Systems and methods for distributed network protection

US 7,406,713 B2
Filed: 08/10/2001
Issued: 07/29/2008
Est. Priority Date: 08/18/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A system for protecting a distributed network from unauthorized access, the system comprising:

first and second intrusion detection systems, respectively including;

first and second intrusion detection modules, andfirst and second communications management modules respectively coupled to the first and second intrusion detection modules; and

an intrusion analysis system coupled to the first and second intrusion detection systems, and including;

an intrusion analysis module, andan intrusion reaction coordination module coupled to the intrusion analysis module,wherein the first intrusion detection module detects a respective possible unauthorized access attempt into a distributed network being protected,the second intrusion detection module detects a respective possible unauthorized access attempt within the distributed network being protected,the first and second communications management modules are coupled to the intrusion analysis module and forward to the intrusion analysis module respective information regarding the respective detected possible unauthorized access attempt,the intrusion analysis module determines based on the respective information regarding the respective detected possible unauthorized access attempt whether or not the respective detected possible unauthorized access attempt is authorized,if the intrusion analysis module determines that the respective detected possible unauthorized access attempt is authorized, the intrusion analysis module respectively forwards, via the first and second communications management modules, respective information to the first and second intrusion detection modules that the respective possible unauthorized access attempt is authorized, andif the intrusion analysis module determines that the respective detected possible unauthorized access attempt is not authorized, the intrusion analysis module determines, via the intrusion reaction coordination module, appropriate actions, including (i) forwarding respective information regarding the respective detected unauthorized access attempt into the distributed network being protected to a monitoring center external to the distributed network being protected, and processing respective information from the monitoring center regarding the respective detected unauthorized access attempt into the distributed network being protected, (ii) forwarding respective information regarding the respective detected unauthorized access attempt within the distributed network being protected for handling internally within the distributed network being protected, and processing respective information for internally handling the respective detected unauthorized access attempt within the distributed network being protected, and (iii) forwarding respective information regarding the respective detected unauthorized access attempt within the distributed network being protected to the monitoring center external to the distributed network being protected, and processing respective information from the monitoring center regarding the respective detected unauthorized access attempt within the distributed network being protected,wherein the intrusion analysis system in cooperation with the first and second intrusion detection systems enable communications between the monitoring center and an entity attempting the respective unauthorized access attempt without the entity being made aware that the entity attempting the respective unauthorized access attempt is communicating with the monitoring center,wherein the monitoring center sends information to the analysis system and intended for the entity attempting the unauthorized access attempt, the analysis system substitutes origin information of the monitoring center from the received information with origin information of a target of the respective unauthorized access attempt and forwards the substituted information to the entity attempting the respective unauthorized access attempt, whereby it appears to the entity attempting the respective unauthorized access attempt that communications are continuing with the target of the respective unauthorized access attempt, andwherein the intrusion analysis system in cooperation with the first intrusion detection system engages the entity attempting the respective unauthorized access attempt to determine the location or origin of the entity attempting the respective unauthorized access attempt.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Through the use of an intermediate party, a first party is given the ability to communicate with a second party, with the communication appearing as if it originated with the intermediate party. Specifically, in a protected network system, the protected network is capable of acting as a conduit through which an entity, such as law enforcement, can communicate with an entity attempting an unauthorized access attempt unbeknownst to the entity attempting the unauthorized access attempt. This allows, for example, the detection and identification of the entity attempting the unauthorized access attempt.

37 Citations

View as Search Results

55 Claims

1. A system for protecting a distributed network from unauthorized access, the system comprising:
- first and second intrusion detection systems, respectively including;
  
  first and second intrusion detection modules, andfirst and second communications management modules respectively coupled to the first and second intrusion detection modules; and
  
  an intrusion analysis system coupled to the first and second intrusion detection systems, and including;
  
