Network intrusion detection and analysis system and method
First Claim
1. An intrusion detection and analysis system comprising:
a data monitoring device comprising a capture engine operable to capture data passing through the network in response to a trigger and configured to monitor network traffic, decode protocols for grouping packets into different protocol presentations and assembling the packets into high level protocol groups, and analyze received data for managing the network by collecting statistics, and detecting broken lines, traffic loads, and network errors;
an intrusion detection device separate from the data monitoring device, the intrusion detection device comprising a detection engine operable to perform intrusion detection on data provided by the data monitoring device;
application program interfaces configured to allow the intrusion detection device access to applications of the data monitoring device to perform intrusion detection; and
memory for storing reference network information used by the intrusion detection device to determine if an intrusion has occurred;
wherein the application program interfaces allow the intrusion detection device to leverage the separate data monitoring device, by allowing the intrusion detection device to call an application program interface configured to open a protocol decoding application associated with the separate data monitoring device, and by allowing the intrusion detection device to call an application program interface configured to open an alarm generation application associated with the separate data monitoring device.
Abstract
An intrusion detection and analysis system and method are disclosed. The system includes a data monitoring device comprising a capture engine operable to capture data passing through the network and configured to monitor network traffic, decode protocols, and analyze received data. The system further includes an intrusion detection device comprising a detection engine operable to perform intrusion detection on data provided by the data monitoring device. Application program interfaces are provided and configured to allow the intrusion detection device access to applications of the data monitoring device to perform intrusion detection. The system also includes memory for storing reference network information used by the intrusion detection device to determine if an intrusion has occurred.
16 Claims
1. An intrusion detection and analysis system comprising:
a data monitoring device comprising a capture engine operable to capture data passing through the network in response to a trigger and configured to monitor network traffic, decode protocols for grouping packets into different protocol presentations and assembling the packets into high level protocol groups, and analyze received data for managing the network by collecting statistics, and detecting broken lines, traffic loads, and network errors;
an intrusion detection device separate from the data monitoring device, the intrusion detection device comprising a detection engine operable to perform intrusion detection on data provided by the data monitoring device;
application program interfaces configured to allow the intrusion detection device access to applications of the data monitoring device to perform intrusion detection; and
memory for storing reference network information used by the intrusion detection device to determine if an intrusion has occurred;
wherein the application program interfaces allow the intrusion detection device to leverage the separate data monitoring device, by allowing the intrusion detection device to call an application program interface configured to open a protocol decoding application associated with the separate data monitoring device, and by allowing the intrusion detection device to call an application program interface configured to open an alarm generation application associated with the separate data monitoring device.
(Dependent claims 2, 3, 4, 5, 6, 7, 8, 9 not shown.)

10. A method for performing intrusion detection with an intrusion detection and analysis system comprising a data monitoring device including a capture engine operable to capture data passing through the network in response to a trigger and configured to monitor network traffic, decode protocols for grouping packets into different protocol presentations and assembling the packets into high level protocol groups, and analyze received data for managing the network by collecting statistics, and detecting broken lines, traffic loads, and network errors, and an intrusion detection device separate from the data monitoring device, the intrusion detection device coupled to the data monitoring device and configured to perform intrusion detection on data provided by the data monitoring device; the method comprising:
receiving data at the data monitoring device;
capturing at least a portion of the packets contained within the data;
by allowing the intrusion detection device to call at least one application program interface configured to open applications of the data monitoring device; and
performing intrusion detection at the intrusion detection device utilizing at least one of the applications of the data monitoring device;
wherein the at least one application program interface allows the intrusion detection device to leverage the separate data monitoring device, by allowing the intrusion detection device to call an application program interface configured to open a protocol decoding application associated with the separate data monitoring device, and by allowing the intrusion detection device to call an application program interface configured to open an alarm generation application associated with the separate data monitoring device.
(Dependent claims 11, 12, 13, 14 not shown.)

15. A computer program product for performing intrusion detection with an intrusion detection and analysis system comprising a data monitoring device including a capture engine operable to capture data passing through the network in response to a trigger and configured to monitor network traffic, decode protocols for grouping packets into different protocol presentations and assembling the packets into high level protocol groups, and analyze received data for managing the network by collecting statistics, and detecting broken lines, traffic loads, and network errors, and an intrusion detection device separate from the data monitoring device, the intrusion detection device coupled to the data monitoring device and configured to perform intrusion detection on data provided by the data monitoring device; the product comprising:
code that receives data at the data monitoring device;
code that captures at least a portion of the packets contained within the data;
code that calls at least one application program interface configured to open applications of the data monitoring device;
code that performs intrusion detection at the intrusion detection device utilizing at least one of the applications of the data monitoring device; and
a computer-readable storage medium for storing the codes;
wherein the at least one application program interface allows the intrusion detection device to leverage the separate data monitoring device, by allowing the intrusion detection device to call an application program interface configured to open a protocol decoding application associated with the separate data monitoring device, and by allowing the intrusion detection device to call an application program interface configured to open an alarm generation application associated with the separate data monitoring device.
(Dependent claim 16 not shown.)
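An added illustration (hypothetical Python, not the patent's or any assignee's code) of the architecture the claims describe: a data monitoring device whose capture engine fills a buffer in response to a trigger, and a separate intrusion detection device that reaches the monitor's protocol decoding and alarm generation applications only through exposed APIs, comparing the decoded protocol groups against reference network information held in memory. The packet records, addresses and allowed-destination reference are constructed sample values.

```python
from collections import defaultdict
# Constructed sample traffic standing in for packets passing through the network.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": "HTTP", "len": 320},
    {"src": "10.0.0.5", "dst": "10.0.0.21", "proto": "DNS", "len": 64},
    {"src": "10.0.0.9", "dst": "10.0.0.30", "proto": "HTTP", "len": 900},
    {"src": "10.0.0.9", "dst": "10.0.0.20", "proto": "TELNET", "len": 58},
]

class DataMonitoringDevice:
    def __init__(self, wire):
        self._wire = wire      # packets on the monitored segment
        self.captured = []     # capture buffer, filled in response to a trigger
        self.alarms = []       # output of the alarm generation application
    def capture(self, trigger):
        # Capture engine: retain only the packets for which the trigger fires.
        self.captured = [p for p in self._wire if trigger(p)]
    def open_protocol_decoder(self):
        # API: open the protocol decoding application (groups packets by protocol).
        def decode(packets):
            groups = defaultdict(list)
            for p in packets:
                groups[p["proto"]].append(p)
            return dict(groups)
        return decode
    def open_alarm_generator(self):
        # API: open the alarm generation application.
        return self.alarms.append

class IntrusionDetectionDevice:
    def __init__(self, monitor, reference):
        self.monitor = monitor      # the separate data monitoring device
        self.reference = reference  # reference network information held in memory
    def detect(self):
        decode = self.monitor.open_protocol_decoder()
        alarm = self.monitor.open_alarm_generator()
        findings = []
        for proto, pkts in decode(self.monitor.captured).items():
            allowed = self.reference.get(proto)   # None: protocol absent from reference
            for p in pkts:
                if allowed is None or p["dst"] not in allowed:
                    alarm(f"{proto} {p['src']}->{p['dst']} deviates from reference")
                    findings.append((proto, p["src"], p["dst"]))
        return findings

def run_demo():
    monitor = DataMonitoringDevice(SAMPLE_PACKETS)
    monitor.capture(lambda p: p["len"] > 50)  # trigger: frames longer than 50 bytes
    ids = IntrusionDetectionDevice(monitor, {"HTTP": {"10.0.0.20"}, "DNS": {"10.0.0.21"}})
    return len(monitor.captured), ids.detect(), list(monitor.alarms)
```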
Specification