Method and system for reducing the false alarm rate of network intrusion detection systems

US 7,886,357 B2
Filed: 03/28/2003
Issued: 02/08/2011
Est. Priority Date: 03/29/2002
Status: Active Grant

First Claim

Patent Images

1. A method for reducing the false alarm rate of network intrusion detection systems, comprising:

receiving an alarm indicating a network intrusion may have occurred;

identifying characteristics of the alarm, including at least an attack type, a source address, a target address, an alarm severity, and an alarm description;

accessing a storage location;

determining whether an operating system fingerprint for a target host associated with the target address already exists in the storage location;

if the operating system fingerprint for the target host does not exist, then;

querying the target host for the operating system fingerprint;

receiving the operating system fingerprint that includes the operating system type from the target host;

comparing the attack type to the operating system type; and

indicating whether the target host is vulnerable to the attack based on the comparison;

if the operating system fingerprint for the target host does exist, then;

determining if a cache entry time for the target address is valid; and

if the cache entry time is invalid, then;

querying the target host for the operating system fingerprint;

receiving the operating system fingerprint that includes the operating system type from the target host;

comparing the attack type to the operating system type; and

indicating whether the target host is vulnerable to the attack based on the comparison;

if the cache entry time is valid, then;

comparing the attack type to the operating system type; and

indicating whether the target host is vulnerable to the attack based on the comparison.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment of the invention, a method for reducing the false alarm rate of network intrusion detection systems includes receiving an alarm indicating a network intrusion may have occurred, identifying characteristics of the alarm, including at least an attack type and a target address, querying a target host associated with the target address for an operating system fingerprint, receiving the operating system fingerprint that includes the operating system type from the target host, comparing the attack type to the operating system type, and indicating whether the target host is vulnerable to the attack based on the comparison.

Citations

12 Claims

1. A method for reducing the false alarm rate of network intrusion detection systems, comprising:
- receiving an alarm indicating a network intrusion may have occurred;
  
  identifying characteristics of the alarm, including at least an attack type, a source address, a target address, an alarm severity, and an alarm description;
  
  accessing a storage location;
  
  determining whether an operating system fingerprint for a target host associated with the target address already exists in the storage location;
  
  if the operating system fingerprint for the target host does not exist, then;
  
  querying the target host for the operating system fingerprint;
  
  receiving the operating system fingerprint that includes the operating system type from the target host;
  
  comparing the attack type to the operating system type; and
  
  indicating whether the target host is vulnerable to the attack based on the comparison;
  
  if the operating system fingerprint for the target host does exist, then;
  
  determining if a cache entry time for the target address is valid; and
  
  if the cache entry time is invalid, then;
  
  querying the target host for the operating system fingerprint;
  
  receiving the operating system fingerprint that includes the operating system type from the target host;
  
  comparing the attack type to the operating system type; and
  
  indicating whether the target host is vulnerable to the attack based on the comparison;
  
  if the cache entry time is valid, then;
  
  comparing the attack type to the operating system type; and
  
  indicating whether the target host is vulnerable to the attack based on the comparison.
- View Dependent Claims (2, 4)
- - 2. The method of claim 1, further comprising storing the operating system fingerprint of the target host in the storage location for a time period.
  - 4. The method of claim 1, further comprising:
    - monitoring a dynamic configuration protocol server;
      
      detecting that a lease expire has occurred for an existing target host;
      
      accessing the storage location; and
      
      purging the existing operating system fingerprint for the existing target host from the storage location.

3. The method of claim , further comprising:
- monitoring a dynamic configuration protocol server;
  
  detecting that a lease issue has occurred for a new target host;
  
  querying the new target host for a new operating system fingerprint;
  
  receiving the new operating system fingerprint from the new target host; and
  
  storing the new operating system fingerprint of the new target host in the storage location for a length of time.

