Floating intrusion detection platforms

US 7,565,692 B1
Filed: 05/30/2000
Issued: 07/21/2009
Est. Priority Date: 05/30/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for implementing an intrusion detection system in a network, comprising:

receiving a request from a central server at a software agent program installed on one of a plurality of remote computers to initiate an intrusion detection service, wherein the request is issued by the central server in response to a notification of a network intrusion, wherein the intrusion detection software includes a stop condition indicating when to stop executing the intrusion detection software, wherein the stop condition includes a condition that no intrusion has been detected for a period of time;

installing intrusion detection software on said remote computer via said software agent program in response to the request from the central server; and

executing said intrusion detection software on said remote computer via said software agent program.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is a “floating” intrusion detection system that can use any computer on the network as an intrusion detection platform. A software agent program called a “socket” is installed on each computer that is to be available to be an intrusion detection platform. A central server contains intrusion detection software as well as a database containing knowledge based rules and profiles for detecting intrusions. The central server can contact any computer that has a socket installed and direct that computer to become an intrusion detection platform. The selected computer then downloads, installs, and runs the intrusion detection software thus becoming an intrusion detection platform. Once the need has passed the central server can direct some of the platforms to stop running the software and return to their normal state.

37 Citations

View as Search Results

37 Claims

1. A method for implementing an intrusion detection system in a network, comprising:
- receiving a request from a central server at a software agent program installed on one of a plurality of remote computers to initiate an intrusion detection service, wherein the request is issued by the central server in response to a notification of a network intrusion, wherein the intrusion detection software includes a stop condition indicating when to stop executing the intrusion detection software, wherein the stop condition includes a condition that no intrusion has been detected for a period of time;
  
  installing intrusion detection software on said remote computer via said software agent program in response to the request from the central server; and
  
  executing said intrusion detection software on said remote computer via said software agent program.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1 further comprising:
    - receiving from the central server a request to terminate intrusion detection services at said software agent program.
  - 3. The method of claim 2 further comprising:
    - monitoring for fulfillment of a stop condition; and
      
      ceasing the execution of the intrusion detection software when the stop condition is fulfilled.
  - 4. The method of claim 3 wherein said stop condition is based on network traffic conditions.
  - 5. The method of claim 3 wherein said stop condition is an expiration time.
  - 6. The method of claim 2, further comprising monitoring for fulfillment of a stop condition at each of the plurality of remote computers executing intrusion detection software.
  - 7. The method of claim 6, wherein the stop condition for each of the plurality of computers is based on a time during which each of the plurality of computers has been executing instruction detection software.
  - 8. The method of claim 1 further comprising the step of:
    - selecting said remote computers from a plurality of eligible computers.
  - 9. The method of claim 8 wherein said selecting step is accomplished based on a network map.
  - 10. The method of claim 8 wherein said selecting step is accomplished based on a knowledge base.
  - 11. The method of claim 8 wherein said request is verified using a cryptographic authentication scheme.
  - 12. The method of claim 1 wherein said request is verified using a cryptographic authentication scheme.
  - 13. The method of claim 1 wherein said request includes a stop condition indicating when to stop executing the intrusion detection software.
  - 14. The method of claim 13 wherein said stop condition is an expiration time.
  - 15. The method of claim 13 wherein said stop condition is based on network traffic conditions.
  - 16. The method of claim 13, wherein the stop condition applies to all eligible computers.
  - 17. The method of claim 1, wherein intrusion detection services are initiated at a plurality of remote computers selected based on a number of intrusion detection platforms that are currently active.
  - 18. The method of claim 1, wherein intrusion detection services are initiated at a plurality of remote computers selected based on predetermined numbers of maximum and minimum limits on a number of intrusion detection platforms.

