Computer Network Intrusion Detection System and Method

US 20080209541A1
Filed: 05/31/2006
Published: 08/28/2008
Est. Priority Date: 06/06/2005
Status: Active Grant

First Claim

Patent Images

1-19. -19. (canceled)

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for identifying an attacker device attempting an intrusion into a TCP/IP protocol based network that includes a managed device and a security event log. The managed device detects an incoming TCP/IP connection by the attacker device to the network. TCP/IP information relating to the attacker device is extracted from a TCP/IP stack of the managed device. It is ascertained that a port number of the incoming TCP/IP connection is identical to a predefined port number. A performed process includes determining that the incoming TCP/IP connection is a Net BIOS connection that has created an invalid logon by the attacker device. Event log information, which is associated with the detected incoming TCP/IP connection, is retrieved from the security event log. A generated report is generated and stored in a database of the network. The report includes the extracted TCP/IP information and the retrieved event log information.

26 Citations

View as Search Results

40 Claims

1-19. -19. (canceled)

20. A method for identifying an attacker device attempting an intrusion into a TCP/IP protocol based network that includes at least one managed device and a security event log, said method comprising:
- detecting, by the at least one managed device, an incoming TCP/IP connection by the attacker device to the network;
  
  after said detecting, extracting from a TCP/IP stack of the at least one managed device TCP/IP information relating to the attacker device;
  
  after said extracting, ascertaining that a port number of the incoming TCP/IP connection is identical to a port number in a set of predefined port numbers;
  
  after said ascertaining, performing a process, wherein said performing the process comprises determining that the incoming TCP/IP connection is a Net BIOS connection that has created an invalid logon by the attacker device, followed by retrieving event log information from the security event log, and wherein the retrieved event log information is associated with the detected incoming TCP/IP connection; and
  
  generating a report comprising report information that includes the extracted TCP/IP information and the retrieved event log information; and
  
  storing the report in a central violation database of the network.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The method of claim 20, wherein said performing the process comprises determining a warning level associated with the invalid logon, and wherein the report comprises the warning level.
  - 22. The method of claim 21, wherein the report information comprises a userid relating to the invalid logon, and wherein said determining the warning level comprises:
    - determining that the userid is a local userid defined on the at least one managed device, resulting in determining that the warning level is a low warning level;
      
      determining that the userid is not said local userid and that the userid is not defined in a local SPY list, resulting in determining that the warning level is a medium warning level;
      
      ordetermining that the userid is defined in said local SPY list, resulting in determining that the warning level is a high warning level.
  - 23. The method of claim 20, wherein said performing the process comprises determining a MAC address of the attacker device, and wherein the report information comprises the determined MAC address.
  - 24. The method of claim 20, wherein the method further comprises determining a host name of the network, and wherein the report comprises the determined host name of the network.
  - 25. The method of claim 20, wherein the report comprises a host name of the network, an IP address of the at least one managed device, a local subnet of the network, a host name of the attacker device, an IP address of the attacker device, a TCP port of the attacker device, the port number of the incoming TCP/IP connection, a MAC address of the attacker device, a userid relating to the invalid logon, a warning level associated with the invalid logon, a date and time of the incoming TCP/IP connection, and a network switch through which the incoming TCP/IP connection was established.
  - 26. The method of claim 20, wherein the report comprises a city, building, and floor in which the attacker device is located.

27. A system comprising at least one managed device for identifying an attacker device attempting an intrusion into a TCP/IP protocol based network, said network including the at least one managed device and a security event log, said at least one managed device configured to perform a method comprising:
- detecting, by the at least one managed device, an incoming TCP/IP connection by the attacker device to the network;
  
  after said detecting, extracting from a TCP/IP stack of the at least one managed device TCP/IP information relating to the attacker device;
  
  after said extracting, ascertaining that a port number of the incoming TCP/IP connection is identical to a port number in a set of predefined port numbers;
  
  after said ascertaining, performing a process, wherein said performing the process comprises determining that the incoming TCP/IP connection is a Net BIOS connection that has created an invalid logon by the attacker device, followed by retrieving event log information from the security event log, and wherein the retrieved event log information is associated with the detected incoming TCP/IP connection; and
  
  generating a report comprising report information that includes the extracted TCP/IP information and the retrieved event log information; and
  
