Monitoring Operational Activities In Networks And Detecting Potential Network Intrusions And Misuses
First Claim
1. A method, comprising:
collecting, by an intrusion detection system comprising a processor, logs each of which comprises a plurality of entries;
extracting, by the intrusion detection system, information from the logs;
based upon the information extracted from the logs, updating, by the intrusion detection system, on an entry-by-entry basis, intrusion detection information utilized by an intrusion detection rule;
updating, by the intrusion detection system, a profile utilized by the intrusion detection rule;
comparing, by the intrusion detection system, the profile and the intrusion detection rule against a running state of an on-going session;
tagging, by the intrusion detection system, corresponding log entries of the logs with a threat score;
calculating, by the intrusion detection system, the threat scores from the corresponding log entries to create an aggregated threat score; and
presenting, by the intrusion detection system, the aggregated threat score.
2 Assignments
0 Petitions
Abstract
Concepts and technologies disclosed herein are for monitoring operational activities in networks and detecting potential network intrusions and misuses. According to one aspect disclosed herein, an intrusion detection system can collect logs from an authentication, authorization, and accounting system. The intrusion detection system can extract information from the logs, update intrusion detection information utilized by an intrusion detection rule based upon the information extracted from the logs, update a profile utilized by the intrusion detection rule, compare the profile and the intrusion detection rule against a running state of an on-going session, tag corresponding log entries with a threat score, calculate the threat scores from the corresponding log entries to create an aggregated threat score, and present the aggregated threat score. The intrusion detection system can also present an alarm if the aggregated threat score triggers an alarm condition.
97 Citations
20 Claims
1. A method, comprising the steps recited under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. An intrusion detection system, comprising:
a processor; and
a memory in communication with the processor, the memory comprising instructions that, when executed by the processor, cause the processor to perform operations comprising:
collecting logs each of which comprises a plurality of entries;
extracting information from the logs;
based upon the information extracted from the logs, updating, on an entry-by-entry basis, intrusion detection information utilized by an intrusion detection rule;
updating a profile utilized by the intrusion detection rule;
comparing the profile and the intrusion detection rule against a running state of an on-going session;
tagging corresponding log entries of the logs with a threat score;
calculating the threat scores from the corresponding log entries to create an aggregated threat score; and
presenting the aggregated threat score.
Dependent claims: 13, 14, 15, 16, 17, 18.
19. A computer-readable storage medium comprising computer-executable instructions that, when executed by a processor, cause the processor to perform operations comprising:
collecting logs each of which comprises a plurality of entries;
extracting information from the logs;
based upon the information extracted from the logs, updating, on an entry-by-entry basis, intrusion detection information utilized by an intrusion detection rule;
updating a profile utilized by the intrusion detection rule;
comparing the profile and the intrusion detection rule against a running state of an on-going session;
tagging corresponding log entries of the logs with a threat score;
calculating the threat scores from the corresponding log entries to create an aggregated threat score;
determining if an alarm condition has been satisfied by the aggregated threat score; and
if the alarm condition has been satisfied by the aggregated threat score, presenting an alarm.
Dependent claim: 20.
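As an added illustration, not code from the patent or its assignee, here is the claimed pipeline in Python over a constructed AAA-style log: a per-user profile (learned baseline sources) and running session state, a rule that scores each entry against both, per-entry tagging, per-user aggregation, and an alarm threshold as in claim 19. The log field names, rule weights and threshold are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed AAA-style log entries (hypothetical field names), in time order.
SAMPLE_LOG = [
    {"ts": 1, "user": "alice", "src": "10.0.0.5",    "event": "login", "result": "ok"},
    {"ts": 2, "user": "alice", "src": "10.0.0.5",    "event": "cmd",   "result": "ok"},
    {"ts": 3, "user": "bob",   "src": "10.0.0.9",    "event": "login", "result": "fail"},
    {"ts": 4, "user": "bob",   "src": "10.0.0.9",    "event": "login", "result": "fail"},
    {"ts": 5, "user": "bob",   "src": "203.0.113.7", "event": "login", "result": "ok"},
    {"ts": 6, "user": "bob",   "src": "203.0.113.7", "event": "cmd",   "result": "ok"},
]

@dataclass
class SessionState:
    """Per-user profile (learned baseline) plus running state of the on-going session."""
    known_srcs: set = field(default_factory=set)   # profile: sources seen in the baseline
    failed_logins: int = 0                          # running state: failures so far

def score_entry(entry, state):
    """The intrusion detection rule: compare one entry against profile + running state."""
    score = 0
    if entry["event"] == "login" and entry["result"] == "fail":
        score += 1 + state.failed_logins            # each further failure weighs more
    if entry["event"] == "login" and entry["result"] == "ok":
        if entry["src"] not in state.known_srcs:
            score += 3                              # success from a source not in the profile
        if state.failed_logins >= 2:
            score += 2                              # success right after a failure burst
    if entry["event"] == "cmd" and state.failed_logins >= 2:
        score += 5                                  # activity in a session that followed failures
    return score

def update_state(entry, state):
    """Entry-by-entry update of the running state; the profile stays the learned baseline."""
    if entry["event"] == "login" and entry["result"] == "fail":
        state.failed_logins += 1

def analyze(log, profiles, alarm_threshold):
    """Tag each entry with a threat score, aggregate per user, and flag users over threshold."""
    states = {u: SessionState(known_srcs=set(srcs)) for u, srcs in profiles.items()}
    tagged, totals = [], {}
    for entry in sorted(log, key=lambda e: e["ts"]):
        state = states.setdefault(entry["user"], SessionState())
        score = score_entry(entry, state)           # compare before updating the state
        update_state(entry, state)
        tagged.append({**entry, "threat_score": score})
        totals[entry["user"]] = totals.get(entry["user"], 0) + score
    alarms = sorted(u for u, total in totals.items() if total >= alarm_threshold)
    return tagged, totals, alarms
```

With the sample log and baseline profiles {"alice": ["10.0.0.5"], "bob": ["10.0.0.9"]}, bob's entries score 1, 2, 5 and 5 (aggregate 13) and trip a threshold of 8, while alice's score 0.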