Method and apparatus for providing network and computer system security

US 7,934,254 B2
Filed: 09/27/2006
Issued: 04/26/2011
Est. Priority Date: 12/09/1998
Status: Active Grant

First Claim

Patent Images

1. A computer program product for triggering responses based on computer data transmissions received at a computer network node, the computer program product comprising:

a computer-readable, tangible storage device;

first program instructions to determine type, destination, and origin of data contained in the computer data transmissions;

second program instructions to modify variable for triggering responses based on the type, destination, and origin of the data contained in the computer data transmissions originating from one or more suspect computer nodes comprising workstations;

third program instructions to trigger a first response in response to said modified variable equaling or exceeding a first predetermined threshold level; and

fourth program instructions to trigger a second response in response to said modified variable equaling or exceeding a second predetermined threshold level,wherein the first, second, third, and fourth program instructions are stored on the computer-readable, tangible storage device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved network intrusion detection and response system and method is disclosed for detecting and preventing misuse of network resources. More particularly, the system and method dynamically self-adjusts to changes in network activity using a plurality of alert levels wherein each successively higher alert level triggers a corresponding heightened security response from the networked computer being misused. These heightened alert levels are integrated on both the system (individual node) and the network level. The disclosed intrusion detection and response system is also implemented at low cost using currently-existing hardware and software (i.e., network computers).

312 Citations

35 Claims

1. A computer program product for triggering responses based on computer data transmissions received at a computer network node, the computer program product comprising:
- a computer-readable, tangible storage device;
  
  first program instructions to determine type, destination, and origin of data contained in the computer data transmissions;
  
  second program instructions to modify variable for triggering responses based on the type, destination, and origin of the data contained in the computer data transmissions originating from one or more suspect computer nodes comprising workstations;
  
  third program instructions to trigger a first response in response to said modified variable equaling or exceeding a first predetermined threshold level; and
  
  fourth program instructions to trigger a second response in response to said modified variable equaling or exceeding a second predetermined threshold level,wherein the first, second, third, and fourth program instructions are stored on the computer-readable, tangible storage device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 28)
- - 2. The computer program product of claim 1, further comprising fifth program instructions to trigger additional responses in response to said modified variable equaling or exceeding one or more additional threshold levels, and wherein the fifth program instructions are stored on the computer-readable, tangible storage device.
  - 3. The computer program product of claim 1, wherein one of said triggered responses comprises a passive scan of one or more of said suspect computer nodes.
  - 4. The computer program product of claim 3, wherein said passive scan includes recording said computer data transmissions in a log file.
  - 5. The computer program product of claim 1, wherein one of said triggered responses comprises an active scan of one or more of said suspect computer nodes.
  - 6. The computer program product of claim 5, wherein said active scan comprises retrieving information about said one or more of said suspect computer nodes including the network address of said one or more of said suspect computer nodes.
  - 7. The computer program product of claim 5, wherein said active scan comprises determining the network route taken by data originating from said one or more of said suspect computer nodes.
  - 8. The computer program product of claim 1, wherein one of said triggered responses comprises said computer network node requiring increased authentication from any other computer network node before providing access to said computer network node'"'"'s resources.
  - 9. The computer program product of claim 8, wherein said increased authentication comprises said computer network node forcing two or more logins before providing access to said computer network node'"'"'s resources.
  - 10. The computer program product of claim 1, wherein one of said triggered responses comprises blocking incoming computer data transmissions.
  - 11. The computer program product of claim 1, wherein said modified variable responds differently over time to particular types of computer data transmissions.
  - 12. The computer program product of claim 11, wherein said modified variable continuously increases in response to the continuous receipt of a particular type of computer data transmission until the modified variable reaches a predetermined value.
  - 13. The computer program product of claim 12, wherein said particular type of computer data transmission comprises an invalid login attempt.
  - 14. The computer program product of claim 11, wherein said modified variable initially increases in response to the continuous receipt of a particular type of computer data transmission and subsequently decreases in response to the continued receipt of said particular type of computer data transmission.
  - 15. The computer program product of claim 14, wherein said particular type of computer data transmission comprises a computer data transmission which retrieves information about said suspect computer network node.
  - 16. The computer program product of claim 1, wherein the type, destination, and origin of data of said computer data transmissions are determined on a network packet level.
  - 17. The computer program product of claim 16, wherein said computer data transmissions are filtered by said computer network node on a network packet level.
  - 18. The computer program product of claim 1, wherein the second program instructions to modify the variable comprises:
    - fifth program instructions to determine whether the type, destination, and origin of the data matches a type, destination, and origin of previously received data originating from the one or more suspect computer nodes; and
      
      sixth program instructions to increase the variable in response to the type, destination, and origin of the data matching the type, destination, and origin of the previously received data,wherein the fifth and sixth program instructions are stored on the computer-readable, tangible storage device.
  - 19. The computer program product of claim 1, further comprising fifth program instructions for setting the variable at a default level prior to the variable being modified, wherein the fifth program instructions are stored on the computer-readable, tangible storage device.
  - 28. The computer program product of claim 1, wherein the second program instructions to modify the first variable comprises:
    - fifth program instructions to determine whether the type and origin of the data contained in the computer data transmissions originating from the first suspect computer node matches a type and origin of previously received data originating from the first suspect computer node; and
      
      sixth program instructions to increase the first variable in response to the type and origin of the data matching the type and origin of the previously received data,wherein the fifth and sixth program instructions are stored on the computer-readable, tangible storage device.

