System, method and computer program product for automatic response to computer system misuse using active response modules
Abstract
A system, method and computer program product for automatic response to computer system misuse using active response modules (ARMs). ARMs are tools that give static intrusion detection system applications the ability to dynamically increase security levels by allowing real-time responses to detected instances of computer misuse. Several classes of ARMs exist, which allow them to interface with several types of network elements found within a computing environment (e.g., firewalls, web servers, Kerberos servers, certificate authorities, etc.). The ARMs, once defined, are deployed in a “plug and play” manner into an existing intrusion detection system within a computing environment. A user (e.g., a system administrator) may then configure the ARMs by linking them to specific computer misuses. Upon receipt of an instance of the computer misuse from the intrusion detection system, each ARM linked to the misuse collects pertinent data from the intrusion detection system and invokes a response specified by the ARM class and the collected pertinent data.
13 Claims
1. A method for automatically responding to an instance of computer misuse, comprising the steps of:
(1) selecting an active response module (ARM) from a plurality of available ARMs;
(2) linking said ARM to a computer misuse;
(3) invoking said ARM in response to an instance of said computer misuse;
(4) receiving, by said ARM, data pertinent to said instance of said computer misuse; and
(5) performing actions, by said ARM, using said data to thereby respond to said instance of said computer misuse.
Dependent claims 2 and 3 (shown in part):
Firewall ARMs;
Kerberos ARMs;
Certificate Authority ARMs;
Web Server ARMs;
Environmental Security Management ARMs;
Fix-it ARM; and
Standard ARMs.
4. A system for use with an intrusion detection system that allows automatic responses to an instance of computer misuse, comprising:
first means for providing a user with a list of a plurality of ARMs;
second means for allowing said user to configure each of said plurality of ARMs; and
third means for allowing said user to link at least one of said plurality of ARMs to a computer misuse.
Dependent claims 5, 6 and 7 (shown in part):
an arguments component;
an actions component comprising:
a vendor validation component;
a secure execution component; and
a vendor response component; and
an applications program interface component.
6. The system of claim 5, further comprising:
a toolkit to allow said user to build an additional ARM to include in said list of said plurality of ARMs.
7. The system of claim 4, wherein each of said plurality of ARMs belongs to one of the following classes of ARMs:
Firewall ARMs;
Kerberos ARMs;
Certificate Authority ARMs;
Web Server ARMs;
Environmental Security Management ARMs;
Fix-it ARM; and
Standard ARMs.
8. A system, comprising:
a data processing element;
an intrusion detection system;
a plurality of pre-defined ARMs each having means for instructing said data processing element to perform an action in response to a command from said intrusion detection system;
means for activating a subset of said plurality of pre-defined ARMs for a misuse;
wherein said intrusion detection system comprises:
means for detecting said misuse;
means for identifying said subset activated for said misuse; and
means for invoking said subset to thereby respond to said misuse.
Dependent claims 9 and 10 (claim 9 shown in part):
Firewall ARMs;
Kerberos ARMs;
Certificate Authority ARMs;
Web Server ARMs;
Environmental Security Management ARMs;
Fix-it ARM; and
Standard ARMs.
10. The system of claim 8, further comprising:
means for defining an additional ARM, wherein said additional ARM also has means for instructing said data processing element to perform an action in response to a command from said intrusion detection system.
11. A Fix-it active response module (ARM), for use with an intrusion detection system, which allows automatic response to detected instances of computer misuse, comprising:
first means for allowing a user to specify a sensitive directory;
second means for updating a cache by copying data located within said sensitive directory to said cache;
third means for allowing said user to specify the frequency for updating said cache by said second means;
fourth means for allowing said user to toggle one or more of the following fix-it options:
(i) Restore;
(ii) Save_Bad; and
(iii) Delete_Corrupt;
fifth means, responsive to said Restore fix-it option, for copying said data from said cache to said sensitive directory based on an instance of detected misuse by the intrusion detection system;
sixth means, responsive to said Save_Bad fix-it option, for copying a corrupted version of said data from said sensitive directory based on said instance of detected misuse by the intrusion detection system; and
seventh means, responsive to said Delete_Corrupt fix-it option, for deleting said corrupted version of said data from said sensitive directory based on said instance of detected misuse by the intrusion detection system.
12. A computer program product comprising a computer usable medium having computer readable program code means embodied in said medium for causing an application program to execute on a computer that provides a fix-it active response module (ARM), for use with an intrusion detection system, which allows automatic response to detected instances of file related computer misuse, said computer readable program code means comprising:
a first computer readable program code means for causing the computer to allow a user to specify a sensitive directory;
a second computer readable program code means for causing the computer to update a cache by copying data located within said sensitive directory to said cache;
a third computer readable program code means for causing the computer to allow a user to specify the frequency for updating said cache by said second means;
a fourth computer readable program code means for causing the computer to allow said user to toggle one or more of the following fix-it options:
(i) Restore;
(ii) Save_Bad; and
(iii) Delete_Corrupt;
a fifth computer readable program code means for causing the computer to respond to said Restore fix-it option and copy said data from said cache to said sensitive directory based on an instance of detected misuse by the intrusion detection system;
a sixth computer readable program code means for causing the computer to respond to said Save_Bad fix-it option and copy a corrupted version of said data from said sensitive directory based on said instance of detected misuse by the intrusion detection system; and
a seventh computer readable program code means for causing the computer to respond to said Delete_Corrupt fix-it option and delete said corrupted version of said data from said sensitive directory based on said instance of detected misuse by the intrusion detection system.
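The following is an added illustration, not code from the patent or from any vendor's product, of the two mechanisms the claims describe: a registry that links ARMs to a named misuse and invokes the linked subset with the data the intrusion detection system supplies (claims 1, 4 and 8), and a Fix-it ARM that caches a sensitive directory and applies the Restore, Save_Bad and Delete_Corrupt options when a detection names a changed file (claims 11 and 12). The event format (`{"file": ...}`), the quarantine directory for saved bad copies, the misuse name and the option ordering are assumptions made for the example; the cache refresh interval is recorded but scheduling it is left to the caller.

```python
"""Added example of the ARM registry and Fix-it ARM described in the claims.
Not the patent's code; event format, directory layout and misuse name are assumed."""
import hashlib
import shutil
import tempfile
from pathlib import Path


class ArmRegistry:
    """Links ARMs to misuse names and invokes the linked subset with the IDS event data."""

    def __init__(self):
        self._links = {}  # misuse name -> list of ARM objects linked to it

    def link(self, misuse, arm):
        self._links.setdefault(misuse, []).append(arm)

    def invoke(self, misuse, event):
        """Return the names of all actions performed by every ARM linked to this misuse."""
        actions = []
        for arm in self._links.get(misuse, []):
            actions.extend(arm.respond(event))
        return actions


class FixItArm:
    """Caches a sensitive directory and repairs files an IDS event reports as changed.

    options: a set drawn from {"Restore", "Save_Bad", "Delete_Corrupt"}.
    refresh_seconds: the user-specified cache update frequency (scheduling is the caller's job).
    """

    def __init__(self, sensitive_dir, cache_dir, quarantine_dir, options, refresh_seconds=300):
        self.sensitive_dir = Path(sensitive_dir)
        self.cache_dir = Path(cache_dir)
        self.quarantine_dir = Path(quarantine_dir)  # assumed location for Save_Bad copies
        self.options = set(options)
        self.refresh_seconds = refresh_seconds

    def update_cache(self):
        """Copy every regular file under the sensitive directory into the cache."""
        for src in self.sensitive_dir.rglob("*"):
            if src.is_file():
                dst = self.cache_dir / src.relative_to(self.sensitive_dir)
                dst.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(src, dst)

    def respond(self, event):
        """event: {"file": "<path relative to the sensitive dir>"}; returns the actions taken."""
        rel = Path(event["file"])
        live = self.sensitive_dir / rel
        cached = self.cache_dir / rel
        actions = []
        # Save_Bad runs first so the corrupted version survives a later delete or restore.
        if "Save_Bad" in self.options and live.exists():
            saved = self.quarantine_dir / rel
            saved.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(live, saved)
            actions.append("Save_Bad")
        if "Delete_Corrupt" in self.options and live.exists():
            live.unlink()
            actions.append("Delete_Corrupt")
        # Restore runs last so the directory ends in the known-good state.
        if "Restore" in self.options and cached.exists():
            live.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(cached, live)
            actions.append("Restore")
        return actions


def _sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def demo():
    """Constructed scenario: a web root is cached, one file is tampered with, the IDS fires."""
    root = Path(tempfile.mkdtemp())
    site, cache, quarantine = root / "htdocs", root / "cache", root / "quarantine"
    site.mkdir()
    (site / "index.html").write_text("<h1>welcome</h1>\n")
    good_digest = _sha256(site / "index.html")

    arm = FixItArm(site, cache, quarantine, {"Restore", "Save_Bad"})
    arm.update_cache()

    # Constructed tampering, followed by a constructed IDS event naming the changed file.
    (site / "index.html").write_text("<h1>tampered</h1>\n")
    registry = ArmRegistry()
    registry.link("web_page_modified", arm)  # assumed misuse name
    actions = registry.invoke("web_page_modified", {"file": "index.html"})

    restored_ok = _sha256(site / "index.html") == good_digest
    saved_bad = (quarantine / "index.html").read_text() == "<h1>tampered</h1>\n"
    shutil.rmtree(root)
    return actions, restored_ok, saved_bad


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(["Save_Bad", "Restore"], True, True)`: the tampered copy is preserved in the quarantine directory and the live file matches the cached original again. The ordering of the three options matters in practice; saving the bad copy before deleting or overwriting it keeps forensic evidence, and a cache refreshed after the tampering would simply re-cache the bad file, which is why the refresh frequency the claims let the user set is a security parameter rather than a convenience.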
13. A computer program product comprising a computer usable medium having computer readable program code means embodied in said medium for causing an application program to execute on a computer that provides a system for use with an intrusion detection system that allows automatic responses to an instance of computer misuse, said computer readable program code means comprising:
a first computer readable program code means for causing the computer to provide a user with a list of a plurality of ARMs;
a second computer readable program code means for causing the computer to allow said user to configure each of said plurality of ARMs; and
a third computer readable program code means for causing the computer to allow said user to link at least one of said plurality of ARMs to a computer misuse.