Systems and Methods for Correlating and Distributing Intrusion Alert Information Among Collaborating Computer Systems

US 20100281542A1
Filed: 07/15/2010
Published: 11/04/2010
Est. Priority Date: 11/24/2004
Status: Active Grant

First Claim

Patent Images

1. A method of responding to a threat to a threatened computer, comprising:

detecting a first intrusion attempt;

detecting a second intrusion attempt;

determining at the threatened computer whether the first intrusion attempt correlates with the second intrusion attempt;

automatically initiating at least one safety process at the threatened computer if the first intrusion attempt is determined to correlate with the second intrusion attempt;

indicating to a collaborating computer via a computer network that a threat is present at the threatened computer if the first intrusion attempt is determined to correlate with the second intrusion attempt; and

automatically initiating, before the collaborating computer has been subjected to the threat, at least one safety process at the collaborating computer based at least in part on the indication that the threat is present at the threatened computer.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.

Citations

37 Claims

1. A method of responding to a threat to a threatened computer, comprising:
- detecting a first intrusion attempt;
  
  detecting a second intrusion attempt;
  
  determining at the threatened computer whether the first intrusion attempt correlates with the second intrusion attempt;
  
  automatically initiating at least one safety process at the threatened computer if the first intrusion attempt is determined to correlate with the second intrusion attempt;
  
  indicating to a collaborating computer via a computer network that a threat is present at the threatened computer if the first intrusion attempt is determined to correlate with the second intrusion attempt; and
  
  automatically initiating, before the collaborating computer has been subjected to the threat, at least one safety process at the collaborating computer based at least in part on the indication that the threat is present at the threatened computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the safety process is a checkpointing process.
  - 3. The method of claim 2, wherein the automatically initiating at least one safety process at the collaborating computer comprises creating a Restore Point using an operating system.
  - 4. The method of claim 3, further comprising initiating a System Restore function using the operating system.
  - 5. The method of claim 2, wherein the automatically initiating at least one safety process at the collaborating computer comprises creating a checkpoint state of the collaborating computer.
  - 6. The method of claim 5, wherein the creating a checkpoint state comprising saving at least some information and/or data of the collaborating computer.
  - 7. The method of claim 5, wherein the creating a checkpoint state comprises saving at least one of a file, job data, a setting, an operating system registry, and a file system of the collaborating computer.
  - 8. The method of claim 5, further comprising restoring the collaborating computer to the checkpoint state.
  - 9. The method of claim 1, wherein the safety process is a backup process.
  - 10. The method of claim 9, wherein the automatically initiating at least one safety process at the collaborating computer comprises backing up at least some information and/or data of the collaborating computer.
  - 11. The method of claim 9, wherein the automatically initiating at least one safety process at the collaborating computer comprises backing up at least one of a file, job data, a setting, an operating system registry, and a file system of the collaborating computer.
  - 12. The method of claim 1, wherein the indicating that a threat is present comprises at least one of outputting an IP address of the source of the threat, outputting a signature associated with the threat, and causing a firewall to block traffic from an IP address of the source of the threat.
  - 13. The method of claim 1, wherein at least one of the first and second intrusion attempts is detected by an intrusion detection system.
  - 14. The method of claim 1, further comprising storing information related to the first intrusion attempt in a one-way data structure, wherein determining whether the first intrusion attempt correlates with the second intrusion attempt comprises checking the one-way data structure to determine whether stored information related to the first intrusion attempt correlates with the second intrusion attempt.
  - 15. The method of claim 14, wherein the one-way data structure is a bloom filter.

