Intrusion event correlation with network discovery information
First Claim
1. A method for automatically and passively determining the characteristics of a network, comprising:
storing policy configuration information in a policy component, wherein the policy configuration information comprises one or more rules associating authorized usage of a device with an associated device address;
passively detecting an intrusion event instead of using active scanning, wherein the intrusion event comprises information including the associated device address;
storing a network map in memory, wherein the network map contains operating system, service, and network topology characteristics detected using passive detection instead of active scanning;
linking the intrusion event information to the network map characteristics by way of the associated device address;
correlating the intrusion event information with device characteristics in the network map in order to determine one or more of the rules in the policy component for a device corresponding to the associated device address in the network map; and
generating a policy violation event when the passively detected intrusion event is detected and is not authorized by the policy component for the device corresponding to the associated device address in the network map, without generating the policy violation event when a same passively detected intrusion event is detected and is authorized by the policy component for the device.
3 Assignments
0 Petitions
Abstract
A policy component includes policy configuration information. The policy configuration information contains one or more rules. Each rule and each group of rules can be associated with a set of response actions. As the nodes on the monitored networks change or intrusive actions are introduced on the networks, network change events or intrusion events are generated. The policy component correlates network change events and/or intrusion events with network map information. The network map contains information on the network topology, services and network devices, amongst other things. When certain criteria are satisfied based on the correlation, a policy violation event may be issued by the system, resulting in alerts or remediations.
169 Citations
26 Claims
1. A method for automatically and passively determining the characteristics of a network, comprising the steps set out in full under First Claim above. (Dependent claims 2 to 10.)
11. A system for automatically and passively determining the characteristics of a network, comprising:
a network map storage device, wherein the network map storage device contains device addresses, operating system, service and network topology information detected using passive detection instead of active scanning;
a policy component, operably in communications with the network map storage device, wherein the policy component receives an intrusion event detected using the passive detection instead of active scanning, and enforces one or more network configuration rules associating authorized usage of a device with a device address, wherein the policy component accesses the operating system, the service, and the network topology information in the network map storage device using the device address associated with the intrusion event to determine whether information associated with the intrusion event matches network map information as part of evaluating one or more rules; and
a response component, that generates a policy violation event when the passively detected intrusion event is detected and is not authorized by the policy component for a device corresponding to the associated device address in the network map, without generating the policy violation event when a same passively detected intrusion event is detected and is authorized by the policy component for the device. (Dependent claims 12 to 18.)
19. A system for automatically and passively determining the characteristics of a network, comprising:
a means for storing a network map, wherein the network map storage device contains device addresses, operating system, service, and network topology information detected using passive detection instead of active scanning;
a means for storing a policy component, operably in communications with the network map storing means, wherein the policy component storing means receives an intrusion event detected using the passive detection instead of active scanning, and enforces one or more network configuration rules associating authorized usage of a device with a device address;
wherein the policy component storing means accesses information in the network map storing means using the device address associated with the intrusion event to determine whether information associated with the intrusion event matches the operating system, the service, and the network topology information as part of evaluating one or more rules;
a response component that generates a policy violation event when the passively detected intrusion event is detected and is not authorized by the policy component for the operating system, the service, and the network topology information in the network map for the device corresponding to the associated device address in the network map, without generating the policy violation event when a same passively detected intrusion event is detected and is authorized by the policy component for the device. (Dependent claims 20 to 26.)
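The correlation that claims 1, 11 and 19 describe, written out as an added Python example (not code from the patent or its assignee). The network map, policy rules and addresses are constructed sample data; an intrusion event is linked to the map by its destination address, the rules for that device are selected, and a violation is raised only when no rule authorizes the observed activity.

```python
from dataclasses import dataclass

# Constructed sample network map: characteristics learned passively, keyed by address.
NETWORK_MAP = {
    "10.0.0.5": {"os": "Linux", "services": {"ssh", "http"}, "segment": "dmz"},
    "10.0.0.7": {"os": "Windows", "services": {"smb"}, "segment": "office"},
}

@dataclass(frozen=True)
class IntrusionEvent:
    src: str       # address that originated the activity
    dst: str       # device address used to link the event to the network map
    service: str   # service the activity targeted
    activity: str  # what the passive sensor observed, e.g. "port-scan"

@dataclass(frozen=True)
class Rule:
    """One policy rule: an authorized usage tied to a device address ("*" = any)."""
    address: str
    activity: str
    src: str = "*"
    service: str = "*"  # when set, the mapped device must actually run it

    def authorizes(self, ev, device):
        # Match the event against the rule and against the device's map entry.
        return (self.address in ("*", ev.dst)
                and self.activity in ("*", ev.activity)
                and self.src in ("*", ev.src)
                and (self.service == "*"
                     or (self.service == ev.service and ev.service in device["services"])))

# Constructed policy: an internal scanner may probe any device; one admin host may ssh to the DMZ box.
POLICY = [
    Rule(address="*", activity="port-scan", src="10.0.0.2"),
    Rule(address="10.0.0.5", activity="ssh-login", src="10.0.0.3", service="ssh"),
]

def evaluate(ev, network_map=NETWORK_MAP, policy=POLICY):
    """Correlate an event with the network map and policy: None when authorized,
    otherwise a policy-violation record stating why it was raised."""
    device = network_map.get(ev.dst)
    if device is None:  # nothing to correlate against, so nothing can authorize it
        return {"event": ev, "reason": "device address not in network map"}
    rules = [r for r in policy if r.address in ("*", ev.dst)]  # rules for this device
    if any(r.authorizes(ev, device) for r in rules):
        return None
    return {"event": ev, "device": device, "reason": "activity not authorized"}
```

The same port-scan event yields no violation when it comes from the authorized scanner address and a violation when it comes from any other host, which is the distinction the claims turn on.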