Multilayered intrusion detection system and method

US 6,775,657 B1
Filed: 12/22/1999
Issued: 08/10/2004
Est. Priority Date: 12/22/1999
Status: Expired due to Term

First Claim

Patent Images

1. An intrusion detection method comprising:

maintaining at least one registry indicating at least one host node capable of performing intrusion detection services, the registry operable to distinguish the host node from any other host node;

monitoring activity on a network;

comparing at least one characteristic of the monitored activity with the registry;

determining based on the comparison whether the monitored activity has the characteristic in common with any of the host nodes in the registry; and

dismissing the monitored activity having at least one characteristic in common with at least one host node in the registry.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A multilayered intrusion detection system and method are disclosed. The method includes monitoring activity on a network and maintaining a registry of each host node address associated with a host node operable to perform host-based intrusion detection services. The method further includes comparing a destination address of the monitored network activity with at least one host node address in the registry. If an address of the network activity matches an address of a registered host node, the network activity is dismissed and allowed to proceed unencumbered to the registered host node. The network activity not destined for a registered host node has intrusion detection services performed on it. The network activity dismissed to the host node has intrusion detection services performed on it at the receiving host node.

549 Citations

23 Claims

1. An intrusion detection method comprising:
- maintaining at least one registry indicating at least one host node capable of performing intrusion detection services, the registry operable to distinguish the host node from any other host node;
  
  monitoring activity on a network;
  
  comparing at least one characteristic of the monitored activity with the registry;
  
  determining based on the comparison whether the monitored activity has the characteristic in common with any of the host nodes in the registry; and
  
  dismissing the monitored activity having at least one characteristic in common with at least one host node in the registry.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising comparing at least one destination address of the monitored activity with the registry of host nodes.
  - 3. The method of claim 1 further comprising maintaining an agent on the host node configured to register the host node in the registry.
  - 4. The method of claim 3 further comprising enabling the agent to update services available to the host node.
  - 5. The method of claim 1 further comprising performing intrusion detection services on the dismissed monitored activity received by a host node.
  - 6. The method of claim 1 further comprising performing intrusion detection services on monitored activity not dismissed.
  - 7. The method of claim 6 wherein the intrusion detection services are performed by a network intrusion detection system.
  - 8. The method of claim 1 further comprising monitoring network activity on a tunneling network.

9. An intrusion detection method comprising:
- monitoring activity on a network;
  
  maintaining a registry of each host node address associated with a host node operable to perform host-based intrusion detection services, the each host node address operable to distinguish the host node from another host node;
  
  comparing a destination address of the network activity with at least one host node address in the registry;
  
  determining based on the comparison whether the monitored activity has the destination address in common with any of the host node addresses;
  
  dismissing the network activity having a destination address in common with at least one host node address in the registry to the host node;
  
  performing intrusion detection services on the network activity not dismissed to a registered host node; and
  
  performing intrusion detection services on the dismissed network activity using the host-based intrusion detection service operable on the host node receiving the dismissed network activity.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9 further comprising maintaining at least one agent, by each host node indicated in the registry, operable to perform host node registration.
  - 11. The method of claim 10 further comprising enabling the agent to update characteristics associated with the host node.
  - 12. The method of claim 9 further comprising performing network-based intrusion detection services on the network activity not dismissed to a registered host node.

13. A computer system for use as an intrusion detection system comprising:
- at least one processor;
  
  at least one computer readable medium communicatively coupled to the processor;
  
  a registry stored on the computer readable medium, the registry operable to maintain entries indicative of at least one host node operable to perform intrusion detection services, the registry further operable to distinguish the host node from another host node; and
  
  wherein the computer system is operable to compare a characteristic of network activity to the registry, to determine whether the network activity has the characteristic in common with any of the host nodes in the registry based on the comparison, and to dismiss network activity having a destination address indicative of at least one entry in the registry.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The system of claim 13 further comprising:
15. The system of claim 14 wherein the at least one agent is further operable to update services available to the host node.
16. The system of claim 13 wherein the computer system is further operable to monitor network activity.
17. The system of claim 13 wherein the computer system is further operable to compare a destination address of the network activity with at least one entry in the registry.
18. The system of claim 13 wherein the computer system is further operable to perform network-based intrusion detection services.
19. The system of claim 13 wherein the computer system is further includes:
- at least one sensor; and
  
  at least one director.
20. The system of claim 19 wherein the computer system further includes at least one post office operable to enable communication between at least the sensor and the director.

21. An intrusion detection system comprising:
- at least one host node;
  
  at least one network node communicatively coupled to the host node including at least one processor;
  
  at least one computer readable medium communicatively coupled to the processor;
  
  a registry stored on the computer readable medium, the registry operable to maintain entries indicative of at least one host node operable to perform intrusion detection services, the registry further operable to distinguish the host node from another host node; and
  
  wherein the network node is operable to compare a destination address of network activity to the registry, to determine whether the network activity has the destination address in common with any of the entries in the registry based on the comparison, and to dismiss network activity having a destination address indicative of at least one entry in the registry.

22. An apparatus comprising:
- a computer readable medium comprising at least one program operable, when executed on a processor, to;
  
  maintain at least one registry indicating at least one host node capable of performing intrusion detection services, the registry operable to distinguish the host node from any other host node;
  
  compare at least one characteristic of monitored network activity to at least one characteristic of the registry;
  
  determine based on the comparison whether the monitored activity has the characteristic in common with any of the host nodes in the registry; and
  
  dismiss monitored network activity having at least one characteristic in common with at least one characteristic of the registry.

23. A computer system for use as an intrusion detection system comprising:
- a means for processing data;
  
  a means for storing data, the means for storing data communicatively coupled to the means for processing data;
  
  a means for maintaining entries indicative of at least one host node operable to perform intrusion detection services, the means for maintaining entries stored in the means for storing data, the entries operable to distinguish the host node from any other host node;
  
  a means for determining based on the comparison whether the monitored activity has the characteristic in common with any of the host nodes in the registry; and
  
  a means for dismissing network activity having a destination address indicative of at least one entry in the means for maintaining entries.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Baker, Stephen M.
Primary Examiner(s)
Starks, Jr., Wilbert L.
Assistant Examiner(s)
Booker, Kelvin

Application Number

US09/471,508
Time in Patent Office

1,693 Days
Field of Search

706/46, 706/45, 706/50, 713/200, 713/201, 709/224, 709/225, 709/227, 709/238, 709/249
US Class Current

706/45
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Multilayered intrusion detection system and method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

549 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Multilayered intrusion detection system and method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

549 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links