Method and system for responding to a computer intrusion

US 7,941,854 B2
Filed: 12/05/2002
Issued: 05/10/2011
Est. Priority Date: 12/05/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for managing an intrusion on a computer, the method comprising:

visually representing on a computer display a known intrusion path of a known intrusion of hardware of a computer such that the known intrusion path is visually depicted on a display of the computer as a graphical representation of all hardware in a hardware topology of the computer that was previously infected by the known intrusion, wherein the graphical representation of the known intrusion path includes a scripted response that is visually displayed in association with at least one of the hardware displayed in the known intrusion path graphical representation;

visually representing on the computer display a current intrusion path of a current intrusion of the computer such that the current intrusion path is visually depicted on the computer display using a graphical representation of all hardware in the hardware topology of the computer that is currently infected by the current intrusion;

matching the current intrusion to the known intrusion according to at least one common node in the visual graphical representations of the displayed graphical intrusion paths of the known intrusion and the current intrusion; and

responsive to matching the known intrusion and the current intrusion, initiating the scripted response, wherein the scripted response is capable of responding to the current intrusion.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for managing an intrusion on a computer by graphically representing an intrusion pattern of a known past intrusion, and then comparing the intrusion pattern of the known intrusion with a current intrusion. The intrusion pattern may either be based on intrusion events, which are the effects of the intrusion or activities that provide a signature of the type of intrusion, or the intrusion pattern may be based on hardware topology that is affected by the intrusion. The intrusion pattern is graphically displayed with scripted responses, which in a preferred embodiment are presented in pop-up windows associated with each node in the intrusion pattern. Alternatively, the response to the intrusion may be automatic, based on a pre-determined percentage of common features in the intrusion pattern of the known past intrusion and the current intrusion.

52 Citations

View as Search Results

38 Claims

1. A method for managing an intrusion on a computer, the method comprising:
- visually representing on a computer display a known intrusion path of a known intrusion of hardware of a computer such that the known intrusion path is visually depicted on a display of the computer as a graphical representation of all hardware in a hardware topology of the computer that was previously infected by the known intrusion, wherein the graphical representation of the known intrusion path includes a scripted response that is visually displayed in association with at least one of the hardware displayed in the known intrusion path graphical representation;
  
  visually representing on the computer display a current intrusion path of a current intrusion of the computer such that the current intrusion path is visually depicted on the computer display using a graphical representation of all hardware in the hardware topology of the computer that is currently infected by the current intrusion;
  
  matching the current intrusion to the known intrusion according to at least one common node in the visual graphical representations of the displayed graphical intrusion paths of the known intrusion and the current intrusion; and
  
  responsive to matching the known intrusion and the current intrusion, initiating the scripted response, wherein the scripted response is capable of responding to the current intrusion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 37, 38)
- - 2. The method of claim 1, wherein the intrusion paths are based on intrusion events.
  - 3. The method of claim 1, wherein the hardware infected by the known intrusion are infected computers on a network.
  - 4. The method of claim 1, further comprising:
    - associating a list of suggested scripted responses with each node in the current intrusion path graphical representation, wherein each suggested scripted response is made up of a set of instructions that is different from instructions used in all other suggested scripted responses; and
      
      selecting one of the suggested scripted responses for each node in the current intrusion path graphical representation.
  - 5. The method of claim 4, further comprising;
    - ranking the suggested scripted responses to create ranked suggested scripted responses;
      
      depicting, at each node, the ranked suggested scripted responses along with a corresponding ranking for each of the ranked suggested scripted responses;
      
      selecting a highest ranked suggested scripted response for at least one node in the current intrusion path graphical representation; and
      
      executing the highest ranked suggested scripted response.
  - 6. The method of claim 5, wherein each ranked suggested scripted response addresses a same intrusion, and wherein the highest ranked suggested scripted response has a highest level of historical success for neutralizing the same intrusion when compared to other ranked suggested scripted responses depicted at a node.
  - 7. The method of claim 5, wherein each ranked suggested scripted response is for a different intrusion, and wherein the highest ranked suggested scripted response is for an intrusion that has a highest potential for threatening mission critical data compared to other intrusions that are handled by other ranked suggested scripted responses depicted at a node.
  - 8. The method of claim 1, further comprising:
    - automatically performing the method described in claim 1 according to an expected response time for manually initiating the scripted response, wherein the method is automatically performed if waiting the expected response time to manually initiate the scripted response would result in damage being done to the computer.
  - 9. The method of claim 1, further comprising:
    - automatically performing the method described in claim 1 based on a severity of the current intrusion, wherein the scripted response is at a severity level appropriate to the severity of the current intrusion.
  - 10. The method of claim 1, further comprising:
    - determining how many common nodes are found in the known intrusion path and the current intrusion path;
      
