Firewall system and method via feedback from broad-scope monitoring for intrusion detection

DC CAFC

US 6,715,084 B2
Filed: 03/26/2002
Issued: 03/30/2004
Est. Priority Date: 03/26/2002
Status: Expired due to Term

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method of alerting at least one device in a networked computer system comprising a plurality of devices to an anomaly, at least one of the plurality of devices having a firewall, comprising:

detecting an anomaly in the networked computer system using network-based intrusion detection techniques comprising analyzing data entering into a plurality of hosts, servers, and computer sites in the networked computer system;

determining which of the plurality of devices are anticipated to be affected by the anomaly by using pattern correlations across the plurality of hosts, servers, and computer sites; and

alerting the devices that are anticipated to be affected by the anomaly.

View all claims

7 Assignments

Timeline View

Assignment View

Litigations

4 Petitions

Accused Products

Abstract

A broad-scope intrusion detection system analyzes traffic coming into multiple hosts or other customers'"'"' computers or sites. This provides additional data for analysis as compared to systems that just analyze the traffic coming into one customer'"'"'s site. Additional detection schemes can be used to recognize patterns that would otherwise be difficult or impossible to recognize with just a single customer detector. Standard signature detection methods can be used. Additionally, new signatures can be used based on broad-scope analysis goals. An anomaly is detected in the computer system, and then it is determined which devices or devices are anticipated to be affected by the anomaly in the future. These anticipated devices are then alerted to the potential for the future anomaly. The anomaly can be an intrusion or an intrusion attempt or reconnaissance activity.

135 Citations

33 Claims

1. A method of alerting at least one device in a networked computer system comprising a plurality of devices to an anomaly, at least one of the plurality of devices having a firewall, comprising:
- detecting an anomaly in the networked computer system using network-based intrusion detection techniques comprising analyzing data entering into a plurality of hosts, servers, and computer sites in the networked computer system;
  
  determining which of the plurality of devices are anticipated to be affected by the anomaly by using pattern correlations across the plurality of hosts, servers, and computer sites; and
  
  alerting the devices that are anticipated to be affected by the anomaly.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
3. The method of claim 1, further comprising adjusting the firewall of each of the devices that is anticipated to be affected by the anomaly responsive to the detection of the anomaly.
4. The method of claim 1, wherein the anomaly comprises one of an intrusion and an intrusion attempt.
5. The method of claim 1, wherein detecting the anomaly comprises analyzing a plurality of data packets with respect to predetermined patterns.
6. The method of claim 5, wherein analyzing the data packets comprises analyzing data packets that have been received at at least two of the plurality of devices.
7. The method of claim 1, wherein detecting the anomaly comprises recognition of an intrusion and further comprising generating an automated response to the intrusion.
8. The method of claim 1, further comprising adjusting anomaly detection sensitivity and alarm thresholds based on the detected anomaly.

9. A method of alerting a device in a networked computer system comprising a plurality of devices to an anomaly, comprising:
- detecting an anomaly at a first device in the computer system using network-based intrusion detection technicques comprising analyzing data entering into a plurality of hosts, servers, and computer sites in the networked computer system;
  
  determining a device that is anticipated to be affected by the anomaly by using pattern correlations across the plurality of hosts, servers, and computer sites; and
  
  alerting the device that is anticipated to be affected by the anomaly.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The method of claim 9, wherein the plurality of devices are polled in a predetermined sequential order, the first device being polled prior to detecting the anomaly, and the device anticipated to be affected by the anomaly is a device that has not been polled.
  - 11. The method of claim 9, further comprising transmitting an anomaly warning from the first device to a central analysis engine, responsive to detecting the anomaly at the first device, the anomaly warning comprising a unique device identifier.
  - 12. The method of claim 9, wherein the anomaly comprises one of an intrusion and an intrusion attempt.
  - 13. The method of claim 9, wherein detecting the anomaly comprises analyzing a plurality of data packets with respect to predetermined patterns.
  - 14. The method of claim 13, wherein analyzing the data packets comprises analyzing data packets that have been received at at least two of the plurality of devices including the first device.
  - 15. The method of claim 9, wherein alerting the device comprises alerting a firewall associated with the device that the anomaly has been detected.
  - 16. The method of claim 9, wherein alerting the device comprises generating and transmitting an electronic notification to one of the device and an administrator of the device.
  - 17. The method of claim 9, further comprising controlling the device that is anticipated to be affected by the anomaly.
  - 18. The method of claim 9, further comprising adjusting anomaly detection sensitivity and alarm thresholds based on the detected anomaly.

