System and method of dynamically weighted analysis for intrusion decison-making

US 20070169195A1
Filed: 01/18/2006
Published: 07/19/2007
Est. Priority Date: 01/18/2006
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for intrusion detection in a computer environment, the computer implemented method comprising:

receiving first configuration information from an intrusion detection skin, wherein the first configuration information identifies a set of one or more analysis approaches to be executed and a weight to apply to each of the one or more analysis approaches;

executing the set of one or more analysis approaches against event information generated by one or more computing elements in the computer environment;

determining a score based on one or more policies; and

determining whether the event information represents an intrusion based on the score.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion detection mechanism is provided for flexible, automatic, thorough, and consistent security checking and vulnerability resolution in a heterogeneous environment. The mechanism may provide a predefined number of default intrusion analysis approaches, such as signature-based, anomaly-based, scan-based, and danger theory. The intrusion detection mechanism also allows a limitless number of intrusion analysis approaches to be added on the fly. Using an intrusion detection skin, the mechanism allows various weights to be assigned to specific intrusion analysis approaches. The mechanism may adjust these weights dynamically. The score ration can be tailored to determine if an intrusion occurred and adjusted dynamically. Also, multiple security policies for any type of computing element may be enforced.

18 Citations

View as Search Results

20 Claims

1. A computer implemented method for intrusion detection in a computer environment, the computer implemented method comprising:
- receiving first configuration information from an intrusion detection skin, wherein the first configuration information identifies a set of one or more analysis approaches to be executed and a weight to apply to each of the one or more analysis approaches;
  
  executing the set of one or more analysis approaches against event information generated by one or more computing elements in the computer environment;
  
  determining a score based on one or more policies; and
  
  determining whether the event information represents an intrusion based on the score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer implemented method of claim 1, wherein the intrusion detection skin defines at least one of:
    - which filters are to be used to produce the score;
      
      what score ratio is to be produced to rate if an intrusion has occurred;
      
      assignment of rules on how weights for each analysis approach are to be dynamically adjusted;
      
      assignment of rules on how the score is to be dynamically adjusted;
      
      interval/frequency in which the set of one or more analysis approaches is to be executed;
      
      look and feel of output;
      
      how to determine false positives and false negatives produced by the set of one ore more analysis approaches;
      
      how detected intrusions are resolved;
      
      where to send reports and errors;
      
      or what statistics/metrics to collect on intrusion activity.
  - 3. The computer implemented method of claim 1, wherein the set of one or more analysis approaches comprises one or more default analysis approaches.
  - 4. The computer implemented method of claim 3, wherein the one or more default analysis approaches comprises at least one of a signature-based analysis approach, an anomaly-based analysis approach, a scan-based analysis approach, or a danger theory analysis approach.
  - 5. The computer implemented method of claim 3, wherein the set of one or more analysis approaches comprises at least one analysis approach added through a pluggable analysis module.
  - 6. The computer implemented method of claim 1, further comprising:
    - responsive to a determination that the event information represents an intrusion based on the score, determining whether the determination is a false positive.
  - 7. The computer implemented method of claim 6, further comprising:
    - responsive to a predetermined number of false positives, adjusting the weight to apply to each of the one or more analysis approaches.
  - 8. The computer implemented method of claim 1, further comprising:
    - responsive to a determination that the event information does not represent an intrusion based on the score, determining whether the determination is a false negative.
  - 9. The computer implemented method of claim 8, further comprising:
    - responsive to a predetermined number of false negatives, adjusting the weight to apply to each of the one or more analysis approaches.
  - 10. The computer implemented method of claim 1, further comprising:
    - responsive to a determination that the event information represents an intrusion based on the score, notifying an administrator of the intrusion according to the one or more policies.
  - 11. The computer implemented method of claim 1, further comprising:
    - responsive to a determination that the event information represents an intrusion based on the score, resolving the intrusion according to the one or more policies.

12. An intrusion detection system, comprising:
- an analysis module that receives first configuration information from an intrusion detection skin, wherein the first configuration information identifies a set of one or more analysis approaches to be executed and a weight to apply to each of the one or more analysis approaches, and executes the set of one or more analysis approaches against event information generated by one or more computing elements in a computer environment;
  
  a filtering mechanism that determines a score based on one or more policies; and
  
  a score interpreter that determines whether the event information represents an intrusion based on the score.
- View Dependent Claims (13, 14, 15)
- - 13. The intrusion detection system of claim 12, further comprising:
    - a pluggable analysis module configured to allow an administrator to add at least one analysis approach to the set of one or more analysis approaches.
  - 14. The intrusion detection system of claim 12, further comprising:
    - an intrusion manager that notifies an administrator of the intrusion according to the one or more policies responsive to a determination that the event information represents an intrusion based on the score.
  - 15. The intrusion detection system of claim 12, further comprising:
    - an intrusion manager that resolves the intrusion according to the one or more policies responsive to a determination that the event information represents an intrusion based on the score.

16. A computer program product for intrusion detection in a computer environment, the computer program product comprising:
- a computer usable medium having computer usable program code embodied therein;
  
  computer usable program code configured to receive first configuration information from an intrusion detection skin, wherein the first configuration information identifies a set of one or more analysis approaches to be executed and a weight to apply to each of the one or more analysis approaches;
  
  computer usable program code configured to execute the set of one or more analysis approaches against event information generated by one or more computing elements in the computer environment;
  
  computer usable program code configured to determine a score based on one or more policies; and
  
  computer usable program code configured to determine whether the event information represents an intrusion based on the score.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer program product of claim 16, wherein the set of one or more analysis approaches comprises one or more default analysis approaches and wherein the one or more default analysis approaches comprises at least one of a signature-based analysis approach, an anomaly-based analysis approach, a scan-based analysis approach, or a danger theory analysis approach.
  - 18. The computer program product of claim 16, further comprising:
    - computer usable program code configured to adjust the weight to apply to each of the one or more analysis approaches responsive to a predetermined number of false positives or a predetermined number of false negatives.
  - 19. The computer program product of claim 16, further comprising:
    - computer usable program code configured to notify an administrator of the intrusion according to the one or more policies responsive to a determination that the event information represents an intrusion based on the score.
  - 20. The computer program product of claim 16, further comprising:
    - computer usable program code configured to resolve the intrusion according to the one or more policies responsive to a determination that the event information represents an intrusion based on the score.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Safford, David, Johnson, Sandra, Anand, Vaijayanthimala, Simon, Kimberly

Granted Patent

US 7,450,005 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

H04L 63/1416 Event detection, e.g. attac...

System and method of dynamically weighted analysis for intrusion decison-making

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of dynamically weighted analysis for intrusion decison-making

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links