Method and apparatus for an intruder detection reporting and response system

US 6,910,135 B1
Filed: 07/07/1999
Issued: 06/21/2005
Est. Priority Date: 07/07/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method in an intruder detector system having a plurality of clients and an event correlation engine, the method comprising the steps of:

receiving a trap message by the event correlation engine, said trap message indicating that a suspected intruder is accessing a first client and including client identifier information, a time stamp, and an object identifier specifying a transmitted parameter and a data portion including a value of the parameter; and

transmitting a status change from said event correlation engine, said status change informing a second client of the location of said suspected intruder.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus is disclosed for improving the security of computer networks by providing a means operating passively on the network for detecting, reporting and responding to intruders. The system is comprised of a plurality of intruder sensor client computers and associated event correlation engines. Resident in the memory of the client computer and operating in the background is a Tactical Internet Device Protection (TIDP) component consisting of a passive intruder detector and a security Management Information Base (MIB). The passive intruder detector component of the TIDP passively monitors operations performed on the client computer and emits a Simple Network Management Protocol (SNMP) trap to an event correlation engine when it identifies a suspected intruder. The event correlation engine, through the use of a behavior model loaded in its memory, determines whether the user'"'"'s activities are innocent or those of a perspective intruder. When the event correlation engine is unable to classify a user based on a single trap message, it can request historical information from the security MIB, a database of the operating history of the client computer including a chronology of the illegal operations performed on the client. Once the event correlation engine determines that an intruder is located at an associated client workstation, it generates a status message and transmits the message to all of its subscribers, informing them of the presence and location of a suspected intruder.

Citations

45 Claims

1. A method in an intruder detector system having a plurality of clients and an event correlation engine, the method comprising the steps of:
- receiving a trap message by the event correlation engine, said trap message indicating that a suspected intruder is accessing a first client and including client identifier information, a time stamp, and an object identifier specifying a transmitted parameter and a data portion including a value of the parameter; and
  
  transmitting a status change from said event correlation engine, said status change informing a second client of the location of said suspected intruder.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, said step of receiving a trap message further comprising the step of extracting the source of the trap message from said trap message.
  - 3. The method of claim 1, said step of receiving a trap message by said event correlation engine further comprising the step of confirming that an operation performed on the first client is indicative of an intruder.
  - 4. The method of claim 3, said confirming step further comprising the steps of:
    - accessing a behavior model database stored on said event correlation engine;
      
      comparing said trap message to at least one of a plurality of behavior model rules stored in said behavior model database; and
      
      declaring that an operation performed on the first client is indicative of an intruder operating on the client when said trap message exceeds a threshold level in said at least one of a plurality of behavior model rules.
  - 5. The method of claim 4, said declaring step further comprising the steps of:
    - determining whether said trap message is at least a second identical occurrence of said trap message; and
      
      concluding that an operation is indicative of an intruder operating on the client when said trap message is at least a second identical occurrence.
  - 6. The method of claim 4, said confirming step further comprising the steps of:
    - transmitting a request for additional information from said event correlation engine to the first client;
      
      retrieving information from a security Management Information Base (MIB) stored on the first client; and
      
      transmitting a response from the first client to said event correlation engine.

7. A method for passively detecting and reporting the presence of an intruder on a computer network comprising an event correlation engine and an intruder sensor operating on a client, said method comprising the steps of:
- monitoring a plurality of operations on the client by the intruder sensor;
  
  determining whether at least one of said plurality of operations indicates that a suspected intruder is accessing the client; and
  
  transmitting a trap message to an event correlation engine, said trap message indicating that said suspected intruder is accessing the client and including client identifier information, a time stamp, and an object identifier specifying a transmitted parameter and a data portion including a value of the parameter.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The method of claim 7, said monitoring step further comprising the step of detecting unsuccessful logon attempts to the client.
  - 9. The method of claim 8, said determining step further comprising the step of assessing the presence of an intruder when a number of detected unsuccessful logon attempts exceeds a threshold value.
  - 10. The method of claim 7, said monitoring step further comprising the step of detecting attempted user accesses to protected memory locations.
  - 11. The method of claim 10, said determining step further comprising the step of assessing the presence of an intruder when a number of detected attempted user accesses to protected memory locations exceeds a threshold value.
  - 12. The method of claim 7, said monitoring step further comprising the step of detecting attempted user accesses to restricted applications.
  - 13. The method of claim 12, said determining step further comprising the step of assessing the presence of an intruder when said detected attempted user accesses to protected memory exceeds a threshold value.
  - 14. The method of claim 7, said transmitting step further comprising the step of transmitting said trap message over a wireless network.
  - 15. The method of claim 7, said monitoring step is performed in the background.