19. A system for detecting intrusions in a computer network comprising:
- a plurality of computers executing software agents;
  
  a database configured to store at least one rule defining at least one response to a network intrusion; and
  
  an intrusion detection server configured to send a request to install and execute intrusion detection software to software agents at the plurality of the computers when intrusion detection services are needed based on the at least one rule stored in said database, wherein the intrusion detection software includes a stop condition indicating when to stop executing the intrusion detection software, wherein the stop condition includes a condition that no intrusion has been detected for a period of time.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The system of claim 19 wherein said intrusion detection server increases the number of said plurality of computers executing intrusion detection software when a network intrusion is detected.
  - 21. The system of claim 19 wherein said intrusion detection server changes the number of said plurality of computers executing intrusion detection software when the level of network traffic changes.
  - 22. The system of claim 19 wherein said intrusion detection server changes the number of said plurality of computers executing intrusion detection software depending on the time of day.
  - 23. The system of claim 19 wherein said database contains information about the plurality of computers.
  - 24. The system of claim 23 wherein said information includes a map of said computer network.
  - 25. The system of claim 19 wherein said database contains a knowledge base.

26. An article of manufacture comprising a computer-readable medium having stored thereon instructions adapted to be executed by a processor, the instructions which, when executed, define a series of steps to be used to perform network intrusion detection, said steps comprising:
- receiving notification of a network intrusion at a central server;
  
  transmitting an intrusion detection software installation request from the central server to a plurality of remote computers in response to the notification, wherein the request includes a stop condition indicating when to stop executing the intrusion detection software, wherein the stop condition includes a condition that no intrusion has been detected for a period of time; and
  
  installing intrusion detection software on the plurality of remote computers via a software agent program in response to the request.
- View Dependent Claims (27, 28, 29, 30, 31, 32)
- - 27. The article of manufacture of claim 26, further comprising the step of selecting said remote computers from a plurality of eligible computers based on the notification of a network intrusion.
  - 28. The article of manufacture of claim 27 wherein said selecting step is accomplished based on a network map.
  - 29. The article of manufacture of claim 27 wherein said selecting step is accomplished based on a knowledge base.
  - 30. The article of manufacture of claim 26 wherein said request is verified using a cryptographic authentication scheme.
  - 31. The article of manufacture of claim 26 wherein said stop condition is an expiration time.
  - 32. The article of manufacture of claim 26 wherein said stop condition is based on network traffic conditions.

33. A method for intrusion detection in a network comprising:
- receiving indication of a possible network intrusion;
  
  selecting one of a plurality of computers in the network to become an intrusion detection platform, wherein selecting one of the plurality of computers is based on the indication of a possible network intrusion;
  
  sending a request from a central server to the selected computer to install and execute intrusion detection software, wherein the request is sent in response to the received indication of the possible network intrusion; and
  
  sending a message to the selected computer to cease execution of the intrusion detection software when a stop condition is detected, wherein the stop condition includes a condition that no intrusion has been detected for a period of time.
- View Dependent Claims (34, 35, 36, 37)
- - 34. The method of claim 33 wherein receiving the indication of a possible network intrusion comprises receiving an indication of a part of the network that is a target of the possible network intrusion;
    - andwherein selecting one of the plurality of computers is based on the indication of the target of the possible network intrusion.
  - 35. The method of claim 34 wherein selecting one of the plurality of computers is based on the indication of the target of the possible network intrusion comprises selecting a computer at or near the target of the possible network intrusion.
  - 36. The method of claim 33 wherein selecting one of the plurality of computers is based on the indication of a possible network intrusion includes selecting of the computer based on an unusual pattern of network traffic.
  - 37. The method of claim 33 wherein selecting one of the plurality of computers if is based on the indication of a possible network intrusion includes selecting one of the plurality of computers based on an unusual number of incoming network packets directed at a network segment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Mobility II LLC (AT&T, Inc.)
Original Assignee
AT&T Wireless Services Incorporated (AT&T, Inc.)
Inventors
Maria, Arturo
Primary Examiner(s)
COLIN, CARL G

Application Number

US09/580,689
Time in Patent Office

3,339 Days
Field of Search

714/18, 395/187, 395/650, 713/200, 713/201, 713/190, 713/193, 713/194, 709/224, 709/225, 726/23, 726 22- 25
US Class Current

726/23
CPC Class Codes

H04L 41/046   comprising network manageme...

H04L 41/048   mobile agents

H04L 41/28   Restricting access to netwo...

H04L 43/00   Arrangements for monitoring...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

Floating intrusion detection platforms

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Floating intrusion detection platforms

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links