NETWORK INTRUSION DETECTION WITH DISTRIBUTED CORRELATION
First Claim
1. A method for detecting an intrusion attempt in a network comprising a plurality of host machines, the method comprising:
receiving, at a first host machine of the plurality of host machines, a first security report from a second host machine of the plurality of host machines, wherein the first security report summarizes network activity at the second host machine;
processing, via at least one processor, at least the first security report from the second host machine and network traffic at the first host machine to determine whether a network intrusion attempt is suspected;
if it is determined that the network intrusion attempt is suspected, generating a second security report indicating that the network intrusion attempt is suspected by the first host machine; and
processing a plurality of security reports to determine whether a network intrusion attempt is detected, the plurality of security reports being generated by multiple host machines of the plurality of host machines, the plurality of security reports comprising the second security report.
Abstract
A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken.
20 Claims
1. A method for detecting an intrusion attempt in a network comprising a plurality of host machines, the method comprising:
receiving, at a first host machine of the plurality of host machines, a first security report from a second host machine of the plurality of host machines, wherein the first security report summarizes network activity at the second host machine;
processing, via at least one processor, at least the first security report from the second host machine and network traffic at the first host machine to determine whether a network intrusion attempt is suspected;
if it is determined that the network intrusion attempt is suspected, generating a second security report indicating that the network intrusion attempt is suspected by the first host machine; and
processing a plurality of security reports to determine whether a network intrusion attempt is detected, the plurality of security reports being generated by multiple host machines of the plurality of host machines, the plurality of security reports comprising the second security report.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system for detecting a security threat to a network comprising a plurality of host machines, the system comprising:
a first threat monitoring agent operatively connected to a first host machine of the plurality of host machines, the first threat monitoring agent being configured to:
process data from the first host machine to generate a first security report identifying a possible security threat to the network, and
send the first security report to at least a second host machine of the plurality of host machines;
a second threat monitoring agent operatively connected to the second host machine, the second threat monitoring agent being configured to:
receive the first security report from the first threat monitoring agent,
process at least the first security report from the first threat monitoring agent and data from the second host machine to determine whether the security threat to the network is suspected, and
if it is determined that the security threat to the network is suspected, generate a second security report indicating that the security threat to the network is suspected by the second host machine; and
a threat detecting agent configured to process a plurality of security reports to determine whether a security threat to the network is detected, the plurality of security reports being obtained from multiple ones of the plurality of host machines, and the plurality of security reports comprising the second security report.
Dependent claims: 9, 10, 11, 12, 13, 14, 15.
16. At least one computer-readable storage medium encoded with a plurality of computer-executable instructions that, when executed, perform a method for detecting an intrusion attempt in a network comprising a plurality of host machines, the method comprising:
processing network traffic at a first host machine of the plurality of host machines to identify network traffic indicative of a possible network intrusion attempt;
generating a first security report containing security data indicating the identified network traffic;
correlating at least the identified network traffic with network traffic indicated in first security reports received from others of the plurality of host machines;
based on a result of the correlating, generating a second security report indicating that a network intrusion attempt is suspected; and
processing at least second security reports generated by multiple ones of the plurality of host machines to determine whether a network intrusion attempt is detected.
Dependent claims: 17, 18, 19, 20.
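The abstract and the three independent claims describe the same three-level pipeline: a per-host agent summarizes raw local traffic into a first security report, a host correlates its own findings with first reports received from other hosts to decide whether an intrusion is suspected (a second security report), and a threat detecting agent processes the second reports from multiple hosts to decide whether an intrusion is detected. The following Python model is an added illustration of that structure, not code from the patent or its assignee; the scan-like heuristic, the thresholds, the report types and the sample traffic are all constructed for this example. The point it makes is the one the abstract makes: a source that looks suspicious on one host alone (10.0.0.77 here) is never escalated, while a source corroborated across several hosts is.

```python
"""Toy three-level distributed correlation (constructed example, not the patent's code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Thresholds are assumptions for this example; the patent text fixes none.
PORTS_PER_SOURCE = 3          # distinct refused ports from one source -> level-1 report
MIN_HOSTS_CORROBORATING = 2   # other hosts also reporting that source -> level-2 suspicion
MIN_SUSPECTING_HOSTS = 2      # hosts independently suspecting a source -> level-3 detection


@dataclass(frozen=True)
class Connection:
    """One observed connection attempt at a host (constructed record type)."""
    src: str
    dst_port: int
    accepted: bool


@dataclass
class FirstReport:
    """'First security report': a host's summary of locally observed suspicious sources."""
    host: str
    sources: Dict[str, FrozenSet[int]]   # source address -> distinct ports it was refused on


@dataclass
class SecondReport:
    """'Second security report': this host suspects an intrusion from these sources."""
    host: str
    suspected_sources: FrozenSet[str]


def summarize_local_traffic(host: str, connections: List[Connection]) -> FirstReport:
    """Level 1: reduce raw local connections to sources refused on several distinct ports."""
    ports_by_src = defaultdict(set)
    for c in connections:
        if not c.accepted:
            ports_by_src[c.src].add(c.dst_port)
    flagged = {src: frozenset(ports) for src, ports in ports_by_src.items()
               if len(ports) >= PORTS_PER_SOURCE}
    return FirstReport(host=host, sources=flagged)


def correlate(local: FirstReport, received: List[FirstReport]) -> Optional[SecondReport]:
    """Level 2: combine the local report with first reports received from other hosts.
    A locally flagged source becomes 'suspected' only if enough other hosts flagged it too."""
    corroboration = Counter()
    for r in received:
        if r.host == local.host:      # only other hosts corroborate
            continue
        for src in r.sources:
            corroboration[src] += 1
    suspected = frozenset(src for src in local.sources
                          if corroboration[src] >= MIN_HOSTS_CORROBORATING)
    if not suspected:
        return None
    return SecondReport(host=local.host, suspected_sources=suspected)


def detect(second_reports: List[SecondReport]) -> Dict[str, List[str]]:
    """Level 3: the threat detecting agent declares a source 'detected' when it is
    independently suspected by multiple hosts. Returns source -> sorted suspecting hosts."""
    hosts_by_src = defaultdict(set)
    for r in second_reports:
        for src in r.suspected_sources:
            hosts_by_src[src].add(r.host)
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items()
            if len(hosts) >= MIN_SUSPECTING_HOSTS}


def run_pipeline(traffic_by_host: Dict[str, List[Connection]]):
    """Run all three levels; every host receives every other host's first report."""
    firsts = [summarize_local_traffic(h, conns) for h, conns in traffic_by_host.items()]
    seconds = [s for f in firsts if (s := correlate(f, firsts)) is not None]
    return firsts, seconds, detect(seconds)


# Constructed sample traffic: 10.0.0.9 is refused on three ports at each of three hosts;
# 10.0.0.77 is refused on four ports at host-a only (a local-only alarm that correlation
# should not escalate); 10.0.0.5 is ordinary accepted traffic.
SAMPLE_TRAFFIC = {
    "host-a": [Connection("10.0.0.9", p, False) for p in (22, 80, 443)]
              + [Connection("10.0.0.77", p, False) for p in (21, 23, 25, 110)]
              + [Connection("10.0.0.5", 443, True)],
    "host-b": [Connection("10.0.0.9", p, False) for p in (22, 80, 8080)]
              + [Connection("10.0.0.5", 443, True)],
    "host-c": [Connection("10.0.0.9", p, False) for p in (22, 445, 3389)],
    "host-d": [Connection("10.0.0.5", 22, True)],
}

if __name__ == "__main__":
    firsts, seconds, detected = run_pipeline(SAMPLE_TRAFFIC)
    for f in firsts:
        print("level 1", f.host, sorted(f.sources))
    for s in seconds:
        print("level 2", s.host, sorted(s.suspected_sources))
    print("level 3 detected:", detected)
```

Each level only sees summaries from the level below, which is what keeps the scheme distributed: hosts exchange first reports rather than raw traffic, and the detecting agent consumes second reports rather than every host's connection log. Tightening or loosening the three thresholds moves the trade-off between missed low-volume probes and noisy local alarms.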