Method and system for intrusion detection in a computer network
Abstract
An intrusion detection system for detecting intrusion events in a computer network and assessing the vulnerability of the network components to the detected events. The intrusion detection system comprises a scanner, one or more sensors and a security console for operation within a networked computing environment. A sensor of the inventive intrusion detection system can monitor the networked computing environment for possible intrusion events representing an unauthorized access or use of the network resources. In response to detecting an intrusion event, the sensor can generate a scan request for handling by a scanner. This request initiates a scan of the target computer by the scanner to determine the vulnerability of the target to the attack. Based on this vulnerability analysis, the inventive intrusion detection system can evaluate the severity of the detected intrusion event and issue an alert having a priority corresponding to the severity of the intrusion.
422 Citations
17 Claims
1. A computer-implemented process for generating an advisory about an intrusion event in a computer network, comprising the steps of:
a. monitoring data packets carried by the computer network for a possible intrusion event;
b. detecting an intrusion event;
c. determining whether the detected intrusion event represents a qualified intrusion event having a known characteristic associated with a recognized attack and a detectable target vulnerability;
d. if the detected intrusion event is a qualified intrusion event, then identifying a network target and evaluating whether the network target is vulnerable to the detected intrusion event;
e. assigning the detected intrusion event with a ranking based on the vulnerability of the network target, wherein the advisory has the assigned ranking associated with a low priority attack event if the scan fails to identify a vulnerability of the scanned network target to the detected intrusion event; and
f. issuing the advisory having the assigned ranking.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer-implemented process for generating an advisory about an intrusion event of a computer network comprising a plurality of network resources, comprising the steps of:
a. issuing a scan request in response to determining that a detected intrusion event represents a qualified intrusion event having a known characteristic associated with a recognized attack;
b. responsive to the scan request, completing a scan focused on at least one of the network resources that is the subject of the attack to assess the vulnerability of each scanned network resource to the attack;
c. generating the advisory comprising information representing a correlation of information about the detected intrusion event and the corresponding vulnerability of each scanned network resource and issuing the advisory having a priority ranking associated with a low priority attack event if the scan fails to identify a vulnerability of the scanned network resource to the detected possible intrusion event.
Dependent claims: 9.
10. A computer-implemented process for generating an advisory about an intrusion event of a computer network comprising a plurality of network resources, comprising the steps of:
a. issuing a scan request in response to determining that a detected intrusion event represents a qualified intrusion event having a known characteristic associated with a recognized attack;
b. responsive to the scan request, completing a scan focused on at least one of the network resources that is the subject of the attack to assess the vulnerability of each scanned network resource to the attack;
c. generating the advisory comprising information representing a correlation of information about the detected intrusion event and the corresponding vulnerability of each scanned network resource and issuing the advisory having a priority ranking associated with a high priority attack event if the scan identifies a vulnerability of the scanned network resource to the detected possible intrusion event.
Dependent claims: 11.
12. A computer-implemented process for generating an advisory about an intrusion event in a computer network, comprising the steps of:
a. monitoring data packets carried by the computer network for a possible intrusion event;
b. detecting an intrusion event;
c. determining whether the detected intrusion event represents a qualified intrusion event having a known characteristic associated with a recognized attack and a detectable target vulnerability;
d. if the detected intrusion event is a qualified intrusion event, then identifying a network target and evaluating whether the network target is vulnerable to the detected intrusion event;
e. assigning the detected intrusion event with a ranking based on the vulnerability of the network target, wherein the advisory has the assigned ranking associated with a high priority attack event if the scan fails to identify a vulnerability of the scanned network target to the detected intrusion event; and
f. issuing the advisory having the assigned ranking.
Dependent claims: 13, 14, 15, 16, 17.
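The sensor/scanner/console flow described in the abstract and in claims 1, 8 and 10 (detect, check that the event is qualified, scan the target, rank the advisory high only when the scan confirms the vulnerability), as an added Python simulation that is not the patent's code. The signature registry, host inventory and packet records are constructed stand-ins for a real sensor and scanner.

```python
from dataclasses import dataclass

# Constructed signature registry: recognized attack -> the target vulnerability a
# scanner can check for, or None when no target vulnerability is detectable.
SIGNATURES = {"web_dir_traversal": "web_traversal_vuln", "smtp_user_probe": None}
# Constructed host inventory the scanner stub consults: address -> vulnerabilities present.
HOSTS = {"10.0.0.5": {"web_traversal_vuln"}, "10.0.0.9": set()}

@dataclass
class Event:
    signature: str
    target: str

@dataclass
class Advisory:
    event: Event
    priority: str  # "high" if the scan confirmed the vulnerability, otherwise "low"
    scanned: bool  # False when the event was not qualified and no scan was requested

def sensor(packets):
    """Steps a-b: monitor packet records and emit an Event for each signature hit."""
    return [Event(p["sig"], p["dst"]) for p in packets if p.get("sig") in SIGNATURES]

def qualified(event):
    """Step c: a recognized attack that also has a detectable target vulnerability."""
    return SIGNATURES.get(event.signature) is not None

def scan(target, vuln):
    """Scanner stub for step d: is the named vulnerability present on the target?"""
    return vuln in HOSTS.get(target, set())

def console(events):
    """Steps d-f: scan the target of each qualified event, rank, issue advisories.
    Unqualified events are issued at low priority without a scan (an assumption;
    the claims do not specify their ranking)."""
    advisories = []
    for ev in events:
        if not qualified(ev):
            advisories.append(Advisory(ev, "low", scanned=False))
            continue
        vulnerable = scan(ev.target, SIGNATURES[ev.signature])
        advisories.append(Advisory(ev, "high" if vulnerable else "low", scanned=True))
    return advisories

# Constructed packet records: one signature against a vulnerable host and a patched
# host, an unqualified signature, and a packet with no signature match.
PACKETS = [{"dst": "10.0.0.5", "sig": "web_dir_traversal"},
           {"dst": "10.0.0.9", "sig": "web_dir_traversal"},
           {"dst": "10.0.0.5", "sig": "smtp_user_probe"}, {"dst": "10.0.0.5"}]
```

Running `console(sensor(PACKETS))` yields one high-priority advisory for the vulnerable host and low-priority advisories for the patched host and the unscanned event, which is the noise reduction the correlation step is meant to provide.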