Intrusion event filtering

US 7,222,366 B2
Filed: 01/28/2002
Issued: 05/22/2007
Est. Priority Date: 01/28/2002
Status: Active Grant

First Claim

Patent Images

1. A method of improving intrusion detection in a computing network, comprising steps of:

defining a plurality of intrusion suspicion levels for use when performing intrusion detection processing on inbound communications destined for a computing device on the computing network;

for each of a plurality of potential intrusion events, defining a set of at least one condition wherein the set describes occurrence of the potential intrusion event;

associating one of the defined intrusion suspicion levels with each of the sets, wherein the associated intrusion suspicion level indicates how suspicious is an inbound communication matching each condition in the set;

defining a plurality of sensitivity levels for filtering the inbound communications as potential intrusion events when performing the intrusion detection processing, each of the defined sensitivity levels usable for a different level of filtering of the inbound communications; and

performing the intrusion detection processing for a particular inbound communication received for the computing device, further comprising steps of;

determining whether each condition in any of the sets is matched for the particular inbound communication; and

if so, filtering the particular inbound communication by using a currently-applicable one of the defined sensitivity levels, in concert with the intrusion suspicion level associated with the set for which each condition is matched, to determine if the particular inbound communication should be treated as an intrusion event.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Improvements in intrusion detection are disclosed by providing intrusion event filtering and/or generic attack signature processing. These services may be integrated into a system or server that is the potential target of attack, or alternatively may be implemented in a network device. Filtering may be provided using sensitivity levels and suspicion levels. Generic attack signatures describe relatively broad classes of intrusions. Intrusion detection policy information may be used to direct the actions to be taken upon detecting an attack.

Citations

41 Claims

1. A method of improving intrusion detection in a computing network, comprising steps of:
- defining a plurality of intrusion suspicion levels for use when performing intrusion detection processing on inbound communications destined for a computing device on the computing network;
  
  for each of a plurality of potential intrusion events, defining a set of at least one condition wherein the set describes occurrence of the potential intrusion event;
  
  associating one of the defined intrusion suspicion levels with each of the sets, wherein the associated intrusion suspicion level indicates how suspicious is an inbound communication matching each condition in the set;
  
  defining a plurality of sensitivity levels for filtering the inbound communications as potential intrusion events when performing the intrusion detection processing, each of the defined sensitivity levels usable for a different level of filtering of the inbound communications; and
  
  performing the intrusion detection processing for a particular inbound communication received for the computing device, further comprising steps of;
  
  determining whether each condition in any of the sets is matched for the particular inbound communication; and
  
