Floating intrusion detection platforms
Abstract
The present invention is a “floating” intrusion detection system that can use any computer on the network as an intrusion detection platform. A software agent program called a “socket” is installed on each computer that is to be available to be an intrusion detection platform. A central server contains intrusion detection software as well as a database containing knowledge based rules and profiles for detecting intrusions. The central server can contact any computer that has a socket installed and direct that computer to become an intrusion detection platform. The selected computer then downloads, installs, and runs the intrusion detection software thus becoming an intrusion detection platform. Once the need has passed the central server can direct some of the platforms to stop running the software and return to their normal state.
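The abstract describes an orchestration loop rather than a specific detection engine: dormant per-host agents ("sockets"), a central server that activates some of them when an intrusion is reported, and a stop condition (no detection for a period of time) that returns them to their normal state. The simulation below is an added example, not code from the patent or its assignee, and everything in it is constructed: the host names, the `/24` subnet labels used for selection, the single port-sweep rule standing in for the knowledge-based rule database, and the event timeline. It shows the part practitioners most often get wrong in this design, the idle timer: it must start at activation (otherwise a platform that never sees an intrusion never stops) and reset on every detection.

```python
"""Simulation of a 'floating' IDS: dormant agents, a central server that
activates them on an intrusion notification, and an idle-based stop condition.
All hosts, subnets, rules and events below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Optional

Event = dict  # constructed network event, e.g. {"src": "10.0.1.77", "dst_port": 22}


@dataclass
class StopCondition:
    """Carried in the install request: cease when no intrusion has been
    detected for `idle_seconds` (the condition named in the claims)."""
    idle_seconds: float


@dataclass
class Socket:
    """Per-host agent. It stays dormant until the central server directs it
    to download, install and run the detection software."""
    host: str
    subnet: str
    running: bool = False
    rules: list = field(default_factory=list)
    stop: Optional[StopCondition] = None
    last_detection: float = 0.0
    ports_seen: dict = field(default_factory=dict)  # src -> set of dst ports
    alerts: list = field(default_factory=list)

    def install_and_run(self, rules: list, stop: StopCondition, now: float) -> None:
        self.running, self.rules, self.stop = True, list(rules), stop
        self.last_detection = now  # idle timer starts at activation, not at first alert
        self.ports_seen.clear()

    def observe(self, event: Event, now: float) -> bool:
        """Feed one event; returns True if any rule classes it as an intrusion."""
        if not self.running:
            return False
        self.ports_seen.setdefault(event["src"], set()).add(event["dst_port"])
        hit = any(rule(self, event) for rule in self.rules)
        if hit:
            self.last_detection = now  # every detection resets the idle timer
            self.alerts.append((now, event["src"]))
        return hit

    def idle_for(self, now: float) -> float:
        return now - self.last_detection

    def stop_and_restore(self) -> None:
        """Return to the normal (non-IDS) state."""
        self.running, self.rules, self.stop = False, [], None
        self.ports_seen.clear()


def port_sweep_rule(agent: Socket, event: Event, threshold: int = 5) -> bool:
    """Constructed knowledge-based rule: one source touching >= threshold distinct ports."""
    return len(agent.ports_seen[event["src"]]) >= threshold


class CentralServer:
    """Holds the rules and decides which sockets become IDS platforms."""

    def __init__(self, sockets: list, rules: list, stop: StopCondition):
        self.sockets = {s.host: s for s in sockets}
        self.rules, self.stop, self.log = rules, stop, []

    def on_intrusion_notification(self, subnet: str, now: float) -> list:
        """Select every dormant socket on the affected subnet and activate it."""
        chosen = [s for s in self.sockets.values() if s.subnet == subnet and not s.running]
        for s in chosen:
            s.install_and_run(self.rules, self.stop, now)
            self.log.append((now, "activate", s.host))
        return [s.host for s in chosen]

    def poll(self, now: float) -> list:
        """Apply the stop condition; returns the hosts sent a stop message."""
        stopped = []
        for s in self.sockets.values():
            if s.running and s.idle_for(now) >= s.stop.idle_seconds:
                s.stop_and_restore()
                stopped.append(s.host)
                self.log.append((now, "deactivate", s.host))
        return stopped


def run_scenario() -> dict:
    """Constructed timeline: a notification for 10.0.1.0/24 at t=0, a port sweep
    against ws-01 at t=5..10, then polls at t=30 and t=80 with a 60 s idle limit."""
    sockets = [Socket("ws-01", "10.0.1.0/24"), Socket("ws-02", "10.0.1.0/24"),
               Socket("db-01", "10.0.2.0/24")]
    server = CentralServer(sockets, [port_sweep_rule], StopCondition(idle_seconds=60))
    activated = server.on_intrusion_notification("10.0.1.0/24", now=0)
    events = [(5 + i, {"src": "10.0.1.77", "dst_port": 20 + i}) for i in range(6)]
    hits = [t for t, e in events if sockets[0].observe(e, t)]
    return {
        "activated": activated,
        "first_alert_at": hits[0],
        "alerts": len(hits),
        "stopped_at_30": server.poll(now=30),  # 20 s idle on ws-01: keep running
        "stopped_at_80": server.poll(now=80),  # 70 s idle: stop and restore
        "db_ever_running": sockets[2].running,  # other subnet, never selected
    }
```

Selection here is by subnet only; the claims leave the selection policy open, and a real deployment would also weigh host load and network position. Note that `ws-02` stops at the same poll even though it never raised an alert, because its timer ran from activation, which is the behaviour the stop condition in the claims asks for.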
Claims (37)
1. A method for implementing an intrusion detection system in a network, comprising:
receiving a request from a central server at a software agent program installed on one of a plurality of remote computers to initiate an intrusion detection service, wherein the request is issued by the central server in response to a notification of a network intrusion, wherein the intrusion detection software includes a stop condition indicating when to stop executing the intrusion detection software, wherein the stop condition includes a condition that no intrusion has been detected for a period of time;
installing intrusion detection software on said remote computer via said software agent program in response to the request from the central server; and
executing said intrusion detection software on said remote computer via said software agent program.
Dependent claims: 2 to 18.
19. A system for detecting intrusions in a computer network comprising:
a plurality of computers executing software agents;
a database configured to store at least one rule defining at least one response to a network intrusion; and
an intrusion detection server configured to send a request to install and execute intrusion detection software to software agents at the plurality of the computers when intrusion detection services are needed based on the at least one rule stored in said database, wherein the intrusion detection software includes a stop condition indicating when to stop executing the intrusion detection software, wherein the stop condition includes a condition that no intrusion has been detected for a period of time.
Dependent claims: 20 to 25.
26. An article of manufacture comprising a computer-readable medium having stored thereon instructions adapted to be executed by a processor, the instructions which, when executed, define a series of steps to be used to perform network intrusion detection, said steps comprising:
receiving notification of a network intrusion at a central server;
transmitting an intrusion detection software installation request from the central server to a plurality of remote computers in response to the notification, wherein the request includes a stop condition indicating when to stop executing the intrusion detection software, wherein the stop condition includes a condition that no intrusion has been detected for a period of time; and
installing intrusion detection software on the plurality of remote computers via a software agent program in response to the request.
Dependent claims: 27 to 32.
33. A method for intrusion detection in a network comprising:
receiving indication of a possible network intrusion;
selecting one of a plurality of computers in the network to become an intrusion detection platform, wherein selecting one of the plurality of computers is based on the indication of a possible network intrusion;
sending a request from a central server to the selected computer to install and execute intrusion detection software, wherein the request is sent in response to the received indication of the possible network intrusion; and
sending a message to the selected computer to cease execution of the intrusion detection software when a stop condition is detected, wherein the stop condition includes a condition that no intrusion has been detected for a period of time.
Dependent claims: 34 to 37.
Specification