Graphical user interface for an enterprise intrusion detection system

US 7,293,238 B1
Filed: 04/04/2003
Issued: 11/06/2007
Est. Priority Date: 04/04/2003
Status: Active Grant

First Claim

Patent Images

1. A graphical user interface (GUI) operable to:

receive at least one packet flow, each packet flow originating from a unique node in an intrusion detection system and comprising descriptive information and a plurality of packet headers;

communicate the descriptive information of a first subset of the received packet flows to a user based at least in part on a filtering ruleset;

conceal a second subset of the received packet flows from the user based at least in part on the filtering ruleset;

in response to receiving a first command from the user, communicate the plurality of packet headers for at least one packet flow in the first subset to the user; and

in response to receiving a second command from the user;

automatically determine one or more defined groupings indicated by the second command, the one or more defined groupings comprising at least one of virtual private network (VPN) grouping, firewall grouping, sites, communication types, or trust levels;

automatically organize the communicated information according to the one or more defined groupings; and

automatically display the communicated information to the user according to the organization.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for interfacing with a user of an enterprise intrusion detection system, the method comprises receiving at least one packet flow, each packet flow originating from a unique node in the intrusion detection system and comprising descriptive information and a plurality of packet headers. The descriptive information of a first subset of the received packet flows is communicated to a user based at least in part on a filtering ruleset. A second subset of the received packet flows is concealed from the user based at least in part on the filtering ruleset. In response to receiving a command from the user, the plurality of packet headers for at least one packet flow in the first subset is communicated to the user.

137 Citations

27 Claims

1. A graphical user interface (GUI) operable to:
- receive at least one packet flow, each packet flow originating from a unique node in an intrusion detection system and comprising descriptive information and a plurality of packet headers;
  
  communicate the descriptive information of a first subset of the received packet flows to a user based at least in part on a filtering ruleset;
  
  conceal a second subset of the received packet flows from the user based at least in part on the filtering ruleset;
  
  in response to receiving a first command from the user, communicate the plurality of packet headers for at least one packet flow in the first subset to the user; and
  
  in response to receiving a second command from the user;
  
  automatically determine one or more defined groupings indicated by the second command, the one or more defined groupings comprising at least one of virtual private network (VPN) grouping, firewall grouping, sites, communication types, or trust levels;
  
  automatically organize the communicated information according to the one or more defined groupings; and
  
  automatically display the communicated information to the user according to the organization.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The GUI of claim 1 further operable to:
    - create a hash value of each received packet flow, the hash value based at least in part on the source and destination IP addresses;
      
      store the hash values in a hash table.
  - 3. The GUI of claim 2 further operable to:
    - sort the hash table based on the hash values; and
      
      communicate the first subset of the received packet flows further based on the sorted hash table.
  - 4. The GUI of claim 1, wherein the descriptive information comprises a source IP address, a destination IP address, and a count of packets included in the respective packet flow.
  - 5. The GUI of claim 1 further operable to:
    - receive an alert message associated with one of the received packet flows; and
      
      in response to the associated packet flow being in the first subset, communicate the alert message to the user.
  - 6. The GUI of claim 5, wherein the alert message is in Intrusion Detection Message Exchange Format.
  - 7. The GUI of claim 5 further operable to:
    - receive a static rule from a user, the static rule for use by the intrusion detection system in response to the alert; and
      
      communicate the static rule to at least the node from which the packet flow associated with the alert was received.
  - 8. The GUI of claim 7 further operable to:
    - receive an approval of the static rule; and
      
      wherein the graphical user interface operable to communicate the static rule comprises the graphical user interface operable to communicate the static rule in response to receiving the approval.
  - 9. The GUI of claim 1, wherein the graphical user interface is communicably connected to the intrusion detection system via secure socket layer technology.

