Multilayered intrusion detection system and method
First Claim
1. An intrusion detection method comprising:
maintaining at least one registry indicating at least one host node capable of performing intrusion detection services, the registry operable to distinguish the host node from any other host node;
monitoring activity on a network;
comparing at least one characteristic of the monitored activity with the registry;
determining based on the comparison whether the monitored activity has the characteristic in common with any of the host nodes in the registry; and
dismissing the monitored activity having at least one characteristic in common with at least one host node in the registry.
1 Assignment
0 Petitions
Abstract
A multilayered intrusion detection system and method are disclosed. The method includes monitoring activity on a network and maintaining a registry of each host node address associated with a host node operable to perform host-based intrusion detection services. The method further includes comparing a destination address of the monitored network activity with at least one host node address in the registry. If an address of the network activity matches an address of a registered host node, the network activity is dismissed and allowed to proceed unencumbered to the registered host node. The network activity not destined for a registered host node has intrusion detection services performed on it. The network activity dismissed to the host node has intrusion detection services performed on it at the receiving host node.
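The dispatch logic the abstract describes, as an added worked example (this is not code from the patent or its assignee; the `Registry`, `Packet` and `dispatch` names, the `host-ids` service label and every address and packet below are constructed for illustration). Host agents register their node's address, the network sensor compares each packet's destination with the registry, traffic to a registered host that performs host-based IDS is "dismissed" (passed through untouched for that host to inspect), and everything else is kept for network-based inspection. It also covers the case the dependent claims imply, an agent updating the services a host offers, so that traffic to a host whose HIDS has gone away falls back to the network path:

```python
"""Registry-driven split between network-based and host-based IDS.

Added illustration of the method described in the abstract; not code from
the patent. Addresses, service names and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, List, Set

HIDS = "host-ids"  # assumed label a host agent advertises for its HIDS service


@dataclass
class HostEntry:
    address: str        # unique key: distinguishes this node from any other
    services: Set[str]  # services the node's agent has advertised


class Registry:
    """Registry of host nodes able to perform host-based intrusion detection."""

    def __init__(self) -> None:
        self._entries: Dict[str, HostEntry] = {}

    def register(self, address: str, services: Iterable[str]) -> None:
        # Called by the host's agent. Normalising through ip_address() rejects
        # junk and makes "2001:0DB8:0:0:0:0:0:1" and "2001:db8::1" the same
        # key, so one node cannot be registered twice under two spellings.
        key = str(ip_address(address))
        self._entries[key] = HostEntry(key, set(services))

    def update_services(self, address: str, services: Iterable[str]) -> None:
        # Agent reports a change in the services available on the host.
        key = str(ip_address(address))
        if key not in self._entries:
            raise KeyError(f"{key} is not registered")
        self._entries[key].services = set(services)

    def deregister(self, address: str) -> None:
        self._entries.pop(str(ip_address(address)), None)

    def performs_hids(self, address: str) -> bool:
        try:
            entry = self._entries.get(str(ip_address(address)))
        except ValueError:  # unparsable destination: never treat as registered
            return False
        return entry is not None and HIDS in entry.services


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def dispatch(packet: Packet, registry: Registry) -> str:
    """Compare the destination address with the registry.

    "dismiss": destination is a registered node performing host-based IDS, so
    the packet passes untouched and that host inspects it.
    "inspect": the network-based IDS must inspect it.
    """
    return "dismiss" if registry.performs_hids(packet.dst) else "inspect"


def process(packets: Iterable[Packet], registry: Registry) -> Dict[str, List[Packet]]:
    """Partition a packet stream into the two inspection paths."""
    out: Dict[str, List[Packet]] = {"dismiss": [], "inspect": []}
    for pkt in packets:
        out[dispatch(pkt, registry)].append(pkt)
    return out


def build_registry() -> Registry:
    """Two hosts running HIDS agents and one registered without HIDS (constructed)."""
    reg = Registry()
    reg.register("10.0.0.5", {HIDS})
    reg.register("10.0.0.6", {HIDS})
    reg.register("10.0.0.7", set())  # registered, but advertises no HIDS
    return reg


# Constructed traffic, not a real capture.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "10.0.0.5", 22, b"SSH-2.0-OpenSSH"),
    Packet("192.0.2.10", "10.0.0.7", 80, b"GET / HTTP/1.1"),
    Packet("192.0.2.11", "10.0.0.9", 445, b"\xffSMB"),
    Packet("192.0.2.12", "10.0.0.6", 443, b"\x16\x03\x01"),
    Packet("192.0.2.13", "not-an-address", 0, b""),
]


def demo() -> Dict[str, int]:
    reg = build_registry()
    before = process(SAMPLE_PACKETS, reg)
    # The 10.0.0.6 agent later reports its HIDS is unavailable; traffic to it
    # must fall back to network-based inspection.
    reg.update_services("10.0.0.6", set())
    after = process(SAMPLE_PACKETS, reg)
    return {
        "dismissed_before": len(before["dismiss"]),
        "inspected_before": len(before["inspect"]),
        "dismissed_after": len(after["dismiss"]),
        "inspected_after": len(after["inspect"]),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count}")
```

Two points worth noting when reading this against the claims. First, the comparison is on the destination address only, so traffic from a registered host to an unregistered one still takes the network-inspection path, as the abstract states. Second, the registry is where the decision about which traffic the network sensor never examines is made, so the agent-to-registry registration path (claim 14) is the part of the design that needs to be trustworthy; the example only shows the comparison step and does not implement that.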
549 Citations
23 Claims
-
1. An intrusion detection method comprising:
-
maintaining at least one registry indicating at least one host node capable of performing intrusion detection services, the registry operable to distinguish the host node from any other host node;
monitoring activity on a network;
comparing at least one characteristic of the monitored activity with the registry;
determining based on the comparison whether the monitored activity has the characteristic in common with any of the host nodes in the registry; and
dismissing the monitored activity having at least one characteristic in common with at least one host node in the registry. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. An intrusion detection method comprising:
-
monitoring activity on a network;
maintaining a registry of each host node address associated with a host node operable to perform host-based intrusion detection services, each host node address operable to distinguish the host node from another host node;
comparing a destination address of the network activity with at least one host node address in the registry;
determining based on the comparison whether the monitored activity has the destination address in common with any of the host node addresses;
dismissing the network activity having a destination address in common with at least one host node address in the registry to the host node;
performing intrusion detection services on the network activity not dismissed to a registered host node; and
performing intrusion detection services on the dismissed network activity using the host-based intrusion detection service operable on the host node receiving the dismissed network activity. - View Dependent Claims (10, 11, 12)
-
-
13. A computer system for use as an intrusion detection system comprising:
-
at least one processor;
at least one computer readable medium communicatively coupled to the processor;
a registry stored on the computer readable medium, the registry operable to maintain entries indicative of at least one host node operable to perform intrusion detection services, the registry further operable to distinguish the host node from another host node; and
wherein the computer system is operable to compare a characteristic of network activity to the registry, to determine whether the network activity has the characteristic in common with any of the host nodes in the registry based on the comparison, and to dismiss network activity having a destination address indicative of at least one entry in the registry. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
-
14. The system of claim 13 further comprising:
-
at least one host node communicatively coupled to the computer system including at least one processor;
at least one computer readable medium communicatively coupled to the processor;
at least one agent stored on the computer readable medium, operable to register the host node with the registry; and
wherein the at least one host node is operable to perform intrusion detection services.
-
-
15. The system of claim 14 wherein the at least one agent is further operable to update services available to the host node.
-
16. The system of claim 13 wherein the computer system is further operable to monitor network activity.
-
17. The system of claim 13 wherein the computer system is further operable to compare a destination address of the network activity with at least one entry in the registry.
-
18. The system of claim 13 wherein the computer system is further operable to perform network-based intrusion detection services.
-
19. The system of claim 13 wherein the computer system further includes:
at least one sensor; and
at least one director.
-
20. The system of claim 19 wherein the computer system further includes at least one post office operable to enable communication between at least the sensor and the director.
-
21. An intrusion detection system comprising:
-
at least one host node;
at least one network node communicatively coupled to the host node including at least one processor;
at least one computer readable medium communicatively coupled to the processor;
a registry stored on the computer readable medium, the registry operable to maintain entries indicative of at least one host node operable to perform intrusion detection services, the registry further operable to distinguish the host node from another host node; and
wherein the network node is operable to compare a destination address of network activity to the registry, to determine whether the network activity has the destination address in common with any of the entries in the registry based on the comparison, and to dismiss network activity having a destination address indicative of at least one entry in the registry.
-
-
22. An apparatus comprising:
-
a computer readable medium comprising at least one program operable, when executed on a processor, to:
maintain at least one registry indicating at least one host node capable of performing intrusion detection services, the registry operable to distinguish the host node from any other host node;
compare at least one characteristic of monitored network activity to at least one characteristic of the registry;
determine based on the comparison whether the monitored activity has the characteristic in common with any of the host nodes in the registry; and
dismiss monitored network activity having at least one characteristic in common with at least one characteristic of the registry.
-
-
23. A computer system for use as an intrusion detection system comprising:
-
a means for processing data;
a means for storing data, the means for storing data communicatively coupled to the means for processing data;
a means for maintaining entries indicative of at least one host node operable to perform intrusion detection services, the means for maintaining entries stored in the means for storing data, the entries operable to distinguish the host node from any other host node;
a means for determining based on the comparison whether the monitored activity has the characteristic in common with any of the host nodes in the registry; and
a means for dismissing network activity having a destination address indicative of at least one entry in the means for maintaining entries.
-
Specification