16. A method of responding to a threat to a threatened computer, comprising:
- receiving information related to a first intrusion attempt;
  
  detecting a second intrusion attempt;
  
  determining at the threatened computer whether the first intrusion attempt correlates with the second intrusion attempt;
  
  automatically initiating at least one safety process by the threatened computer if the first intrusion attempt is determined to correlate with the second intrusion attempt;
  
  indicating to a collaborating computer via a computer network that a threat is present at the threatened computer if the first intrusion attempt is determined to correlate with the second intrusion attempt; and
  
  automatically initiating, before the collaborating computer has been subjected to the threat, at least one safety process at the collaborating computer based at least in part on the indication that the threat is present at the threatened computer.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
- - 17. The method of claim 16, wherein the receiving information related to a first intrusion attempt comprises receiving information from a second collaborating computer.
  - 18. The method of claim 17, wherein the receiving information from the second collaborating computer comprises receiving a one-way data structure from the second collaborating computer.
  - 19. The method of claim 16, wherein the safety process is a checkpointing process.
  - 20. The method of claim 19, wherein the automatically initiating at least one safety process at the collaborating computer comprises creating a Restore Point using an operating system.
  - 21. The method of claim 20, further comprising initiating a System Restore function using the operating system.
  - 22. The method of claim 19, wherein the automatically initiating at least one safety process at the collaborating computer comprises saving at least one of a file, job data, a setting, an operating system registry, and a file system of the collaborating computer.
  - 23. The method of claim 16, wherein the safety process is a backup process.
  - 24. The method of claim 23, wherein the automatically initiating at least one safety process at the collaborating computer comprises backing up at least one of a file, job data, a setting, an operating system registry, and a file system of the collaborating computer.

25. A method of sharing threat information between at least a first computer and at least a second computer, comprising:
- detecting a threat to the first computer;
  
  indicating to the second computer via a computer network that the threat to the first computer has been detected; and
  
  automatically initiating, before the second computer has been subjected to the threat, at least one safety process at the second computer based at least in part on the indication that the threat is present at the first computer.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32)
- - 26. The method of claim 25, wherein the detecting a threat to the first computer comprises:
    - detecting a first intrusion attempt to at least one of the first computer and a third computer;
      
      detecting a second intrusion attempt to at least one of the first computer and the third computer; and
      
      determining that the first intrusion attempt correlates with the second intrusion attempt.
  - 27. The method of claim 25, wherein the safety process is a checkpointing process.
  - 28. The method of claim 27, wherein the automatically initiating at least one safety process comprises creating a Restore Point using an operating system.
  - 29. The method of claim 28, further comprising initiating a System Restore function using the operating system.
  - 30. The method of claim 27, wherein the automatically initiating at least one safety process comprises saving at least one of a file, job data, a setting, an operating system registry, and a file system of the second computer.
  - 31. The method of claim 25, wherein the safety process is a backup process.
  - 32. The method of claim 31, wherein the automatically initiating at least one safety process comprises backing up at least one of a file, job data, a setting, an operating system registry, and a file system of the second computer.

33. A system configured to detect intrusion attempts on a threatened computer, comprising:
- an intrusion detection system that detects a first intrusion attempt and a second intrusion attempt;
  
  an alert correlator that receives information related to the first and second intrusion attempts, that determines whether the first intrusion attempt correlates with the second intrusion attempt, and that initiates at least one safety process at the threatened computer and generates an indication that a threat is present if the first intrusion attempt is determined to correlate with the second intrusion attempt; and
  
  a collaborating computer that receives via a computer network the indication that the threat is present at the alert correlator and that initiates, before the collaborating computer has been subjected to the threat, at least one safety process in response to the indication that the threat is present at the alert correlator.
- View Dependent Claims (34, 35, 36, 37)
- - 34. The system of claim 33, wherein the safety process is a checkpointing process.
  - 35. The system of claim 34, wherein the alert correlator initiates the creation of a Restore Point using an operating system if the first intrusion attempt is determined to correlate with the second intrusion attempt.
  - 36. The system of claim 33, wherein the safety process is a backup process.
  - 37. The system of claim 33, wherein the information related to the first intrusion attempt is stored in a one-way data structure, and wherein the alert correlator makes the determination regarding whether the first intrusion attempt correlates with the second intrusion attempt by checking the one-way data structure to determine whether stored information related to the first intrusion attempt correlates with the second intrusion attempt.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Keromytis, Angelos D., Stolfo, Salvatore J., Locasto, Michael E., Parekh, Janak, Misra, Vishal

Granted Patent

US 8,667,588 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Systems and Methods for Correlating and Distributing Intrusion Alert Information Among Collaborating Computer Systems

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for Correlating and Distributing Intrusion Alert Information Among Collaborating Computer Systems

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links