COMPUTER NETWORK INTRUSION DETECTION

US 20120297489A1
Filed: 06/05/2012
Published: 11/22/2012
Est. Priority Date: 06/06/2005
Status: Active Grant

First Claim

Patent Images

1. A method of identifying an attacker device attempting an intrusion into a Transmission Control Protocol / Internet Protocol (TCP/IP) protocol based network, said method comprising:

detecting, by at least one managed device of the network, an incoming TCP/IP connection by the attacker device to the network.r said detecting the incoming TCP/IP connection, performing a process that comprises determining that the incoming TCP/IP connection is a Net BIOS connection that has created an invalid logon by the attacker device, linking the invalid logon with the NetBIOS TCP/IP connection, retrieving event log information from a security event log of the network, and determining (i) that a userid of the invalid logon is a local userid defined on a local device of the at least one managed device, (ii) that the userid of the invalid logon is a userid in a list of userids used by viruses, or (iii) that the userid of the invalid logon is neither the local userid defined on the local device nor is in the list of userids used by viruses; and

after said performing the process, storing the retrieved event log information in a central violation database of the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system of identifying an attacker device attempting an intrusion into a network. At least one managed device of the network detects an incoming TCP/IP connection by the attacker device to the network. It is determined that the incoming TCP/IP connection is a Net BIOS connection that has created an invalid logon by the attacker device, linking the invalid logon with the NetBIOS TCP/IP connection, retrieving event log information from a security event log of the network, and determining (i) that a userid of the invalid logon is a local userid defined on a local device, (ii) that the userid of the invalid logon is a userid in a list of userids used by viruses, or (iii) that the userid of the invalid logon is neither the local userid nor is in the list of userids. The retrieved event log information is stored in a central violation database.

253 Citations

20 Claims

1. A method of identifying an attacker device attempting an intrusion into a Transmission Control Protocol / Internet Protocol (TCP/IP) protocol based network, said method comprising:
- detecting, by at least one managed device of the network, an incoming TCP/IP connection by the attacker device to the network.r said detecting the incoming TCP/IP connection, performing a process that comprises determining that the incoming TCP/IP connection is a Net BIOS connection that has created an invalid logon by the attacker device, linking the invalid logon with the NetBIOS TCP/IP connection, retrieving event log information from a security event log of the network, and determining (i) that a userid of the invalid logon is a local userid defined on a local device of the at least one managed device, (ii) that the userid of the invalid logon is a userid in a list of userids used by viruses, or (iii) that the userid of the invalid logon is neither the local userid defined on the local device nor is in the list of userids used by viruses; and
  
  after said performing the process, storing the retrieved event log information in a central violation database of the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, said method comprising after said performing the process:
    - generating a report comprising the event log information; and
      
      storing the report in the central violation database of the network.
  - 3. The method of claim 2, said method further comprising:
    - after said detecting the incoming TCP/IP connection and before said performing the process, extracting from a TCP/IP stack of at least one managed device TCP/IP information relating to the attacker device, wherein the report comprises the extracted TCP/IP information.
  - 4. The method of claim 2, wherein said performing the process comprises determining a warning level associated with the invalid logon, and wherein the report comprises the warning level.
  - 5. The method of claim 4, wherein the report comprises the userid of the invalid logon, and wherein said determining the warning level comprises:
    - determining that the userid of the invalid logon is the local userid defined on the local device, resulting in determining that the warning level is a low warning level;
      
      determining that the userid of the invalid logon is not the local userid defined on the local device and is not in the list of userids used by viruses, resulting in determining that the warning level is a medium warning level;
      
      ordetermining that the userid of the invalid logon is in the list of userids used by viruses, resulting in determining that the warning level is a high warning level.
  - 6. The method of claim 2, wherein the report comprises a host name of the network, an IP address of the at least one managed device, a local subnet of the network, a host name of the attacker device, an IP address of the attacker device, a TCP port of the attacker device, a port number of the incoming TCP/IP connection, a MAC address of the attacker device, a userid of the invalid logon, a warning level associated with the invalid logon, a date and time of the incoming TCP/IP connection, and a network switch through which the incoming TCP/IP connection was established.
  - 7. The method of claim 1, said method further comprising:
    - after said detecting the incoming TCP/IP connection and before said performing the process, determining that a port number of the incoming TCP/IP connection is identical to a port number in a set of predefined port numbers.
  - 8. The method of claim 2, wherein said performing the process comprises determining a MAC address of the attacker device, and wherein the report comprises the determined MAC address.
  - 9. The method of claim 2, wherein the method further comprises determining a host name of the network, and wherein the report comprises the determined host name of the network.
  - 10. The method of claim 2, wherein the report comprises a city, building, and floor in which the attacker device is located.

