Computer security intrusion detection system for remote, on-demand users

US 7,954,160 B2
Filed: 09/16/2009
Issued: 05/31/2011
Est. Priority Date: 03/14/2005
Status: Expired due to Fees

First Claim

Patent Images

1. In a remote, on-demand computing service environment in which one or more data processing hosts are made available to a remote on-demand user that does not have physical custody and control over said host(s), an intrusion detection system, comprising:

means for monitoring resources defined by said on-demand user for intrusion events defined by said on-demand user;

said monitoring being performed by one or more intrusion detection agents that are run by said one or more data processing hosts, each intrusion detection agent being associated with a single one of said data processing hosts, and each of said data processing hosts that is being monitored running at least one of said intrusion detection agents;

said user-defined resources including hardware resources, non-network system software resources, non-network, local login system access resources and network access resources;

said user-defined intrusion events including hardware events, non-network system software events, non-network, local login system access events and network access events;

means for implementing responses to said intrusion events according to event-action rules defined by said on-demand user;

said user-defined event-action rules including notifying said on-demand user of said user-defined intrusion events; and

said intrusion detection system being operable to receive a specification of said resources, said intrusion events and said event-action rules from said on-demand user as security criteria to an on-demand service provider implementing said on-demand computing environment.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion detection system, and a related method and computer program product, for implementing intrusion detection in a remote, on-demand computing service environment in which one or more data processing hosts are made available to a remote on-demand user that does not have physical custody and control over the host(s). Intrusion detection entails monitoring resources defined by the on-demand user (or a third party security provider) for intrusion events that are also defined by the on-demand user (or security provider), and implementing responses according to event-action rules that are further defined by the on-demand user (or security provider). An intrusion detection system agent is associated with each of the data processing hosts, and is adapted to monitor the intrusion events and report intrusion activity. If there are plural intrusion detection system agents, they can be individually programmed to monitor and report on agent-specific sets of the intrusion events. An intrusion detection system controller is associated with one of the data processing hosts. It is adapted to manage and monitor the intrusion detection system agent(s), process agent reports of intrusion activity, and communicate intrusion-related information to the on-demand user (or security provider). The responses to intrusion events can be implemented by the intrusion detection system controller in combination with the intrusion detection system agents, or by any such entity alone.

Citations

20 Claims

1. In a remote, on-demand computing service environment in which one or more data processing hosts are made available to a remote on-demand user that does not have physical custody and control over said host(s), an intrusion detection system, comprising:
- means for monitoring resources defined by said on-demand user for intrusion events defined by said on-demand user;
  
  said monitoring being performed by one or more intrusion detection agents that are run by said one or more data processing hosts, each intrusion detection agent being associated with a single one of said data processing hosts, and each of said data processing hosts that is being monitored running at least one of said intrusion detection agents;
  
  said user-defined resources including hardware resources, non-network system software resources, non-network, local login system access resources and network access resources;
  
  said user-defined intrusion events including hardware events, non-network system software events, non-network, local login system access events and network access events;
  
  means for implementing responses to said intrusion events according to event-action rules defined by said on-demand user;
  
  said user-defined event-action rules including notifying said on-demand user of said user-defined intrusion events; and
  
  said intrusion detection system being operable to receive a specification of said resources, said intrusion events and said event-action rules from said on-demand user as security criteria to an on-demand service provider implementing said on-demand computing environment.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A system in accordance with claim 1 wherein there are plural intrusion detection system agents that are individually programmed to monitor agent-specific sets of user-defined intrusion events occurring on their associated data processing hosts.
  - 3. A system in accordance with claim 1 wherein said intrusion detection system agent(s) is/are adapted to perform event-action rule processing and implement said responses according to said event-action rules defined by said on-demand user.
  - 4. A system in accordance with claim 1 wherein said intrusion detection system comprises an intrusion detection system controller associated with one of said data processing hosts, said intrusion detection system controller being adapted to manage and monitor said intrusion detection system agent(s), process reports of intrusion activity provided by said intrusion detection system agent(s), and communicate intrusion-related information to said on-demand user or other authorized entity.
  - 5. A system in accordance with claim 4 wherein said intrusion detection system controller is adapted to perform event-action rule processing and implement said responses according to said event-action rules defined by said on-demand user, either directly or using said intrusion detection system agent(s).
  - 6. A system in accordance with claim 1 wherein said security criteria are received by said on-demand service provider via an interface provided by said intrusion detection system.

