Integrated data traffic monitoring system
First Claim
Patent Images
1. A method of automatically generating rules for an intrusion detection module comprising:
- analyzing a data packet received from a communication network by the intrusion detection module using a set of rules, the data packet containing a source IP address;
in response to the packet failing the analyzing operation,searching an event database for events associated with the source IP address of the packet,if the event database contains an event record associated with the source IP address of the packet,generating a new rule to block subsequent packets from the source IP address of the packet for a predetermined period of time; and
adding the new rule to the set of rules used by the intrusion detection module.
9 Assignments
0 Petitions
Accused Products
Abstract
The present invention includes an integrated data traffic monitoring system monitoring data traffic received from a communication network and destined for a protected network. The monitoring system includes a security appliance and one or more security and monitoring technologies such as hardware and open source and proprietary software products. The security appliance and the security and monitoring technologies may be implemented as separate and distinct modules or combined into a single security appliance. The security and monitoring technologies monitor network data traffic on, or directed to, the protected network. The monitoring system collects data from each of the technologies into an event database and, based on the data, automatically generates rules directing one or more of the technologies to prevent subsequent communications traffic from specific sources from entering the protected network.
70 Citations
16 Claims
-
1. A method of automatically generating rules for an intrusion detection module comprising:
-
analyzing a data packet received from a communication network by the intrusion detection module using a set of rules, the data packet containing a source IP address; in response to the packet failing the analyzing operation, searching an event database for events associated with the source IP address of the packet, if the event database contains an event record associated with the source IP address of the packet, generating a new rule to block subsequent packets from the source IP address of the packet for a predetermined period of time; and adding the new rule to the set of rules used by the intrusion detection module. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A method of screening packets received from a communication network comprising:
-
receiving a packet associated with one of an e-mail message, a VPN connection, and a web page response, the packet having a source; performing an intrusion detection analysis on the packet using a set of intrusion detection rules; if the packet passes the intrusion detection analysis, performing a firewall analysis on the packet using a set of firewall rules; if the packet passes the firewall analysis, determining if the packet is associated with an e-mail message, a VPN connection or a web page response; if the packet is associated with an e-mail message, performing a virus analysis on the packet using a set of virus definitions; if the packet is associated with a VPN connection, performing an authentication analysis on the packet using a set of authentication criteria; and if the packet fails any of the intrusion detection analysis, the firewall analysis, the virus analysis, or the authentication analysis, automatically generating a new intrusion detection rule to delete any subsequent packets received from the same source as the packet. - View Dependent Claims (11, 12, 13, 14, 15)
-
-
16. A computing system for receiving communication packets from a communication network and transmitting the communication packets to a protected network, the computing system comprising:
-
an intrusion detection module that compares a communication packet to a set of rules and, based on the comparison, either transmits the communication packet to a firewall or deletes the communication packet and transmits event data based on the deleted communication packet to an event database; an event database that stores an event record based on the event data received from the intrusion detection module and maintains a plurality of event records based on previously received event data; and an integrated security system that analyzes the event data and the plurality of event records and, based on the results of the analysis, automatically generates at least one rule to the intrusion detection module.
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeCloudCover Ltd.
-
Original AssigneeThe Barrier Group, LLC
-
InventorsFladebo, David James, Demopoulos, Robert James
-
Granted Patent
-
Time in Patent OfficeDays
-
Field of Search
-
US Class Current726/13
-
CPC Class CodesG06F 21/552 involving long-term monitor...H04L 41/16 using machine learning or a...H04L 51/212 using filtering or selectiv...H04L 63/02 for separating internal fro...H04L 63/0209 Architectural arrangements,...H04L 63/0236 Filtering by address, proto...H04L 63/0245 Filtering by information in...H04L 63/0254 Stateful filteringH04L 63/0263 Rule managementH04L 63/0281 ProxiesH04L 63/1408 by monitoring network traff...H04L 63/1416 Event detection, e.g. attac...H04L 63/1425 Traffic logging, e.g. anoma...H04L 63/1441 Countermeasures against mal...H04L 63/145 the attack involving the pr...H04L 63/1458 Denial of ServiceH04L 63/1466 Active attacks involving in...H04L 63/1475 Passive attacks, e.g. eaves...
