INTRUSION DETECTION METHOD AND SYSTEM
First Claim
1. Intrusion detection method for detecting unauthorized use or abnormal activities of a targeted system of a network, comprising the steps:
- creating defined preconditions for each vulnerability related to the targeted system and/or for each attack that exploits one or several vulnerabilities;
- creating assurance references corresponding to said defined preconditions and considering the targeted perimeter;
- capturing data related to the targeted system;
- comparing captured data with attack signatures for generating at least one security alert when captured data and at least one attack signature match;
- capturing assurance data from monitoring of the targeted perimeter;
- comparing assurance data, issued from assurance monitoring of the targeted perimeter, with assurance references for generating assurance information when said data issued from assurance monitoring and at least one assurance reference match;
- retrieving the preconditions of the generated security alert;
- checking if assurance information corresponding to said preconditions has been retrieved;
- generating a verified security alarm when the generated security alert and its retrieved precondition match with at least one corresponding assurance information;
- filtering said security alert when no match has been found between its retrieved preconditions and at least one corresponding assurance information;
- emitting a non verified security alert when no preconditions have been retrieved for this alert and/or no assurance reference corresponding to said preconditions has been defined.
3 Assignments
0 Petitions
Abstract
Intrusion detection method for detecting unauthorized use or abnormal activities of a targeted system of a network, comprising the steps: creating defined preconditions for each vulnerability related to the targeted system and/or for each attack that exploits one or several vulnerabilities; creating assurance references corresponding to said defined preconditions and considering the targeted perimeter; capturing data related to the targeted system; comparing captured data with attack signatures for generating at least one security alert when captured data and at least one attack signature match; capturing assurance data from monitoring of the targeted perimeter; comparing assurance data, issued from assurance monitoring of the targeted perimeter, with assurance references for generating assurance information when said data issued from assurance monitoring and at least one assurance reference match; retrieving the preconditions of the generated security alert; checking if assurance information corresponding to said preconditions has been retrieved; generating a verified security alarm when the generated security alert and its retrieved precondition match with at least one corresponding assurance information; filtering said security alert when no match has been found between its retrieved preconditions and at least one corresponding assurance information; emitting a non verified security alert when no preconditions have been retrieved for this alert and/or no assurance reference corresponding to said preconditions has been defined.
41 Citations
5 Claims
1. Intrusion detection method for detecting unauthorized use or abnormal activities of a targeted system of a network, comprising the steps:
- creating defined preconditions for each vulnerability related to the targeted system and/or for each attack that exploits one or several vulnerabilities;
- creating assurance references corresponding to said defined preconditions and considering the targeted perimeter;
- capturing data related to the targeted system;
- comparing captured data with attack signatures for generating at least one security alert when captured data and at least one attack signature match;
- capturing assurance data from monitoring of the targeted perimeter;
- comparing assurance data, issued from assurance monitoring of the targeted perimeter, with assurance references for generating assurance information when said data issued from assurance monitoring and at least one assurance reference match;
- retrieving the preconditions of the generated security alert;
- checking if assurance information corresponding to said preconditions has been retrieved;
- generating a verified security alarm when the generated security alert and its retrieved precondition match with at least one corresponding assurance information;
- filtering said security alert when no match has been found between its retrieved preconditions and at least one corresponding assurance information;
- emitting a non verified security alert when no preconditions have been retrieved for this alert and/or no assurance reference corresponding to said preconditions has been defined.
Dependent claims: 2, 3.
4. An intrusion detection system for detecting unauthorized use or abnormal activities of a targeted system of a network, comprising:
- means for creating defined preconditions for each vulnerability related to the targeted system and/or for each attack that exploits one or several vulnerabilities;
- means for creating references corresponding to said defined preconditions and considering the targeted perimeter;
- a sniffer capturing data related to the targeted system;
- means for comparing captured data with attack signatures for generating at least one security alert when captured data and at least one attack signature match;
- means for capturing assurance data from monitoring the targeted perimeter;
- means for comparing assurance data issued from assurance monitoring of the targeted perimeter with assurance references and for generating assurance information when said data issued from assurance monitoring and at least one assurance reference match;
- means for retrieving the preconditions of the generated security alert;
- means for checking if assurance information corresponding to said preconditions has been retrieved;
said system generating a verified security alarm when the generated security alert and its retrieved precondition match with at least one corresponding assurance information; said system filtering said security alert when no match has been found between its retrieved preconditions and at least one corresponding assurance information; said system emitting a non verified security alert when no preconditions have been retrieved for this alert and/or no assurance reference corresponding to said preconditions has been defined.
5. A computer program product comprising a computer usable medium having control logic stored therein for causing a computer to detect unauthorized use or abnormal activities of a targeted system of a network, said control logic comprising:
- first computer readable program code for creating defined preconditions for each vulnerability related to the targeted system and/or for each attack that exploits one or several vulnerabilities;
- second computer readable program code for creating assurance references corresponding to said defined preconditions and considering the targeted perimeter;
- third computer readable program code for capturing data related to the targeted system;
- fourth computer readable program code for comparing captured data with attack signatures for generating at least one security alert when captured data and at least one attack signature match;
- fifth computer readable program code for capturing assurance data from monitoring of the targeted perimeter;
- sixth computer readable program code for comparing assurance data issued from assurance monitoring of the targeted perimeter with assurance references for generating assurance information when said data issued from assurance monitoring and at least one assurance reference match;
- seventh computer readable program code for retrieving the preconditions of the generated security alert;
- eighth computer readable program code for checking if assurance information corresponding to said preconditions has been retrieved;
said computer program product generating a verified security alarm when the generated security alert and its retrieved precondition match with at least one corresponding assurance information; filtering said security alert when no match has been found between its retrieved preconditions and at least one corresponding assurance information; emitting a non verified security alert when no preconditions have been retrieved for this alert and/or no assurance reference corresponding to said preconditions has been defined.
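The method claimed in claims 1, 4 and 5 is, in operational terms, alert verification: a signature hit on captured traffic is promoted to a verified alarm only if perimeter monitoring confirms the attack's preconditions on the target, is filtered if the preconditions are demonstrably absent, and is passed through as a non verified alert when nothing is defined to check it against. The Python below is an added illustration of that pipeline end to end; it is not code from the patent or its assignee. The attack identifiers, signatures, hosts, products and versions are all constructed, the "assurance data" is a hand-written host inventory standing in for whatever the perimeter monitor actually reports, and version matching is exact equality for brevity where a real deployment would compare version ranges.

```python
"""Alert verification in the style of the claimed method (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sig_id: str
    attack_id: str
    target: str   # destination host of the captured data
    line: str     # the captured line that matched


# Step 1: preconditions per attack, i.e. what the target must exhibit for the
# attack to be meaningful. Attack identifiers are hypothetical.
PRECONDITIONS = {
    "ATK-SSH-OLD":   {"service": "ssh",  "product": "openssh",   "version": "7.2p2"},
    "ATK-HTTP-TRAV": {"service": "http", "product": "tinyhttpd", "version": "1.0"},
    # "ATK-SMB-PROBE" has no preconditions defined: it cannot be verified.
}

# Step 2: assurance references, i.e. what perimeter monitoring must report to
# confirm a precondition. Here a reference is the precondition's attribute set.
# ATK-HTTP-TRAV deliberately has none, to exercise the "no reference" branch.
ASSURANCE_REFERENCES = {"ATK-SSH-OLD": PRECONDITIONS["ATK-SSH-OLD"]}

# Attack signatures applied to captured data (constructed regexes).
SIGNATURES = [
    ("SIG-1001", "ATK-SSH-OLD",   re.compile(r"ssh_userauth_fuzz")),
    ("SIG-1002", "ATK-HTTP-TRAV", re.compile(r"GET /(\.\./)+")),
    ("SIG-1003", "ATK-SMB-PROBE", re.compile(r"SMB NEGOTIATE")),
]

# Constructed captured data: "src -> dst payload", one record per line.
CAPTURED = [
    "10.0.0.5 -> 10.0.0.20 SSH-2.0-evil ssh_userauth_fuzz",
    "10.0.0.5 -> 10.0.0.24 SSH-2.0-evil ssh_userauth_fuzz",
    "10.0.0.5 -> 10.0.0.21 GET /../../etc/passwd HTTP/1.1",
    "10.0.0.5 -> 10.0.0.23 SMB NEGOTIATE dialect=NT LM 0.12",
    "10.0.0.5 -> 10.0.0.20 GET /index.html HTTP/1.1",
]

# Constructed assurance data, as a perimeter inventory would report it.
ASSURANCE_DATA = [
    {"host": "10.0.0.20", "service": "ssh",  "product": "openssh",   "version": "7.2p2"},
    {"host": "10.0.0.24", "service": "ssh",  "product": "openssh",   "version": "9.6p1"},
    {"host": "10.0.0.21", "service": "http", "product": "tinyhttpd", "version": "1.0"},
    {"host": "10.0.0.23", "service": "smb",  "product": "samba",     "version": "4.18"},
]

_RECORD = re.compile(r"(\S+) -> (\S+) (.*)")


def match_signatures(captured):
    """Steps 3 and 4: compare captured data with attack signatures; one Alert per hit."""
    alerts = []
    for line in captured:
        m = _RECORD.match(line)
        if not m:
            continue
        _src, dst, payload = m.groups()
        for sig_id, attack_id, pattern in SIGNATURES:
            if pattern.search(payload):
                alerts.append(Alert(sig_id, attack_id, dst, line))
    return alerts


def build_assurance_information(assurance_data, references):
    """Steps 5 and 6: compare assurance data with the references; each match
    yields one piece of assurance information, keyed (attack_id, host)."""
    info = set()
    for record in assurance_data:
        for attack_id, ref in references.items():
            if all(record.get(k) == v for k, v in ref.items()):
                info.add((attack_id, record["host"]))
    return info


def verify_alert(alert, assurance_info):
    """Steps 7 to 11: retrieve the alert's preconditions and decide its fate."""
    if alert.attack_id not in PRECONDITIONS or alert.attack_id not in ASSURANCE_REFERENCES:
        return "non-verified"          # nothing defined to check against
    if (alert.attack_id, alert.target) in assurance_info:
        return "verified"              # precondition confirmed on the target
    return "filtered"                  # precondition checkable but absent


def run_pipeline(captured, assurance_data):
    """Full pipeline: returns (signature, target, outcome) per generated alert."""
    info = build_assurance_information(assurance_data, ASSURANCE_REFERENCES)
    return [(a.sig_id, a.target, verify_alert(a, info)) for a in match_signatures(captured)]


if __name__ == "__main__":
    for sig_id, target, outcome in run_pipeline(CAPTURED, ASSURANCE_DATA):
        print(f"{sig_id} -> {target}: {outcome}")
```

The three outcomes map directly onto the claim: the SSH hit on 10.0.0.20 is a verified alarm because the inventory confirms the vulnerable OpenSSH build, the same signature on 10.0.0.24 is filtered because that host runs a different version, and the traversal and SMB hits stay non verified because no reference (or no precondition at all) exists for them. Note that "filtered" is only as trustworthy as the assurance data; a stale inventory turns real attacks into filtered alerts, so the monitoring feed needs its own freshness check.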
Specification