Intrusion detection system
Abstract
An intrusion detection system monitors the rate and characteristics of Internet attacks on a computer network and filters attack alerts based upon various rates and frequencies of the attacks. The intrusion detection system monitors attacks on other hosts, determines whether the attacks are random or general attacks or attacks directed towards a specific computer network, and generates a corresponding signal. The intrusion detection system also tests a computer network's vulnerability to attacks detected on the other monitored hosts.
Claims
1. A computer network intrusion detection system comprising:
a plurality of different log analyzers for different external networks, each log analyzer being configured for detecting attacks upon a firewall in a corresponding one of the different external networks defining an edge detection network;
an edge database log coupled to the different log analyzers logging attacks upon the different external networks;
an intrusion detector coupled to a client network and configured to detect external attacks upon the client network;
an analyzer coupled to said intrusion detector for analyzing each detected attack and determining a characteristic indicative thereof to classify each detected attack as a general attack or a client specific attack based upon logged attacks in the edge database log; and
a filter coupled to said analyzer for generating an alert based upon characteristics of a plurality of attacks;
a second intrusion detector for detecting external attacks upon a second computer network; and
a second analyzer coupled to said second intrusion detector for analyzing each detected attack upon the second network and determining a characteristic indicative thereof, wherein said filter is further coupled to said second analyzer and further compares the attack characteristics determined by said analyzer and said second analyzer and generates a specific attack alert in response to a substantial absence of similarity in the comparison.
4. A method of generating a network intrusion alert for a first network coupled to a multiple client network system comprising the steps of:
logging attacks on multiple different external networks defining an edge detection network;
detecting an attack on a client network;
classifying the attack as either a general attack or a client specific attack by comparing the attack to attacks logged for the edge detection network;
prioritizing handling of the detected attack if the attack is classified as a general attack;
generating a first alert in response to an absence of a match between the attack and the attacks logged for the edge detection network, wherein the first alert is indicative of a client specific attack on the first network; and
generating a second alert in response to a presence of a match between the attack and the attacks logged for the edge detection network, wherein the second alert is indicative of a general attack on the first network.
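The classification of claim 4 (edge-log match means a general attack, no match means a client specific attack) and the cross-network comparison of claim 1 (a specific attack alert when two analyzers' attack characteristics show a substantial absence of similarity), as an added illustration that is not the patent's own embodiment. The attack characteristics (signature and source), the Jaccard overlap as the similarity measure, the similarity threshold and all sample data are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Attack:
    """One detected attack; signature and source are the characteristics compared (assumed)."""
    signature: str   # detector rule that fired, e.g. "SSH brute force"
    src: str         # attacking source address

class EdgeLog:
    """Edge database log fed by the log analyzers of the external (edge) networks."""
    def __init__(self):
        self.seen = Counter()   # (signature, src) -> number of edge observations

    def log(self, attack):
        self.seen[(attack.signature, attack.src)] += 1

    def matches(self, attack):
        return self.seen[(attack.signature, attack.src)] > 0

def classify(attack, edge_log):
    """Claim 4: a match in the edge log means a general (Internet-wide) attack, the
    'second alert'; no match means a client specific attack, the 'first alert'."""
    return "general" if edge_log.matches(attack) else "client-specific"

def characteristic_similarity(attacks_a, attacks_b):
    """Jaccard overlap of the characteristic sets two analyzers reported (assumed metric)."""
    a = {(x.signature, x.src) for x in attacks_a}
    b = {(x.signature, x.src) for x in attacks_b}
    if not a and not b:
        return 1.0          # nothing observed on either side: nothing to distinguish
    return len(a & b) / len(a | b)

def cross_network_filter(attacks_a, attacks_b, min_similarity=0.25):
    """The filter of claim 1: compare two client networks' attack characteristics and
    raise a specific attack alert when similarity is substantially absent (threshold assumed)."""
    sim = characteristic_similarity(attacks_a, attacks_b)
    return ("specific-attack-alert", sim) if sim < min_similarity else (None, sim)

# Constructed sample data (RFC 5737 documentation addresses), not real observations.
EDGE = EdgeLog()
for atk in [Attack("SSH brute force", "198.51.100.7"),   # seen on edge network 1
            Attack("SSH brute force", "198.51.100.7"),   # same source seen on edge network 2
            Attack("SMB scan", "203.0.113.9")]:
    EDGE.log(atk)

CLIENT_A = [Attack("SSH brute force", "198.51.100.7"), Attack("SQLi on /login", "192.0.2.44")]
CLIENT_B = [Attack("SSH brute force", "198.51.100.7"), Attack("SMB scan", "203.0.113.9")]
```

Run against the constructed data, the SSH source seen on both edge networks classifies as general, the SQL injection seen nowhere on the edge classifies as client-specific, and the filter only raises the specific attack alert when client A's characteristics share nothing with client B's.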
Specification