Intrusion event correlation with network discovery information

US 20080244741A1
Filed: 11/14/2005
Published: 10/02/2008
Est. Priority Date: 11/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method for automatically and passively determining the characteristics of a network, comprising:

storing policy configuration information in a policy component, wherein the policy configuration information comprises one or more rules;

detecting an intrusion event, wherein the intrusion event comprises information including an associated device address;

storing a network map in memory, wherein the network map contains service and network topology information;

linking the intrusion event information to the network map information by way of the associated device address; and

correlating the intrusion event information with the network map information in order to answer queries associated with one or more of the rules in the policy component.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy component comprises policy configuration information. The policy configuration information contains one or more rules. Each rule and group of rules can be associated with a set of response actions. As the nodes on the monitored networks change or intrusive actions are introduced on the networks, network change events or intrusion events are generated. The policy component correlates network change events and/or intrusions events with network map information. The network map contains information on the network topology, services and network devices, amongst other things. When certain criteria is satisfied based on the correlation, a policy violation event may be issued by the system resulting in alerts or remediations.

Citations

21 Claims

1. A method for automatically and passively determining the characteristics of a network, comprising:
- storing policy configuration information in a policy component, wherein the policy configuration information comprises one or more rules;
  
  detecting an intrusion event, wherein the intrusion event comprises information including an associated device address;
  
  storing a network map in memory, wherein the network map contains service and network topology information;
  
  linking the intrusion event information to the network map information by way of the associated device address; and
  
  correlating the intrusion event information with the network map information in order to answer queries associated with one or more of the rules in the policy component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising generating a policy violation event.
  - 3. The method of claim 1, wherein the device address is an Internet protocol address.
  - 4. The method of claim 1, wherein the device address is a MAC address.
  - 5. The method of claim 2, wherein the policy violation event is generated based on the identification of an unauthorized service event on a network device.
  - 6. The method of claim 2, further comprising initiating a remediation.
  - 7. The method of claim 2, further comprising initiating an alert.
  - 8. The method of claim 1, further comprising determining that the intrusion event is not a policy violation event.
  - 9. The method of claim 1, wherein one or more packets transmitted on the network are used to identify the intrusion event.

10. A system for automatically and passively determining the characteristics of a network, comprising:
- a network map storage device, wherein the network map storage device contains device addresses, service and network topology information;
  
  a policy component, operably in communications with the network map storage device, wherein the policy component receives an intrusion event and enforces one or more network configuration rules, andwherein the policy component accesses information in the network map storage device using the device address associated with the intrusion event to determine if information associated with the intrusion event matches network map information as part of evaluating one or more rules.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, further comprising a response component, wherein a policy violation event is generated by the response component.
  - 12. The system of claim 10, further comprising an intrusion detection device, wherein the intrusion detection device detects the intrusion event.
  - 13. The system of claim 10, wherein the device address is an Internet protocol address.
  - 14. The system of claim 10, wherein the device address is a MAC address.
  - 15. The system of claim 10, further comprising a response component, wherein an alert is generated by the response component.

16. A system for automatically and passively determining the characteristics of a network, comprising:
- a means for storing a network map, wherein the network map storage device contains device addresses, service and network topology information;
  
  a means for storing a policy component, operably in communications with the network map storing means, wherein the policy component storing means receives an intrusion event and enforces one or more network configuration rules;
  
  wherein the policy component storing means accesses information in the network map storing means using the device address associated with the intrusion event to determine if information associated with the intrusion event matches network map information as part of evaluating one or more rules.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The system of claim 16, further comprising a response component, wherein a policy violation event is generated by the response component.
  - 18. The system of claim 16, further comprising an intrusion detection device, wherein the intrusion detection device detects the intrusion event.
  - 19. The system of claim 16, wherein the device address is an Internet protocol address.
  - 20. The system of claim 16, wherein the device address is a MAC address.
  - 21. The system of claim 16, further comprising a response component, wherein an alert is generated by the response component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Inventors
Gustafson, Eric, Rittermann, Brian P.

Granted Patent

US 8,046,833 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/20 for managing network securi...

Intrusion event correlation with network discovery information

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion event correlation with network discovery information

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links