11. A system comprising at least one managed device configured for identifying an attacker device attempting an intrusion into a TCP/IP protocol based network, said at least one managed device configured to perform a method, said method comprising:
- detecting, by at the least one managed device of the network, an incoming TCP/IP connection by the attacker device to the network;
  
  after said detecting the incoming TCP/IP connection, performing a process that comprises determining that the incoming TCP/IP connection is a Net BIOS connection that has created an invalid logon by the attacker device, linking the invalid logon with the NetBIOS TCP/IP connection, retrieving event log information from a security event log of the network, and determining (i) that a userid of the invalid logon is a local userid defined on a local device of the at least one managed device, (ii) that the userid of the invalid logon is a userid in a list of userids used by viruses, or (iii) that the userid of the invalid logon is neither the local userid defined on the local device nor is in the list of userids used by viruses; and
  
  after said performing the process, storing the retrieved event log information in a central violation database of the network.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, said method comprising after said performing the process:
    - generating a report comprising the event log information; and
      
      storing the report in the central violation database of the network.
  - 13. The system of claim 12, said method further comprising:
    - after said detecting the incoming TCP/IP connection and before said performing the process, extracting from a TCP/IP stack of at least one managed device TCP/IP information relating to the attacker device, wherein the report comprises the extracted TCP/IP information.
  - 14. The system of claim 12, wherein said performing the process comprises determining a warning level associated with the invalid logon, and wherein the report comprises the warning level.
  - 15. The system of claim 14, wherein the report comprises the userid of the invalid logon, and wherein said determining the warning level comprises:
    - determining that the userid of the invalid logon is the local userid defined on the local device, resulting in determining that the warning level is a low warning level;
      
      determining that the userid of the invalid logon is not the local userid defined on the local device and is not in the list of userids used by viruses, resulting in determining that the warning level is a medium warning level;
      
      ordetermining that the userid of the invalid logon is in the list of userids used by viruses, resulting in determining that the warning level is a high warning level.

16. A computer program product stored on a hardware storage medium readable by a computer machine, the computer program product tangibly embodying readable program code configured to be executed by the computer machine to perform a method of identifying an attacker device attempting an intrusion into a TCP/IP protocol based network, said method comprising:
- detecting, by at least one managed device of the network, an incoming TCP/IP connection by the attacker device to the network;
  
  after said detecting the incoming TCP/IP connection, performing a process that comprises determining that the incoming TCP/IP connection is a Net BIOS connection that has created an invalid logon by the attacker device, linking the invalid logon with the NetBIOS TCP/IP connection, retrieving event log information from a security event log of the network, and determining (i) that a userid of the invalid logon is a local userid defined on a local device of the at least one managed device, (ii) that the userid of the invalid logon is a userid in a list of userids used by viruses, or (iii) that the userid of the invalid logon is neither the local userid defined on the local device nor is in the list of userids used by viruses; and
  
  after said performing the process, storing the retrieved event log information in a central violation database of the network.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer program product of claim 16, said method comprising after said performing the process:
    - generating a report comprising the event log information; and
      
      storing the report in the central violation database of the network.
  - 18. The computer program product of claim 17, said method further comprising:
    - after said detecting the incoming TCP/IP connection and before said performing the process, extracting from a TCP/IP stack of at least one managed device TCP/IP information relating to the attacker device, wherein the report comprises the extracted TCP/IP information.
  - 19. The computer program product of claim 17, wherein said performing the process comprises determining a warning level associated with the invalid logon, and wherein the report comprises the warning level.
  - 20. The computer program product of claim 19, wherein the report comprises the userid of the invalid logon, and wherein said determining the warning level comprises:
    - determining that the userid of the invalid logon is the local userid defined on the local device, resulting in determining that the warning level is a low warning level;
      
      determining that the userid of the invalid logon is not the local userid defined on the local device and is not in the list of userids used by viruses, resulting in determining that the warning level is a medium warning level;
      
      ordetermining that the userid of the invalid logon is in the list of userids used by viruses, resulting in determining that the warning level is a high warning level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
DEQUEVY, Jean-Jacques

Granted Patent

US 8,631,496 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

H04L 2101/663   Transport layer addresses, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

COMPUTER NETWORK INTRUSION DETECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

253 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

COMPUTER NETWORK INTRUSION DETECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

253 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links