Network surveillance system

US 5,991,881 A
Filed: 11/08/1996
Issued: 11/23/1999
Est. Priority Date: 11/08/1996
Status: Expired due to Term

First Claim

Patent Images

1. A Network Surveillance System, connected into a data network for transmission of selectively addressed data to respective data processors connected into the data network, said data processors having respective addresses corresponding to the selectively addressed data for selective receipt of the data and processing of the data by said respective data processors comprising:

(a) a network observation means connected into said data network for receiving all of said selectively addressed data transmitted by said data network to said respective data processors;

(b) said network observation means including intrusion detection means connected to said network observation means for examining said received data for an attempted intrusion into said network;

(c) said intrusion detection means including means for providing an event indication, in response to said examining means detecting an attempted intrusion;

(d) alert/notification means responsive to said event indication for providing a message alert of said attempted intrusion;

(e) evidence logging means responsive to said event indication for making a record of said attempted intrusion;

(f) incident analyzing and reporting means responsive to said event indication for providing an identifying indication of said attempted intrusion.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This is a system and method for network surveillance and detection of attempted intrusions, or intrusions, into the network and into computers connected to the network. The System functions are: (A) intrusion detection monitoring, (B) real-time alert, (C) logging of potential unauthorized activity, and (D) incident progress analysis and reporting. Upon detection of any attempts to intrude, the System will initiate a log of all activity between the computer elements involved and send an alert to a monitoring console. When a log is initiated, the network continues to be monitored by a primary surveillance system. A secondary monitoring process is started which interrogates the activity log in real-time and sends additional alerts reporting the progress of the suspected intruder.

874 Citations

34 Claims

1. A Network Surveillance System, connected into a data network for transmission of selectively addressed data to respective data processors connected into the data network, said data processors having respective addresses corresponding to the selectively addressed data for selective receipt of the data and processing of the data by said respective data processors comprising:
- (a) a network observation means connected into said data network for receiving all of said selectively addressed data transmitted by said data network to said respective data processors;
  
  (b) said network observation means including intrusion detection means connected to said network observation means for examining said received data for an attempted intrusion into said network;
  
  (c) said intrusion detection means including means for providing an event indication, in response to said examining means detecting an attempted intrusion;
  
  (d) alert/notification means responsive to said event indication for providing a message alert of said attempted intrusion;
  
  (e) evidence logging means responsive to said event indication for making a record of said attempted intrusion;
  
  (f) incident analyzing and reporting means responsive to said event indication for providing an identifying indication of said attempted intrusion.

2. A Network Surveillance System, connected into a data network for transmission of selectively addressed data to respective data processors connected into the data network, said data processors having respective addresses corresponding to the selectively addressed data for selective receipt of the data and processing of the data by said respective data processors comprising:
- (a) intrusion detection means connected into the data network for receiving all of said data transmitted through the network and for examining said received data for an attempted intrusion into said network and, responsive to detecting an attempted intrusion, providing an event indication; and
  
  (b) incident analyzing and reporting means including identifying means responsive to a said event indication, for providing an identifying indication of said attempted intrusion.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 3. The system of claim 2, wherein said intrusion detection means provides an event indication of subsequent attempted intrusions and said identifying means includes means for identifying said subsequent attempted intrusions related to said identifying indication.
  - 4. The network surveillance system of claim 2 wherein said means for providing an identifying indication includes means for identifying a data processor related to said attempted intrusion.
  - 5. The network surveillance system of claim 2 wherein said incident analyzing and reporting means includes logging means responsive to said event indication for making a record of said attempted intrusion and for making a record of said subsequent attempted intrusions.
  - 6. The network surveillance system of claim 3 including logging means responsive to said event indication for logging said subsequent attempted intrusions.
  - 7. The network surveillance system of claim 4 including a logging means responsive to said incident analyzer means for recording data from or to said data processor.
  - 8. The network surveillance system of claim 2 including event logging means for creating a log of said event indication.
  - 9. The network surveillance system of claim 3 including means for providing separate respective event indications for said attempted intrusion and said subsequent attempted intrusions.
  - 10. The network surveillance system of claim 6 wherein said step of logging means includes means for creating a separate log file for recording subsequent attempted intrusions related to said identifying event indication.
  - 11. The network surveillance system of claim 10 wherein said separate log file includes means for recording an indication of the date, time, or data related to said attempted intrusion or respective subsequent attempted intrusions, or an indication of a data processor related to said attempted intrusion or respective subsequent attempted intrusions.