  an intrusion analysis module, andan intrusion reaction coordination module coupled to the intrusion analysis module,wherein the first intrusion detection module detects a respective possible unauthorized access attempt into a distributed network being protected,the second intrusion detection module detects a respective possible unauthorized access attempt within the distributed network being protected,the first and second communications management modules are coupled to the intrusion analysis module and forward to the intrusion analysis module respective information regarding the respective detected possible unauthorized access attempt,the intrusion analysis module determines based on the respective information regarding the respective detected possible unauthorized access attempt whether or not the respective detected possible unauthorized access attempt is authorized,if the intrusion analysis module determines that the respective detected possible unauthorized access attempt is authorized, the intrusion analysis module respectively forwards, via the first and second communications management modules, respective information to the first and second intrusion detection modules that the respective possible unauthorized access attempt is authorized, andif the intrusion analysis module determines that the respective detected possible unauthorized access attempt is not authorized, the intrusion analysis module determines, via the intrusion reaction coordination module, appropriate actions, including (i) forwarding respective information regarding the respective detected unauthorized access attempt into the distributed network being protected to a monitoring center external to the distributed network being protected, and processing respective information from the monitoring center regarding the respective detected unauthorized access attempt into the distributed network being protected, (ii) forwarding respective information regarding the respective detected unauthorized access attempt within the distributed network being protected for handling internally within the distributed network being protected, and processing respective information for internally handling the respective detected unauthorized access attempt within the distributed network being protected, and (iii) forwarding respective information regarding the respective detected unauthorized access attempt within the distributed network being protected to the monitoring center external to the distributed network being protected, and processing respective information from the monitoring center regarding the respective detected unauthorized access attempt within the distributed network being protected,wherein the intrusion analysis system in cooperation with the first and second intrusion detection systems enable communications between the monitoring center and an entity attempting the respective unauthorized access attempt without the entity being made aware that the entity attempting the respective unauthorized access attempt is communicating with the monitoring center,wherein the monitoring center sends information to the analysis system and intended for the entity attempting the unauthorized access attempt, the analysis system substitutes origin information of the monitoring center from the received information with origin information of a target of the respective unauthorized access attempt and forwards the substituted information to the entity attempting the respective unauthorized access attempt, whereby it appears to the entity attempting the respective unauthorized access attempt that communications are continuing with the target of the respective unauthorized access attempt, andwherein the intrusion analysis system in cooperation with the first intrusion detection system engages the entity attempting the respective unauthorized access attempt to determine the location or origin of the entity attempting the respective unauthorized access attempt.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The system of claim 1, wherein the intrusion analysis system communicates with monitoring center via a secure tunnel.
  - 3. The system of claim 1, wherein the respective communications from the monitoring center to the entity attempting the respective unauthorized access attempt are modified, via the intrusion analysis system and the respective first and second intrusion detection systems, to appear as if the communications originate from the distributed network being protected.
  - 4. The system of claim 1, wherein the intrusion analysis system logs respective information regarding communications with the entity attempting the respective unauthorized access attempt.
  - 5. The system of claim 1, wherein the first and second intrusion detection modules respectively detect whether or not the respective possible unauthorized access attempt into or within the distributed network being protected is internal or external to the network being protected.
  - 6. The system of claim 1, wherein if second intrusion detection module detects that the possible respective unauthorized access attempt is internal to the network being protected, the second intrusion detection module forwards via the second communications management module respective information regarding the possible internal unauthorized access attempt to the intrusion analysis module, and the intrusion analysis module evaluates the received information and if the intrusion analysis module determines that the possible internal unauthorized access attempt is not authorized, the intrusion analysis module determines whether or not a retaliatory action should be taken, including handling the unauthorized access attempt internally or providing information to the monitoring center regarding the unauthorized access attempt.
  - 7. The system of claim 1, wherein the monitoring center comprises a law enforcement entity.
  - 8. The system of claim 1, further comprising a database,wherein the intrusion analysis module employs the database, including respective information regarding previous respective unauthorized access attempts, to determine whether or not the respective detected possible unauthorized access attempt is authorized.
  - 9. The system of claim 8, wherein the database includes respective profiles of information related to one or more entities associated with the respective previous unauthorized access attempts, including origin information regarding the respective previous unauthorized access attempts.
