INTRUSION DETECTION TO PREVENT IMPERSONATION ATTACKS IN COMPUTER NETWORKS
First Claim
1. A data processing method comprising:
a central computer receiving telemetry data from a plurality of intrusion sensors;
the central computer storing authentication records in a hosts database, wherein each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer;
the central computer receiving a suspect record that was sent by a first intrusion sensor and comprising a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender computer;
the central computer determining whether the hosts database contains a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record; and
the central computer generating an intrusion alert when no matching record is found.
Abstract
In an embodiment, a central computer performs a data processing method. The central computer receives telemetry data from intrusion sensors. The central computer stores authentication records in a hosts database. Each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer. The central computer receives a suspect record that was sent by a first intrusion sensor. The suspect record has a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender. From the hosts database, the central computer searches for a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record. The central computer generates an intrusion alert when no matching record is found.
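The abstract describes the central computer's core logic: build a hosts database of (host identifier, certificate thumbprint) pairs from sensor telemetry, then raise an alert for any suspect record whose pair has no exact match. The following is an added illustration written for this page, not code from the patent or its assignee. It assumes SHA-256 over DER bytes as the thumbprint, a constructed `sensor_id|host_id|cert_der_hex` telemetry line format, and constructed host names and certificate stand-ins; the classification of why a lookup missed (known host with a new certificate versus an unknown host) is an addition beyond what the claim requires.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Added example (not the patent's code). It models the hosts database of
# (host identifier, certificate thumbprint) pairs from the abstract and the
# match-or-alert check on a suspect record. The digest used for the
# thumbprint, the telemetry line format and every sample value are assumptions.


def thumbprint(cert_der: bytes) -> str:
    """Thumbprint of a public key certificate: hex SHA-256 over its DER bytes
    (the digest is an assumption; the patent does not fix one)."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass(frozen=True)
class AuthRecord:
    host_id: str      # identifier of the sender computer (e.g. hostname or IP)
    thumbprint: str   # thumbprint of the certificate it presented
    sensor_id: str    # intrusion sensor that reported the telemetry


@dataclass(frozen=True)
class IntrusionAlert:
    sensor_id: str
    host_id: str
    thumbprint: str
    reason: str


class HostsDatabase:
    """Central computer's store of authentication records built from telemetry."""

    def __init__(self) -> None:
        self._thumbprints_by_host: Dict[str, Set[str]] = {}

    def store(self, record: AuthRecord) -> None:
        self._thumbprints_by_host.setdefault(record.host_id, set()).add(record.thumbprint)

    def known_host(self, host_id: str) -> bool:
        return host_id in self._thumbprints_by_host

    def has_matching_record(self, host_id: str, tp: str) -> bool:
        """True when some record has both the same host identifier and the same thumbprint."""
        return tp in self._thumbprints_by_host.get(host_id, set())


def parse_telemetry_line(line: str) -> AuthRecord:
    """Parse a constructed 'sensor_id|host_id|cert_der_hex' telemetry line (assumed format)."""
    sensor_id, host_id, cert_hex = line.strip().split("|")
    return AuthRecord(host_id, thumbprint(bytes.fromhex(cert_hex)), sensor_id)


def check_suspect(db: HostsDatabase, suspect: AuthRecord) -> Optional[IntrusionAlert]:
    """Return an alert when the hosts database holds no matching record, else None."""
    if db.has_matching_record(suspect.host_id, suspect.thumbprint):
        return None
    # Classifying the miss is an addition: the claim only requires an alert on no match.
    reason = ("known host presented an unrecorded certificate"
              if db.known_host(suspect.host_id)
              else "unknown host identifier")
    return IntrusionAlert(suspect.sensor_id, suspect.host_id, suspect.thumbprint, reason)


# Constructed sample data: stand-ins for DER certificates, not real certificates.
CERT_A = b"constructed-cert:fileserver.corp.internal:key-A"
CERT_B = b"constructed-cert:fileserver.corp.internal:key-B"

TELEMETRY = [
    "sensor-1|fileserver.corp.internal|" + CERT_A.hex(),
    "sensor-2|fileserver.corp.internal|" + CERT_A.hex(),
    "sensor-1|mail.corp.internal|" + b"constructed-cert:mail:key-M".hex(),
]


def build_database(lines=TELEMETRY) -> HostsDatabase:
    db = HostsDatabase()
    for line in lines:
        db.store(parse_telemetry_line(line))
    return db


def run_demo():
    """Three suspect records: a legitimate one, a known host with a different
    certificate (the impersonation case), and a host never seen in telemetry."""
    db = build_database()
    legit = check_suspect(db, AuthRecord("fileserver.corp.internal", thumbprint(CERT_A), "sensor-3"))
    impersonation = check_suspect(db, AuthRecord("fileserver.corp.internal", thumbprint(CERT_B), "sensor-3"))
    unknown = check_suspect(db, AuthRecord("rogue.corp.internal", thumbprint(CERT_A), "sensor-3"))
    return legit, impersonation, unknown


if __name__ == "__main__":
    for result in run_demo():
        print("no alert" if result is None else result)
```

The match is deliberately on the pair, not on either field alone: a thumbprint already seen for a different host, or a known host with a never-seen thumbprint, both miss and both alert. In a deployment the database would also need a path for legitimate certificate rotation (a fresh thumbprint recorded through trusted telemetry before clients see it), otherwise every renewal looks like an impersonation.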
20 Claims
1. (Independent claim 1, as set out under First Claim above.) Dependent claims: 2–16.

17. A device comprising:
a hosts database configured to store authentication records, wherein each authentication record is based on telemetry data from a plurality of intrusion sensors and comprises a thumbprint of a public key certificate and a host identifier of a sender computer;
a processor connected to the hosts database and programmed to: receive telemetry data from a plurality of intrusion sensors; receive a suspect record sent by a first intrusion sensor and comprising a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender computer; determine whether the hosts database contains a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record; and generate an intrusion alert when no matching record is found.
Dependent claims: 18.

19. A plurality of non-transitory computer-readable storage media storing instructions which, when executed by a plurality of processors, cause:
receiving telemetry data from a plurality of intrusion sensors;
storing authentication records in a hosts database, wherein each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer;
receiving a suspect record that was sent by a first intrusion sensor and comprising a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender computer;
determining whether the hosts database contains a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record; and
generating an intrusion alert when no matching record is found.
Dependent claims: 20.
Specification