12. In a data processing network system having data processors connected to a network for transmitting or receiving data over said network, a network surveillance system for detecting attempted intrusions into the network or into any of the data processors on the network comprising:
- a. intrusion detection means connected into a data network for receiving all data transmitted through said network to said data processors and providing an event indication of an attempted intrusion from a data processor;
  
  b. incident analyzing and reporting means for receiving said event indication, and for providing an identifying indication of said data processor, andc. means, responsive to said identifying indication for identifying subsequent attempted intrusions by said data processor.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The network surveillance system of claim 12 wherein said intrusion detection means includes means for analyzing said data from said network for specified characteristics and for developing a data base of said specified characteristics of said data.
  - 14. The network surveillance system of claim 13 wherein said intrusion detection means includes means for comparing said data from the network with said data base for and providing said indication of an attempted intrusion in response to said comparison.
  - 15. The system of claim 14 wherein said network surveillance system includes means for establishing a set of normal data in said data base and said means for comparing includes means for comparing said data received from said data network with said normal data in said data base.
  - 16. The system of claim 14 wherein said intrusion detection means including means for providing said event indication in response to said intrusion detection means comparing said data on said network with said set of normal data in said data base.

17. A method for network surveillance of a data network transmitting selectively addressed data to respective data processors connected into the data network and with said data processors having respective addresses corresponding to the selectively addressed data for selective receipt of the data and processing of the data by said respective data processors, comprising the steps of:
- (a) network observation of all of said selectively addressed data transmitted by said data network to said respective data processors;
  
  (b) examination of all of said selectively addressed data for detecting an attempted intrusion into said network and, responsive to an attempted intrusion, producing an event indication of an attempted intrusion into said network;
  
  (c) responsive to said step of providing an event indication, the step of alert/notification for providing a message alert of said attempted intrusion;
  
  (d) responsive to said step of providing an event indication, the step of evidence logging for making a record of said event indication;
  
  (f) responsive to said step of providing an event indication the step of incident analyzing and reporting, for providing an identifying indication of said event.

18. A method for network surveillance of a data network for transmitting selectively addressed data to respective data processors connected into the data network, said data processors having respective addresses corresponding to the selectively addressed data for selective receipt of the data and processing of the data by said respective data processors, comprising the steps of:
- (a) receiving all of said selectively addressed data transmitted by said data network to said respective data processors;
  
  (b) examining said all of said selectively addressed data for an attempted intrusion into said network and, responsive to an attempted intrusion, providing an event indication of an attempted intrusion into said network; and
  
  (c) incident analyzing and reporting said attempted intrusion, responsive to said event indication.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 19. The method of claim 18, wherein said step of intrusion detection includes the step of providing an event indication of subsequent attempted intrusions and said step of providing an identifying indication includes the step of identifying said subsequent attempted intrusions related to said identifying indication.
  - 20. The method of claim 18 wherein said step of providing an identifying indication includes the step of identifying a data processor related to said attempted intrusion.
  - 21. The network surveillance method of claim 18 wherein said steps of incident analyzing and reporting includes the step of logging responsive to said step of event indication for making a record of said event indication and for making a record of said subsequent attempted intrusions related to said identifying indication.
  - 22. The network surveillance method of claim 19 including the step of logging said subsequent attempted intrusions related to said identifying indication.
  - 23. The network surveillance method of claim 20 including the step of logging responsive to said step of incident analyzing and reporting for recording data from or to said data processor related to said attempted intrusion.
  - 24. The network surveillance method of claim 18 including the step of event logging for creating a log of said identifying indications of said events.
  - 25. The network surveillance method of claim 19 including the step of providing separate respective event indications, for said attempted intrusions.
  - 26. The network surveillance method of claim 22 wherein said step of logging includes the step of creating a separate log file for recording said attempted intrusion and said subsequent attempted intrusions.
  - 27. The network surveillance method of claim 26 wherein said step of creating a separate log file includes the step of recording an indication of the date, time, or data related to said attempted intrusion or respective subsequent attempted intrusions, or of a data processor related to said attempted intrusion or said subsequent attempted intrusions.