  - 10. The system of claim 8, wherein the intrusion analysis module is configured to query the database to determine whether or not the respective possible unauthorized access attempt is an error in communications, including a bit error.
  - 11. The system of claim 1, wherein the intrusion analysis module is configured to determine based on respective historical profiles, and respective previous unauthorized access attempts whether or not the detected respective possible unauthorized access attempt is authorized.
  - 12. The system of claim 1, wherein the intrusion reaction coordination module determines the respective appropriate actions based on a number of respective previous unauthorized access attempts, and a nature of the respective unauthorized access attempt, including destructiveness of packets received during the respective unauthorized access attempt.
  - 13. The system of claim 1, wherein the intrusion reaction coordination module, to determine the respective appropriate actions, analyzes the respective information received by the first and second intrusion detection modules, respective historical information regarding respective unauthorized access attempts, respective source and destination ports of respective unauthorized access attempts, respective IP address information of respective unauthorized access attempts, and respective information received from a central repository that catalogs respective information related to respective unauthorized access attempts from one or more other protected networks.
  - 14. The system of claim 13, wherein the intrusion detection analysis is based on at least one of a look-up table, a neural network analysis, and a predetermined event sequence.
  - 15. The system of claim 1, wherein if the intrusion reaction coordination module determines that a responsive or retaliatory action is not required, the intrusion reaction coordination module respectively instructs the first and second intrusion detection modules to block communications from an entity attempting the respective unauthorized access attempt.
  - 16. The system of claim 1, wherein if the intrusion reaction coordination module determines that a responsive or retaliatory action is not required, the intrusion reaction coordination module respectively instructs the first and second intrusion detection modules to block communications from an entity that matches one or more characteristics of the respective unauthorized access attempt.
  - 17. The system of claim 8, wherein the intrusion reaction coordination module logs respective information regarding an entity attempting the respective unauthorized access attempt to the database for use in a future unauthorized access attempt by the entity.
  - 18. The system of claim 1, wherein the intrusion analysis module is configured to store information regarding an address to which the respective unauthorized access attempt was directed for use by the intrusion reaction coordination module to determine the respective appropriate actions.
  - 19. The system of claim 8, wherein upon receipt of a respective communication from the monitoring center, the first and second intrusion detection systems in cooperation with the intrusion analysis system analyze the respective communication, determine address information of a source of the respective communication from the monitoring center, and remove the address information from the respective communication from the monitoring center leaving the remaining information for further analysis.
  - 20. The system of claim 19, wherein the address information of the source of the communication from the monitoring center is stored in the database, and the intrusion analysis module is configured to use the address information to communicate information to the monitoring center, including information regarding a response to a password request by an entity attempting the unauthorized access attempt.
  - 21. The system of claim 1, wherein the first and second intrusion detection systems in cooperation with the intrusion analysis system conceal an identity of the monitoring center, communicate respective information with the monitoring center, and screen respective underlying content in the communicated information, including removing sensitive information from the communicated information.
  - 22. The system of claim 21, wherein the first and second intrusion detection systems in cooperation with the intrusion analysis system employ a policy file to regulate the screening and removing of the sensitive information, including removing all content or core information, removing content having certain words, and removing content originating from a predetermined location.
  - 23. The system of claim 1, wherein the first and second intrusion detection systems and the intrusion analysis system cooperate with the monitoring center to aid in detecting a source of the respective unauthorized access attempt.
  - 24. The system of claim 23, wherein the first and second intrusion detection systems in cooperation with the intrusion analysis system receive from the monitoring center respective information regarding unauthorized accesses or access attempts into or within distributed networks.
  - 25. The system of claim 24, wherein the first and second intrusion detection systems in cooperation with the intrusion analysis system analyze the respective information regarding unauthorized accesses or access attempts into or within the distributed networks received from the monitoring center to determine if the respective received information matches a profile or has characteristics corresponding to one or more respective known unauthorized access attempts.
  - 26. The system of claim 25, wherein, upon detection of an unauthorized access attempt, the first and second intrusion detection systems in cooperation with the intrusion analysis system forward information regarding the respective unauthorized access attempt to the monitoring center for inclusion in a central database that maintains the information regarding the respective unauthorized accesses or access attempts into or within the distributed networks.
  - 27. The system of claim 1, wherein the system is implemented with one or more hardware and or software components.

