Method and system for reducing the false alarm rate of network intrusion detection systems

  • US 7,886,357 B2
  • Filed: 03/28/2003
  • Issued: 02/08/2011
  • Est. Priority Date: 03/29/2002
  • Status: Active Grant
First Claim
1. A method for reducing the false alarm rate of network intrusion detection systems, comprising:

  • receiving an alarm indicating a network intrusion may have occurred;
  • identifying characteristics of the alarm, including at least an attack type, a source address, a target address, an alarm severity, and an alarm description;
  • accessing a storage location;
  • determining whether an operating system fingerprint for a target host associated with the target address already exists in the storage location;
  • if the operating system fingerprint for the target host does not exist, then;
    • querying the target host for the operating system fingerprint;
    • receiving the operating system fingerprint that includes the operating system type from the target host;
    • comparing the attack type to the operating system type; and
    • indicating whether the target host is vulnerable to the attack based on the comparison;
  • if the operating system fingerprint for the target host does exist, then;
    • determining if a cache entry time for the target address is valid; and
    • if the cache entry time is invalid, then;
      • querying the target host for the operating system fingerprint;
      • receiving the operating system fingerprint that includes the operating system type from the target host;
      • comparing the attack type to the operating system type; and
      • indicating whether the target host is vulnerable to the attack based on the comparison;
    • if the cache entry time is valid, then;
      • comparing the attack type to the operating system type; and
      • indicating whether the target host is vulnerable to the attack based on the comparison.
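The decision procedure of claim 1, written out as an added Python example (this is illustrative code, not the patent's or any vendor's implementation). It keeps a cache of OS fingerprints keyed by target address with a cache entry time, re-queries the host only when the entry is missing or has expired, and then compares the alarm's attack type with the cached OS type to decide whether the alarm is worth keeping. The attack-to-OS table, the simulated host fingerprints and the addresses are all constructed for the example; the "query" is a table lookup standing in for an active fingerprinting probe.

```python
"""Added example: alarm filtering with a cached OS fingerprint (claim 1 logic).

Everything below is constructed for illustration; it is not the patent's own code.
"""
from dataclasses import dataclass
import time


@dataclass
class Alarm:
    """The alarm characteristics claim 1 requires at minimum."""
    attack_type: str
    source: str
    target: str
    severity: str
    description: str


# Constructed: which OS families each attack type can affect (illustrative only).
ATTACK_TARGET_OS = {
    "iis_unicode_traversal": {"windows"},
    "sendmail_overflow": {"linux", "solaris"},
    "smb_null_session": {"windows"},
}

# Constructed stand-in for actively fingerprinting a host (hypothetical addresses).
SIMULATED_HOSTS = {
    "10.0.0.5": "windows",
    "10.0.0.7": "linux",
}


def query_os_fingerprint(target: str) -> str:
    """Simulated 'query the target host'; a real system would probe the host here."""
    return SIMULATED_HOSTS.get(target, "unknown")


class FingerprintCache:
    """The 'storage location': OS type plus cache entry time per target address."""

    def __init__(self, ttl_seconds: float, clock=time.time):
        self.ttl_seconds = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._entries: dict[str, tuple[str, float]] = {}

    def entry_is_valid(self, target: str) -> bool:
        """True when an entry exists and its cache entry time is within the TTL."""
        if target not in self._entries:
            return False
        _, entry_time = self._entries[target]
        return self.clock() - entry_time < self.ttl_seconds

    def lookup(self, target: str) -> tuple[str, bool]:
        """Return (os_type, queried); re-query on a missing or expired entry."""
        if self.entry_is_valid(target):
            return self._entries[target][0], False
        os_type = query_os_fingerprint(target)
        self._entries[target] = (os_type, self.clock())
        return os_type, True


def assess_alarm(alarm: Alarm, cache: FingerprintCache) -> dict:
    """Compare attack type with the target's OS type and flag whether it is vulnerable.

    Design choice (not from the patent): an unknown attack type or an unknown OS
    fails open, so the alarm is kept rather than silently discarded.
    """
    os_type, queried = cache.lookup(alarm.target)
    affected = ATTACK_TARGET_OS.get(alarm.attack_type)
    if affected is None or os_type == "unknown":
        vulnerable = True
    else:
        vulnerable = os_type in affected
    return {
        "attack_type": alarm.attack_type,
        "target": alarm.target,
        "os_type": os_type,
        "queried": queried,
        "vulnerable": vulnerable,
    }


if __name__ == "__main__":
    cache = FingerprintCache(ttl_seconds=3600)
    alarms = [
        Alarm("iis_unicode_traversal", "192.0.2.9", "10.0.0.7", "high", "IIS traversal attempt"),
        Alarm("iis_unicode_traversal", "192.0.2.9", "10.0.0.5", "high", "IIS traversal attempt"),
        Alarm("sendmail_overflow", "192.0.2.9", "10.0.0.7", "high", "sendmail overflow attempt"),
    ]
    for a in alarms:
        print(assess_alarm(a, cache))
```

Running the script as-is shows the Linux host's IIS alarm marked not vulnerable while the same attack against the Windows host is kept, and the second lookup of each address is served from the cache; the TTL governs how long a fingerprint is trusted before the host is queried again.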

  • 3 Assignments