20. A computer program product for triggering a response based on computer data transmissions comprising non-voice based data received at a computer network node, the computer program product comprising:
- a computer-readable, tangible storage device;
  
  first program instructions to determine type and origin of data contained in the computer data transmissions;
  
  second program instructions to modify a first variable for triggering one or more responses based on the type and origin of the data contained in computer data transmissions originating from a first suspect computer node comprising a first workstation;
  
  third program instructions to modify a second variable for triggering one or more responses based on the type and origin of the data contained in computer data transmissions originating from a second suspect computer node comprising a second workstation different than the first workstation; and
  
  fourth program instructions to trigger a response in response to either of said modified first or second variables equaling or exceeding a predetermined threshold level,wherein the first, second, third, and fourth program instructions are stored on the computer-readable, tangible storage device.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 29, 30)
- - 21. The computer program product of claim 20, further comprising fifth program instructions to trigger additional responses in response to either of said modified first or second variables equaling or exceeding additional predetermined threshold values, and wherein the fifth program instructions are stored on the computer-readable storage device.
  - 22. The computer program product of claim 20, further comprising fifth program instructions to modify third variable for triggering a response to each one of said first and second suspect computer nodes based on said computer data transmissions originating from each of said first and second suspect computer nodes, and wherein the fifth program instructions are stored on the computer-readable storage device.
  - 23. The computer program product of claim 22, further comprising sixth program instructions to trigger a response towards each one of said first and second suspect computer nodes in response to said modified third variable equaling or exceeding another predetermined threshold value, and wherein the sixth program instructions are stored on the computer-readable storage device.
  - 24. The computer program product of claim 22, wherein said modified third variable is more responsive to new types of computer data transmissions than to computer data transmissions previously received at said computer network node.
  - 25. The computer program product of claim 24, further comprising seventh program instructions to initially increase said modified third variable in response to the computer data transmissions originating from a particular suspect computer node and subsequently decrease said modified third variable upon continued receipt of said computer data transmissions from said particular suspect computer node, and wherein the seventh program instructions are stored on the computer-readable storage device.
  - 26. The computer program product of claim 20, further comprising fifth program instructions to communicate each of said modified first and second variables to a network database residing on a computer server node, and wherein the fifth program instructions are stored on the computer-readable storage device.
  - 27. The computer program product of claim 22, further comprising sixth program instructions to communicate said modified third variable to a network database residing on a computer server node, and wherein the sixth program instructions are stored on the computer-readable storage device.
  - 29. The computer program product of claim 20, wherein the third program instructions to modify the second variable comprises:
    - fifth program instructions to determine whether the type and origin of the data contained in the computer data transmissions originating from the second suspect computer node matches a type and origin of previously received data originating from the second suspect computer node; and
      
      sixth program instructions to increase the second variable in response to the type and origin of the data matching the type and origin of the previously received data,wherein the fifth and sixth program instructions are stored on the computer-readable, tangible storage device.
  - 30. The computer program product of claim 20, further comprising fifth program instructions for setting the first variable and the second variable at a default level prior to the first and second variables being modified, wherein the fifth program instructions are stored on the computer-readable storage device.

31. A computer system for triggering a network response, the computer system comprising:
- a CPU, a computer-readable memory, and a computer-readable, tangible storage device;
  
  first program instructions to store a plurality of first variables for a plurality of computer network nodes comprising workstations;
  
  second program instructions to modify a second variable based on the value of each of said plurality of first variables; and
  
  third program instructions to trigger a network response said second variable equaling or exceeding a predetermined threshold level, wherein the network response comprises notifying each of the plurality of computer network nodes that they should each increase their suspect-specific alert variable towards a particular suspect computer network node and initiating an active scan of the particular suspect computer network node,wherein the first, second, and third program instructions are stored on the computer-readable, tangible storage device for execution by the CPU via the computer-readable memory.
- View Dependent Claims (32, 33, 34, 35)
- - 32. The computer system of claim 31, wherein said network response includes the act of initiating a passive scan of the particular suspect computer network node.
  - 33. The computer system of claim 31, wherein said network response includes the act of blocking all communication between said suspect computer network node and said plurality of computer network nodes.
  - 34. The computer system of claim 31, wherein the second program instructions to modify the second variable comprises:
    - fourth program instructions to increase the second variable in response to one or more of the plurality of first variables increasing; and
      
      fifth program instructions to decrease the second variable in response to one or more of the plurality of first variable decreasing,wherein the fourth and fifth program instructions are stored on the computer-readable, tangible storage device.
  - 35. The computer program system of claim 31, further comprising fourth program instructions for setting the second variable at a default level prior to the second variable being modified, wherein the fourth program instructions are stored on the computer-readable, tangible storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Graham, Robert David
Primary Examiner(s)
Arani; Taghi T
Assistant Examiner(s)
Mehrmanesh; Amir

Application Number

US11/535,975
Publication Number

US 20070022090A1
Time in Patent Office

1,672 Days
Field of Search

726/22, 713/193
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/08   for authentication of entit...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Method and apparatus for providing network and computer system security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

312 Citations

35 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for providing network and computer system security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

312 Citations

35 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others