Intelligent intrusion detection system utilizing enhanced graph-matching of network activity with context data
Abstract
A method, system, and computer program product for utilizing a mapping of activity occurring at and between devices on a computer network to detect and prevent network intrusions. An enhanced graph matching intrusion detection system (eGMIDS) is provided that provides data collection functions, data fusion techniques, graph matching algorithms, and secondary and other search mechanisms. Threats are modeled as a set of entities and interrelations between the entities and sample threat patterns are stored within a database. The eGMIDS utility initiates a graph matching algorithm by which the threat patterns are compared within the generated activity graph via subgraph isomorphism. A multi-layered approach including a targeted secondary layer search following a match during a primary layer search is provided. Searches are tempered by attributes and constraints and the eGMIDS reduces the number of threat patterns searched by utilizing ontological generalization.
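The abstract describes threats modelled as small pattern graphs that are matched against a host/activity graph by subgraph isomorphism, with the search tempered by attribute constraints and with pattern labels generalized through an ontology. The Python below is an added worked example written for this page; it is not the patent's eGMIDS code. It fuses a handful of constructed activity records (the record schema, host attributes, ontology table and threat pattern are all assumptions made here) into an activity graph and runs a plain backtracking subgraph-isomorphism search, pruning branches on a node-attribute constraint, and emits an alert for each complete match. The abstract's separate secondary-layer search is not reproduced; the attribute check stands in for it.

```python
"""Added example: graph-matching intrusion detection over fused host activity.
Not the patent's eGMIDS code; schema, ontology, pattern and records are assumptions."""

# Constructed activity records after conversion to a fused format (assumed
# schema: source host, destination host, activity type). Self-referencing
# records model activity occurring at a single host.
ACTIVITY_RECORDS = [
    {"src": "ws-01", "dst": "ws-01", "type": "login"},
    {"src": "ws-01", "dst": "srv-db", "type": "ssh"},
    {"src": "srv-db", "dst": "srv-db", "type": "priv_escalation"},
    {"src": "srv-db", "dst": "ext-7", "type": "exfil_http"},
    {"src": "ws-02", "dst": "ws-02", "type": "login"},
    {"src": "ws-02", "dst": "srv-web", "type": "http"},
]

# Hypothetical host attributes used as search constraints.
HOST_ZONE = {"ws-01": "workstation", "ws-02": "workstation",
             "srv-db": "server", "srv-web": "server", "ext-7": "external"}

# Ontological generalization (assumed table): one abstract pattern label
# stands for several concrete activity types, so a single stored pattern
# covers every variant instead of one pattern per protocol.
ONTOLOGY = {
    "remote_access": {"ssh", "rdp", "winrm"},
    "exfiltration": {"exfil_http", "exfil_dns"},
}

# Hypothetical threat pattern: interactive login, lateral move to a second
# host, privilege escalation there, then exfiltration to an external host.
THREAT_PATTERN = {
    "nodes": ["A", "B", "C"],
    "edges": [("A", "A", "login"), ("A", "B", "remote_access"),
              ("B", "B", "priv_escalation"), ("B", "C", "exfiltration")],
    "node_constraints": {"C": "external"},  # attribute that tempers the search
}


def build_activity_graph(records):
    """Nodes are hosts; each (src, dst) edge carries the set of activity types."""
    nodes, edges = set(), {}
    for r in records:
        nodes.update((r["src"], r["dst"]))
        edges.setdefault((r["src"], r["dst"]), set()).add(r["type"])
    return {"nodes": sorted(nodes), "edges": edges}


def label_matches(pattern_label, activity_types):
    """A pattern label matches if any concrete type it generalizes is present."""
    return bool(ONTOLOGY.get(pattern_label, {pattern_label}) & activity_types)


def find_matches(pattern, graph):
    """Backtracking subgraph isomorphism: an injective map from pattern nodes to
    graph nodes such that every pattern edge is covered by a matching activity
    edge and every node constraint holds. Partial assignments are checked as
    they grow so inconsistent branches are pruned early."""
    pnodes, pedges = pattern["nodes"], pattern["edges"]
    constraints = pattern.get("node_constraints", {})
    gedges = graph["edges"]
    matches = []

    def consistent(assign):
        for p_src, p_dst, label in pedges:
            if p_src in assign and p_dst in assign:
                actual = gedges.get((assign[p_src], assign[p_dst]), set())
                if not label_matches(label, actual):
                    return False
        return True

    def extend(idx, assign):
        if idx == len(pnodes):
            matches.append(dict(assign))
            return
        pnode = pnodes[idx]
        for gnode in graph["nodes"]:
            if gnode in assign.values():
                continue  # isomorphism requires distinct graph nodes
            if pnode in constraints and HOST_ZONE.get(gnode) != constraints[pnode]:
                continue  # attribute constraint fails; prune this branch
            assign[pnode] = gnode
            if consistent(assign):
                extend(idx + 1, assign)
            del assign[pnode]

    extend(0, {})
    return matches


def alerts_for(records, pattern=THREAT_PATTERN):
    """Claim 1 end to end: fuse records, build the graph, match, alert."""
    graph = build_activity_graph(records)
    return [f"ALERT: threat pattern matched hosts {m}" for m in find_matches(pattern, graph)]


if __name__ == "__main__":
    for line in alerts_for(ACTIVITY_RECORDS):
        print(line)
```

On the constructed records the search yields exactly one mapping (A=ws-01, B=srv-db, C=ext-7); the second workstation's login followed by plain HTTP to a server is structurally similar but fails the `remote_access` edge and so is pruned before the exfiltration edge is ever examined. Tightening the constraint on C to `server` removes the match entirely, which is the effect the abstract describes when it says searches are tempered by attributes and constraints.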
133 Citations
30 Claims
1. In a network computer environment comprising an intrusion detection system (IDS) server communicatively connected to one or more host devices, a method comprising:
receiving from at least one of the one or more host devices activity data corresponding to the specific host device and operations and activity occurring on the host device and among two or more host devices;
converting the received activity data into a specialized format, which supports data fusion;
generating a graphical representation of the activity within and communication amongst the one or more host devices and the IDS server, said graphical representation being an activity graph comprising a series of interconnected nodes and edges each representing one or more of the host devices and the activities occurring at the host device and communications between host devices;
comparing one or more pre-determined threat patterns against said activity graph, wherein said threat patterns represent activities of interest; and
providing an alert when at least one of the one or more pre-determined threat patterns matches up to connected nodes and edges within the activity graph.
Dependent claims: 2, 3, 4, 5, 7, 8, 9, 10, 11, 12, 13, 14, 15

6. The method of claim 6, wherein said first exhaustive search method comprises:
matching nodes in the pattern graph to nodes in the activity graph when the connections between the nodes within the activity graph match the connections between the nodes of the pattern graph;
determining whether a match is found to the threat pattern within the activity graph; and
when a match is found, generating and outputting an alert indicating the match was found within the activity graph.

17. A data processing system (DPS) comprising:
a processor and memory connected via a system bus;
a network interface device by which the data processing system connects to an external network and communicates with external network devices;
an intrusion detection system (IDS) utility comprising instruction code that when executed by the processor provides the functions of:
receiving from at least one of the one or more host devices activity data corresponding to the specific host device and operations and activity occurring on the host device and among two or more host devices;
converting the received activity data into a specialized format, which supports data fusion;
generating a graphical representation of the activity within and communication amongst the one or more host devices and the IDS server, said graphical representation being an activity graph comprising a series of interconnected nodes and edges each representing one or more of the host devices and the activities occurring at the host device and communications between host devices;
comparing one or more pre-determined threat patterns against said activity graph, wherein said threat patterns represent activities of interest; and
providing an alert when at least one of the one or more pre-determined threat patterns matches up to connected nodes and edges within the activity graph.
Dependent claims: 18, 19, 20, 21, 22, 23, 24

25. A computer program product comprising:
a computer readable medium; and
program code on the computer readable medium that when executed by a processor performs the functions of:
receiving from at least one of the one or more host devices activity data corresponding to the specific host device and operations and activity occurring on the host device and among two or more host devices;
converting the received activity data into a specialized format, which supports data fusion;
generating a graphical representation of the activity within and communication amongst the one or more host devices and the IDS server, said graphical representation being an activity graph comprising a series of interconnected nodes and edges each representing one or more of the host devices and the activities occurring at the host device and communications between host devices;
comparing one or more pre-determined threat patterns against said activity graph, wherein said threat patterns represent activities of interest; and
providing an alert when at least one of the one or more pre-determined threat patterns matches up to connected nodes and edges within the activity graph.
Dependent claims: 26, 27, 28, 29, 30
Specification