19. An intrusion detection and alerting system for a computer network comprising:
- a plurality of devices coupled to the computer network, each device adapted to at least one of;
  
  (1) sense data and provide the data to a data collection and processing center, and (2) be adjustable; and
  
  the data collection and processing center comprising a computer with a firewall coupled to the computer network, the data collection and processing center monitoring data communicated to at least a portion of the plurality of devices coupled to the network, detecting an anomaly in the network using network-based intrusion detection techniques comprising analyzing data entering into a plurality of hosts, servers, and computer sites in the networked computer system, determining which of the devices are anticipated to be affected by the anomaly by using pattern correlations across the plurality of hosts, servers, and computer sites, and alerting the devices.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The system of claim 19, wherein the data collection and processing center further determines which of the devices have been affected by the anomaly and alerts the devices.
  - 21. The system of claim 19, wherein at least one of the plurality of devices comprises a firewall, and the data collection and processing center further adjusts the firewall of each of the devices that is anticipated to be affected by the anomaly responsive to the detection of the anomaly.
  - 22. The system of claim 19, wherein the anomaly comprises one of an intrusion, an intrusion attempt, and reconnaissance activity.
  - 23. The system of claim 19, wherein the data collection and processing center detects the anomaly by analyzing a plurality of data packets with respect to predetermined patterns.
  - 24. The system of claim 23, wherein the data collection and processing center analyzes data packets that have been received by at least two of the plurality of devices.
  - 25. The system of claim 19, wherein the data collection and processing center adjusts anomaly detection sensitivity and alarm thresholds based on the detected anomaly.

26. A data collection and processing center comprising a computer with a firewall coupled to a computer network, the data collection and processing center monitoring data communicated to the network, and detecting an anomaly in the network using network-based intrusion detection techniques comprising analyzing data entering into a plurality of hosts, servers, and computer sites in the networked computer system.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33)
- - 27. The data collection and processing center of claim 26, further comprising determining which of a plurality of devices that are connected to the network are anticipated to be affected by the anomaly by using pattern correlations across the plurality of hosts, servers, and computer sites, and alerting the devices.
  - 28. The data collection and processing center of claim 26, wherein the data collection and processing center further determines which of a plurality of devices that are connected to the network have been affected by the anomaly and alerts the devices.
  - 29. The data collection and processing center of claim 26, wherein the data collection and processing center further adjusts a firewall of each of a plurality of devices that is connected to the network that is anticipated to be affected by the anomaly responsive to the detection of the anomaly.
  - 30. The data collection and processing of claim 26, wherein the anomaly comprises one of an intrusion, an intrusion attempt, and reconnaissance activity.
  - 31. The data collection and processing of claim 26, wherein the data collection and processing center detects the anomaly by analyzing a plurality of data packets with respect to predetermined patterns.
  - 32. The data collection and processing of claim 31, wherein the data collection and processing center analyzes data packets that have been received by at least two devices that are connected to the network.
  - 33. The data collection and processing of claim 26, wherein the data collection and processing center adjusts anomaly detection sensitivity and alarm thresholds based on the detected anomaly.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Intellectual Ventures II LLC (Intellectual Ventures LLC)
Original Assignee
Bellsouth Intellectual Property Corporation (AT&T, Inc.)
Inventors
Aaron, Jeffrey A., Anschutz, Thomas
Primary Examiner(s)
HUA, LY

Application Number

US10/108,078
Publication Number

US 20030188191A1
Time in Patent Office

735 Days
Field of Search

713/200, 713/201
US Class Current

726/23
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/14   for detecting or protecting...

H04L 63/1441   Countermeasures against mal...

Firewall system and method via feedback from broad-scope monitoring for intrusion detection

First Claim

7 Assignments

Litigations

4 Petitions

Accused Products

Abstract

135 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall system and method via feedback from broad-scope monitoring for intrusion detection

First Claim

7 Assignments

Subscription Required

Subscription Required

Litigations

4 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

135 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links