Method, system and computer-readable media for reducing undesired intrusion alarms in electronic communications systems and networks
Abstract
A method, system and computer-readable media that enable the employment of an intrusion detection process are provided. The present invention is able to differentiate between certain malicious and benign incidents by means of a two-stage anomaly-based intrusion detection and prevention system. The invented system operates at high speed and with low memory-resource requirements. In particular, the invented method is implemented in a two-stage detector that performs coarse-grain detection using sub-profiles 30A-30H (key features extracted from a profile) at one stage and fine-grain (detailed behavioral profile) detection at another stage to eliminate unwanted attacks and false positives. Furthermore, in order to suppress specific alarms, the invented system allows the administrator to specify detailed profiles 32A-32H. A sub-profile extractor derives a sub-profile from each such profile, and the sub-profile is then downloaded into the coarse-grain detector.
20 Claims
1. In a computer network having a switch and an event correlation computer, a method of intrusion detection, the method comprising:
- establishing a library of profiles accessible to the event correlation computer, each profile comprising a record of observable conditions that when detected in combination indicate the potential occurrence of an intrusion attempt;
- providing a library of sub-profiles to the switch, each sub-profile comprising a subset of the observable conditions of a unique profile;
- enabling the switch to examine communications traffic and determine when the behavior of the communications traffic matches any one of the sub-profiles; and
- directing the switch to inform the event correlation computer upon detection of a match between contemporaneously detected communications traffic and at least one sub-profile.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 20

13. In a computer network comprising a tier-1 intrusion detector and a tier-2 intrusion detector, a method for reducing an incidence of undesired intrusion alarms, the method comprising:
- setting a threshold-low for host's anomaly score and a threshold-high for host's anomaly score;
- directing the tier-1 intrusion detector to initiate intrusion counter measures when a source's anomaly score exceeds the threshold-high; and
- directing the tier-2 intrusion detector to determine whether to initiate intrusion counter measures when a source's anomaly score exceeds threshold-low and does not exceed the threshold-low.
Dependent claims: 14, 15, 16, 17, 18

19. An electronic communications system, the system comprising:
- a tier-1 intrusion detector and a tier-2 intrusion detector;
- means for setting a threshold-low and a threshold-high;
- means for directing the tier-1 intrusion detector to initiate intrusion counter measures when a source exceeds the threshold-high traffic anomaly score; and
- means for directing the tier-2 intrusion detector to determine whether to initiate intrusion counter measures when a source anomaly score exceeds threshold-low traffic anomaly score and does not exceed the threshold-low traffic anomaly score.
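The following Python example is added here to illustrate the two mechanisms the abstract and claims describe: a coarse-grain stage (the switch) that matches only sub-profiles, a fine-grain stage (the event correlation computer) that verifies the full profile, and the threshold-low / threshold-high split between a tier-1 and a tier-2 detector. It is not code from the patent or any product built on it. The profile and condition names, the sample traffic events, the anomaly-score formula (fraction of a profile's conditions observed for a source) and the threshold values are all constructed for illustration; it also assumes the tier-2 band is scores above threshold-low and not above threshold-high.

```python
"""Two-stage (coarse/fine) anomaly detection with low/high thresholds (illustrative)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    name: str
    conditions: frozenset    # full behavioral profile, checked at the fine-grain stage
    key_features: frozenset  # sub-profile: subset pushed down to the switch


def make_profile(name, conditions, key_features):
    """Build a profile and enforce that its sub-profile is a subset of its conditions."""
    conditions, key_features = frozenset(conditions), frozenset(key_features)
    if not key_features <= conditions:
        raise ValueError(f"sub-profile of {name} is not a subset of its profile")
    return Profile(name, conditions, key_features)


# Constructed profile library (hypothetical condition names, not from the patent).
PROFILES = (
    make_profile("port_sweep",
                 {"single_src", "many_dst_ports", "syn_only", "short_interval"},
                 {"many_dst_ports", "syn_only"}),
    make_profile("login_brute_force",
                 {"single_src", "single_dst", "repeated_auth_fail", "short_interval"},
                 {"repeated_auth_fail"}),
)


def extract_subprofiles(profiles):
    """Sub-profile extractor: the compact tables downloaded into the switch."""
    return {p.name: p.key_features for p in profiles}


def switch_coarse_match(observed, subprofiles):
    """Stage 1 (switch): sub-profiles whose key features all appear in the traffic."""
    return sorted(n for n, sub in subprofiles.items() if sub <= observed)


def correlator_fine_match(observed, candidates, profiles):
    """Stage 2 (event correlation computer): confirm the full profile for each candidate."""
    by_name = {p.name: p for p in profiles}
    return sorted(n for n in candidates if by_name[n].conditions <= observed)


def anomaly_score(observed, profiles):
    """Constructed score: largest fraction of any profile's conditions seen for a source."""
    return max(len(observed & p.conditions) / len(p.conditions) for p in profiles)


def dispatch(score, low, high):
    """Tier selection: tier-1 acts above threshold-high, tier-2 reviews the middle band."""
    if score > high:
        return "tier1_countermeasure"
    if score > low:
        return "tier2_review"
    return "no_action"


def analyse(events, low=0.5, high=0.9):
    """Run both stages over per-source traffic and return the outcome per source."""
    subprofiles = extract_subprofiles(PROFILES)
    per_src = {}
    for ev in events:  # conditions observed for a source accumulate across events
        per_src.setdefault(ev["src"], set()).update(ev["conditions"])
    report = {}
    for src, observed in per_src.items():
        coarse = switch_coarse_match(observed, subprofiles)
        # The switch informs the correlator only when a sub-profile matched.
        fine = correlator_fine_match(observed, coarse, PROFILES) if coarse else []
        score = anomaly_score(observed, PROFILES)
        action = dispatch(score, low, high)
        if action == "tier2_review":
            # Tier-2 decides: full-profile confirmation triggers countermeasures,
            # otherwise the coarse alarm is suppressed as a likely false positive.
            action = "tier2_countermeasure" if fine else "tier2_suppressed"
        report[src] = {"coarse": coarse, "fine": fine, "score": score, "action": action}
    return report


# Constructed sample traffic: one clear sweep, one partial look-alike, one benign host.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "conditions": {"single_src", "many_dst_ports"}},
    {"src": "10.0.0.5", "conditions": {"syn_only", "short_interval"}},
    {"src": "10.0.0.6", "conditions": {"many_dst_ports", "syn_only", "single_src"}},
    {"src": "10.0.0.7", "conditions": {"single_dst", "single_src"}},
]

if __name__ == "__main__":
    for src, outcome in analyse(SAMPLE_EVENTS).items():
        print(src, outcome)
```

In this run 10.0.0.5 completes the full port_sweep profile, scores 1.0 and is handled by tier-1; 10.0.0.6 trips the switch's sub-profile but fails the fine-grain check, lands in the tier-2 band and is suppressed; 10.0.0.7 never matches a sub-profile, so the switch does not involve the correlator at all, which is the memory- and speed-saving point of pushing only key features to the switch.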
Specification