Method and apparatus for an intruder detection reporting and response system
Abstract
A method and apparatus are disclosed for improving the security of computer networks by providing a means operating passively on the network for detecting, reporting and responding to intruders. The system comprises a plurality of intruder sensor client computers and associated event correlation engines. Resident in the memory of the client computer and operating in the background is a Tactical Internet Device Protection (TIDP) component consisting of a passive intruder detector and a security Management Information Base (MIB). The passive intruder detector component of the TIDP passively monitors operations performed on the client computer and emits a Simple Network Management Protocol (SNMP) trap to an event correlation engine when it identifies a suspected intruder. The event correlation engine, through the use of a behavior model loaded in its memory, determines whether the user's activities are innocent or those of a prospective intruder. When the event correlation engine is unable to classify a user based on a single trap message, it can request historical information from the security MIB, a database of the operating history of the client computer including a chronology of the illegal operations performed on the client. Once the event correlation engine determines that an intruder is located at an associated client workstation, it generates a status message and transmits the message to all of its subscribers, informing them of the presence and location of a suspected intruder.
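The correlation loop the abstract describes, written out as an added Python sketch (not the patent's own code): a trap carries the four claimed fields, the engine classifies it against a behavior model, falls back to the security MIB's per-client history when a single trap is inconclusive, and broadcasts a status change to every subscriber once an intruder is located. The parameter names, thresholds and history window are assumed values, not taken from the patent.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trap:
    """The fields the claims name: client id, time stamp, parameter OID and its value."""
    client_id: str
    timestamp: int
    oid: str
    value: int


class SecurityMIB:
    """Per-client chronology of flagged operations (the security MIB of the abstract)."""
    def __init__(self):
        self._history = defaultdict(list)

    def record(self, trap):
        self._history[trap.client_id].append(trap)

    def flagged_since(self, client_id, since):
        return [t for t in self._history[client_id] if t.timestamp >= since]


class EventCorrelationEngine:
    # Assumed behavior model: (clear, alarm) thresholds per parameter. The OID
    # strings are constructed placeholders, not entries of the patent's MIB.
    MODEL = {"tidp.failedLogins": (1, 5), "tidp.privilegedFileOps": (0, 3)}
    WINDOW = 300   # seconds of MIB history consulted when one trap is inconclusive
    REPEATS = 3    # flagged operations within WINDOW that confirm an intruder

    def __init__(self, mib):
        self.mib = mib
        self.subscribers = []   # clients that receive status changes
        self.sent = []          # (subscriber, status) pairs, kept for inspection

    def subscribe(self, client_id):
        self.subscribers.append(client_id)

    def classify(self, trap):
        """'intruder' or 'innocent'; ambiguous single traps are resolved from MIB history."""
        self.mib.record(trap)
        clear, alarm = self.MODEL.get(trap.oid, (0, 1))   # unknown parameter: any value alarms
        if trap.value >= alarm:
            return "intruder"
        if trap.value <= clear:
            return "innocent"
        recent = self.mib.flagged_since(trap.client_id, trap.timestamp - self.WINDOW)
        return "intruder" if len(recent) >= self.REPEATS else "innocent"

    def receive_trap(self, trap):
        verdict = self.classify(trap)
        if verdict == "intruder":   # status change tells every subscriber where the intruder is
            status = {"event": "intruder-located", "client": trap.client_id, "at": trap.timestamp}
            self.sent.extend((sub, status) for sub in self.subscribers)
        return verdict
```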
45 Claims
1. A method in an intruder detector system having a plurality of clients and an event correlation engine, the method comprising the steps of:
receiving a trap message by the event correlation engine, said trap message indicating that a suspected intruder is accessing a first client and including client identifier information, a time stamp, and an object identifier specifying a transmitted parameter and a data portion including a value of the parameter; and
transmitting a status change from said event correlation engine, said status change informing a second client of the location of said suspected intruder.
Dependent claims: 2, 3, 4, 5, 6

7. A method for passively detecting and reporting the presence of an intruder on a computer network comprising an event correlation engine and an intruder sensor operating on a client, said method comprising the steps of:
monitoring a plurality of operations on the client by the intruder sensor;
determining whether at least one of said plurality of operations indicates that a suspected intruder is accessing the client; and
transmitting a trap message to an event correlation engine, said trap message indicating that said suspected intruder is accessing the client and including client identifier information, a time stamp, and an object identifier specifying a transmitted parameter and a data portion including a value of the parameter.
Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15

16. A method for passively detecting and reporting the presence of an intruder on a computer network comprising an event correlation engine and a plurality of client computers with intruder sensors, said method comprising the steps of:
monitoring a plurality of operations on at least one of said plurality of client computers;
determining whether at least one of said plurality of operations indicates that a suspected intruder is accessing at least one of said plurality of client computers;
transmitting a trap message by the intruder sensor to an event correlation engine, said trap message indicating the presence of said suspected intruder on the client computer and including client identifier information, a time stamp, and an object identifier specifying a transmitted parameter and a data portion including a value of the parameter;
receiving the trap message by the event correlation engine;
determining whether said suspected intruder is accessing the client computer; and
if said suspected intruder is detected, transmitting a status change from said event correlation engine to said plurality of client computers, said status change informing said plurality of clients of the location of said suspected intruder.
Dependent claims: 17, 18

19. A distributed system for passively detecting and reporting the presence of an intruder, comprising:
an event correlation engine with a plurality of associated client computers;
an associated server computer; and
an intruder sensor operating in the background on said client computers that monitors a plurality of operations and transmitting a trap message to the associated server computer whenever said plurality of operations indicates the presence of a suspected intruder on the client, wherein said trap message includes client identifier information, a time stamp, and an object identifier specifying a transmitted parameter and a data portion including a value of the parameter, said server computer including a component for transmitting a status change to said plurality of client computers for informing said plurality of clients of the location of said suspected intruder.
Dependent claims: 20

21. A system for passively detecting and reporting the presence of an intruder on a computer network containing an event correlation engine and a plurality of client computers with intruder sensors, the system comprising:
means for monitoring a plurality of operations on at least one of said plurality of client computers;
means for determining whether at least one of said plurality of operations indicates that an intruder is accessing at least one of said plurality of client computers;
means for transmitting a trap message by the intruder sensor to an event correlation engine, said trap message indicating the presence of a suspected intruder on the client computer and including client identifier information, a time stamp, and an object identifier specifying a transmitted parameter and a data portion including a value of the parameter;
means for receiving the trap message by the event correlation engine;
means for determining that an intruder is accessing the client computer; and
means for transmitting a status change from said event correlation engine to said plurality of client computers, said status change informing said plurality of clients of the location of said intruder.

22. An intruder sensor software system for detecting and reporting the presence of an intruder on a computer network comprising a plurality of interconnected clients and servers, said software system comprising:
an event correlation engine operating on at least one of said servers;
a Tactical Internet Device Protection (TIDP) component operating on a client computer, said TIDP component passively monitoring operations on said client computer and transmitting a trap message to said event correlation engine in the event that an intruder is suspected on the client, wherein said trap message includes client identifier information, a time stamp, and an object identifier specifying a transmitted parameter and a data portion including a value of the parameter.
Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30

31. A method in a passive intruder detector system having a plurality of clients and an event correlation engine, the method comprising the steps of:
receiving a trap message by the event correlation engine, said trap message indicating that a suspected intruder is accessing a first client and including client identifier information, a time stamp, and an object identifier specifying a transmitted parameter and a data portion including a value of the parameter; and
transmitting a status change from said event correlation engine, said status change informing a second client of the location of said suspected intruder.
Dependent claims: 32, 33, 34, 35, 36

37. A method for passively detecting and reporting the presence of an intruder on a computer network comprising an event correlation engine and an intruder sensor operating on a client, said method comprising the steps of:
monitoring a plurality of operations on the client by the intruder sensor;
determining whether at least one of said plurality of operations indicates that a suspected intruder is accessing the client; and
transmitting a trap message to an event correlation engine, said trap message indicating that said suspected intruder is accessing the client and including client identifier information, a time stamp, and an object identifier specifying a transmitted parameter and a data portion including a value of the parameter.
Dependent claims: 38, 39, 40, 41, 42, 43, 44, 45