NETWORK INTRUSION DETECTION WITH DISTRIBUTED CORRELATION
Abstract
A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possible security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis, and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken.
20 Claims
1. A method for detecting an intrusion attempt in a network comprising a plurality of host machines, the method comprising:
receiving, at a first host machine, security reports relating to one or more host machines in the network, each security report summarizes network traffic at a respective host machine indicative of a possible intrusion attempt at a respective host machine and/or context data local to a host machine;
correlating, at the first host machine, the security reports;
associating, at the first host machine, a level of security concern when a correlation exceeds a threshold; and
when the level of security concern indicates a network intrusion attempt, generating a second security report indicating a suspected network intrusion attempt.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A system for detecting a security threat to a network comprising a plurality of host machines, the system comprising:
a first processor and a memory, the first processor executing instructions that:
receives security reports relating to one or more host machines in the network, each security report summarizes network traffic at a respective host machine indicative of a possible intrusion attempt at a respective host machine and/or context data local to a host machine;
correlates the security reports;
associates a level of security concern when a correlation exceeds a threshold; and
when the level of security concern indicates a network intrusion attempt, generates a second security report indicating a suspected network intrusion attempt.
Dependent claims: 9, 10, 11, 12, 13, 14, 15
16. At least one computer-readable storage memory encoded with a plurality of computer-executable instructions that, when executed, perform a method for detecting an intrusion attempt in a network comprising a plurality of host machines, the method comprising:
receiving, at a first host machine, security reports relating to one or more host machines in the network, each security report summarizes network traffic at a respective host machine indicative of a possible intrusion attempt at a respective host machine and/or context data local to a host machine;
correlating, at the first host machine, the security reports;
associating, at the first host machine, a level of security concern when a correlation exceeds a threshold; and
when the level of security concern indicates a network intrusion attempt, generating a second security report indicating a suspected network intrusion attempt.
Dependent claims: 17, 18, 19, 20
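A toy model of the multi-level correlation that the abstract and the independent claims (1, 8 and 16) describe: each host's agent emits a local security report, a host correlates the pool of reports it received, associates a level of security concern once the correlation exceeds a threshold, emits a second security report, and a threat is indicated from the concerns of several hosts. This is an added example, not code from the patent or its assignee. The report fields, weights, scoring rule, threshold, level bands and the sample reports are all assumptions made for the demonstration.

```python
"""Toy multi-level correlation of per-host security reports.

Added example, not code from the patent or its assignee. Every report
field, weight, scoring rule, threshold and level band is an assumption."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityReport:
    """What one host's agent emits after inspecting its own raw traffic."""
    host: str              # host whose agent produced the report
    source: str            # remote address the suspicious traffic came from
    kind: str              # local finding, e.g. "port_probe", "auth_failure"
    weight: float          # agent's local confidence in [0, 1]
    context: tuple = ()    # local context data as (key, value) pairs

@dataclass(frozen=True)
class Concern:
    """First-level result: a correlation that crossed the threshold."""
    reporter: str   # host that performed the correlation
    source: str
    score: float
    hosts: tuple    # distinct hosts whose reports agreed on this source
    level: str      # "low", "medium" or "high"

THRESHOLD = 2.0                                               # assumed
LEVEL_BANDS = ((4.5, "high"), (3.0, "medium"), (2.0, "low"))  # assumed

def correlation_score(reports):
    """Sum of local weights plus credit for corroboration by distinct
    hosts and by different kinds of evidence about the same source."""
    hosts = {r.host for r in reports}
    kinds = {r.kind for r in reports}
    return round(sum(r.weight for r in reports)
                 + 1.0 * (len(hosts) - 1) + 0.5 * (len(kinds) - 1), 3)

def level_for(score):
    for floor, name in LEVEL_BANDS:
        if score >= floor:
            return name
    return None

def correlate(reporter, reports):
    """First level (claim 1): one host correlates the reports it received,
    its own and those shared by other hosts, and associates a level of
    concern with every remote source whose correlation exceeds THRESHOLD."""
    by_source = defaultdict(list)
    for r in reports:
        by_source[r.source].append(r)
    concerns = []
    for source, rs in sorted(by_source.items()):
        score = correlation_score(rs)
        if score < THRESHOLD:
            continue
        concerns.append(Concern(reporter, source, score,
                                tuple(sorted({r.host for r in rs})),
                                level_for(score)))
    return concerns

def second_level_report(concern):
    """The second security report of claim 1, emitted only when the level
    of concern indicates a network intrusion attempt."""
    if concern.level is None:
        return None
    return SecurityReport(concern.reporter, concern.source,
                          "suspected_intrusion", min(1.0, concern.score / 5),
                          (("level", concern.level), ("hosts", concern.hosts)))

def indicate_threat(second_reports, min_reporters=2):
    """Top level from the abstract: a threat is indicated for a source once
    second-level reports about it come from min_reporters distinct hosts."""
    by_source = defaultdict(set)
    for r in second_reports:
        if r is not None and r.kind == "suspected_intrusion":
            by_source[r.source].add(r.host)
    return sorted(s for s, hs in by_source.items() if len(hs) >= min_reporters)

# Constructed sample input: three hosts independently notice 203.0.113.7;
# two other addresses are each seen weakly by a single host.
SAMPLE_REPORTS = [
    SecurityReport("web1", "203.0.113.7", "port_probe", 0.6),
    SecurityReport("web2", "203.0.113.7", "port_probe", 0.5),
    SecurityReport("db1", "203.0.113.7", "auth_failure", 0.7,
                   (("service", "ssh"), ("failures", 12))),
    SecurityReport("web1", "198.51.100.20", "port_probe", 0.4),
    SecurityReport("web2", "198.51.100.21", "auth_failure", 0.9),
]

def demo(hosts=("web1", "web2", "db1")):
    """Every host correlates the shared pool, then the second-level reports
    of all hosts are combined. Returns (concerns at web1, flagged sources)."""
    second = [second_level_report(c)
              for h in hosts for c in correlate(h, SAMPLE_REPORTS)]
    return correlate("web1", SAMPLE_REPORTS), indicate_threat(second)

if __name__ == "__main__":
    concerns, threats = demo()
    for c in concerns:
        print(f"{c.reporter}: {c.source} score={c.score} level={c.level} "
              f"corroborated by {c.hosts}")
    print("threat indicated for:", threats)
```

The point of the two tiers is visible in the sample: no single report about 203.0.113.7 reaches the threshold on its own (weights 0.6, 0.5 and 0.7), but the agreement of three hosts and two kinds of evidence lifts the correlation to a "medium" concern, while the lone weak reports about the other two addresses never produce a concern at all. A real agent would derive the weights from its own sensors and would exchange reports over an authenticated channel, since a forged report from a compromised host is the obvious way to poison a correlator of this kind.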
Specification