5. A computer-readable non-transitory storage medium embodying software this is operable when executed by a computer system to:
- receive an alarm indicating a network intrusion may have occurred;
  
  identify characteristics of the alarm, including at least an attack type, a source address, a target address, an alarm severity, and an alarm description;
  
  access a storage location;
  
  determine whether an operating system fingerprint for a target host associated with the target address already exists in the storage location;
  
  if the operating system fingerprint for the target host does not exist, then;
  
  query the target host for the operating system fingerprint;
  
  receive the operating system fingerprint that includes the operating system type from the target host;
  
  compare the attack type to the operating system type; and
  
  indicate whether the target host is vulnerable to the attack based on the comparison;
  
  if the operating system fingerprint for the target host does exist, then;
  
  determine if a cache entry time for the target address is valid; and
  
  if the cache entry time is invalid, then;
  
  query the target host for the operating system fingerprint;
  
  receive the operating system fingerprint that includes the operating system type from the target host;
  
  compare the attack type to the operating system type; and
  
  indicate whether the target host is vulnerable to the attack based on the comparison;
  
  if the cache entry time is valid, then;
  
  compare the attack type to the operating system type; and
  
  indicate whether the target host is vulnerable to the attack based on the comparison.
- View Dependent Claims (6, 7, 8)
- - 6. The medium of claim 5, wherein the software is further operable to store the operating system fingerprint of the target host in the storage location for a time period.
  - 7. The medium of claim 5, wherein the software is further operable to:
    - monitor a dynamic configuration protocol server;
      
      detect that a lease issue has occurred for a new target host;
      
      query the new target host for a new operating system fingerprint;
      
      receive the new operating system fingerprint from the new target host; and
      
      store the new operating system fingerprint of the new target host in the storage location for a length of time.
  - 8. The medium of claim 6, wherein the software is further operable to:
    - monitor a dynamic configuration protocol server;
      
      detect that a lease expire has occurred for an existing target host;
      
      access the storage location; and
      
      purge the existing operating system fingerprint for the existing target host from the storage location.

9. An apparatus comprising:
- a communication interface;
  
  memory containing instructions for execution by a processor; and
  
  the processor, operable when executing the instructions to;
  
  receive an alarm indicating a network intrusion may have occurred;
  
  identify characteristics of the alarm, including at least an attack type, a source address, a target address, an alarm severity, and an alarm description;
  
  access a storage location;
  
  determine whether an operating system fingerprint for a target host associated with the target address already exists in the storage location;
  
  if the operating system fingerprint for the target host does not exist, then;
  
  query the target host for the operating system fingerprint;
  
  receive the operating system fingerprint that includes the operating system type from the target host;
  
  compare the attack type to the operating system type; and
  
  indicate whether the target host is vulnerable to the attack based on the comparison;
  
  if the operating system fingerprint for the target host does exist, then;
  
  determine if a cache entry time for the target address is valid; and
  
  if the cache entry time is invalid, then;
  
  query the target host for the operating system fingerprint;
  
  receive the operating system fingerprint that includes the operating system type from the target host;
  
  compare the attack type to the operating system type; and
  
  indicate whether the target host is vulnerable to the attack based on the comparison;
  
  if the cache entry time is valid, then;
  
  compare the attack type to the operating system type; and
  
  indicate whether the target host is vulnerable to the attack based on the comparison.
- View Dependent Claims (10, 11, 12)
- - 10. The apparatus of claim 9, wherein the processor is further operable to store the operating system fingerprint of the target host in the storage location for a time period.
  - 11. The apparatus of claim 9, wherein the processor is further operable to:
    - monitor a dynamic configuration protocol server;
      
      detect that a lease issue has occurred for a new target host;
      
      query the new target host for a new operating system fingerprint;
      
      receive the new operating system fingerprint from the new target host; and
      
      store the new operating system fingerprint of the new target host in the storage location for a length of time.
  - 12. The apparatus of claim 9, wherein the processor is further operable to:
    - monitor a dynamic configuration protocol server;
      
      detect that a lease expire has occurred for an existing target host;
      
      access the storage location; and
      
      purge the existing operating system fingerprint for the existing target host from the storage location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Rhodes, Aaron L., Rowland, Craig H.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
GEE, JASON KAI YIN

Application Number

US10/402,649
Publication Number

US 20030212910A1
Time in Patent Office

2,874 Days
Field of Search

726/22, 726/23, 713/224
US Class Current

726/23
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 43/00   Arrangements for monitoring...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Method and system for reducing the false alarm rate of network intrusion detection systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for reducing the false alarm rate of network intrusion detection systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links