28. A method for network surveillance of a data network for transmitting selectively addressed data to respective data processors connected into the data network, said data processors having respective addresses corresponding to the selectively addressed data for selective receipt of the data and processing of the data by said respective data processors comprising the steps of:
- (a) receiving all data transmitted through said data network to said data processors connected into said data network;
  
  (b) examining all said data transmitted through said data network for an attempted intrusion;
  
  (c) providing an event indication of said attempted intrusion from a source data processor;
  
  (d) incident analyzing and reporting responsive to a said step of event indication, for providing an identifying indication of said source data processor; and
  
  (e) responsive to said step identifying said source data processor, the step of identifying subsequent attempted intrusions from said source data processor.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The network surveillance method of claim 28 wherein said step of intrusion detection includes the step of analyzing said data from said network for specified characteristics and for developing a data base of said specified characteristics of said data.
  - 30. The network surveillance method of claim 29 wherein said step of intrusion detection includes the step of comparing said data from the network with said data base for and providing said indication of an attempted intrusion.
  - 31. The network surveillance method of claim 30 including the step of establishing a set of normal data in said data base and said step of comparing includes the step of comparing said data received from said data network with said normal data in said data base.
  - 32. The network surveillance system of claim 31 wherein said step of intrusion detection includes the step of providing said event indication in response to said intrusion detection means comparing said data on said network with said set of normal data in said data base.

33. A Network Surveillance System, connected into a data network for transmission of selectively addressed data to respective data processors connected into the data network said data processors having respective addresses corresponding to the selectively addressed data for selective receipt of the data and processing of the data by said respective data processors, comprising:
- (a) intrusion detection means connected into a data network for receiving all data transmitted through said data network to data processors connected to said data network;
  
  (b) said intrusion detection means including means for examining said data for an attempted intrusion and for providing an event indication of said attempted intrusion;
  
  (c) incident analyzing and reporting means including identifying means responsive to a said event indication, for providing an identifying indication of said attempted intrusion;
  
  (d) and wherein said identifying indication is provided without transmitting any data indicative of the identity of said Network Surveillance System, to said data network.

34. A method for network surveillance of a data network for transmitting selectively addressed data to respective data processors connected into the data network, said data processors having respective addresses corresponding to the selectively addressed data for selective receipt of the data and processing of the data by said respective data processors comprising the steps of:
- (a) intrusion detection for examining said received data for an attempted intrusion into said network and, responsive to an attempted intrusion, providing an event indication of an attempted intrusion into said network;
  
  (b) incident analyzing for providing an identifying indication of said event responsive to said step of event indication;
  
  (c) and wherein said step of providing an identifying indication provides said identifying indication without transmitting any identifying data of the Network Surveillance System.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Harris Corporation (L3Harris Technologies, Inc.)
Inventors
Harrison, John Reed, Conklin, David Allen
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
Iqbal, Nadeem

Application Number

US08/744,848
Time in Patent Office

1,110 Days
Field of Search

395/186, 395/187.01, 395/188.01, 395/182.02, 395/183.19, 707/9, 711/163, 711/164, 370/242, 370/252, 370/259, 380/4, 380/49, 714/201, 714/200, 714/202, 714/2, 714/4, 364/286.4, 364/286.5, 382/118, 382/119
US Class Current

726/22
CPC Class Codes

H04L 41/00   Arrangements for maintenanc...

H04L 43/00   Arrangements for monitoring...

H04L 43/06   Generation of reports

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

Network surveillance system

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

874 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Network surveillance system

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

874 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links