Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems
Abstract
Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
33 Claims
1. A method of responding to a threat to a threatened computer, comprising:
detecting a first intrusion attempt;
storing information related to the first intrusion attempt in a one-way data structure that is used to hide information about the first intrusion attempt, wherein the one-way data structure is a bloom filter, the storing comprising:
forming a hash of the information relating to the first intrusion attempt using at least one of the SHA-1 and the MD-5 hashing algorithms;
using the hash as an index to the bloom filter; and
setting corresponding bits in the bloom filter based on the index;
detecting a second intrusion attempt;
determining at the threatened computer whether the first intrusion attempt correlates with the second intrusion attempt, the determining comprising checking the one-way data structure to determine whether stored information related to the first intrusion attempt correlates with the second intrusion attempt;
automatically initiating at least one safety process at the threatened computer if the first intrusion attempt is determined to correlate with the second intrusion attempt;
indicating to a collaborating computer via a computer network that a threat is present at the threatened computer if the first intrusion attempt is determined to correlate with the second intrusion attempt; and
automatically initiating, before the collaborating computer has been subjected to the threat, at least one safety process at the collaborating computer based at least in part on the indication that the threat is present at the threatened computer.
Dependent claims: 2-13.
14. A method of responding to a threat to a threatened computer, comprising:
receiving information related to a first intrusion attempt that has been stored in a one-way data structure that is used to hide information about the first intrusion attempt, wherein the one-way data structure is a bloom filter, by at least:
forming a hash of the information relating to the first intrusion attempt using at least one of the SHA-1 and the MD-5 hashing algorithms;
using the hash as an index to the bloom filter; and
setting corresponding bits in the bloom filter based on the index;
detecting a second intrusion attempt;
determining at the threatened computer whether the first intrusion attempt correlates with the second intrusion attempt by checking the one-way data structure to determine whether stored information related to the first intrusion attempt correlates with the second intrusion attempt;
automatically initiating at least one safety process by the threatened computer if the first intrusion attempt is determined to correlate with the second intrusion attempt;
indicating to a collaborating computer via a computer network that a threat is present at the threatened computer if the first intrusion attempt is determined to correlate with the second intrusion attempt; and
automatically initiating, before the collaborating computer has been subjected to the threat, at least one safety process at the collaborating computer based at least in part on the indication that the threat is present at the threatened computer.
Dependent claims: 15-21.
22. A method of sharing threat information between at least a first computer and at least a second computer, comprising:
detecting a threat to the first computer;
indicating to the second computer via a computer network that the threat to the first computer has been detected using a one-way data structure that is used to hide information about the first intrusion attempt, wherein the one-way data structure is a bloom filter, the one-way data structure formed by at least:
forming a hash of the information relating to the first intrusion attempt using at least one of the SHA-1 and the MD-5 hashing algorithms;
using the hash as an index to the bloom filter; and
setting corresponding bits in the bloom filter based on the index; and
automatically initiating, before the second computer has been subjected to the threat, at least one safety process at the second computer based at least in part on the indication that the threat is present at the first computer.
Dependent claims: 23-29.
30. A system configured to detect intrusion attempts on a threatened computer, comprising:
an intrusion detection system that detects a first intrusion attempt and a second intrusion attempt;
an alert correlator that:
receives information related to the first and second intrusion attempts, wherein the information related to the first intrusion attempt has been stored in a one-way data structure that is used to hide information about the first intrusion attempt, wherein the one-way data structure is a bloom filter, by at least:
forming a hash of the information relating to the first intrusion attempt using at least one of the SHA-1 and the MD-5 hashing algorithms;
using the hash as an index to the bloom filter; and
setting corresponding bits in the bloom filter based on the index,
determines whether the first intrusion attempt correlates with the second intrusion attempt using the one-way data structure, and
initiates at least one safety process at the threatened computer and generates an indication that a threat is present if the first intrusion attempt is determined to correlate with the second intrusion attempt; and
a collaborating computer that receives via a computer network the indication that the threat is present at the alert correlator and that initiates, before the collaborating computer has been subjected to the threat, at least one safety process in response to the indication that the threat is present at the alert correlator.
Dependent claims: 31-33.
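The storing, correlation and sharing steps recited in the claims above, as an added Python example that is not the patent's own code: alert information is hashed with SHA-1 and MD5, words of each digest index a Bloom filter, a repeat of already-stored alert information counts as a correlation at the threatened host, and the filter bits rather than the raw alert are the indication passed to a collaborating computer, which initiates its own safety process before it is hit. The filter size, the correlation key (source address plus signature) and the safety-process names are constructed assumptions.

```python
import hashlib

SIZE_BITS = 4096          # constructed filter size for the example
WORDS_PER_DIGEST = 4      # 4-byte words taken from each digest

def bloom_indexes(info: str, size_bits: int = SIZE_BITS) -> list[int]:
    """Hash the alert information with SHA-1 and MD5 (the two algorithms the
    claims name) and reduce 4-byte words of each digest to bit indexes."""
    indexes = []
    for algo in ("sha1", "md5"):
        digest = hashlib.new(algo, info.encode()).digest()
        for i in range(0, 4 * WORDS_PER_DIGEST, 4):
            indexes.append(int.from_bytes(digest[i:i + 4], "big") % size_bits)
    return indexes

class AlertFilter:
    """One-way store of alert information: only bit positions are kept."""
    def __init__(self, size_bits: int = SIZE_BITS):
        self.size_bits = size_bits
        self.bits = bytearray(size_bits // 8)

    def add(self, info: str) -> None:
        for b in bloom_indexes(info, self.size_bits):
            self.bits[b // 8] |= 1 << (b % 8)

    def __contains__(self, info: str) -> bool:
        return all(self.bits[b // 8] >> (b % 8) & 1
                   for b in bloom_indexes(info, self.size_bits))

def alert_key(alert: dict) -> str:
    """Constructed correlation key: source address plus IDS signature name."""
    return f"{alert['src']}|{alert['sig']}"

def handle_alert(store: AlertFilter, alert: dict) -> dict:
    """Threatened host: a repeat of stored alert info correlates, triggers a
    local safety process and yields the filter bits as the shared indication."""
    key = alert_key(alert)
    if key in store:
        return {"correlated": True, "safety": "block:" + alert["src"],
                "indication": bytes(store.bits)}
    store.add(key)
    return {"correlated": False, "safety": None, "indication": None}

def collaborator_receive(indication: bytes) -> dict:
    """Collaborator: hardens before being hit and keeps the filter so its own
    later alerts can be checked without ever seeing the raw alert data."""
    shared = AlertFilter(len(indication) * 8)
    shared.bits = bytearray(indication)
    return {"safety": "raise-sensitivity", "shared_filter": shared}
```

The collaborator can test its own alerts against the shared filter, but the bytes it receives never contain the source address or signature that produced them.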
Specification