score based on one or more policies; and
computer usable program code configured to determine whether the event information represents an intrusion based on the score.
(Dependent claims 17 to 20 not reproduced here.)
Specification