Modular system for detecting, filtering and providing notice about attack events associated with network security
First Claim
1. A computer-readable medium having computer-executable instructions for performing intrusion detection of a computer network having at least one host computer coupled thereto, said computer-readable medium being loadable on the at least one host computer, said computer-readable medium comprising:
an array of event processing means wherein each one of said event processing means runs concurrently without impeding each other's performance, said array of event processing means monitoring resources on the at least one host computer or monitoring activity forwarded to the at least one host computer via the computer network and generating event data corresponding to said monitoring;
an event filter engine for filtering all event data from said array of event processing means, said event filter engine either altering the contents of the event data to form filtered event data or discarding the event data, said event filter engine altering the contents of the event data by altering an event data name based on a source network address related to said event data, said event filter engine comprising a plurality of configured modules and wherein said event filter engine passes all event data through said configured modules serially; and
an event alerting engine for generating alerts based on said filtered event data or forwarding said filtered event data to a destination, and wherein said event alerting engine comprises a second plurality of configured modules and wherein each of said second plurality of configured modules receives all of said filtered event data.
13 Assignments
0 Petitions
Abstract
A host-based intrusion detection system (HIDS) sensor that monitors system logs in real time for evidence of malicious or suspicious application activity and monitors key system files for evidence of tampering. The sensor detects attacks targeted at the host on which it is installed by monitoring what is written to the system and audit logs. It is signature-based: system and audit messages are matched against known patterns of system misuse or attack. The sensor monitors the logs of applications running on the host, including mail servers, web servers and FTP servers. It also monitors system files and notifies the system administrator when key system and security files have been accessed, modified or deleted.
173 Citations
24 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method for efficiently managing and reporting intrusion, or attempted intrusion, events of a computer network, said method comprising the steps of:
(a) providing an array of event processing means on a host computer, coupled to the computer network, that operate concurrently without impeding each other's performance, each of said event processing means detecting a corresponding event related to intrusion, or intrusion attempts, to form event data;
(b) passing said event data to a plurality of configured modules on the host computer, in serial fashion, that alter the contents of said event data that is to be reported to form filtered event data or that discard said event data not considered of value to report; and
(c) passing all of said filtered event data to a second plurality of configured modules for providing notification of the intrusion or intrusion attempts.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24.
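The architecture that the abstract and claims 1 and 10 describe (an array of concurrently running event processors, a serial chain of filter modules that rename or discard events, and a set of alerting modules that each receive every surviving event) is small enough to sketch end to end. The following is an added example written for this page, not the patent's own implementation; the sshd log lines, the file contents and their baseline hashes, the trusted network 10.0.0.0/8, the event names and all function names are constructed assumptions:

```python
from __future__ import annotations

import hashlib
import ipaddress
import queue
import re
import threading
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    name: str                # event data name; filter modules may rewrite it
    source: str              # which event processor produced it
    src_addr: Optional[str]  # source network address related to the event, if any
    detail: str


# Constructed sample input (not real logs or real system files).
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 host sshd[2211]: Failed password for root from 203.0.113.5 port 4021 ssh2
Mar  1 10:00:02 host sshd[2211]: Failed password for root from 203.0.113.5 port 4022 ssh2
Mar  1 10:00:03 host sshd[2212]: Accepted password for alice from 10.0.0.7 port 5000 ssh2
Mar  1 10:00:04 host vsftpd[900]: CONNECT: Client "198.51.100.9"
""".splitlines()

ORIGINAL_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/shadow": b"root:$6$salt$hash:19000:0:99999:7:::\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
}
# Baseline the integrity monitor compares against: SHA-256 of each key file.
BASELINE = {p: hashlib.sha256(c).hexdigest() for p, c in ORIGINAL_FILES.items()}
# Assumed current state: passwd untouched, shadow modified, sshd_config deleted.
CURRENT_FILES = {
    "/etc/passwd": ORIGINAL_FILES["/etc/passwd"],
    "/etc/shadow": b"root::19000:0:99999:7:::\n",
}

# --- Array of event processors: each runs in its own thread and shares only the queue.
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+)")


def sshd_processor(lines, out):
    """Signature-based parsing of sshd log lines into events."""
    for line in lines:
        if m := FAILED_RE.search(line):
            out.put(Event("ssh_auth_failure", "sshd", m.group(2), f"user={m.group(1)}"))
        elif m := ACCEPTED_RE.search(line):
            out.put(Event("ssh_login", "sshd", m.group(2), f"user={m.group(1)}"))


def file_integrity_processor(files, baseline, out):
    """Report key files whose hash no longer matches the baseline, or that are gone."""
    for path, expected in baseline.items():
        content = files.get(path)
        if content is None:
            out.put(Event("file_deleted", "fim", None, path))
        elif hashlib.sha256(content).hexdigest() != expected:
            out.put(Event("file_modified", "fim", None, path))


# --- Serial filter modules: each returns the (possibly altered) event, or None to discard it.
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal management network


def rename_by_source_address(ev):
    """Alter the event name according to where the activity came from (claim 1)."""
    if ev.src_addr is None:
        return ev
    try:
        addr = ipaddress.ip_address(ev.src_addr)
    except ValueError:
        return ev  # unparseable address: keep the event rather than silently drop it
    ev.name = ("internal_" if addr in TRUSTED_NET else "external_") + ev.name
    return ev


def drop_internal_logins(ev):
    """Successful logins from the trusted network are not considered worth reporting."""
    return None if ev.name == "internal_ssh_login" else ev


FILTERS = [rename_by_source_address, drop_internal_logins]


def run_filters(ev):
    for f in FILTERS:          # strictly serial: each module sees the previous one's output
        ev = f(ev)
        if ev is None:
            return None
    return ev


def run_pipeline(lines, files, baseline, alerters):
    """Processors -> queue -> serial filters -> every alerter gets every filtered event."""
    q = queue.Queue()
    threads = [threading.Thread(target=sshd_processor, args=(lines, q)),
               threading.Thread(target=file_integrity_processor, args=(files, baseline, q))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    filtered = []
    while not q.empty():
        ev = run_filters(q.get())
        if ev is not None:
            filtered.append(ev)
            for alert in alerters:
                alert(ev)
    return filtered


def demo():
    """Run the constructed sample through the pipeline; returns (events, alerts, forwarded)."""
    alerts, forwarded = [], []
    alerters = [lambda ev: alerts.append(f"ALERT {ev.name}: {ev.detail}"),        # local alert log
                lambda ev: forwarded.append(f"{ev.source}|{ev.name}|{ev.detail}")]  # remote collector
    return run_pipeline(SAMPLE_AUTH_LOG, CURRENT_FILES, BASELINE, alerters), alerts, forwarded


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Two details of the claimed design matter in practice and are visible here: the filter chain is ordered, so a renaming module must run before any module that discards by the renamed value, and because every alerting module receives every filtered event, a noisy processor (or a missing discard rule) costs each alerting destination, not just one.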
Specification