Systems and Methods for Correlating and Distributing Intrusion Alert Information Among Collaborating Computer Systems
First Claim
1. A method of detecting a threat to a computer system in a plurality of collaborating computer systems, the method comprising:
- receiving, at a first computer system, a first one-way data structure from a collaborating second computer system, the first one-way data structure representing first data relating to a first intrusion attempt detected by an intrusion detection system of the collaborating second computer system such that the first data is hidden in the first one-way data structure;
- detecting, using an intrusion detection system of the first computer system, a second intrusion attempt;
- storing second data relating to the second intrusion attempt in a second one-way data structure of the first computer system such that the second data is hidden in the second one-way data structure;
- determining whether the second intrusion attempt correlates with the first intrusion attempt by comparing the first data structure and the second data structure; and
- indicating that a threat is present if the second intrusion attempt is determined to correlate with the data received from the collaborating second computer system relating to the first intrusion attempt.
Abstract
Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
43 Claims
1. A method of detecting a threat to a computer system in a plurality of collaborating computer systems, the method comprising:
- receiving, at a first computer system, a first one-way data structure from a collaborating second computer system, the first one-way data structure representing first data relating to a first intrusion attempt detected by an intrusion detection system of the collaborating second computer system such that the first data is hidden in the first one-way data structure;
- detecting, using an intrusion detection system of the first computer system, a second intrusion attempt;
- storing second data relating to the second intrusion attempt in a second one-way data structure of the first computer system such that the second data is hidden in the second one-way data structure;
- determining whether the second intrusion attempt correlates with the first intrusion attempt by comparing the first data structure and the second data structure; and
- indicating that a threat is present if the second intrusion attempt is determined to correlate with the data received from the collaborating second computer system relating to the first intrusion attempt.
Dependent claims: 2 to 19.
20. A method of detecting a threat to a computer system in a plurality of collaborating computer systems, the method comprising:
- receiving, at a first computer system, a first data structure from a collaborating second computer system, the first data structure representing first data relating to a first intrusion attempt detected by an intrusion detection system of the collaborating second computer system such that the first data is hidden in the first data structure;
- receiving an indication of a characteristic of the collaborating second computer system;
- detecting, using an intrusion detection system of the first computer system, a second intrusion attempt;
- storing second data relating to the second intrusion attempt in a second data structure of the first computer system such that the second data is hidden in the second data structure;
- determining whether the second intrusion attempt correlates with the first intrusion attempt by comparing the first data structure and the second data structure; and
- based on the characteristic of the collaborating second computer system, indicating that a threat is present if the second intrusion attempt is determined to correlate with the first intrusion attempt.
Dependent claims: 21 to 40.
41. A system configured to detect intrusion attempts in a computer system among a plurality of collaborating computer systems, comprising at least one server that:
- receives a first one-way data structure from a collaborating computer system, wherein the first one-way data structure represents first data relating to a first intrusion attempt detected by an intrusion detection system of the collaborating computer system such that the first data is hidden in the first one-way data structure;
- detects a second intrusion attempt;
- stores second data relating to the second intrusion attempt in a second one-way data structure such that the second data is hidden in the second one-way data structure;
- determines whether the second intrusion attempt correlates with the first intrusion attempt by comparing the first one-way data structure and the second one-way data structure; and
- indicates that a threat is present if the second intrusion attempt is determined to correlate with the first intrusion attempt.
Dependent claims: 42.
43. A system configured to detect intrusion attempts in a computer system among a plurality of collaborating computer systems, comprising at least one server that:
- receives a first data structure from a collaborating computer system, wherein the first data structure represents first data relating to a first intrusion attempt detected by an intrusion detection system of the collaborating computer system such that the first data is hidden in the first data structure;
- receives an indication of a characteristic of the collaborating computer system;
- detects a second intrusion attempt;
- stores second data relating to the second intrusion attempt in a second data structure such that the second data is hidden in the second data structure;
- determines whether the second intrusion attempt correlates with the first intrusion attempt by comparing the first data structure and the second data structure; and
- based on the characteristic of the collaborating computer system, indicates that a threat is present if the second intrusion attempt correlates with the first intrusion attempt.
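The claimed procedure, as an added illustration that is not code from the patent or its assignee: a Bloom filter is used as the "one-way data structure" (the patent text above does not name a concrete structure, so that choice, the alert fields used as the key, and the trust threshold for the claim 20 "characteristic" are assumptions), one collaborator's filter is received, the local alert is stored in a second filter, and the two are compared to decide whether a threat is indicated.

```python
import hashlib

# Added example, not code from the patent or its assignee. A Bloom filter stands
# in for the claims' "one-way data structure"; the filter size, the alert fields
# used as the key and the trust threshold are assumptions chosen for illustration.

class OneWayAlertFilter:
    """Bloom filter over alert keys: only hashed bit positions are kept, so the
    collaborator that receives it never sees the source IP or port in the clear."""

    def __init__(self, size=4096, n_hashes=4):
        self.size, self.n_hashes, self.bits = size, n_hashes, 0

    def positions(self, key):
        digest = hashlib.sha256(key.encode()).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.size
                for i in range(self.n_hashes)]

    def add(self, key):
        for p in self.positions(key):
            self.bits |= 1 << p

    def has_all(self, positions):
        return all((self.bits >> p) & 1 for p in positions)

def alert_key(alert):
    # Correlate on attacking source and targeted port (assumed IDS alert fields).
    return f"{alert['src_ip']}|{alert['dst_port']}"

def correlates(remote, local, key):
    """Compare the two one-way structures for a locally detected alert: every
    bit the local filter set for it must also be set in the remote filter.
    Bloom filters give no false negatives but can give false positives, so a
    match is evidence of a shared attacker, not proof."""
    pos = local.positions(key)
    return local.has_all(pos) and remote.has_all(pos)

def threat_present(remote, local, alert, collaborator_trust, min_trust=0.5):
    """Claim 20 variant: raise the threat only when the collaborating system's
    characteristic (here an assumed trust score) clears a threshold."""
    return collaborator_trust >= min_trust and correlates(remote, local, alert_key(alert))

# Constructed sample: the remote IDS saw a probe first and shares its filter,
# then the local IDS sees the same source hitting the same port.
remote_ids = OneWayAlertFilter()
remote_ids.add(alert_key({"src_ip": "203.0.113.7", "dst_port": 22}))
local_ids = OneWayAlertFilter()
seen_locally = {"src_ip": "203.0.113.7", "dst_port": 22}
local_ids.add(alert_key(seen_locally))
```

Because only bit positions travel between collaborators, the receiving system can test its own alerts against the filter but cannot enumerate what the sender observed.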
Specification