Systems and Methods for Correlating and Distributing Intrusion Alert Information Among Collaborating Computer Systems
First Claim

1. A method of responding to a threat to a threatened computer, comprising:
- detecting a first intrusion attempt;
- detecting a second intrusion attempt;
- determining at the threatened computer whether the first intrusion attempt correlates with the second intrusion attempt;
- automatically initiating at least one safety process at the threatened computer if the first intrusion attempt is determined to correlate with the second intrusion attempt;
- indicating to a collaborating computer via a computer network that a threat is present at the threatened computer if the first intrusion attempt is determined to correlate with the second intrusion attempt; and
- automatically initiating, before the collaborating computer has been subjected to the threat, at least one safety process at the collaborating computer based at least in part on the indication that the threat is present at the threatened computer.
Abstract
Systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
37 Claims
1. A method of responding to a threat to a threatened computer, comprising the steps set out in full above under First Claim. Dependent claims: 2 to 15.
16. A method of responding to a threat to a threatened computer, comprising:
- receiving information related to a first intrusion attempt;
- detecting a second intrusion attempt;
- determining at the threatened computer whether the first intrusion attempt correlates with the second intrusion attempt;
- automatically initiating at least one safety process by the threatened computer if the first intrusion attempt is determined to correlate with the second intrusion attempt;
- indicating to a collaborating computer via a computer network that a threat is present at the threatened computer if the first intrusion attempt is determined to correlate with the second intrusion attempt; and
- automatically initiating, before the collaborating computer has been subjected to the threat, at least one safety process at the collaborating computer based at least in part on the indication that the threat is present at the threatened computer.

Dependent claims: 17 to 24.
25. A method of sharing threat information between at least a first computer and at least a second computer, comprising:
- detecting a threat to the first computer;
- indicating to the second computer via a computer network that the threat to the first computer has been detected; and
- automatically initiating, before the second computer has been subjected to the threat, at least one safety process at the second computer based at least in part on the indication that the threat is present at the first computer.

Dependent claims: 26 to 32.
33. A system configured to detect intrusion attempts on a threatened computer, comprising:
- an intrusion detection system that detects a first intrusion attempt and a second intrusion attempt;
- an alert correlator that receives information related to the first and second intrusion attempts, that determines whether the first intrusion attempt correlates with the second intrusion attempt, and that initiates at least one safety process at the threatened computer and generates an indication that a threat is present if the first intrusion attempt is determined to correlate with the second intrusion attempt; and
- a collaborating computer that receives via a computer network the indication that the threat is present at the alert correlator and that initiates, before the collaborating computer has been subjected to the threat, at least one safety process in response to the indication that the threat is present at the alert correlator.

Dependent claims: 34 to 37.
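As an added illustration (not code from the patent or its assignee), the sequence of claim 1 and the components of claim 33 in a small Python simulation: the threatened computer's correlator keys attempts by source address, runs a local safety process when two attempts correlate, and indicates the threat to collaborating computers, which block the source before any attempt reaches them. The correlation rule (two attempts from one source within a 60-second window), the blocklist as the safety process, and all addresses and timestamps are assumptions constructed for the example.

```python
from collections import defaultdict


class Collaborator:
    """A collaborating computer: runs its safety process on indication alone."""

    def __init__(self, name):
        self.name = name
        self.blocked = set()   # sources the safety process (a blocklist) drops
        self.seen = []         # intrusion attempts that actually reached us

    def on_threat_indication(self, source):
        # Runs before any attempt from 'source' has been seen here.
        self.blocked.add(source)

    def handle_attempt(self, source):
        if source in self.blocked:
            return "dropped"
        self.seen.append(source)
        return "delivered"


class AlertCorrelator:
    """Correlator at the threatened computer. Assumed rule: two attempts
    from the same source within WINDOW seconds correlate."""

    WINDOW = 60.0

    def __init__(self, collaborators):
        self.collaborators = collaborators
        self.attempts = defaultdict(list)   # correlation structure: source -> timestamps
        self.blocked = set()                # local safety process state
        self.indications = []               # threats indicated to collaborators

    def on_intrusion_attempt(self, source, ts):
        stamps = self.attempts[source]
        stamps[:] = [t for t in stamps if ts - t <= self.WINDOW]  # drop stale ones
        stamps.append(ts)
        if len(stamps) < 2 or source in self.blocked:
            return False                    # no correlation yet, or already handled
        self.blocked.add(source)            # local safety process
        self.indications.append(source)
        for peer in self.collaborators:     # disseminate the indication
            peer.on_threat_indication(source)
        return True


def run_scenario():
    """Constructed scenario: two attempts from one source, one unrelated attempt."""
    peers = [Collaborator("B"), Collaborator("C")]
    threatened = AlertCorrelator(peers)
    first = threatened.on_intrusion_attempt("198.51.100.7", 10.0)
    second = threatened.on_intrusion_attempt("198.51.100.7", 25.0)
    unrelated = threatened.on_intrusion_attempt("203.0.113.9", 30.0)
    # The source now turns to collaborator B, whose safety process already ran.
    outcome = peers[0].handle_attempt("198.51.100.7")
    return first, second, unrelated, outcome, peers[0].seen


if __name__ == "__main__":
    print(run_scenario())
```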