Dynamic intrusion detection for computer systems

US 6,928,549 B2
Filed: 07/09/2001
Issued: 08/09/2005
Est. Priority Date: 07/09/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method of operating an intrusion detection system, the method comprising the steps of:

taking a base action in response to detecting an intrusion;

updating an action counter in response to taking the base action;

comparing the value of the action counter to an action threshold;

updating an action variable when the value of the action counter meets the action threshold;

checking a validity condition for satisfaction dependent upon the action variable; and

invoking a provision associated with the validity condition when the validity condition is satisfied.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion detection system monitors for signature events, which are part of base intrusion sets that include signature event counters, signature thresholds, and base actions. Associated with each base intrusion set is an action set including an action counter, an action threshold, and an action variable. The associated action counter is updated when the base action of the base intrusion set is invoked responsive to the count of associated signature events meeting the associated signature threshold. The action counter is compared with an action threshold. If the action counter meets the threshold, the associated action variable is updated. The action variable is then passed to an analysis engine comprising a set of rules, which analyses the action variable either in isolation or together with other action variables associated with other base intrusion sets. According to the analysis, an element of a base intrusion set or an action set may be changed.

Citations

22 Claims

1. A method of operating an intrusion detection system, the method comprising the steps of:
- taking a base action in response to detecting an intrusion;
  
  updating an action counter in response to taking the base action;
  
  comparing the value of the action counter to an action threshold;
  
  updating an action variable when the value of the action counter meets the action threshold;
  
  checking a validity condition for satisfaction dependent upon the action variable; and
  
  invoking a provision associated with the validity condition when the validity condition is satisfied.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the provision changes an element of a base intrusion set.
  - 3. The method of claim 1, wherein the provision changes an element of an action set.
  - 4. The method of claim 3, wherein the element of the action set is an action counter.
  - 5. The method of claim 3, wherein the element of the action set is an action threshold.
  - 6. The method of claim 3, wherein the element of the action set is an action variable.
  - 7. The method of claim 1, wherein the action variable is selected from the group consisting of a binary variable, an integer variable, a floating point variable, a fuzzy logical variable, and a M-ary variable.
  - 8. The method of claim 1, wherein the validity condition includes a mathematical expression or a logical expression.
  - 9. The method of claim 1, wherein said checking step comprises checking the validity condition for satisfaction dependent upon the section variable and upon at least one other action variable.
  - 10. The method of claim 1, further comprising a plurality of rules, wherein a rule of the plurality of rules comprises the validity condition.

11. A method of operating an intrusion detection system, the method comprising the steps of;
- taking a base action in response to detecting an intrusion;
  
  updating an action counter in response to taking the base action;
  
  comparing the value of the action counter to an action threshold;
  
  updating an action variable when the value of the action counter meets the action threshold;
  
  checking a validity condition for satisfaction dependent upon the action variable; and
  
  invoking a provision associated with the validity condition when the validity condition is satisfied, wherein the provision changes an element of a base intrusion set, and wherein the element of the base intrusion set is selected form the group consisting of a signature event, a signature event counter, a signature threshold, a base action, and a weight.

12. A method of operating an intrusion detection system, the method comprising the steps of:
- detecting a signature event;
  
  updating a signature event counter responsive to detecting the signature event;
  
  comparing the value of the signature event counter to a signature threshold;
  
  updating an action counter when the value of the signature event counter meets the signature threshold;
  
  comparing the value of the action counter to an action threshold;
  
  updating an action variable when the value of the action counter meets the action threshold;
  
  checking a validity condition for satisfaction dependent upon the action variable; and
  
  invoking a provision associated with the validity condition when the validity condition is satisfied.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein the provision changes an element of a base intrusion set.
  - 14. The method of claim 13, wherein the element of the base intrusion set is a signature event.
  - 15. The method of claim 13, wherein the element of the base intrusion set is a signature event counter.
  - 16. The method of claim 13, wherein the element of the base intrusion set is a signature threshold.
  - 17. The method of claim 13, wherein the element of the base intrusion set is a base action.
  - 18. The method of claim 13, wherein the element of the base intrusion set is a weight.
  - 19. The method of claim 13, wherein the provision changes an element of an action set.
  - 20. The method of claim 19, wherein the element of the action set is an action counter.
  - 21. The method of claim 19, wherein the element of the action set is an action threshold.
  - 22. The method of claim 19, wherein the element of the action set is an action variable.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Taasera Licensing LLC (Quest Patent Research Corporation)
Original Assignee
International Business Machines Corporation
Inventors
Lingafelt, Charles Steven, Kim, Nathaniel Wook, Brock, Ashley Anderson
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/901,443
Publication Number

US 20030009693A1
Time in Patent Office

1,492 Days
Field of Search

713/194, 713/189, 713/182, 713/200, 713/201
US Class Current

713/194
CPC Class Codes

G06F 21/554 involving event detection a...

Dynamic intrusion detection for computer systems

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic intrusion detection for computer systems

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links