  storing the report in a central violation database of the network.
- View Dependent Claims (28, 29, 30, 31, 32, 33)
- - 28. The system of claim 27, wherein said performing the process comprises determining a warning level associated with the invalid logon, and wherein the report comprises the warning level.
  - 29. The system of claim 28, wherein the report information comprises a userid relating to the invalid logon, and wherein said determining the warning level comprises:
    - determining that the userid is a local userid defined on the at least one managed device, resulting in determining that the warning level is a low warning level;
      
      determining that the userid is not said local userid and that the userid is not defined in a local SPY list, resulting in determining that the warning level is a medium warning level;
      
      ordetermining that the userid is defined in said local SPY list, resulting in determining that the warning level is a high warning level.
  - 30. The system of claim 27, wherein said performing the process comprises determining a MAC address of the attacker device, and wherein the report information comprises the determined MAC address.
  - 31. The system of claim 27, wherein the method further comprises determining a host name of the network, and wherein the report comprises the determined host name of the network.
  - 32. The system of claim 27, wherein the report comprises a host name of the network, an IP address of the at least one managed device, a local subnet of the network, a host name of the attacker device, an IP address of the attacker device, a TCP port of the attacker device, the port number of the incoming TCP/IP connection, a MAC address of the attacker device, a userid relating to the invalid logon, a warning level associated with the invalid logon, a date and time of the incoming TCP/IP connection, and a network switch through which the incoming TCP/IP connection was established.
  - 33. The system of claim 27, wherein the report comprises a city, building, and floor in which the attacker device is located.

34. A computer program product stored on a storage medium readable by a computer machine, the computer program product tangibly embodying readable program code for causing the computer machine to perform a method comprising:
- detecting, by the at least one managed device, an incoming TCP/IP connection by the attacker device to the network;
  
  after said detecting, extracting from a TCP/IP stack of the at least one managed device TCP/IP information relating to the attacker device;
  
  after said extracting, ascertaining that a port number of the incoming TCP/IP connection is identical to a port number in a set of predefined port numbers;
  
  after said ascertaining, performing a process, wherein said performing the process comprises determining that the incoming TCP/IP connection is a Net BIOS connection that has created an invalid logon by the attacker device, followed by retrieving event log information from the security event log, and wherein the retrieved event log information is associated with the detected incoming TCP/IP connection; and
  
  generating a report comprising report information that includes the extracted TCP/IP information and the retrieved event log information; and
  
  storing the report in a central violation database of the network.
- View Dependent Claims (35, 36, 37, 38, 39, 40)
- - 35. The computer program product of claim 34, wherein said performing the process comprises determining a warning level associated with the invalid logon, and wherein the report comprises the warning level.
  - 36. The computer program product of claim 35, wherein the report information comprises a userid relating to the invalid logon, and wherein said determining the warning level comprises:
    - determining that the userid is a local userid defined on the at least one managed device, resulting in determining that the warning level is a low warning level;
      
      determining that the userid is not said local userid and that the userid is not defined in a local SPY list, resulting in determining that the warning level is a medium warning level;
      
      ordetermining that the userid is defined in said local SPY list, resulting in determining that the warning level is a high warning level.
  - 37. The computer program product of claim 34, wherein said performing the process comprises determining a MAC address of the attacker device, and wherein the report information comprises the determined MAC address.
  - 38. The computer program product of claim 34, wherein the method further comprises determining a host name of the network, and wherein the report comprises the determined host name of the network.
  - 39. The computer program product of claim 34, wherein the report comprises a host name of the network, an IP address of the at least one managed device, a local subnet of the network, a host name of the attacker device, an IP address of the attacker device, a TCP port of the attacker device, the port number of the incoming TCP/IP connection, a MAC address of the attacker device, a userid relating to the invalid logon, a warning level associated with the invalid logon, a date and time of the incoming TCP/IP connection, and a network switch through which the incoming TCP/IP connection was established.
  - 40. The computer program product of claim 34, wherein the report comprises a city, building, and floor in which the attacker device is located.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Dequevy, Jean-Jacques

Granted Patent

US 8,272,054 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/14
CPC Class Codes

H04L 2101/663   Transport layer addresses, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

Computer Network Intrusion Detection System and Method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Computer Network Intrusion Detection System and Method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links