Intrusion event filtering
Abstract
Improvements in intrusion detection are disclosed by providing intrusion event filtering and/or generic attack signature processing. These services may be integrated into a system or server that is the potential target of attack, or alternatively may be implemented in a network device. Filtering may be provided using sensitivity levels and suspicion levels. Generic attack signatures describe relatively broad classes of intrusions. Intrusion detection policy information may be used to direct the actions to be taken upon detecting an attack.
41 Claims
1. A method of improving intrusion detection in a computing network, comprising steps of:
- defining a plurality of intrusion suspicion levels for use when performing intrusion detection processing on inbound communications destined for a computing device on the computing network;
- for each of a plurality of potential intrusion events, defining a set of at least one condition wherein the set describes occurrence of the potential intrusion event;
- associating one of the defined intrusion suspicion levels with each of the sets, wherein the associated intrusion suspicion level indicates how suspicious is an inbound communication matching each condition in the set;
- defining a plurality of sensitivity levels for filtering the inbound communications as potential intrusion events when performing the intrusion detection processing, each of the defined sensitivity levels usable for a different level of filtering of the inbound communications; and
- performing the intrusion detection processing for a particular inbound communication received for the computing device, further comprising steps of:
  - determining whether each condition in any of the sets is matched for the particular inbound communication; and
  - if so, filtering the particular inbound communication by using a currently-applicable one of the defined sensitivity levels, in concert with the intrusion suspicion level associated with the set for which each condition is matched, to determine if the particular inbound communication should be treated as an intrusion event.

Dependent claims: 2 through 28.
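The filtering scheme recited in claim 1 (condition sets carrying a suspicion level, checked against a currently-applicable sensitivity level) as an added, runnable illustration; this is not code from the patent, and the level names, condition sets and sample inbound communications are constructed assumptions.

```python
# Illustration of the claim-1 filter: suspicion levels per condition set,
# sensitivity levels selecting how aggressively to filter. All names, levels
# and sample packets below are constructed for the example.
from dataclasses import dataclass

# Intrusion suspicion levels, ordered from least to most suspicious.
LOW, MEDIUM, HIGH = 1, 2, 3

# Sensitivity levels: the minimum suspicion level that is treated as an
# intrusion event when that sensitivity level is currently applicable.
SENSITIVITY = {"relaxed": HIGH, "normal": MEDIUM, "paranoid": LOW}


@dataclass
class EventSet:
    name: str
    conditions: dict   # field -> required value; every condition must match
    suspicion: int     # suspicion level associated with this set


# Constructed condition sets, one per potential intrusion event.
EVENT_SETS = [
    EventSet("tcp-syn-fin", {"proto": "tcp", "flags": "SF"}, HIGH),
    EventSet("telnet-probe", {"proto": "tcp", "dport": 23}, MEDIUM),
    EventSet("icmp-echo", {"proto": "icmp", "type": 8}, LOW),
]


def matched_set(comm: dict):
    """Return the first event set whose every condition matches, else None."""
    for s in EVENT_SETS:
        if all(comm.get(k) == v for k, v in s.conditions.items()):
            return s
    return None


def is_intrusion_event(comm: dict, sensitivity: str) -> bool:
    """Match condition sets, then weigh the matched set's suspicion level
    against the currently-applicable sensitivity level."""
    s = matched_set(comm)
    return s is not None and s.suspicion >= SENSITIVITY[sensitivity]


def classify(comms, sensitivity):
    """IDs of the inbound communications treated as intrusion events."""
    return [c["id"] for c in comms if is_intrusion_event(c, sensitivity)]


# Constructed inbound communications destined for the protected device.
SAMPLE = [
    {"id": 1, "proto": "tcp", "flags": "SF", "dport": 80},
    {"id": 2, "proto": "tcp", "flags": "S", "dport": 23},
    {"id": 3, "proto": "icmp", "type": 8},
    {"id": 4, "proto": "udp", "dport": 53},
]
```

Raising the sensitivity level from "relaxed" to "paranoid" widens the set of flagged communications without changing the condition sets themselves, which is the point of keeping the two levels separate.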
29. A system for improving intrusion detection in a computing network, comprising:
- a definition of a plurality of intrusion suspicion levels for use when performing intrusion detection processing on inbound communications destined for a computing device on the computing network;
- for each of a plurality of potential intrusion events, a definition of a set of at least one condition, wherein the set describes occurrence of the potential intrusion event;
- means for associating one of the defined intrusion suspicion levels with each of the defined sets, wherein the associated intrusion suspicion level indicates how suspicious is an inbound communication matching each condition in the set;
- a definition of a plurality of sensitivity levels for filtering the inbound communications as potential intrusion events when performing the intrusion detection processing, each of the defined sensitivity levels usable for a different level of filtering of the inbound communications; and
- means for performing the intrusion detection processing for a particular inbound communication received for the computing device, further comprising:
  - means for filtering the particular inbound communication, if each condition in any of the sets is matched for the particular inbound communication, by using a currently-applicable one of the defined sensitivity levels, in concert with the intrusion suspicion level associated with the set for which each condition is matched, to determine if the particular inbound communication destined for the computing device should be treated as an intrusion event.

Dependent claims: 30 through 33.
34. A computer program product for improving intrusion detection in a computing network, the computer program product embodied on one or more computer-readable media and comprising:
- computer-readable code defining a plurality of intrusion suspicion levels for use when performing intrusion detection processing on inbound communications destined for a computing device on the computing network;
- for each of a plurality of potential intrusion events, computer-readable program code defining a set of at least one condition, wherein the set describes occurrence of the potential intrusion event;
- computer-readable program code associating one of the defined intrusion suspicion levels with each of the sets, wherein the associated intrusion suspicion level indicates how suspicious is an inbound communication matching each condition in the set;
- computer-readable program code defining a plurality of sensitivity levels for filtering the inbound communications as potential intrusion events when performing the intrusion detection processing, each of the defined sensitivity levels usable for a different level of filtering of the inbound communications; and
- computer-readable program code for performing the intrusion detection processing for a particular inbound communication received for the computing device, further comprising:
  - computer-readable program code for filtering the particular inbound communication, if each condition in any of the sets is matched for the particular inbound communication, by using a currently-applicable one of the defined sensitivity levels, in concert with the intrusion suspicion level associated with the set for which each condition is matched, to determine if the particular inbound communication destined for the computing device should be treated as an intrusion event.

Dependent claims: 35 through 41.