7. A method for implementing an intrusion detection system in on-demand computing service environment in which one or more data processing hosts are made available to a remote on-demand user that does not have physical custody and control over said host(s), the method comprising:
- monitoring resources defined by said on-demand user for intrusion events defined by said on-demand user and implementing responses according to event-action rules defined by said on-demand user;
  
  said resources, said intrusion events and said event-action rules being received from said on-demand user as security criteria by an on-demand service provider implementing said on-demand computing environment;
  
  said monitoring being performed by one or more intrusion detection agents that are run by said one or more data processing hosts, each intrusion detection agent being associated with a single one of said data processing hosts, and each of said data processing hosts that is being monitored running at least one of said intrusion detection agents;
  
  said user-defined resources including hardware resources, non-network system software resources, non-network, local login system access resources and network access resources;
  
  said user-defined intrusion events including hardware events, non-network system software events, non-network, local login system access events and network access events; and
  
  said user-defined event-action rules including notifying said on-demand user of said user-defined intrusion events.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. A method in accordance with claim 7 wherein plural intrusion detection agents individually monitor agent-specific sets of user-defined intrusion events occurring on their associated data processing hosts.
  - 9. A method in accordance with claim 7 wherein said intrusion detection agent(s) perform(s) event-action rule processing and implement(s) said responses according to said event-action rules defined by said on-demand user.
  - 10. A method in accordance with claim 7 wherein said agent(s) is/are managed and monitored by an intrusion detection system controller associated with one of said data processing hosts, and which also processes reports of intrusion activity provided by said intrusion detection system agent(s), and communicates intrusion-related information to said on-demand user or other authorized entity.
  - 11. A method in accordance with claim 10 wherein said intrusion detection controller performs event-action rule processing and implements said responses according to said event-action rules defined by said on-demand user, either directly or using said intrusion detection system agent(s).
  - 12. A method in accordance with claim 7 wherein said security criteria are received by said on-demand service provider via an interface provided by said intrusion detection system.

13. A computer program product for implementing an intrusion detection system in on-demand computing service environment in which one or more data processing hosts is made available to a remote on-demand user that does not have physical custody and control over said host(s), comprising:
- one or more data storage media;
  
  means recorded on said data storage media for programming said one or more data processing hosts to operate by;
  
  monitoring resources defined by said on-demand user for intrusion events defined by said on-demand user and to implement responses according to event-action rules defined by said on-demand user;
  
  said resources, said intrusion events and said event-action rules being received from said on-demand user as security criteria by an on-demand service provider implementing said on-demand computing environment;
  
  said monitoring being performed by one or more intrusion detection agents that are run by said one or more data processing hosts, each intrusion detection agent being associated with a single one of said data processing hosts, and each of said data processing hosts that is being monitored running at least one of said intrusion detection agents;
  
  said user-defined resources including hardware resources, non-network system software resources, non-network, local login system access resources and network access resources;
  
  said user-defined intrusion events including hardware events, non-network system software events, non-network, local login system access events and network access events; and
  
  said user-defined event-action rules including notifying said on-demand user of said user-defined intrusion events.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. A product in accordance with claim 13 wherein plural intrusion detection agents individually monitor agent-specific sets of user-defined intrusion events occurring on their associated data processing hosts.
  - 15. A product in accordance with claim 13 wherein said intrusion detection agent(s) perform(s) event-action rule processing and implement(s) said responses according to said event-action rules defined by said on-demand user.
  - 16. A product in accordance with claim 13 wherein said agent(s) is/are managed and monitored by an intrusion detection system controller associated with one of said data processing hosts, and which also processes reports of intrusion activity provided by said intrusion detection system agent(s), and communicates intrusion-related information to said on-demand user or other authorized entity.
  - 17. A product in accordance with claim 15 wherein said intrusion detection controller performs event-action rule processing and implements said responses according to said event-action rules defined by said on-demand user, either directly or using said intrusion detection system agent(s).
  - 18. A product in accordance with claim 13 wherein said security criteria are received by said on-demand service provider via an interface provided by said intrusion detection system.

