Dynamic intrusion detection for computer systems
First Claim
1. A method of operating an intrusion detection system, the method comprising the steps of:
- taking a base action in response to detecting an intrusion;
updating an action counter in response to taking the base action;
comparing the value of the action counter to an action threshold;
updating an action variable when the value of the action counter meets the action threshold;
checking a validity condition for satisfaction dependent upon the action variable; and
invoking a provision associated with the validity condition when the validity condition is satisfied.
5 Assignments
0 Petitions
Accused Products
Abstract
An intrusion detection system monitors for signature events, which are part of base intrusion sets that include signature event counters, signature thresholds, and base actions. Associated with each base intrusion set is an action set including an action counter, an action threshold, and an action variable. The associated action counter is updated when the base action of the base intrusion set is invoked responsive to the count of associated signature events meeting the associated signature threshold. The action counter is compared with an action threshold. If the action counter meets the threshold, the associated action variable is updated. The action variable is then passed to an analysis engine comprising a set of rules, which analyses the action variable either in isolation or together with other action variables associated with other base intrusion sets. According to the analysis, an element of a base intrusion set or an action set may be changed.
-
Citations
22 Claims
-
1. A method of operating an intrusion detection system, the method comprising the steps of:
-
taking a base action in response to detecting an intrusion;
updating an action counter in response to taking the base action;
comparing the value of the action counter to an action threshold;
updating an action variable when the value of the action counter meets the action threshold;
checking a validity condition for satisfaction dependent upon the action variable; and
invoking a provision associated with the validity condition when the validity condition is satisfied. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A method of operating an intrusion detection system, the method comprising the steps of;
-
taking a base action in response to detecting an intrusion;
updating an action counter in response to taking the base action;
comparing the value of the action counter to an action threshold;
updating an action variable when the value of the action counter meets the action threshold;
checking a validity condition for satisfaction dependent upon the action variable; and
invoking a provision associated with the validity condition when the validity condition is satisfied, wherein the provision changes an element of a base intrusion set, and wherein the element of the base intrusion set is selected form the group consisting of a signature event, a signature event counter, a signature threshold, a base action, and a weight.
-
-
12. A method of operating an intrusion detection system, the method comprising the steps of:
-
detecting a signature event;
updating a signature event counter responsive to detecting the signature event;
comparing the value of the signature event counter to a signature threshold;
updating an action counter when the value of the signature event counter meets the signature threshold;
comparing the value of the action counter to an action threshold;
updating an action variable when the value of the action counter meets the action threshold;
checking a validity condition for satisfaction dependent upon the action variable; and
invoking a provision associated with the validity condition when the validity condition is satisfied. - View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
-
Specification