      in response to a quantity of common nodes reaching a predetermined quantity, automatically running scripted responses for all nodes in the current intrusion path; and
      
      in response to the quantity of common nodes being less than the predetermined quantity, prompting a security administrator to manually select a scripted response for each event node in the current intrusion path.
  - 11. The method of claim 1, further comprising:
    - notifying a remote receiver of the current intrusion; and
      
      remotely initiating the scripted response in response to the remote notification of the current intrusion.
  - 37. The method of claim 1, wherein the scripted response heals damage caused to the computer by the current intrusion.
  - 38. The method of claim 1, wherein the scripted response prevents the current intrusion from causing any further damage to the computer.

12. A system for managing an intrusion on a computer, the system comprising:
- a memory subsystem; and
  
  a processor coupled to the memory subsystem, wherein the processor is configured for;
  
  visually representing on a computer display a known intrusion path of a known intrusion of hardware of a computer such that the known intrusion path is visually depicted on the computer display as a graphical representation of all hardware in a hardware topology of the computer that was previously infected by the known intrusion, such that the graphical representation of the known intrusion path includes a scripted response that is visually displayed in association with at least one of the hardware displayed in the known intrusion path graphical representation;
  
  visually representing on the computer display a current intrusion path of a current intrusion of the computer such that the current intrusion path is visually depicted on the computer display using a graphical representation of all hardware in the hardware topology of the computer that is currently infected by the current intrusion;
  
  matching the current intrusion of the computer to the known intrusion according to at least one common node in the visual graphical representations of the displayed graphical intrusion paths of the known intrusion and the current intrusion; and
  
  responsive to matching the known intrusion and the current intrusion, initiating the scripted response, wherein the scripted response is capable of responding to the current intrusion.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 13. The system of claim 12, wherein the intrusion paths are based on intrusion events.
  - 14. The system of claim 12, wherein the known intrusion and the current intrusion are the same, and wherein the scripted response for the current intrusion is based on historical data for the known intrusion.
  - 15. The system of claim 12, wherein the known intrusion and the current intrusion are different, and wherein the scripted response for the current intrusion is based on historical data for the known intrusion.
  - 16. The system of claim 12, wherein the current intrusion is graphed in a current intrusion path graphical representation, wherein the processor is further configured for:
    - associating a list of suggested scripted responses with each node in the current intrusion path graphical representation; and
      
      selecting one of the suggested scripted responses for each node in the current intrusion path graphical representation.
  - 17. The system of claim 16, wherein the processor is further configured for:
    - ranking the suggested scripted responses to create ranked suggested scripted responses; and
      
      selecting a highest ranked suggested scripted response for each node in the current intrusion path graphical representation.
  - 18. The system of claim 17, wherein the processor is further configured for selecting contemporaneously the highest ranked suggested scripted response for all nodes in the current intrusion path graphical representation.
  - 19. The system of claim 17, wherein each ranked suggested scripted response is for a different intrusion, and wherein the highest ranked suggested scripted response is for an intrusion that has a highest level of threatening mission critical data compared to other intrusions that are handled by other ranked suggested scripted responses depicted at a node.
  - 20. The system of claim 12, wherein the processor is further configured for:
    - automatically performing the method described in claim 12 according to an expected response time for manually initiating the scripted response, wherein the method is automatically performed if waiting the expected response time to manually initiate the scripted response would result in damage being done to the computer.
  - 21. The system of claim 12, wherein the processor is further configured for:
    - automatically performing the method described in claim 12 based on a severity of the current intrusion, wherein the scripted response is at a severity level appropriate to the severity of the current intrusion.
  - 22. The system of claim 12, wherein the processor is further configured for:
    - automatically performing the method described in claim 12 based on a type classification of the current intrusion.
  - 23. The system of claim 12, wherein the processor is further configured for:
    - notifying a remote receiver of the current intrusion; and
      
      remotely initiating the scripted response in response to the remote notification of the current intrusion.
  - 24. The system of claim 23, wherein the remote receiver is a wireless device.

