Dynamic rule generation for an enterprise intrusion detection system
Abstract
A method for dynamically generating rules for an enterprise intrusion detection system comprises receiving a packet flow from a sensor. The packet flow is dynamically processed to detect if the packet flow represents an attack on the enterprise system. A response message is automatically generated in response to the attack, the response message comprising a signature to identify the attack. The response message is automatically communicated to a response message file, the response message file comprising at least one response message.
30 Claims
1. Non-transitory machine-accessible and readable media comprising software that, when executed by a computer, operates to:
- receive a plurality of packet flows from a plurality of sensors at a plurality of ports between an external network and an internal network;
- aggregate the plurality of packet flows into an aggregated packet flow;
- dynamically process the aggregated packet flow to detect if one or more packets in the plurality of packet flows represent an attack on the internal network;
- automatically generate a response message in response to the attack, the response message operable to identify or impede the attack; and
- automatically communicate the response message to a response message file, the plurality of sensors operable to process packets received at the plurality of ports from the external network according to the response message file.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A method comprising:
- receiving a plurality of packet flows from a plurality of sensors at a plurality of ports between an external network and an internal network;
- aggregating the plurality of packet flows into an aggregated packet flow;
- dynamically processing the aggregated packet flow to detect if one or more packets in the plurality of packet flows represent an attack on the internal network;
- automatically generating a response message in response to the attack, the response message operable to identify or impede the attack; and
- automatically communicating the response message to a response message file, the plurality of sensors operable to process packets received at the plurality of ports from the external network according to the response message file.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
21. A system comprising:
- a plurality of sensors operable to receive data from a plurality of ports between an external network and an internal network, the plurality of sensors operable to process the received data according to a response message file;
- the response message file;
- a manager server communicably connected to the plurality of sensors and to the response message file, the manager server operable to:
  - receive a plurality of packet flows from the plurality of sensors;
  - aggregate the plurality of packet flows into an aggregated packet flow;
  - dynamically process the aggregated packet flow to detect if one or more packets in the plurality of packet flows represent an attack on the internal network;
  - automatically generate a response message in response to the attack, the response message operable to identify or impede the attack; and
  - automatically communicate the response message to the response message file.

Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30.
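The architecture the three independent claims describe, as an added illustration that is not the patent's own code: a manager server merges the flows reported by several sensors into one aggregated flow, detects an attack on the aggregate that no single sensor could see on its own, appends a response message to the shared response message file, and the sensors then process packets according to that file. The port-scan threshold, the `src=` signature format, the "drop"/"forward" actions and the addresses are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str     # external source address
    dport: int   # destination port on the internal network

@dataclass(frozen=True)
class ResponseMessage:
    signature: str   # identifies the attack; here keyed on the source address
    action: str      # what a sensor does with matching packets

class ResponseMessageFile:
    """Shared store the manager appends to and every sensor consults."""
    def __init__(self):
        self.messages = []
    def action_for(self, pkt):
        return next((m.action for m in self.messages
                     if m.signature == f"src={pkt.src}"), None)

class ManagerServer:
    SCAN_THRESHOLD = 5   # constructed: distinct ports from one source => scan
    def __init__(self, rmf):
        self.rmf, self.ports_by_src = rmf, {}
    def process(self, flows):
        """Merge every sensor's flow, detect, and emit response messages."""
        emitted = []
        for pkt in (p for flow in flows for p in flow):   # aggregated flow
            self.ports_by_src.setdefault(pkt.src, set()).add(pkt.dport)
            msg = ResponseMessage(f"src={pkt.src}", "drop")
            if (len(self.ports_by_src[pkt.src]) >= self.SCAN_THRESHOLD
                    and msg not in self.rmf.messages):
                self.rmf.messages.append(msg)
                emitted.append(msg)
        return emitted

class Sensor:   # sits at one port and sees only its own slice of the traffic
    def __init__(self, rmf):
        self.rmf = rmf
    def handle(self, pkt):
        return self.rmf.action_for(pkt) or "forward"

def demo():
    rmf = ResponseMessageFile()
    sensors = [Sensor(rmf) for _ in range(3)]
    # Constructed: the source probes two ports per sensor; only the aggregate shows a scan.
    flows = [[Packet("203.0.113.9", 20 + 2 * i + j) for j in (0, 1)] for i in range(3)]
    msgs = ManagerServer(rmf).process(flows)
    attacker, benign = Packet("203.0.113.9", 443), Packet("198.51.100.7", 443)
    return len(msgs), sensors[0].handle(attacker), sensors[2].handle(benign)
```

Each sensor saw only two probed ports, below the threshold, yet after the manager's aggregate detection every sensor drops the source while unrelated traffic is still forwarded.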
Specification