16. A method for passively detecting and reporting the presence of an intruder on a computer network comprising an event correlation engine and a plurality of client computers with intruder sensors, said method comprising the steps of:
- monitoring a plurality of operations on at least one of said plurality of client computers;
  
  determining whether at least one of said plurality of operations indicates that a suspected intruder is accessing at least one of said plurality of client computers;
  
  transmitting a trap message by the intruder sensor to an event correlation engine, said trap message indicating the presence of said suspected intruder on the client computer and including client identifier information, a time stamp, and an object identifier specifying a transmitted parameter and a data portion including a value of the parameter;
  
  receiving the trap message by the event correlation engine;
  
  determining whether said suspected intruder is accessing the client computer; and
  
  if said suspected intruder is detected, transmitting a status change from said event correlation engine to said plurality of client computers, said status change informing said plurality of clients of the location of said suspected intruder.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16 wherein said status change is not transmitted to the suspected intruder.
  - 18. The method of claim 17, said step of transmitting a status change is comprised of the step of transmitting the status change over a wired and a wireless computer network.

19. A distributed system for passively detecting and reporting the presence of an intruder, comprising:
- an event correlation engine with a plurality of associated client computers;
  
  an associated server computer; and
  
  an intruder sensor operating in the background on said client computers that monitors a plurality of operations and transmitting a trap message to the associated server computer whenever said plurality of operations indicates the presence of a suspected intruder on the client, wherein said trap message includes client identifier information, a time stamp, and an object identifier specifying a transmitted parameter and a data portion including a value of the parameter, said server computer including a component for transmitting a status change to said plurality of client computers for informing said plurality of clients of the location of said suspected intruder.
- View Dependent Claims (20)
- - 20. The distributed system of claim 19 wherein said status change is not transmitted to the suspected intruder.

21. A system for passively detecting and reporting the presence of an intruder on a computer network containing an event correlation engine and a plurality of client computers with intruder sensors, the system comprising:
- means for monitoring a plurality of operations on at least one of said plurality of client computers;
  
  means for determining whether at least one of said plurality of operations indicates that an intruder is accessing at least one of said plurality of client computers;
  
  means for transmitting a trap message by the intruder sensor to an event correlation engine, said trap message indicating the presence of a suspected intruder on the client computer and including client identifier information, a time stamp, and an object identifier specifying a transmitted parameter and a data portion including a value of the parameter;
  
  means for receiving the trap message by the event correlation engine;
  
  means for determining that an intruder is accessing the client computer; and
  
  means for transmitting a status change from said event correlation engine to said plurality of client computers, said status change informing said plurality of clients of the location of said intruder.

22. An intruder sensor software system for detecting and reporting the presence of an intruder on a computer network comprising a plurality of interconnected clients and servers, said software system comprising:
- an event correlation engine operating on at least one of said servers;
  
  a Tactical Internet Device Protection (TIDP) component operating on a client computer, said TIDP component passively monitoring operations on said client computer and transmitting a trap message to said event correlation engine in the event that an intruder is suspected on the client, wherein said trap message includes client identifier information, a time stamp, and an object identifier specifying a transmitted parameter and a data portion including a value of the parameter.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. An intruder sensor software system according to claim 22, said event correlation engine further comprises a behavior model database for confirming the presence of an intruder on said client computer.
  - 24. An intruder sensor software system according to claim 23, said behavior model database further comprises a plurality of rules for determining the presence of an intruder.
  - 25. An intruder sensor software system according to claim 22, said event correlation engine further comprises a means for transmitting a request for additional information to said TIDP component.
  - 26. An intruder sensor software system according to claim 22, said event correlation engine further comprises a Wide Area Information Distribution component for transmitting a status change to said plurality of clients and servers.
  - 27. An intruder sensor software system according to claim 22, said TIDP component further comprises a security MIB for storing additional information that fully describes the operating history of a client computer.
  - 28. An intruder sensor software system according to claim 22, said trap message further comprises an object identifier and a data portion.
  - 29. An intruder sensor software system according to claim 22, said trap message is a SNMP trap message.
  - 30. An intruder sensor software system according to claim 22 wherein each of said clients and servers are comprised of a CORBA interface.

