Method, system and computer-readable media for reducing undesired intrusion alarms in electronic communications systems and networks

US 20080295172A1
Filed: 05/22/2007
Published: 11/27/2008
Est. Priority Date: 05/22/2007
Status: Abandoned Application

First Claim

Patent Images

1. In a computer network having a switch and an event correlation computer, a method of intrusion detection, the method comprising:

establishing a library of profiles accessible to the event correlation computer, each profile comprising a record of observable conditions that when detected in combination indicate the potential occurrence of an intrusion attempt;

providing a library of sub-profiles to the switch, each sub-profile comprising a subset of the observable conditions of a unique profile;

enabling the switch to examine communications traffic and determine when the behavior of the communications traffic matches any one of the sub-profiles; and

directing the switch to inform the event correlation computer upon detection of a match between contemporaneously detected communications traffic and at least one sub-profile.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and computer-readable media that enable the employment of an intrusion detection process are provided. This present invention is able to differentiate between certain malicious and benign incidents by means of a two-stage anomaly-based intrusion detection and prevention system. The invented system works at high-speed and with low-memory resources requirements. In particular, the invented method is implemented in a two-stage detector that performs coarse grain detection using sub-profiles 30A-30H (key features extracted from a profile) at one stage and fine grain (detailed behavioral profile) detection at another stage to eliminate unwanted attacks and false positives. Furthermore, in order to suppress specific alarms, the invented system allows the administrator to specify detailed profiles 32A-32H. By using a sub-profile extractor, a sub-profile is extracted, which is then downloaded into the coarse grain detector.

343 Citations

20 Claims

1. In a computer network having a switch and an event correlation computer, a method of intrusion detection, the method comprising:
- establishing a library of profiles accessible to the event correlation computer, each profile comprising a record of observable conditions that when detected in combination indicate the potential occurrence of an intrusion attempt;
  
  providing a library of sub-profiles to the switch, each sub-profile comprising a subset of the observable conditions of a unique profile;
  
  enabling the switch to examine communications traffic and determine when the behavior of the communications traffic matches any one of the sub-profiles; and
  
  directing the switch to inform the event correlation computer upon detection of a match between contemporaneously detected communications traffic and at least one sub-profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 20)
- - 2. The method of claim 1, wherein the computer network further comprises a plurality of switches, each switch communicatively coupled with the event correlation computer and each switch comprising a library of sub-profiles, whereby each switch is enabled to examine communications traffic and determine when the behavior of the communications traffic matches any one of the sub-profiles, and each switch informs the event correlation computer upon detection of a match between contemporaneously detected communications traffic and at least one sub-profile.
  - 3. The method of claim 1, wherein the switch is communicatively coupled with a computer network selected from the group consisting of the Internet, an intranet, an extranet, a telephony system, and an electronic communications network.
  - 4. The method of claim 1, wherein the method further comprises:
    - providing the event correlation computer with a sampling of the contemporaneously detected communications traffic; and
      
      directing the event correlation computer to determine whether the sampling includes a plurality of observable conditions matching at least one profile that when detected in combination indicate the potential occurrence of an unwanted alarm or a false positive.
  - 5. The method of claim 4, wherein the event correlation computer directs the switch to trigger an intrusion detection alarm when the sampling includes a plurality of observable conditions of at least one profile that when detected in combination indicate the potential occurrence of an unwanted alarm or a false positive finding of an intrusion attempt.
  - 6. The method of claim 4, wherein the event correlation computer triggers an intrusion detection alarm when the sampling includes a plurality of observable conditions matching at least one profile that when detected in combination indicate the potential occurrence of an intrusion attempt.
  - 7. The method of claim 4, wherein the method further comprises:
    - providing a library of benign profiles to the event correlation computer, each benign profile comprising a record of observable conditions that when detected in combination shall direct the event correlation computer to not initiate an intrusion alarm;
      
      directing the event correlation computer to compare the sampling with the library of benign profiles when the sampling includes a plurality of observable conditions matching at least one profile that when detected in combination indicate the potential occurrence of a benign alarm; and
      
