
Method and apparatus for providing a policy-driven intrusion detection system

  • US 6,789,202 B1
  • Filed: 10/15/1999
  • Issued: 09/07/2004
  • Est. Priority Date: 10/15/1999
  • Status: Expired due to Term
First Claim

1. A method for providing policy-driven intrusion detection in a networked computer system, comprising:

  • receiving a global policy for intrusion detection for the networked computer system, the global policy specifying at least one rule in the form of a global security condition for the networked computer system and a global response to be performed in response to the global security condition;

  • wherein the global policy is received from a network security coordinator;

  • wherein the global response can specify different local responses for each of the plurality of local analyzers;

  • compiling the global policy into a plurality of local policies for a plurality of local regions of the networked computer system, wherein each local policy specifies at least one rule in the form of a local security condition for an associated local region and a local response to be performed in response to the local security condition, wherein the local response can specify one of, terminating an intruding process, and denying an intrusive operation;

  • wherein the local response can specify different responses for each of the plurality of local sensors;

  • communicating the plurality of local policies to the plurality of local analyzers that control security for the plurality of local regions, wherein the local analyzers perform an action based on the at least one rule, in accordance with one of the local policies;

  • compiling a local policy at a local analyzer into a plurality of specifiers for a plurality of local sensors in a local region associated with the local analyzer;

  • communicating the plurality of specifiers to a plurality of local computer systems in the local region;

  • allowing the plurality of local computer systems to implement the plurality of local sensors specified by the plurality of specifiers;

  • wherein each specifier for each local sensor specifies at least one security condition and at least one security response;

  • receiving security information specifying the local security condition at the local analyzer from at least one local sensor;

  • sending information specifying the local security condition to a global analyzer, the global analyzer facilitating enforcement of the global policy;

  • receiving security information at a global analyzer from at least one local analyzer, the security information specifying the global security condition;

  • using the global policy to determine the global response to the global security condition; and

  • sending information specifying the global response from the global analyzer to at least one local analyzer;

  • wherein the global analyzer and the local analyzers each include a communication interface, a policy compiler, an analysis module, a decision module coupled to the analysis module, an attack model coupled to the analysis module, and a description language builder coupled to the policy compiler;

  • the communication interface including a graphical user interface that facilitates communication;

  • the policy compiler compiling intrusion detection policies into lower-level intrusion detection policies;

  • the description language builder converting the lower-level intrusion detection policies into a description in a platform-independent description language that is used for;

  • specifying a security state for the networked computer system including a normal state, an emergency state, and a recovery state, indicating whether a critical sensor has been attacked, and specifying parameters including a number of password tries that is allowed in a specific time interval;

  • the analysis module gathering and correlating information reported by the sensors and the local analyzers to infer occurrences of large-scale attacks;

  • the decision module receiving results generated by the analysis module and carrying out an appropriate response including tuning the local analyzers and the sensors;

  • the sensors each including a communication interface, a description language module, a design module, a data storage module coupled to the description module, and a security device coupled to the description language module and the design module;

  • the description language module of the sensors each adapted for;

  • receiving sensor descriptions, parsing the sensor descriptions, and translating the sensor descriptions into a specific attack signature representation.
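The claim describes a three-level hierarchy: a global policy is compiled into one local policy per region (the global response may name a different local response per region), each local policy is compiled into per-sensor specifiers carrying a condition, a response and parameters such as the number of password tries allowed in an interval, and security information then flows back up from sensors through local analyzers to a global analyzer, which correlates reports from several regions, moves the system from the normal to the emergency state, and sends a global response down that tunes the sensors. The following Python model is an added example written for this page; it is not code from the patent or its assignee. The region names, host names, the "tighten" response, the escalation threshold of two regions and the sliding-window password-guessing rule are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, replace

# Hypothetical model of the claimed hierarchy (not the patent's own code):
# global policy -> local policy per region -> specifier per sensor;
# security information flows sensor -> local analyzer -> global analyzer,
# and responses flow back down.


@dataclass(frozen=True)
class Rule:
    condition: str   # named security condition, e.g. "password_guessing"
    response: str    # response performed when the condition is detected
    max_tries: int   # password tries allowed ...
    interval: float  # ... within this many seconds (sliding window)


@dataclass(frozen=True)
class GlobalPolicy:
    rules: tuple
    local_overrides: dict          # (condition, region) -> region-specific local response
    escalate_after_regions: int = 2  # regions reporting a condition before escalation


def compile_global_to_local(policy, regions):
    """One local policy (tuple of Rules) per region, applying per-region overrides."""
    return {region: tuple(
        replace(r, response=policy.local_overrides.get((r.condition, region), r.response))
        for r in policy.rules) for region in regions}


def compile_local_to_specifiers(local_rules, hosts):
    """One specifier set per host sensor: condition, response and parameters."""
    return {host: tuple(local_rules) for host in hosts}


class Sensor:
    def __init__(self, host, specifiers):
        self.host, self.specifiers = host, specifiers
        self.tries = defaultdict(deque)  # condition -> timestamps of failed tries

    def retune(self, specifiers):
        self.specifiers = specifiers  # a global response tuning the sensor

    def observe_failed_login(self, ts):
        """Return (condition, response) pairs whose threshold this event exceeds."""
        fired = []
        for spec in self.specifiers:
            q = self.tries[spec.condition]
            q.append(ts)
            while ts - q[0] > spec.interval:  # drop tries outside the window
                q.popleft()
            if len(q) > spec.max_tries:
                fired.append((spec.condition, spec.response))
        return fired


class LocalAnalyzer:
    def __init__(self, region, local_rules, hosts, global_analyzer):
        self.region, self.rules, self.upstream = region, local_rules, global_analyzer
        specs = compile_local_to_specifiers(local_rules, hosts)
        self.sensors = {h: Sensor(h, specs[h]) for h in hosts}
        self.actions = []  # (host, local response) actually carried out

    def failed_login(self, host, ts):
        for condition, response in self.sensors[host].observe_failed_login(ts):
            self.actions.append((host, response))         # local response
            self.upstream.report(self.region, condition)  # inform the global analyzer

    def apply_global_response(self, condition):
        # tune the sensors: allow fewer tries for the escalated condition
        self.rules = tuple(replace(r, max_tries=max(1, r.max_tries // 3))
                           if r.condition == condition else r for r in self.rules)
        specs = compile_local_to_specifiers(self.rules, self.sensors)
        for host, sensor in self.sensors.items():
            sensor.retune(specs[host])


class GlobalAnalyzer:
    def __init__(self, policy, regions):
        self.policy, self.state = policy, "normal"  # normal / emergency / recovery
        self.local_policies = compile_global_to_local(policy, regions)
        self.analyzers, self.global_responses = [], []
        self.reports = defaultdict(set)  # condition -> regions that reported it

    def report(self, region, condition):
        self.reports[condition].add(region)
        # correlate: the same condition from several regions -> large-scale attack
        if self.state == "normal" and len(self.reports[condition]) >= self.policy.escalate_after_regions:
            self.state = "emergency"
            self.global_responses.append(("tighten", condition))
            for analyzer in self.analyzers:
                analyzer.apply_global_response(condition)


def run_scenario():
    """Constructed scenario: password guessing observed in two regions."""
    policy = GlobalPolicy(
        rules=(Rule("password_guessing", "deny_operation", max_tries=3, interval=60.0),),
        local_overrides={("password_guessing", "dmz"): "terminate_process"})
    ga = GlobalAnalyzer(policy, ["dmz", "corp"])
    dmz = LocalAnalyzer("dmz", ga.local_policies["dmz"], ["web1"], ga)
    corp = LocalAnalyzer("corp", ga.local_policies["corp"], ["fs1"], ga)
    ga.analyzers = [dmz, corp]
    for ts in (0, 10, 20, 30):       # 4 tries in 30 s on web1 -> exceeds 3
        dmz.failed_login("web1", ts)
    for ts in (100, 110, 120, 130):  # same pattern in a second region -> escalate
        corp.failed_login("fs1", ts)
    for ts in (200, 205):            # after tightening, 2 tries already exceed 1
        dmz.failed_login("web1", ts)
    return {"state": ga.state, "global_responses": ga.global_responses,
            "actions": {"dmz": dmz.actions, "corp": corp.actions},
            "local_policies": ga.local_policies}


if __name__ == "__main__":
    print(run_scenario())
```

The point to notice is that the same global rule lands on the two regions with different local responses (terminate in the DMZ, deny in the corporate region) purely through the compile step, and that a single region's report never changes the global state on its own; only the correlation across regions does, after which the tuned specifiers make every sensor fire sooner.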
