Dynamic system defense for information warfare
Abstract
Disclosed is a method and apparatus which includes a security computer system capable of deploying and monitoring software agents on one or more nodes of a network of computers. The agents on each node include a framework agent and either a misdirection mission or a defensive mission. Upon an intrusion detection mission sending information to the security computer system indicative of an actual or suspected misuse or intrusion, the security computer system can automatically take countermeasures against the suspected or actual intrusion or misuse. Automatic countermeasures include using a defensive countermeasure to increase an auditing level conducted by the intrusion detection mission. A misdirection countermeasure mission is used to misdirect requests of the suspected or actual intruder or misuser. An offensive countermeasure is used to send a chase mission to the suspected or actual intruder. The offensive chase mission can either be automatically dispatched or dispatched with human intervention. The computer system includes a monitor for monitoring by a human system administrator.
21 Claims
1. A method for computer network use, comprising:
receiving audit information from an audited computer on a network, at a security computer;
wherein the audit information includes an alert that an unauthorized operation has occurred at the audited computer; and
initiating an automatic countermeasure, from the security computer, against the unauthorized operation at the audited computer wherefrom the audit information was received;
wherein said initiating a countermeasure step includes the step of sending a transferable self-contained set of executable code instructions for implementing the countermeasure from the security computer to the computer on which the determined unauthorized operation occurred.
4. A method for computer network use, comprising:
receiving audit information from an audited computer on a network, at a security computer;
wherein the audit information includes an alert that an unauthorized operation has occurred at the audited computer; and
initiating an automatic countermeasure, from the security computer, against the unauthorized operation at the audited computer wherefrom the audit information was received;
wherein said initiating a countermeasure step includes deploying a transferable self-contained set of executable code instructions at the computer on which a determined unauthorized operation occurred for misdirecting further unauthorized operation to a dummy database on the computer.
8. A method for computer network use, comprising:
receiving audit information from an audited computer on a network, at a security computer;
wherein the audit information includes an alert that an unauthorized operation has occurred at the audited computer; and
initiating an automatic countermeasure, from the security computer, against the unauthorized operation at the audited computer wherefrom the audit information was received;
wherein the unauthorized operation is initiated by a computer outside the network; and
wherein said initiating a countermeasure step includes deploying a transferable self-contained set of executable code instructions for implementing the countermeasure at the computer of the intruder.
9. A method for computer network use, comprising:
instantiating defensive and offensive agents at each of one or more computers;
receiving audit information from an audited computer on a network, at a security computer;
wherein the audit information includes an alert that an unauthorized operation has occurred at the audited computer; and
initiating an automatic countermeasure, from the security computer, against the unauthorized operation at the audited computer wherefrom the audit information was received.
12. A method for computer network use, comprising:
receiving information, at a security computer, that an unauthorized operation has occurred at a computer or the network; and
taking a countermeasure, from the security computer, against the intrusion including dispatching a transferable self-contained set of executable instructions to the identified audited computer, and automatically executing the set of executable instructions on the identified audited computer to implement the countermeasure.
13. A computer network comprising:
a security computer including one or more software modules for deploying, controlling and monitoring agents on one or more computers of the computer network;
each of said one or more computers on the computer network including a security operative which includes:
at least one offensive mission for taking countermeasures against an unauthorized operation, and a misdirection mission for misdirecting further unauthorized operations.
19. A security system comprising:
a processor;
a network interface coupling computers on a computer network; and
a memory coupled to said processor storing executable code for taking countermeasures, the memory having stored therein sequences of instructions, which, when executed by said processor, cause said processor to perform the steps of:
receiving information that an unauthorized operation has occurred on a computer on the network;
taking countermeasures against the unauthorized operation including dispatching a transferable self-contained set of executable instructions to the determined computer; and
executing the set of executable instructions on the determined audited computer to implement the countermeasure.
20. A computer readable medium having agents stored thereon, the agents comprising:
at least one defensive agent for monitoring for unauthorized operations on a computer within a computer network and reporting back to a security computer;
at least one misdirection agent for misdirecting requests by an actual or suspected intruder or misuser to a location in a monitored computer where the actual or suspected intruder obtains false information; and
at least one offensive agent for taking countermeasures against an actual or suspected intruder to prevent or suppress further intrusion by the actual or suspected intruder.
automatically initiating countermeasures against an unauthorized operation at the monitored computer.