28. A method for protecting a distributed network from unauthorized access for use in a system including first and second intrusion detection systems respectively having first and second intrusion detection modules, and first and second communications management modules coupled to the first and second intrusion detection modules, and intrusion analysis system coupled to the first and second intrusion detection systems, and including an intrusion analysis module, and an intrusion reaction coordination module coupled to the intrusion analysis module, the method comprising:
- detecting, by the first intrusion detection module, a respective possible unauthorized access attempt into a distributed network being protected;
  
  detecting, by the second intrusion detection module, a respective possible unauthorized access attempt within the distributed network being protected;
  
  forwarding, by the first and second communications management modules, respective information regarding the respective detected possible unauthorized access attempt to the intrusion analysis module;
  
  determining, by the intrusion analysis module, based on the respective information regarding the respective detected possible unauthorized access attempt whether or not the respective detected possible unauthorized access attempt is authorized;
  
  if the intrusion analysis module determines that the respective detected possible unauthorized access attempt is authorized, respectively forwarding, by the intrusion analysis module, via the first and second communications management, respective information to the first and second intrusion detection modules that the respective possible unauthorized access attempt is authorized, andif the intrusion analysis module determines that the respective detected possible unauthorized access attempt is not authorized, determining, by the intrusion analysis module, via the intrusion reaction coordination module, appropriate actions, including (i) forwarding respective information regarding the respective detected unauthorized access attempt into the distributed network being protected to a monitoring center extemal to the distributed network being protected, and processing respective information from the monitoring center regarding the respective detected unauthorized access attempt into the distributed network being protected, (ii) forwarding respective information regarding the respective detected unauthorized access attempt within the distributed network being protected for handling internally within the distributed network being protected, and processing respective information for internally handling the respective detected unauthorized access attempt within the distributed network being protected, and (iii) forwarding respective information regarding the respective detected unauthorized access attempt within the distributed network being protected to the monitoring center external to the distributed network being protected. and processing respective information from the monitoring center regarding the respective detected unauthorized access attempt within the distributed network being protected,wherein the intrusion analysis system in cooperation with the first and second intrusion detection systems enable communications between the monitoring center and an entity attempting the respective unauthorized access attempt without the entity being made aware that the entity attempting the respective unauthorized access attempt is communicating with the monitoring center,wherein the monitoring center sends information to the analysis system and intended for the entity attempting the unauthorized access attempt, the analysis system substitutes origin information of the monitoring center from the received information with origin information of a target of the respective unauthorized access attempt and forwards the substituted information to the entity attempting the respective unauthorized access attempt, whereby it appears to the entity attempting the respective unauthorized access attempt that communications are continuing with the target of the respective unauthorized access attempt, andwherein the intrusion analysis system in cooperation with the first intrusion detection system engages the entity attempting the respective unauthorized access attempt to determine the location or origin of the entity attempting the respective unauthorized access attempt.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 29. The method of claim 28, wherein the intrusion analysis system communicates with monitoring center via a secure tunnel.
  - 30. The method of claim 28, wherein the respective communications from the monitoring center to the entity attempting the respective unauthorized access attempt are modified, via the intrusion analysis system and the respective first and second intrusion detection systems, to appear as if the communications originate from the distributed network being protected.
  - 31. The method of claim 28, wherein the intrusion analysis system logs respective information regarding communications with the entity attempting the respective unauthorized access attempt.
  - 32. The method of claim 28, wherein the first and second intrusion detection modules respectively detect whether or not the respective possible unauthorized access attempt into or within the distributed network being protected is internal or external to the network being protected.
  - 33. The method of claim 28, wherein if second intrusion detection module detects that the possible respective unauthorized access attempt is internal to the network being protected, the second intrusion detection module forwards via the second communications management module respective information regarding the possible internal unauthorized access attempt to the intrusion analysis module, and the intrusion analysis module evaluates the received information and if the intrusion analysis module determines that the possible internal unauthorized access attempt is not authorized, the intrusion analysis module determines whether or not a retaliatory action should be taken, including handling the unauthorized access attempt internally or providing information to the monitoring center regarding the unauthorized access attempt.
  - 34. The method of claim 28, wherein the monitoring center comprises a law enforcement entity.
  - 35. The method of claim 28, the system further comprising a database,wherein the intrusion analysis module employs the database, including respective information regarding previous respective unauthorized access attempts, to determine whether or not the respective detected possible unauthorized access attempt is authorized.
  - 36. The method of claim 35, wherein the database includes respective profiles of information related to one or more entities associated with the respective previous unauthorized access attempts, including origin information regarding the respective previous unauthorized access attempts.
  - 37. The method of claim 35, wherein the intrusion analysis module is configured to query the database to determine whether or not the respective possible unauthorized access attempt is an error in communications, including a bit error.
