Method and system for reducing the false alarm rate of network intrusion detection systems
First Claim
1. A computerized method for reducing the false alarm rate of network intrusion detection systems, comprising:
- receiving, from a network intrusion detection sensor, one or more data packets associated with an alarm indicative of a potential attack on a target host;
identifying characteristics of the alarm from the data packets, including at least an attack type and an operating system fingerprint of the target host;
identifying the operating system type from the operating system fingerprint;
comparing the attack type to the operating system type; and
indicating whether the target host is vulnerable to the attack based on the comparison.
1 Assignment
0 Petitions
Accused Products
Abstract
According to one embodiment of the invention, a computerized method for reducing the false alarm rate of network intrusion detection systems includes receiving, from a network intrusion detection sensor, one or more data packets associated with an alarm indicative of a potential attack on a target host and identifying characteristics of the alarm from the data packets. The characteristics include at least an attack type and an operating system fingerprint of the target host. The method further includes identifying the operating system type from the operating system fingerprint, comparing the attack type to the operating system type, and indicating whether the target host is vulnerable to the attack based on the comparison.
53 Citations
21 Claims
-
1. A computerized method for reducing the false alarm rate of network intrusion detection systems, comprising:
-
receiving, from a network intrusion detection sensor, one or more data packets associated with an alarm indicative of a potential attack on a target host; identifying characteristics of the alarm from the data packets, including at least an attack type and an operating system fingerprint of the target host; identifying the operating system type from the operating system fingerprint; comparing the attack type to the operating system type; and indicating whether the target host is vulnerable to the attack based on the comparison. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A system for reducing the false alarm rate of network intrusion detection systems, comprising:
-
a network intrusion detection system operable to transmit one or more data packets associated with an alarm indicative of a potential attack on a target host; a software program embodied in a computer readable medium, the software program, when executed by a processor, operable to; receive the one or more data packets; identify characteristics of the alarm from the data packets, including at least an attack type and an operating system fingerprint of the target host; identify the operating system type from the operating system fingerprint; compare the attack type to the operating system type; and indicate whether the target host is vulnerable to the attack based on the comparison. - View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
-
-
16. A system for reducing the false alarm rate of network intrusion detection systems, comprising:
-
means for receiving, from a network intrusion detection sensor, one or more data packets associated with an alarm indicative of a potential attack on a target host; means for identifying characteristics of the alarm from the data packets, including at least an attack type and an operating system fingerprint of the target host; means for identifying the operating system type from the operating system fingerprint; means for comparing the attack type to the operating system type; and means for indicating whether the target host is vulnerable to the attack based on the comparison. - View Dependent Claims (17, 18, 19, 20, 21)
-
Specification