Intrusion event correlation with network discovery information

US 8,046,833 B2
Filed: 11/14/2005
Issued: 10/25/2011
Est. Priority Date: 11/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method for automatically and passively determining the characteristics of a network, comprising:

storing policy configuration information in a policy component, wherein the policy configuration information comprises one or more rules associating authorized usage of a device with an associated device address;

passively detecting an intrusion event instead of using active scanning, wherein the intrusion event comprises information including the associated device address;

storing a network map in memory, wherein the network map contains operating system, service, and network topology characteristics detected using passive detection instead of active scanning;

linking the intrusion event information to the network map characteristics by way of the associated device address;

correlating the intrusion event information with device characteristics in the network map in order to determine one or more of the rules in the policy component for a device corresponding to the associated device address in the network map; and

generating a policy violation event when the passively detected intrusion event is detected and is not authorized by the policy component for the device corresponding to the associated device address in the network map, without generating the policy violation event when a same passively detected intrusion event is detected and is authorized by the policy component for the device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy component includes policy configuration information. The policy configuration information contains one or more rules. Each rule and group of rules can be associated with a set of response actions. As the nodes on the monitored networks change or intrusive actions are introduced on the networks, network change events or intrusion events are generated. The policy component correlates network change events and/or intrusions events with network map information. The network map contains information on the network topology, services and network devices, amongst other things. When certain criteria is satisfied based on the correlation, a policy violation event may be issued by the system resulting in alerts or remediations.

169 Citations

26 Claims

1. A method for automatically and passively determining the characteristics of a network, comprising:
- storing policy configuration information in a policy component, wherein the policy configuration information comprises one or more rules associating authorized usage of a device with an associated device address;
  
  passively detecting an intrusion event instead of using active scanning, wherein the intrusion event comprises information including the associated device address;
  
  storing a network map in memory, wherein the network map contains operating system, service, and network topology characteristics detected using passive detection instead of active scanning;
  
  linking the intrusion event information to the network map characteristics by way of the associated device address;
  
  correlating the intrusion event information with device characteristics in the network map in order to determine one or more of the rules in the policy component for a device corresponding to the associated device address in the network map; and
  
  generating a policy violation event when the passively detected intrusion event is detected and is not authorized by the policy component for the device corresponding to the associated device address in the network map, without generating the policy violation event when a same passively detected intrusion event is detected and is authorized by the policy component for the device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the device address is an Internet protocol address.
  - 3. The method of claim 1, wherein the device address is a MAC address.
  - 4. The method of claim 1, further comprising initiating a remediation, when a policy violation event is generated.
  - 5. The method of claim 1, further comprising initiating an alert, when a policy violation event is generated.
  - 6. The method of claim 1, further comprising determining that the intrusion event is not a policy violation event.
  - 7. The method of claim 1, wherein one or more packets transmitted on the network are used to identify the intrusion event.
  - 8. The method of claim 1, the passively detected intrusion event being a service that the network map shows is newly used at the associated device address but is not permitted at the associated device address.
  - 9. The method of claim 1, the passively detected intrusion event being a passively detected operating system that does not match an allowable operating system for the associated device address.
  - 10. The method of claim 1, further comprising qualifying a criticality of the passively detected intrusion event based on a relationship of an operating system differently detected at the associated device address to the passively detected intrusion event.

11. A system for automatically and passively determining the characteristics of a network, comprising:
- a network map storage device, wherein the network map storage device contains device addresses, operating system, service and network topology information detected using passive detection instead of active scanning;
  
  a policy component, operably in communications with the network map storage device, wherein the policy component receives an intrusion event detected using the passive detection instead of active scanning, and enforces one or more network configuration rules associating authorized usage of a device with a device address, wherein the policy component accesses the operating system, the service, and the network topology information in the network map storage device using the device address associated with the intrusion event to determine whether information associated with the intrusion event matches network map information as part of evaluating one or more rules; and
  
  a response component, that generates a policy violation event when the passively detected intrusion event is detected and is not authorized by the policy component for a device corresponding to the associated device address in the network map, without generating the policy violation event when a same passively detected intrusion event is detected and is authorized by the policy component for the device.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The system of claim 11, further comprising an intrusion detection device, wherein the intrusion detection device detects the intrusion event.
  - 13. The system of claim 11, wherein the device address is an Internet protocol address.
  - 14. The system of claim 11, wherein the device address is a MAC address.
  - 15. The system of claim 11, wherein an alert is generated by the response component, when the policy violation event is generated.
  - 16. The system of claim 11, the passively detected intrusion event being a service that the network map shows is newly used at the associated device address but is not permitted at the associated device address.
  - 17. The system of claim 11, the passively detected intrusion event being a passively detected operating system that does not match an allowable operating system for the associated device address.
  - 18. The system of claim 11, further comprising a qualification component that qualifies a criticality of the passively detected intrusion event differently based on a relationship of an operating system detected at the associated device address to the passively detected intrusion event.

19. A system for automatically and passively determining the characteristics of a network, comprising:
- a means for storing a network map, wherein the network map storage device contains device addresses, operating system, service, and network topology information detected using passive detection instead of active scanning;
  
  a means for storing a policy component, operably in communications with the network map storing means, wherein the policy component storing means receives an intrusion event detected using the passive detection instead of active scanning, and enforces one or more network configuration rules associating authorized usage of a device with a device address;
  
  wherein the policy component storing means accesses information in the network map storing means using the device address associated with the intrusion event to determine whether information associated with the intrusion event matches the operating system, the service, and the network topology information as part of evaluating one or more rules;
  
  a response component that generates a policy violation event when the passively detected intrusion event is detected and is not authorized by the policy component for the operating system, the service, and the network topology information in the network map for the device corresponding to the associated device address in the network map, without generating the policy violation event when a same passively detected intrusion event is detected and is authorized by the policy component for the device.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The system of claim 19, further comprising an intrusion detection device, wherein the intrusion detection device detects the intrusion event.
  - 21. The system of claim 19, wherein the device address is an Internet protocol address.
  - 22. The system of claim 19, wherein the device address is a MAC address.
  - 23. The system of claim 19, wherein an alert is generated by the response component, when the policy violation event is generated.
  - 24. The system of claim 19, the passively detected intrusion event being a service that the network map shows is newly used at the associated device address but is not permitted at the associated device address.
  - 25. The system of claim 19, the passively detected intrusion event being a passively detected operating system that does not match an allowable operating system for the associated device address.
  - 26. The system of claim 19, further comprising a qualification component that qualifies a criticality of the passively detected intrusion event differently based on a relationship of an operating system detected at the associated device address to the passively detected intrusion event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Inventors
Rittermann, Brian P., Gustafson, Eric
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
McNally; Michael S

Application Number

US11/272,035
Publication Number

US 20080244741A1
Time in Patent Office

2,171 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/20 for managing network securi...

Intrusion event correlation with network discovery information

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

169 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Intrusion event correlation with network discovery information

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

169 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others