COMPUTER NETWORK INTRUSION DETECTION
First Claim
1. A method of identifying an attacker device attempting an intrusion into a Transmission Control Protocol / Internet Protocol (TCP/IP) protocol based network, said method comprising:
detecting, by at least one managed device of the network, an incoming TCP/IP connection by the attacker device to the network;
after said detecting the incoming TCP/IP connection, performing a process that comprises determining that the incoming TCP/IP connection is a NetBIOS connection that has created an invalid logon by the attacker device, linking the invalid logon with the NetBIOS TCP/IP connection, retrieving event log information from a security event log of the network, and determining (i) that a userid of the invalid logon is a local userid defined on a local device of the at least one managed device, (ii) that the userid of the invalid logon is a userid in a list of userids used by viruses, or (iii) that the userid of the invalid logon is neither the local userid defined on the local device nor is in the list of userids used by viruses; and
after said performing the process, storing the retrieved event log information in a central violation database of the network.
Abstract
A method and system of identifying an attacker device attempting an intrusion into a network. At least one managed device of the network detects an incoming TCP/IP connection by the attacker device to the network. It is then determined that the incoming TCP/IP connection is a NetBIOS connection that has created an invalid logon by the attacker device; the invalid logon is linked with the NetBIOS TCP/IP connection; event log information is retrieved from a security event log of the network; and it is determined (i) that a userid of the invalid logon is a local userid defined on a local device, (ii) that the userid of the invalid logon is a userid in a list of userids used by viruses, or (iii) that the userid of the invalid logon is neither the local userid nor in the list of userids. The retrieved event log information is stored in a central violation database.
Claims (20 claims; the independent claims 1, 11 and 16 are reproduced below)
1. Independent claim 1, as reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system comprising at least one managed device configured for identifying an attacker device attempting an intrusion into a TCP/IP protocol based network, said at least one managed device configured to perform a method, said method comprising:
detecting, by the at least one managed device of the network, an incoming TCP/IP connection by the attacker device to the network;
after said detecting the incoming TCP/IP connection, performing a process that comprises determining that the incoming TCP/IP connection is a NetBIOS connection that has created an invalid logon by the attacker device, linking the invalid logon with the NetBIOS TCP/IP connection, retrieving event log information from a security event log of the network, and determining (i) that a userid of the invalid logon is a local userid defined on a local device of the at least one managed device, (ii) that the userid of the invalid logon is a userid in a list of userids used by viruses, or (iii) that the userid of the invalid logon is neither the local userid defined on the local device nor is in the list of userids used by viruses; and
after said performing the process, storing the retrieved event log information in a central violation database of the network.
Dependent claims: 12, 13, 14, 15.
16. A computer program product stored on a hardware storage medium readable by a computer machine, the computer program product tangibly embodying readable program code configured to be executed by the computer machine to perform a method of identifying an attacker device attempting an intrusion into a TCP/IP protocol based network, said method comprising:
detecting, by at least one managed device of the network, an incoming TCP/IP connection by the attacker device to the network;
after said detecting the incoming TCP/IP connection, performing a process that comprises determining that the incoming TCP/IP connection is a NetBIOS connection that has created an invalid logon by the attacker device, linking the invalid logon with the NetBIOS TCP/IP connection, retrieving event log information from a security event log of the network, and determining (i) that a userid of the invalid logon is a local userid defined on a local device of the at least one managed device, (ii) that the userid of the invalid logon is a userid in a list of userids used by viruses, or (iii) that the userid of the invalid logon is neither the local userid defined on the local device nor is in the list of userids used by viruses; and
after said performing the process, storing the retrieved event log information in a central violation database of the network.
Dependent claims: 17, 18, 19, 20.
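The three independent claims describe the same detection process: observe an incoming connection, decide that it is a NetBIOS connection which produced a failed logon, tie that logon back to the connection, pull the matching record from the Security event log, classify the userid as local, as a known virus/worm userid, or as neither, and write the result to a central violation database. The following Python is an illustration added by the editor of how such a correlation could be run over sample data; it is not the patent's own implementation. Windows Security event 4625 (failed logon) and logon type 3 (network logon) are real log semantics; the 5-second linking window, the local and virus userid lists, the host and IP names, the SQLite table, and the decision to treat port 445 alongside NetBIOS port 139 are assumptions, and every record below is constructed.

```python
"""Correlate NetBIOS/SMB connections with failed logons and classify the userid.

Editor's illustration in the spirit of claim 1; not the patent's implementation.
All sample connections and Security-log records below are constructed.
"""
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timedelta

# Port 139 is the NetBIOS session service. Treating 445 (SMB directly over TCP)
# the same way is an assumption that goes beyond the claim's NetBIOS wording.
NETBIOS_PORTS = {139, 445}
LINK_WINDOW = timedelta(seconds=5)  # assumed: logon must follow the connection within 5 s


@dataclass(frozen=True)
class Connection:
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    host: str        # managed device that wrote the Security log record
    event_id: int    # Windows Security log: 4625 = failed logon, 4624 = success
    logon_type: int  # 3 = network logon, which is how SMB/NetBIOS logons appear
    userid: str
    src_ip: str


# (i) local userids defined on each managed device (constructed)
LOCAL_USERIDS = {"fileserver01": {"Administrator", "backup_svc", "jsmith"}}
# (ii) userids known to be tried by worms/viruses (constructed placeholder list)
VIRUS_USERIDS = {"admin", "guest", "test", "user"}


def link_logon_to_connection(event, connections, window=LINK_WINDOW):
    """Most recent NetBIOS connection from the event's source IP opened at or
    before the failed logon and within `window`; None if there is none."""
    candidates = [
        c for c in connections
        if c.src_ip == event.src_ip
        and c.dst_port in NETBIOS_PORTS
        and timedelta(0) <= event.ts - c.ts <= window
    ]
    return max(candidates, key=lambda c: c.ts, default=None)


def classify_userid(userid, host):
    """Apply the claim's three-way test in order: local, virus list, neither."""
    u = userid.lower()
    if u in {x.lower() for x in LOCAL_USERIDS.get(host, set())}:
        return "local_userid"
    if u in VIRUS_USERIDS:
        return "virus_userid"
    return "unknown_userid"


def open_violation_db():
    """Stand-in for the central violation database (in-memory SQLite)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE violations (ts TEXT, attacker_ip TEXT, target_host TEXT, "
        "dst_port INTEGER, userid TEXT, category TEXT, event_id INTEGER)"
    )
    return db


def process(connections, events, db):
    """Run the process over the event log; return the number of rows stored."""
    stored = 0
    for ev in events:
        if ev.event_id != 4625 or ev.logon_type != 3:
            continue  # only failed network logons count as invalid logons here
        conn = link_logon_to_connection(ev, connections)
        if conn is None:
            continue  # failed logon not attributable to a NetBIOS connection
        db.execute(
            "INSERT INTO violations VALUES (?, ?, ?, ?, ?, ?, ?)",
            (ev.ts.isoformat(), ev.src_ip, ev.host, conn.dst_port,
             ev.userid, classify_userid(ev.userid, ev.host), ev.event_id),
        )
        stored += 1
    db.commit()
    return stored


def violations(db):
    return db.execute(
        "SELECT attacker_ip, userid, category FROM violations ORDER BY ts"
    ).fetchall()


T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_CONNECTIONS = [  # constructed
    Connection(T0, "10.0.0.5", "192.168.1.10", 139),
    Connection(T0 + timedelta(seconds=2), "10.0.0.7", "192.168.1.10", 445),
    Connection(T0 + timedelta(seconds=3), "10.0.0.9", "192.168.1.10", 80),  # HTTP, not NetBIOS
]
SAMPLE_EVENTS = [  # constructed Security-log records from fileserver01
    LogonEvent(T0 + timedelta(seconds=1), "fileserver01", 4625, 3, "Administrator", "10.0.0.5"),
    LogonEvent(T0 + timedelta(seconds=2), "fileserver01", 4625, 3, "zzz_scanner", "10.0.0.5"),
    LogonEvent(T0 + timedelta(seconds=3), "fileserver01", 4625, 3, "guest", "10.0.0.7"),
    LogonEvent(T0 + timedelta(seconds=4), "fileserver01", 4625, 3, "qwerty", "10.0.0.9"),
    LogonEvent(T0 + timedelta(seconds=5), "fileserver01", 4624, 3, "jsmith", "10.0.0.5"),
]

if __name__ == "__main__":
    db = open_violation_db()
    print(process(SAMPLE_CONNECTIONS, SAMPLE_EVENTS, db), "violations stored")
    for row in violations(db):
        print(row)
```

Running the sample stores three rows: the failed `Administrator` logon classifies as a local userid, `zzz_scanner` as neither list, and `guest` as a virus userid. The `qwerty` failure is dropped because its source only ever connected to port 80, so it cannot be linked to a NetBIOS connection, and the successful 4624 logon is never an invalid logon. In practice the linking key would also include the managed device's own address and the Security log's logon ID, since source IP plus a time window is the weakest part of this correlation.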
Specification