19. In a remote, on-demand computing service environment in which one or more data processing hosts is made available to a remote on-demand user that does not have physical custody and control over said host(s), an intrusion detection system adapted to monitor resources defined by said on-demand user for intrusion events defined by said on-demand user and to implement responses according to event-action rules defined by said on-demand user, said resources, said intrusion events and said event-action rules being specified by said on-demand user as security criteria to an on-demand service provider implementing said on-demand computing environment:
- said intrusion detection system comprising;
  
  an intrusion detection system agent associated with each of said data processing hosts, said intrusion detection system agent(s) being individually programmed to monitor agent-specific sets of user-defined intrusion events and report intrusion activity to said intrusion detection system controller;
  
  each of said intrusion detection agents being associated with a single one of said data processing hosts, and each of said data processing hosts that is being monitored running at least one of said intrusion detection agents;
  
  an intrusion detection system controller associated with one of said data processing hosts, said intrusion detection system controller being adapted to manage and monitor said intrusion detection system agent(s), process reports of intrusion activity provided by said intrusion detection system agent(s), and communicate intrusion-related information to said on-demand user or other authorized entity;
  
  one or more of said intrusion detection system agent(s) and said intrusion detection system controller being adapted to perform event-action rule processing and implement said responses according to said event-action rules defined by said on-demand user;
  
  said user-defined resources including hardware resources, non-network system software resources, non-network, local login system access resources and network access resources;
  
  said user-defined intrusion events including hardware events, non-network system software events, non-network, local login system access events and network access events; and
  
  said user-defined event-action rules including notifying said on-demand user of said user-defined intrusion events.

20. A computer program product for implementing an intrusion detection system in on-demand computing service environment in which one or more data processing hosts is made available to a remote on-demand user that does not have physical custody and control over said host(s), comprising:
- one or more data storage media;
  
  means recorded on said data storage media for programming said one or more data processing hosts to operate by;
  
  monitoring resources defined by said on-demand user for intrusion events defined by said on-demand user and to implement responses according to event-action rules defined by said on-demand user;
  
  said resources, said intrusion events and said event-action rules being specified by said on-demand user as security criteria to an on-demand service provider implementing said on-demand computing environment;
  
  said monitoring of user-defined events being performed by an intrusion detection system agent associated with each of said data processing hosts, said intrusion detection system agent(s) individually monitoring agent-specific sets of user-defined intrusion events and reporting intrusion activity to said intrusion detection system controller;
  
  each of said intrusion detection agents being associated with a single one of said data processing hosts, and each of said data processing hosts that is being monitored running at least one of said intrusion detection agents;
  
  said agent(s) being managed and monitored by an intrusion detection system controller associated with one of said data processing hosts, and which also processes reports of intrusion activity provided by said intrusion detection system agent(s), and communicates intrusion-related information to said on-demand user or other authorized entity;
  
  one or more of said intrusion detection system agent(s) and said intrusion detection system controller performing event-action rule processing and implementing said responses according to said event-action rules defined by said on-demand user;
  
  said user-defined resources including hardware resources, non-network system software resources, non-network, local login system access resources and network access resources;
  
  said user-defined intrusion events including hardware events, non-network system software events, non-network, local login system access events and network access events; and
  
  said user-defined event-action rules including notifying said on-demand user of said user-defined intrusion events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Keung, Nam, Chitor, Ramesh V., Strauss, Christopher P., Jaji, Sebnem
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
McNally; Michael S

Application Number

US12/560,811
Publication Number

US 20100011440A1
Time in Patent Office

622 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

H04L 63/1408 by monitoring network traff...

Computer security intrusion detection system for remote, on-demand users

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Computer security intrusion detection system for remote, on-demand users

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links