Network intrusion detection and analysis system and method

US 7,493,659 B1
Filed: 03/05/2002
Issued: 02/17/2009
Est. Priority Date: 03/05/2002
Status: Active Grant

First Claim

Patent Images

1. An intrusion detection and analysis system comprising:

a data monitoring device comprising a capture engine operable to capture data passing through the network in response to a trigger and configured to monitor network traffic, decode protocols for grouping packets into different protocol presentations and assembling the packets into high level protocol groups, and analyze received data for managing the network by collecting statistics, and detecting broken lines, traffic loads, and network errors;

an intrusion detection device separate from the data monitoring device, the intrusion detection device comprising a detection engine operable to perform intrusion detection on data provided by the data monitoring device;

application program interfaces configured to allow the intrusion detection device access to applications of the data monitoring device to perform intrusion detection; and

memory for storing reference network information used by the intrusion detection device to determine if an intrusion has occurred;

wherein the application program interfaces allow the intrusion detection device to leverage the separate data monitoring device, by allowing the intrusion detection device to call an application program interface configured to open a protocol decoding application associated with the separate data monitoring device, and by allowing the intrusion detection device to call an application program interface configured to open an alarm generation application associated with the separate data monitoring device.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion detection and analysis system and method are disclosed. The system includes a data monitoring device comprising a capture engine operable to capture data passing through the network and configured to monitor network traffic, decode protocols, and analyze received data. The system further includes an intrusion detection device comprising a detection engine operable to perform intrusion detection on data provided by the data monitoring device. Application program interfaces are provided and configured to allow the intrusion detection device access to applications of the data monitoring device to perform intrusion detection. The system also includes memory for storing reference network information used by the intrusion detection device to determine if an intrusion has occurred.

360 Citations

16 Claims

1. An intrusion detection and analysis system comprising:
- a data monitoring device comprising a capture engine operable to capture data passing through the network in response to a trigger and configured to monitor network traffic, decode protocols for grouping packets into different protocol presentations and assembling the packets into high level protocol groups, and analyze received data for managing the network by collecting statistics, and detecting broken lines, traffic loads, and network errors;
  
  an intrusion detection device separate from the data monitoring device, the intrusion detection device comprising a detection engine operable to perform intrusion detection on data provided by the data monitoring device;
  
  application program interfaces configured to allow the intrusion detection device access to applications of the data monitoring device to perform intrusion detection; and
  
  memory for storing reference network information used by the intrusion detection device to determine if an intrusion has occurred;
  
  wherein the application program interfaces allow the intrusion detection device to leverage the separate data monitoring device, by allowing the intrusion detection device to call an application program interface configured to open a protocol decoding application associated with the separate data monitoring device, and by allowing the intrusion detection device to call an application program interface configured to open an alarm generation application associated with the separate data monitoring device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1 wherein the reference network information comprises a signature database including signature profiles associated with a known network security violation and wherein the detection engine is operable to compare the data provided by the data monitoring device with the signature profiles to detect network intrusions.
  - 3. The system of claim 2 further comprising a parser operable to parse, generate, and load signatures at the detection engine.
  - 4. The system of claim 1 wherein the reference network information comprises a baseline state of network traffic and wherein the detect engine is operable to compare the data received by the capture engine to the baseline network state and look for anomalies.
  - 5. The system of claim 4 wherein the data monitoring device provides the baseline state of network traffic.
  - 6. The system of claim 1 further comprising a log file configured to at least temporarily store reports generated by the detect engine.
  - 7. The system of claim 6 further comprising an alarm manager operable to generate alarms based on information generated by the log file.
  - 8. The system of claim 1 further comprising a filter configured to filter out packets received at the data monitoring device.
  - 9. The system of claim 1 wherein the capture engine is configured to forward packets and temporarily store packets for later analysis by the data monitoring device.

10. A method for performing intrusion detection with an intrusion detection and analysis system comprising a data monitoring device including a capture engine operable to capture data passing through the network in response to a trigger and configured to monitor network traffic, decode protocols for grouping packets into different protocol presentations and assembling the packets into high level protocol groups, and analyze received data for managing the network by collecting statistics, and detecting broken lines, traffic loads, and network errors, and an intrusion detection device separate from the data monitoring device, the intrusion detection device coupled to the data monitoring device and configured to perform intrusion detection on data provided by the data monitoring device;
- the method comprising;
  
  receiving data at the data monitoring device;
  
  capturing at least a portion of the packets contained within the data;
  
  by allowing the intrusion detection device to call at least one application program interface configured to open applications of the data monitoring device; and
  
  performing intrusion detection at the intrusion detection device utilizing at least one of the applications of the data monitoring device;
  
  wherein the at least one application program interface allows the intrusion detection device to leverage the separate data monitoring device, by allowing the intrusion detection device to call an application program interface configured to open a protocol decoding application associated with the separate data monitoring device, and by allowing the intrusion detection device to call an application program interface configured to open an alarm generation application associated with the separate data monitoring device.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10 further comprising filtering the data prior to capturing packets.
  - 12. The method of claim 10 wherein performing intrusion detection comprises performing signature matching.
  - 13. The method of claim 12 wherein the application program interfaces provide parsing of signatures used in signature matching.
  - 14. The method of claim 10 wherein performing intrusion detection comprises detecting anomalies in the received data.

15. A computer program product for performing intrusion detection with an intrusion detection and analysis system comprising a data monitoring device including a capture engine operable to capture data passing through the network in response to a trigger and configured to monitor network traffic, decode protocols for grouping packets into different protocol presentations and assembling the packets into high level protocol groups, and analyze received data for managing the network by collecting statistics, and detecting broken lines, traffic loads, and network errors, and an intrusion detection device separate from the data monitoring device, the intrusion detection device coupled to the data monitoring device and configured to perform intrusion detection on data provided by the data monitoring device;
- the product comprising;
  
  code that receives data at the data monitoring device;
  
  code that captures at least a portion of the packets contained within the data;
  
  code that calls at least one application program interface configured to open applications of the data monitoring device;
  
  code that performs intrusion detection at the intrusion detection device utilizing at least one of the applications of the data monitoring device; and
  
  a computer-readable storage medium for storing the codes;
  
  wherein the at least one application program interface allows the intrusion detection device to leverage the separate data monitoring device, by allowing the intrusion detection device to call an application program interface configured to open a protocol decoding application associated with the separate data monitoring device, and by allowing the intrusion detection device to call an application program interface configured to open an alarm generation application associated with the separate data monitoring device.
- View Dependent Claims (16)
- - 16. The computer program product of claim 15 wherein the computer readable storage medium is selected from the group consisting of CD-ROM, floppy disk, tape, flash memory, system memory, and hard drive.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Freedman, Jerome, Ivory, Christopher J., Wu, Handong
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Homayounmehr; Farid

Application Number

US10/091,645
Time in Patent Office

2,541 Days
Field of Search

713/200, 713/201, 713/154, 726/1, 726/26
US Class Current

726/26
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1425 Traffic logging, e.g. anoma...

Network intrusion detection and analysis system and method

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

360 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Network intrusion detection and analysis system and method

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

360 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links