INTRUSION DETECTION METHOD AND SYSTEM

US 20100287615A1
Filed: 09/19/2008
Published: 11/11/2010
Est. Priority Date: 09/19/2007
Status: Active Grant

First Claim

Patent Images

1. Intrusion detection method for detecting unauthorized use or abnormal activities of a targeted system of a network, comprising the steps:

creating defined preconditions for each vulnerability related to the targeted system and/or for each attack that exploit one or several vulnerabilities;

creating assurance references corresponding to said defined preconditions and considering the targeted perimetercapturing data related to the targeted system;

comparing captured data with attack signatures for generating at least one security alert when captured data and at least one attack signature match;

capturing assurance data from monitoring of the targeted perimetercomparing assurance data, issued from assurance monitoring of the targeted perimeter, with assurance references for generating assurance information when said data issued from assurance monitoring and at least one assurance reference matchretrieving the preconditions of the generated security alertchecking if assurance information corresponding to said preconditions has been retrievedgenerating a verified security alarm when generated security alert and its retrieved precondition match with at least one corresponding assurance informationfiltering said security alert when no match has been found between its retrieved preconditions and at least one corresponding assurance information;

emitting a non verified security alert when no preconditions have been retrieved for this alert and/or no assurance reference corresponding to said preconditions has been defined.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Intrusion detection method for detecting unauthorized use or abnormal activities of a targeted system of a network, comprising the steps: creating defined preconditions for each vulnerability related to the targeted system and/or for each attack that exploit one or several vulnerabilities; creating assurance references corresponding to said defined preconditions and considering the targeted perimeter capturing data related to the targeted system; comparing captured data with attack signatures for generating at least one security alert when captured data and at least one attack signature match; capturing assurance data from monitoring of the targeted perimeter comparing assurance data, issued from assurance monitoring of the targeted perimeter, with assurance references for generating assurance information when said data issued from assurance monitoring and at least one assurance reference match retrieving the preconditions of the generated security alert checking if assurance information corresponding to said preconditions has been retrieved generating a verified security alarm when generated security alert and its retrieved precondition match with at least one corresponding assurance information filtering said security alert when no match has been found between its retrieved preconditions and at least one corresponding assurance information; emitting a non verified security alert when no preconditions have been retrieved for this alert and/or no assurance reference corresponding to said preconditions has been defined.

41 Citations

View as Search Results

5 Claims

1. Intrusion detection method for detecting unauthorized use or abnormal activities of a targeted system of a network, comprising the steps:
- creating defined preconditions for each vulnerability related to the targeted system and/or for each attack that exploit one or several vulnerabilities;
  
  creating assurance references corresponding to said defined preconditions and considering the targeted perimetercapturing data related to the targeted system;
  
  comparing captured data with attack signatures for generating at least one security alert when captured data and at least one attack signature match;
  
  capturing assurance data from monitoring of the targeted perimetercomparing assurance data, issued from assurance monitoring of the targeted perimeter, with assurance references for generating assurance information when said data issued from assurance monitoring and at least one assurance reference matchretrieving the preconditions of the generated security alertchecking if assurance information corresponding to said preconditions has been retrievedgenerating a verified security alarm when generated security alert and its retrieved precondition match with at least one corresponding assurance informationfiltering said security alert when no match has been found between its retrieved preconditions and at least one corresponding assurance information;
  
  emitting a non verified security alert when no preconditions have been retrieved for this alert and/or no assurance reference corresponding to said preconditions has been defined.
- View Dependent Claims (2, 3)
- - 2. Intrusion detection method according to claim 1, wherein after detection of vulnerabilities alerts, an enrichment process is made, said enrichment process comprising definition of assurance references to be monitored for each of said new vulnerabilities or attack exploiting one or several vulnerabilities (i.e. a combination of at least one new vulnerability and already processed vulnerabilities);
    - definition of security events for each of said new vulnerabilities or attack exploiting one or several vulnerabilities and definition of preconditions for said security events.
  - 3. Intrusion detection method according to claim 2, comprising a translation of the vulnerabilities alerts in a correlation engine understandable language.

4. An intrusion detection system for detecting unauthorized use or abnormal activities of a targeted system of a network, comprisingmeans for creating defined preconditions for each vulnerability related to the targeted system and/or for each attack that exploits one or several vulnerabilitiesmeans for creating references corresponding to said defined preconditions and considering the targeted perimetera sniffer capturing data related to the targeted systemmeans for comparing captured data with attack signatures for generating at least one security alert when captured data and at least one attack signature matchmeans for capturing assurance date from monitoring the targeted perimetermeans for comparing assurance data issued from assurance monitoring of the targeted perimeter with assurance references and for generating assurance information when said data issued from assurance monitoring and at least one assurance reference matchmeans for retrieving the preconditions of the generated security alertmeans checking if assurance information corresponding to said preconditions has been retrievedsaid system generating a verified security alarm when generated security alert and its retrieved precondition match with at least one corresponding assurance informationsaid system filtering said security alert when no match has been found between its retrieved preconditions and at least one corresponding assurance informationsaid system emitting a non verified security alert when no preconditions have been retrieved for this alert and/or no assurance reference corresponding to said preconditions has been defined.

5. A computer program product comprising a computer usable medium having control logic stored therein for causing a computer to detect unauthorized use or abnormal activities of a targeted system of a network, said control logic comprising:
- first computer readable program code for creating defined preconditions for each vulnerability related to the targeted system and/or for each attack that exploit one or several vulnerabilitiessecond computer readable program code for creating assurance references corresponding to said defined preconditions and considering the targeted perimeterthird computer readable program code for capturing data related to the targeted systemfourth computer readable program code for comparing captured data with attack signatures for generating at least one security alert when captured data and at least one attack signature matchfifth computer readable program code for capturing assurance data from monitoring of the targeted perimetersixth computer readable program code for comparing assurance data issued from assurance monitoring of the targeted perimeter with assurance references for generating assurance information when said data issued from assurance monitoring and at least one assurance reference matchseventh computer readable program code for retrieving the preconditions of the generated security alerteighth computer readable program code for checking if assurance information corresponding to said preconditions has been retrievedsaid computer program productgenerating a verified security alarm when generated security alert and its retrieved precondition match with at least one corresponding assurance informationfiltering said security alert when no match has been found between its retrieved preconditions and at least one corresponding assurance informationemitting a non verified security alert when no preconditions have been retrieved for this alert and/or no assurance reference corresponding to said preconditions has been defined.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Dubus, Samuel, Martin, Antony, Sinnaya, Anula, Clevy, Laurent

Granted Patent

US 8,418,247 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

INTRUSION DETECTION METHOD AND SYSTEM

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

5 Claims

Specification

Solutions

Use Cases

Quick Links

INTRUSION DETECTION METHOD AND SYSTEM

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

5 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links