Suppression of False Alarms in Alarms Arising from Intrusion Detection Probes in a Monitored Information System

US 20080165000A1
Filed: 05/09/2005
Published: 07/10/2008
Est. Priority Date: 05/10/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method of suppressing false alarms among alarms issued by intrusion detection sensors (13a, 13b, 13c) of a protected information system (1) including entities (9, 11a, 11b) generating attacks associated with the alarms and an alarm management system (15), the method being characterized in that it comprises the following steps:

using a false alarm suppression module (23) to define qualitative relationships between the entities (9, 11a, 11b) and a set of profiles;

using the false alarm suppression module (23) to define nominative relationships between the set of profiles and a set of names of attacks which that set of profiles is recognized as generating; and

using the false alarm suppression module (23) to qualify a given alarm as a false alarm if the entity (9, 11a, 11b) implicated in the given alarm has a profile recognized as generating the attack associated with that given alarm.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a system and a method of suppressing false alarms among alarms issued by intrusion detection sensors (13a, 13b, 13c) of a protected information system (1) including entities (9, 11a, 11b) generating attacks associated with the alarms and an alarm management system (15), the method comprising the following steps:

- using a false alarm suppression module (23) to define qualitative relationships between the entities (9, 11a, 11b) and a set of profiles;
- using the false alarm suppression module (23) to define nominative relationships between the set of profiles and a set of names of attacks which that set of profiles is recognized as generating; and
- using the false alarm suppression module (23) to qualify a given alarm as a false alarm if the entity (9, 11a, 11b) implicated in the given alarm has a profile recognized as generating the attack associated with that given alarm.

44 Citations

View as Search Results

16 Claims

1. A method of suppressing false alarms among alarms issued by intrusion detection sensors (13a, 13b, 13c) of a protected information system (1) including entities (9, 11a, 11b) generating attacks associated with the alarms and an alarm management system (15), the method being characterized in that it comprises the following steps:
- using a false alarm suppression module (23) to define qualitative relationships between the entities (9, 11a, 11b) and a set of profiles;
  
  using the false alarm suppression module (23) to define nominative relationships between the set of profiles and a set of names of attacks which that set of profiles is recognized as generating; and
  
  using the false alarm suppression module (23) to qualify a given alarm as a false alarm if the entity (9, 11a, 11b) implicated in the given alarm has a profile recognized as generating the attack associated with that given alarm.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method according to claim 1, characterized in that each entity (9, 11a, 11b) is an attacker or a victim.
  - 3. A method according to claim 1, characterized in that the false alarm suppression module (23) defines the qualitative relationships by successively inferring new qualitative relationships, so that if a given entity is implicated in alarms associated with a given attack according to a first statistical criterion, and if that given entity does not have a profile recognized as generating the given attack, then the false alarm suppression module (23) infers a new qualitative relationship by allocating said profile recognized as generating the given attack to said given entity.
  - 4. A method according to claim 3, characterized in that the first statistical criterion verifies whether the frequency of alarms implicating said given entity is greater than an alarm threshold frequency associated with said given attack.
  - 5. A method according to claim 1, characterized in that the false alarm suppression module (23) defines the nominative relationships by successively inferring new nominative relationships, so that if a given profile is common to a plurality of entities implicated in alarms associated with a particular attack according to a second statistical criterion, and there is no profile recognized as generating that particular attack, then the false alarm suppression module infers a new nominative relationship by allocating said particular attack to said given profile.
  - 6. A method according to claim 5, characterized in that the second statistical criterion verifies whether the frequency of said particular attack is higher than an alarm threshold frequency.
  - 7. A method according to claim 1, characterized in that the qualitative relationships are stored in a first database (27a) and the nominative relationships are stored in a second database (27b) after they are validated by a security operator.
  - 8. A method according to claim 1, characterized in that some of the qualitative and nominative relationships are defined explicitly by the security operator.
  - 9. A method according to claim 1, characterized in that the false alarm is forwarded to the alarm management system (15).

10. A false alarm suppression module, characterized in that it includes data processor means (25) for defining qualitative relationships between entities (9, 11a, 11b) and a set of profiles, for defining nominative relationships between the set of profiles and a set of names of attacks which that set of profiles is recognized as generating, and for qualifying a given alarm as a false alarm if the entity implicated in the given alarm has a profile recognized as generating the attack associated with that given alarm.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. A module according to claim 10, characterized in that it further includes memory means (27) for storing the qualitative relationships in a first database (27a) and for storing the nominative relationships in a second database (27b).
  - 12. A module according to claim 10, characterized in that it further includes an output unit (33) a security operator uses to validate the qualitative and nominative relationships.
  - 13. A module according to claim 10, characterized in that it is connected between an alarm management system (15) and intrusion detection sensors (13a, 13b, 13c) issuing alarms associated with attacks generated by the entities (9, 11a, 11b).
  - 14. A protected information system including entities (9, 11a, 11b), intrusion detection sensors (13a, 13b, 13c), and an alarm management system (15), characterized in that it further includes a false alarms suppression module (23) according to claim 10.
  - 15. Intrusion detection sensor, characterized in that it is adapted to monitor attacks and to issue alarms if attacks are detected to the false alarm suppression module according claim 10.
  - 16. Computer program designed to implement the method of suppressing false alarms according to claim 10.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Orange S.A.
Original Assignee
Orange S.A.
Inventors
Morin, Benjamin, Debar, Herve

Application Number

US11/579,901
Publication Number

US 20080165000A1
Time in Patent Office

Days
Field of Search
US Class Current

340/541
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1408   by monitoring network traff...

H04L 67/125   involving control of end-de...

Suppression of False Alarms in Alarms Arising from Intrusion Detection Probes in a Monitored Information System

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

44 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Suppression of False Alarms in Alarms Arising from Intrusion Detection Probes in a Monitored Information System

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links