10. A method comprising:
- receiving at least one packet flow, each packet flow originating from a unique node in an intrusion detection system and comprising descriptive information and a plurality of packet headers;
  
  communicating the descriptive information of a first subset of the received packet flows to a user based at least in part on a filtering ruleset;
  
  concealing a second subset of the received packet flows from the user based at least in part on the filtering ruleset;
  
  in response to receiving a command from the user, communicating the plurality of packet headers for at least one packet flow in the first subset to the user; and
  
  in response to receiving a second command from the user;
  
  automatically determine one or more defined groupings indicated by the second command, the one or more defined groupings comprising at least one of virtual private network (VPN) grouping, firewall grouping, sites, communication types, or trust levels;
  
  automatically organize the communicated information according to the one or more defined groupings; and
  
  automatically display the communicated information to the user according to the organization.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10 further comprising:
    - creating a hash value of each received packet flow, the hash value based at least in part on the source and destination IP addresses;
      
      storing the hash values in a hash table.
  - 12. The method of claim 11 further comprising:
    - sorting the hash table based on the hash values; and
      
      communicating the first subset of the received packet flows further based on the sorted hash table.
  - 13. The method of claim 10, wherein the descriptive information comprises a source IP address, a destination IP address, and a count of packets included in the respective packet flow.
  - 14. The method of claim 10 further comprising:
    - receiving an alert message associated with one of the received packet flows; and
      
      in response to the associated packet flow being in the first subset, communicating the alert message to the user.
  - 15. The method of claim 14, wherein the alert message is in Intrusion Detection Message Exchange Format.
  - 16. The method of claim 14 further comprising:
    - receiving a static rule from a user, the static rule for use by the intrusion detection system in response to the alert; and
      
      communicating the static rule to at least the node from which the packet flow associated with the alert was received.
  - 17. The method of claim 16 further comprising:
    - receiving an approval of the static rule; and
      
      wherein communicating the static rule comprises communicating the static rule in response to receiving the approval.
  - 18. The method of claim 10, wherein the graphical user interface is communicably connected to the intrusion detection system via secure socket layer technology.

19. Logic embodied in one or more tangible media for execution and when executed operable to:
- receive at least one packet flow, each packet flow originating from a unique sensor in an intrusion detection system and comprising descriptive information and a plurality of packet headers;
  
  communicate the descriptive information of a first subset of the received packet flows to a user based at least in part on a filtering ruleset;
  
  conceal a second subset of the received packet flows from the user based at least in part on the filtering ruleset;
  
  in response to receiving a command from the user, communicate the plurality of packet headers for at least one packet flow in the first subset to the user; and
  
  in response to receiving a second command from the user;
  
  automatically determine one or more defined groupings indicated by the second command, the one or more defined groupings comprising at least one of virtual private network (VPN) grouping, firewall grouping, sites, communication types, or trust levels;
  
  automatically organize the communicated information according to the one or more defined groupings; and
  
  automatically display the communicated information to the user according to the organization.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The logic of claim 19 further operable to:
    - create a hash value of each received packet flow, the hash value based at least in part on the source and destination IP addresses;
      
      store the hash values in a hash table.
  - 21. The logic of claim 20 further operable to:
    - sort the hash table based on the hash values; and
      
      communicate the first subset of the received packet flows further based on the sorted hash table.
  - 22. The logic of claim 19, wherein the descriptive information comprises a source IP address, a destination IP address, and a count of packets included in the respective packet flow.
  - 23. The logic of claim 19 further operable to:
    - receive an alert message associated with one of the received packet flows; and
      
      in response to the associated packet flow being in the first subset, communicate the alert message to the user.
  - 24. The logic of claim 23, wherein the alert message is in Intrusion Detection Message Exchange Format.
  - 25. The logic of claim 23 further operable to:
    - receive a static rule from a user, the static rule for use by the intrusion detection system in response to the alert; and
      
      communicate the static rule to at least the sensor from which the packet flow associated with the alert was received.
  - 26. The logic of claim 25 further operable to:
    - receive an approval of the static rule; and
      
      wherein the logic operable to communicate the static rule comprises the logic operable to communicate the static rule in response to receiving the approval.
  - 27. The logic of claim 19, wherein the graphical user interface is communicably connected to the intrusion detection system via secure socket layer technology.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Forcepoint LLC)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Rockwood, Troy Dean, Rixon, Matthew C., Brook, Jon-Michael C., Brooks, Randall S.
Primary Examiner(s)
BAUTISTA, XIOMARA L

Application Number

US10/407,030
Time in Patent Office

1,677 Days
Field of Search

715/700, 715/733, 715/734, 715/736, 715/740, 715/741, 715/764, 715/853, 715/961, 709/217, 709/223, 709/224, 719/315, 719/318
US Class Current

715/736
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1416 Event detection, e.g. attac...

Graphical user interface for an enterprise intrusion detection system

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

137 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Graphical user interface for an enterprise intrusion detection system

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

137 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links