  - 38. The method of claim 28, wherein the intrusion analysis module is configured to determine based on respective historical profiles, and respective previous unauthorized access attempts whether or not the detected respective possible unauthorized access attempt is authorized.
  - 39. The method of claim 28, The system of claim 31, wherein the intrusion reaction coordination module determines the respective appropriate actions based on a number of respective previous unauthorized access attempts, and a nature of the respective unauthorized access attempt, including destructiveness of packets received during the respective unauthorized access attempt.
  - 40. The method of claim 28, wherein the intrusion reaction coordination module, to determine the respective appropriate actions, analyzes the respective information received by the first and second intrusion detection modules, respective historical information regarding respective unauthorized access attempts, respective source and destination ports of respective unauthorized access attempts, respective IP address information of respective unauthorized access attempts, and respective information received from a central repository that catalogs respective information related to respective unauthorized access attempts from one or more other protected networks.
  - 41. The method of claim 40, wherein the intrusion detection analysis is based on at least one of a look-up table, a neural network analysis, and a predetermined event sequence.
  - 42. The method of claim 28, wherein if the intrusion reaction coordination module determines that a responsive or retaliatory action is not required, the intrusion reaction coordination module respectively instructs the first and second intrusion detection modules to block communications from an entity attempting the respective unauthorized access attempt.
  - 43. The method of claim 28, wherein if the intrusion reaction coordination module determines that a responsive or retaliatory action is not required, the intrusion reaction coordination module respectively instructs the first and second intrusion detection modules to block communications from an entity that matches one or more characteristics of the respective unauthorized access attempt.
  - 44. The method of claim 35, wherein the intrusion reaction coordination module logs respective information regarding an entity attempting the respective unauthorized access attempt to the database for use in a future unauthorized access attempt by the entity.
  - 45. The method of claim 28, wherein the intrusion analysis module is configured to store information regarding an address to which the respective unauthorized access attempt was directed for use by the intrusion reaction coordination module to determine the respective appropriate actions.
  - 46. The method of claim 35, wherein upon receipt of a respective communication from the monitoring center, the first and second intrusion detection systems in cooperation with the intrusion analysis system analyze the respective communication, determine address information of a source of the respective communication from the monitoring center, and remove the address information from the respective communication from the monitoring center leaving the remaining information for further analysis.
  - 47. The method of claim 46, wherein the address information of the source of the communication from the monitoring center is stored in the database, and the intrusion analysis module is configured to use the address information to communicate information to the monitoring center, including information regarding a response to a password request by an entity attempting the unauthorized access attempt.
  - 48. The method of claim 28, wherein the first and second intrusion detection systems in cooperation with the intrusion analysis system conceal an identity of the monitoring center, communicate respective information with the monitoring center, and screen respective underlying content in the communicated information, including removing sensitive information from the communicated information.
  - 49. The method of claim 48, wherein the first and second intrusion detection systems in cooperation with the intrusion analysis system employ a policy file to regulate the screening and removing of the sensitive information, including removing all content or core information, removing content having certain words, and removing content originating from a predetermined location.
  - 50. The method of claim 28, wherein the first and second intrusion detection systems and the intrusion analysis system cooperate with the monitoring center to aid in detecting a source of the respective unauthorized access attempt.
  - 51. The method of claim 50, wherein the first and second intrusion detection systems in cooperation with the intrusion analysis system receive from the monitoring center respective information regarding unauthorized accesses or access attempts into or within distributed networks.
  - 52. The method of claim 51, wherein the first and second intrusion detection systems in cooperation with the intrusion analysis system analyze the respective information regarding unauthorized accesses or access attempts into or within the distributed networks received from the monitoring center to determine if the respective received information matches a profile or has characteristics corresponding to one or more respective known unauthorized access attempts.
  - 53. The method of claim 52, wherein, upon detection of an unauthorized access attempt, the first and second intrusion detection systems in cooperation with the intrusion analysis system forward information regarding the respective unauthorized access attempt to the monitoring center for inclusion in a central database that maintains the information regarding the respective unauthorized accesses or access attempts into or within the distributed networks.
  - 54. The method of claim 28, wherein said method is implemented with one or more hardware and/or software devices configured to perform the steps of the method.
  - 55. The method of claim 28, wherein said method is implemented with one or more computer readable instructions embedded on a computer readable medium and configured to cause one or more computer processors to perform the steps of the method.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Invicta Networks, Inc.
Original Assignee
Invicta Networks, Inc.
Inventors
Sheymov, Victor I, Turner, Roger B
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
Popham; Jeffrey D

Application Number

US09/925,503
Publication Number

US 20020023227A1
Time in Patent Office

2,545 Days
Field of Search

713/200, 379/44, 726 22- 23
US Class Current

726/23
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

Systems and methods for distributed network protection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

55 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for distributed network protection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

55 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links