      directing the event correlation computer to not issue an intrusion alarm when the sampling matches a benign profile.
  - 8. The method of claim 7, wherein the computer network further comprises a plurality of switches, each switch communicatively coupled with the event correlation computer and each switch comprising a library of sub-profile, whereby each switch is enabled to examine communications traffic and determine when the behavior of the communications traffic matches any one of the sub-profiles, and each switch informs the event correlation computer upon detection of a match between contemporaneously detected communications traffic and at least one sub-profile.
  - 9. The method of claim 7, wherein the switch is communicatively coupled with a computer network selected from the group consisting of the Internet, an intranet, and extranet, a telephony system, and an electronic communications network.
  - 10. The method of claim 7, wherein at least one benign profile describes a set of observable conditions of a false positive communications traffic behavior.
  - 11. The method of claim 7, wherein at least one benign profile is modified on the basis of communications traffic observed by the switch.
  - 12. The method of claim 8, wherein at least one benign profile is modified on the basis of communications traffic observed by at least two switches.
  - 20. A computer-readable media comprising software-encoded instructions that direct an information technology system to practice the method of claim 1.

13. In a computer network comprising a tier-1 intrusion detector and a tier-2 intrusion detector, a method for reducing an incidence of undesired intrusion alarms, the method comprising:
- setting a threshold-low for host'"'"'s anomaly score and a threshold-high for host'"'"'s anomaly score;
  
  directing the tier-1 intrusion detector to initiate intrusion counter measures when a source'"'"'s anomaly score exceeds the threshold-high; and
  
  directing the tier-2 intrusion detector to determine whether to initiate intrusion counter measures when a source'"'"'s anomaly score exceeds threshold-low and does not exceed the threshold-low.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, the method further comprising:
    - directing the tier-1 intrusion detector to transmit a trigger event message to the tier-2 intrusion detector when there is at least one sub-profile match; and
      
      enabling the tier-2 intrusion detector to determine whether to initiate intrusion counter measures.
  - 15. The method of claim 14, the method further comprising enabling the tier-1 intrusion detector to determine whether to initiate intrusion counter measures when no sub-profile match is detected.Please replace “
    - a change in sub-profile”
      
      to “
      
      a sub-profile match”
      
      or “
      
      sub-profile detection”
      
      .
  - 16. The method of claim 13, wherein the computer network further comprises a plurality of tier-1 intrusion detectors, each tier-1 intrusion detector communicatively coupled with the tier-2 intrusion detector and each tier-1 intrusion detector comprising a library of sub-profiles 32A-32H, whereby each tier-1 intrusion detector is enabled to examine communications traffic and determine when the behavior of the communications traffic matches any one of the sub-profiles 32A-32H, and each tier-1 intrusion detector informs the tier-2 intrusion detector upon detection of a match between contemporaneously detected communications traffic and at least one sub-profile.
  - 17. The method of claim 13, wherein the tier-1 intrusion detector is communicatively coupled with a computer network selected from the group consisting of the Internet, an intranet, and extranet, a telephony system, and an electronic communications network.
  - 18. The method of claim 13, the system further comprising:
    - means for directing the tier-1 intrusion detector to transmit a trigger event message to the tier-2 intrusion detector when there is sub-profile match detection; and
      
      means for enabling the tier-2 intrusion detector to determine whether to initiate intrusion counter measures upon receipt of the trigger event message.

19. An electronic communications system, the system comprising:
- a tier-1 intrusion detector and a tier-2 intrusion detector;
  
  means for setting a threshold-low and a threshold-high;
  
  means for directing the tier-1 intrusion detector to initiate intrusion counter measures when a source exceeds the threshold-high traffic anomaly score; and
  
  means for directing the tier-2 intrusion detector to determine whether to initiate intrusion counter measures when a source anomaly score exceeds threshold-low traffic anomaly score and does not exceed the threshold-low traffic anomaly score.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nevis Networks, Inc. (Qualys Incorporated)
Original Assignee
Nevis Networks, Inc. (Qualys Incorporated)
Inventors
Bohacek, Khushboo

Application Number

US11/805,552
Publication Number

US 20080295172A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

Method, system and computer-readable media for reducing undesired intrusion alarms in electronic communications systems and networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

343 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Method, system and computer-readable media for reducing undesired intrusion alarms in electronic communications systems and networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

343 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others