  if so, filtering the particular inbound communication by using a currently-applicable one of the defined sensitivity levels, in concert with the intrusion suspicion level associated with the set for which each condition is matched, to determine if the particular inbound communication should be treated as an intrusion event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The method according to claim 1, wherein the determining step further comprises comparing current conditions in the computing device to corresponding conditions defined in at least one of the sets.
  - 3. The method according to claim 2, wherein the current conditions in the computing device comprise contents of the particular inbound communication.
  - 4. The method according to claim 3, wherein the current conditions in the computing device further comprise a protocol state of a protocol stack which processes the particular inbound communication.
  - 5. The method according to claim 1, further comprising the step of taking one or more defensive actions upon determining that the particular inbound communication should be treated as an intrusion event.
  - 6. The method according to claim 5, wherein the defensive actions are determined by consulting intrusion detection policy information.
  - 7. The method according to claim 6, wherein the intrusion detection policy information is stored in a network-accessible repository.
  - 8. The method according to claim 5, wherein the defensive actions are specified as actions in a rule in which the matched set is specified.
  - 9. The method according to claim 5, wherein at least one of the defensive actions comprises discarding the particular inbound communication.
  - 10. The method according to claim 5, wherein at least one of the defensive actions comprises limiting at least one of resources or traffic associated with a connection on which the particular inbound communication is received.
  - 11. The method according to claim 5, wherein at least one of the defensive actions comprises dynamically dropping a deny filter into the computing network to shun subsequent traffic.
  - 12. The method according to claim 5, wherein at least one of the defensive actions comprises reporting the intrusion event to one or more entities.
  - 13. The method according to claim 12, wherein reporting the intrusion event to one or more entities further comprises sending an alert to a management component external from the computing device for which the particular inbound communication is destined.
  - 14. The method according to claim 12, wherein reporting the intrusion event to one or more entities further comprises writing at least one event record to at least one of a system log and a console.
  - 15. The method according to claim 12, wherein reporting the intrusion event to one or more entities further comprises recording inbound communications associated with the intrusion event in at least one of a trace or other repository.
  - 16. The method according to claim 12, wherein reporting the intrusion event to one or more entities further comprises writing statistics records on normal behavior to establish baselines as to what constitutes abnormal behavior for the inbound communications.
  - 17. The method according to claim 1, wherein at least one of the defined sets represents an attack signature.
  - 18. The method according to claim 1, wherein at least one of the defined sets represents a class signature for a class of attacks.
  - 19. The method according to claim 1, wherein each of the defined sets comprises a condition part in an intrusion detection rule, and wherein each of the intrusion detection rules further specifies at least one action to be taken upon determining that the particular inbound communication should be treated as an intrusion event.
  - 20. The method according to claim 1, wherein the performing step operates in the computing device for which the particular inbound communication is destined.
  - 21. The method according to claim 20, wherein the performing step operates within layer-specific intrusion detection logic executing in a protocol stack running on the computing device.
  - 22. The method according to claim 1, wherein the performing step operates in a network device which analyzes communications directed to the computing device for which the particular inbound communication is destined.
  - 23. The method according to claim 1, wherein the filtering step further comprises using the currently-applicable one of the defined sensitivity levels and the intrusion suspicion level associated with the matched set to consult a stored mapping that indicates, for each combination of one of the defined sensitivity levels and one of the defined intrusion suspicion levels, whether an inbound communication corresponding to that combination should be treated as an intrusion event.
  - 24. The method according to claim 1, wherein at least one of the defined sets specifies a current system state of the computing device.
  - 25. The method according to claim 1, wherein at least one of the defined sets specifies at least one threshold reached at the computing device.
  - 26. The method according to claim 1, wherein at least one of the defined sets specifies at least one state transition to be caused, at the computing device, upon receiving the particular inbound communication.
  - 27. The method according to claim 1, wherein the currently-applicable sensitivity level is specified, for the computing device, by a systems administrator.
  - 28. The method according to claim 1, wherein the currently-applicable sensitivity level is specified, for the computing device, by configuration data in a stored repository.

29. A system for improving intrusion detection in a computing network, comprising:
- a definition of a plurality of intrusion suspicion levels for use when performing intrusion detection processing on inbound communications destined for a computing device on the computing network;
  
  for each of a plurality of potential intrusion events, a definition of a set of at least one condition, wherein the set describes occurrence of the potential intrusion event;
  
  means for associating one of the defined intrusion suspicion levels with each of the defined sets, wherein the associated intrusion suspicion level indicates how suspicious is an inbound communication matching each condition in the set;
  
  a definition of a plurality of sensitivity levels for filtering the inbound communications as potential intrusion events when performing the intrusion detection processing, each of the defined sensitivity levels usable for a different level of filtering of the inbound communications; and
  
  means for performing the intrusion detection processing for a particular inbound communication received for the computing device, further comprising;
  
  means for filtering the particular inbound communication, if each condition in any of the sets is matched for the particular inbound communication, by using a currently-applicable one of the defined sensitivity levels, in concert with the intrusion suspicion level associated with the set for which each condition is matched, to determine if the particular inbound communication destined for the computing device should be treated as an intrusion event.
- View Dependent Claims (30, 31, 32, 33)
- - 30. The system according to claim 29, wherein the means for determining further comprises means for comparing current conditions in the computing device to corresponding conditions defined in at least one of the sets.
  - 31. The system according to claim 29, further comprising means for taking one or more defensive actions upon determining that the particular inbound communication should be treated as an intrusion event, wherein the defensive actions are determined by consulting intrusion detection policy information.
  - 32. The system according to claim 29, wherein each of the defined sets comprises a condition part in an intrusion detection rule, and wherein each of the intrusion detection rules further specifies at least one action to be taken upon determining that the particular inbound communication should be treated as an intrusion event.
  - 33. The system according to claim 29, wherein the means for filtering further comprises means for using the currently-applicable one of the defined sensitivity levels and the intrusion suspicion level associated with the matched set to consult a stored mapping that indicates, for each combination of one of the defined sensitivity levels and one of the defined intrusion suspicion levels, whether an inbound communication corresponding to that combination should be treated as an intrusion event.