31. A method in a passive intruder detector system having a plurality of clients and an event correlation engine, the method comprising the steps of:
- receiving a trap message by the event correlation engine, said trap message indicating that a suspected intruder is accessing a first client and including client identifier information, a time stamp, and an object identifier specifying a transmitted parameter and a data portion including a value of the parameter; and
  
  transmitting a status change from said event correlation engine, said status change informing a second client of the location of said suspected intruder.
- View Dependent Claims (32, 33, 34, 35, 36)
- - 32. The method of claim 31, said step of receiving a trap message further comprising the step of extracting the source of the trap message from said trap message.
  - 33. The method of claim 31, said step of receiving a trap message by said event correlation engine further comprising the step of confirming that an operation performed on the first client is indicative of an intruder.
  - 34. The method of claim 33, said confirming step further comprising the steps of:
    - accessing a behavior model database stored on said event correlation engine;
      
      comparing said trap message to at least one of a plurality of behavior model rules stored in said behavior model database; and
      
      declaring that an operation performed on the first client is indicative of an intruder operating on the client when said trap message exceeds a threshold level in said at least one of a plurality of behavior model rules.
  - 35. The method of claim 33, said confirming step further comprising the steps of:
    - determining whether said trap message is at least a second identical occurrence of said trap message; and
      
      declaring that an operation is indicative of an intruder operating on the client when said trap message is at least a second identical occurrence.
  - 36. The method of claim 33, said confirming step further comprising the steps of:
    - transmitting a request for additional information from said event correlation engine to the first client;
      
      retrieving information from a security Management Information Base (MIB) stored on the first client; and
      
      transmitting a response from the first client to said event correlation engine.

37. A method for passively detecting and reporting the presence of an intruder on a computer network comprising an event correlation engine and an intruder sensor operating on a client, said method comprising the steps of:
- monitoring a plurality of operations on the client by the intruder sensor;
  
  determining whether at least one of said plurality of operations indicates that a suspected intruder is accessing the client; and
  
  transmitting a trap message to an event correlation engine, said trap message indicating that said suspected intruder is accessing the client and including client identifier information, a time stamp, and an object identifier specifying a transmitted parameter and a data portion including a value of the parameter.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45)
- - 38. The method of claim 37, said monitoring step further comprising the step of detecting unsuccessful logon attempts to the client.
  - 39. The method of claim 38, said determining step further comprising the step of assessing the presence of an intruder when a number of detected unsuccessful logon attempts exceeds a threshold value.
  - 40. The method of claim 37, said monitoring step further comprising the step ofdetecting attempted user accesses to protected memory locations.
  - 41. The method of claim 40, said determining step further comprising the step of assessing the presence of an intruder when a number of detected attempted user accesses to protected memory locations exceeds a threshold value.
  - 42. The method of claim 37, said monitoring step further comprising the step of detecting attempted user accesses to restricted applications.
  - 43. The method of claim 42, said determining step further comprising the step of assessing the presence of an intruder when said detected attempted user accesses to protected memory exceeds a threshold value.
  - 44. The method of claim 37, said transmitting step further comprising the step of transmitting said trap message over a wireless network.
  - 45. The method of claim 37, said monitoring step is performed in the background.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Level 3 Communications LLC (Lumen Technologies, Inc.), Raytheon BBN Technologies Corp. (Rtx Corporation), Verizon Corporate Services Group Incorporated (Verizon Communications Inc.)
Original Assignee
Genuity Inc. (Lumen Technologies, Inc.), BBNT Solutions LLC (Rtx Corporation), Verizon Corporate Services Group Incorporated (Verizon Communications Inc.)
Inventors
Grainger, Steven Phillip
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Arani, Taghi T.

Application Number

US09/348,377
Time in Patent Office

2,176 Days
Field of Search

713/200, 713/201, 709/223, 709/224, 709/202
US Class Current

726/23
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/552   involving long-term monitor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Method and apparatus for an intruder detection reporting and response system

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for an intruder detection reporting and response system

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links