25. A non-transitory computer usable medium for managing a virus on a computer, the non-transitory computer usable medium, comprising:
- computer program code for visually representing on a computer display a known intrusion path of a known intrusion of hardware of a computer such that the known intrusion path is visually depicted on a display of the computer as a graphical representation of all hardware in a hardware topology of the computer that was previously infected by the known intrusion, such that the graphical representation of the known intrusion path includes a scripted response that is visually displayed in association with at least one of the hardware displayed in the known intrusion path graphical representation;
  
  computer program code for visually representing on the computer display a current intrusion path of a current intrusion of the computer such that the current intrusion path is visually depicted on the computer display using a graphical representation of all hardware in the hardware topology of the computer that is currently infected by the current intrusion;
  
  computer program code for matching the current intrusion of the computer to the known intrusion according to at least one common node in the visual graphical representations of the displayed graphical intrusion paths of the known intrusion and the current intrusion; and
  
  computer program code for, responsive to the matching of the known intrusion and the current intrusion, initiating the scripted response, which is capable of responding to the current intrusion, wherein the computer usable medium is a computer usable storage medium.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The non-transitory computer usable medium of claim 25, wherein an intrusion pattern is based on intrusion events.
  - 27. The non-transitory computer usable medium of claim 25, wherein the known intrusion and the current intrusion are the same, and wherein the scripted response for the current intrusion is based on historical data for the known intrusion.
  - 28. The non-transitory computer usable medium of claim 25, wherein the known intrusion and the current intrusion are different, and wherein the scripted response for the current intrusion is based on historical data for the known intrusion.
  - 29. The non-transitory computer usable medium of claim 25, wherein the current intrusion is graphed in a current intrusion path graphical representation, the non-transitory computer usable medium further comprising:
    - computer program code for associating a list of suggested scripted responses with each node in the current intrusion path graphical representation, wherein each suggested scripted response is different from all other suggested scripted responses; and
      
      computer program code for selecting one of the suggested scripted responses for each node in the current intrusion path graphical representation.
  - 30. The non-transitory computer usable medium of claim 29, further comprising:
    - computer program code for ranking the suggested scripted responses to create ranked suggested scripted responses;
      
      computer program code for depicting, at each node, the ranked suggested scripted responses; and
      
      computer program code for selecting a highest ranked suggested scripted response for at least one node in the current intrusion path graphical representation.
  - 31. The non-transitory computer usable medium of claim 30, wherein each ranked suggested scripted response addresses a same intrusion, and wherein the highest ranked scripted response has a highest level of historical success for resolving the same intrusion when compared to other ranked suggested scripted responses depicted at a node.
  - 32. The non-transitory computer usable medium of claim 31, wherein each ranked suggested scripted response is for a different intrusion, and wherein the highest ranked suggested scripted response is for an intrusion that has a highest level of threatening mission critical data compared to other intrusions that are handled by other ranked suggested scripted responses depicted at a node.
  - 33. The non-transitory computer usable medium of claim 25, further comprising:
    - computer program code for automatically performing the steps described in claim 25 according to an expected response time for manually initiating the scripted response, wherein the steps are automatically performed if a response time, for a manual response to the current intrusion, is so long that damage is done to the computer before the manual response is executed.
  - 34. The non-transitory computer usable medium of claim 25, further comprising:
    - computer program code for automatically performing the steps described in claim 25 based on a severity of the current intrusion, wherein the scripted response is at a severity level appropriate to the severity of the current intrusion.
  - 35. The non-transitory computer usable medium of claim 25, further comprising:
    - computer program code for determining how many common nodes are found in the known intrusion path and the current intrusion path;
      
      computer program code for, in response to a quantity of common nodes exceeding a predetermined quantity, automatically running scripted responses for all nodes in the current intrusion path; and
      
      computer program code for, in response to the quantity of common nodes being less than the predetermined quantity, prompting a security administrator to manually select a scripted response for each event node in the current intrusion path.
  - 36. The non-transitory computer usable medium of claim 25, further comprising:
    - computer program code for notifying a remote receiver of the current intrusion; and
      
      computer program code for remotely initiating the scripted response in response to the remote notification of the current intrusion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Baffes, Paul T., Hsu, Allan, Stading, Tyron Jerrod, Gilfix, Michael, Garrison, John Michael
Primary Examiner(s)
Korzuch; William R
Assistant Examiner(s)
AVERY, JEREMIAH L

Application Number

US10/313,732
Publication Number

US 20040111637A1
Time in Patent Office

3,078 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

Method and system for responding to a computer intrusion

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

52 Citations

38 Claims

Specification

Use Cases

Quick Links

Others

Method and system for responding to a computer intrusion

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

38 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others