34. A computer program product for improving intrusion detection in a computing network, the computer program product embodied on one or more computer-readable media and comprising:
- computer-readable code defining a plurality of intrusion suspicion levels for use when performing intrusion detection processing on inbound communications destined for a computing device on the computing network;
  
  for each of a plurality of potential intrusion events, computer-readable program code defining a set of at least one condition, wherein the set describes occurrence of the potential intrusion event;
  
  computer-readable program code associating one of the defined intrusion suspicion levels with each of the sets, wherein the associated intrusion suspicion level indicates how suspicious is an inbound communication matching each condition in the set;
  
  computer-readable program code defining a plurality of sensitivity levels for filtering the inbound communications as potential intrusion events when performing the intrusion detection processing, each of the defined sensitivity levels usable for a different level of filtering of the inbound communications; and
  
  computer-readable program code for performing the intrusion detection processing for a particular inbound communication received for the computing device, further comprising;
  
  computer-readable program code for filtering the particular inbound communication, if each condition in any of the sets is matched for the particular inbound communication, by using a currently-applicable one of the defined sensitivity levels, in concert with the intrusion suspicion level associated with the set for which each condition is matched, to determine if the particular inbound communication destined for the computing device should be treated as an intrusion event.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41)
- - 35. The computer program product according to claim 34, wherein the computer-readable program code for determining further comprises computer-readable program code for comparing current conditions in the computing device to corresponding conditions defined in at least one of the sets, the current conditions in the computing device comprising contents of the particular inbound communication.
  - 36. The computer program product according to claim 34, wherein the computer-readable program code for determining further comprises computer-readable program code for comparing current conditions in the computing device to corresponding conditions defined in at least one of the sets, the current conditions in the computing device comprising contents of the particular inbound communication and a protocol state of a protocol stack which processes the particular inbound communication.
  - 37. The computer program product according to claim 34, further comprising computer-readable program code for taking one or more defensive actions upon determining that the particular inbound communication should be treated as an intrusion event, wherein the defensive actions are determined by consulting intrusion detection policy information stored in a policy repository.
  - 38. The computer program product according to claim 34, wherein at least one of the defined sets represents an attack signature, and wherein at least one of the attack signatures is a class signature representing a class of attacks.
  - 39. The computer program product according to claim 34, wherein the computer-readable program code for performing operates in the computing device for which the particular inbound communication is destined.
  - 40. The computer program product according to claim 34, wherein the computer-readable program code for performing operates in a network device which analyzes communications directed to the computing device for which the particular inbound communication is destined.
  - 41. The computer program product according to claim 34, wherein the computer-readable program code for filtering further comprises computer-readable code for using the currently-applicable one of the defined sensitivity levels and the intrusion suspicion level associated with the matched set to consult a stored mapping that indicates, for each combination of one of the defined sensitivity levels and one of the defined intrusion suspicion levels, whether an inbound communication corresponding to that combination should be treated as an intrusion event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Bruton, III, David Aro, Jakubik, Patricia, LiVecchi, Patrick Michael, Overby, Jr., Linwood Hugh
Primary Examiner(s)
DAVIS, ZACHARY A

Application Number

US10/058,689
Publication Number

US 20030145225A1
Time in Patent Office

1,940 Days
Field of Search

726/23, 726/22, 726/25, 726/1, 709/224, 709/225, 709/229
US Class Current

726/23
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Intrusion event filtering

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion event filtering

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links