Method and system for intrusion detection in a computer network

US 7,574,740 B1
Filed: 04/28/2000
Issued: 08/11/2009
Est. Priority Date: 04/28/2000
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented process for generating an advisory about an intrusion event in a computer network, comprising the steps of:

a. monitoring data packets carried by the computer network for a possible intrusion event;

b. detecting an intrusion event;

c. determining whether the detected intrusion event represents a qualified intrusion event having a known characteristic associated with a recognized attack and a detectable target vulnerability;

d. if the detected intrusion event is a qualified intrusion event, then identifying a network target and evaluating whether the network target is vulnerable to the detected intrusion event;

e. assigning the detected intrusion event with a ranking based on the vulnerability of the network target, wherein the advisory has the assigned ranking associated with a low priority attack event if the scan fails to identify a vulnerability of the scanned network target to the detected intrusion event; and

f. issuing the advisory having the assigned ranking.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion detection system for detecting intrusion events in a computer network and assessing the vulnerability of the network components to the detected events. The intrusion detection system comprises a scanner, one or more sensors and a security console for operation within a networked computing environment. A sensor of the inventive intrusion detection system can monitor the networked computing environment for possible intrusion events representing an unauthorized access or use of the network resources. In response to detecting an intrusion event, the sensor can generate a scan request for handling by a scanner. This request initiates a scan of the target computer by the scanner to determine the vulnerability of the target to the attack. Based on this vulnerability analysis, the inventive intrusion detection system can evaluate the severity of the detected intrusion event and issue an alert having a priority corresponding to the severity of the intrusion.

422 Citations

17 Claims

1. A computer-implemented process for generating an advisory about an intrusion event in a computer network, comprising the steps of:
- a. monitoring data packets carried by the computer network for a possible intrusion event;
  
  b. detecting an intrusion event;
  
  c. determining whether the detected intrusion event represents a qualified intrusion event having a known characteristic associated with a recognized attack and a detectable target vulnerability;
  
  d. if the detected intrusion event is a qualified intrusion event, then identifying a network target and evaluating whether the network target is vulnerable to the detected intrusion event;
  
  e. assigning the detected intrusion event with a ranking based on the vulnerability of the network target, wherein the advisory has the assigned ranking associated with a low priority attack event if the scan fails to identify a vulnerability of the scanned network target to the detected intrusion event; and
  
  f. issuing the advisory having the assigned ranking.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented process of claim 1, wherein the data packets are monitored by a sensor coupled to the computer network.
  - 3. The computer-implemented process of claim 2 further comprising the step of issuing a command to configure a security policy for the sensor associated with the scanned portion of the computer network in response to completing the evaluation of the vulnerability of the network resource to the detected intrusion event.
  - 4. The computer-implemented process of claim 1, wherein a scanner identifies the network target and evaluates whether the network target is vulnerable to the detected intrusion event.
  - 5. The computer-implemented process of claim 1, wherein the advisory defines the action to be taken in response to presentation of the advisory.
  - 6. The computer-implemented process of claim 1, wherein the advisory has the assigned ranking associated with a high priority attack event if the scan fails to identify a vulnerability of the scanned network target to the detected intrusion event.
  - 7. The computer-implemented process of claim 1 further comprising the step of issuing a command to configure exploits for a sensor associated with the scanned network resource in response to completing an assessment of the vulnerability of the network resource to the detected intrusion event, thereby configuring a security policy for the sensor without manual intervention.

8. A computer-implemented process for generating an advisory about an intrusion event of a computer network comprising a plurality of network resources, comprising the steps of:
- a. issuing a scan request in response to determining that a detected intrusion event represents a qualified intrusion event having a known characteristic associated with a recognized attack;
  
  b. responsive to the scan request, completing a scan focused on at least one of the network resources that is the subject of the attack to assess the vulnerability of each scanned network resource to the attack,c. generating the advisory comprising information representing a correlation of information about the detected intrusion event and the corresponding vulnerability of each scanned network resource and issuing the advisory having a priority ranking associated with a low priority attack event if the scan fails to identify a vulnerability of the scanned network resource to the detected possible intrusion event.
- View Dependent Claims (9)
- - 9. The computer-implemented process of claim 8, wherein the step of generating the advisory comprises issuing the advisory having a priority ranking associated with a high priority attack event if the scan identifies a vulnerability of the scanned network resource to the detected possible intrusion event.

10. A computer-implemented process for generating an advisory about an intrusion event of a computer network comprising a plurality of network resources, comprising the steps of:
- a. issuing a scan request in response to determining that a detected intrusion event represents a qualified intrusion event having a known characteristic associated with a recognized attack;
  
  b. responsive to the scan request, completing a scan focused on at least one of the network resources that is the subject of the attack to assess the vulnerability of each scanned network resource to the attack,c. generating the advisory comprising information representing a correlation of information about the detected intrusion event and the corresponding vulnerability of each scanned network resource and issuing the advisory having a priority ranking associated with a high priority attack event if the scan identifies a vulnerability of the scanned network resource to the detected possible intrusion event.
- View Dependent Claims (11)
- - 11. The computer-implemented process of claim 10, wherein the step of generating the advisory comprises issuing the advisory having a priority ranking associated with a low priority attack event if the scan fails to identify a vulnerability of the scanned network resource to the detected possible intrusion event.

12. A computer-implemented process for generating an advisory about an intrusion event in a computer network, comprising the steps of:
- a. monitoring data packets carried by the computer network for a possible intrusion event;
  
  b. detecting an intrusion event;
  
  c. determining whether the detected intrusion event represents a qualified intrusion event having a known characteristic associated with a recognized attack and a detectable target vulnerability;
  
  d. if the detected intrusion event is a qualified intrusion event, then identifying a network target and evaluating whether the network target is vulnerable to the detected intrusion event;
  
  e. assigning the detected intrusion event with a ranking based on the vulnerability of the network target, wherein the advisory has the assigned ranking associated with a high priority attack event if the scan fails to identify a vulnerability of the scanned network target to the detected intrusion event; and
  
  f. issuing the advisory having the assigned ranking.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer-implemented process of claim 12, wherein the data packets are monitored by a sensor coupled to the computer network.
  - 14. The computer-implemented process of claim 13, further comprising the step of issuing a command to configure a security policy for the sensor associated with the scanned portion of the computer network in response to completing the evaluation of the vulnerability of the network resource to the detected intrusion event.
  - 15. The computer-implemented process of claim 12, wherein a scanner identifies the network target and evaluates whether the network target is vulnerable to the detected intrusion event.
  - 16. The computer-implemented process of claim 12, wherein the advisory defines the action to be taken in response to presentation of the advisory.
  - 17. The computer-implemented process of claim 12, further comprising the step of issuing a command to configure exploits for a sensor associated with the scanned network resource in response to completing an assessment of the vulnerability of the network resource to the detected intrusion event, thereby configuring a security policy for the sensor without manual intervention.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kennis, Peter H.
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
Moorthy; Aravind K

Application Number

US09/561,588
Time in Patent Office

3,392 Days
Field of Search

713/201, 709/224
US Class Current

726/22
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1433 Vulnerability analysis

Method and system for intrusion detection in a computer network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

422 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for intrusion detection in a computer network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

422 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links