Intrusion detection report correlator and analyzer

US 8,191,139 B2
Filed: 12/20/2004
Issued: 05/29/2012
Est. Priority Date: 12/18/2003
Status: Active Grant

First Claim

Patent Images

1. A method of correlating and analyzing reports of detected activity in a computer network, the method comprising:

receiving and storing intrusion reports from multiple intrusion detectors, each intrusion detector operable to provide a report in a standard canonical format;

clustering the intrusion reports with one or more explanations for associated intrusion reports in a sensor concentrator operable to assign a single intrusion report to more than one explanation, assign a plurality of intrusion reports to a single explanation, and, when no existing explanation supports a plausible cause, hypothesize a new explanation; and

scoring, by a microprocessor, the events one or more explanations for the associated intrusion reports as a function of qualitative probability at an analyzer based on an intrusion reference model that contains information about a protected network, its configuration, installed intrusion detectors, and related security goals, wherein the one or more explanations for the associated intrusion reports are weighed against each other using a calculus based on qualitative probability.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer/computer network security alert management system aggregates information from multiple intrusion detectors. Utilizing reports from multiple intrusion detectors reduces the high false alarm rate experienced by individual detectors while also improving detection of coordinated attacks involving a series of seemingly harmless operations. An internal representation of a protected enclave is utilized, and intrusion detection system (IDS) information is correlated to accurately prioritize alerts. In one embodiment, the system is capable of utilizing data from most existing IDS products, with flexibility to add further IDS products.

33 Citations

View as Search Results

25 Claims

1. A method of correlating and analyzing reports of detected activity in a computer network, the method comprising:
- receiving and storing intrusion reports from multiple intrusion detectors, each intrusion detector operable to provide a report in a standard canonical format;
  
  clustering the intrusion reports with one or more explanations for associated intrusion reports in a sensor concentrator operable to assign a single intrusion report to more than one explanation, assign a plurality of intrusion reports to a single explanation, and, when no existing explanation supports a plausible cause, hypothesize a new explanation; and
  
  scoring, by a microprocessor, the events one or more explanations for the associated intrusion reports as a function of qualitative probability at an analyzer based on an intrusion reference model that contains information about a protected network, its configuration, installed intrusion detectors, and related security goals, wherein the one or more explanations for the associated intrusion reports are weighed against each other using a calculus based on qualitative probability.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the one or more explanations for the associated intrusion reports are scored based on plausibility and impact.
  - 3. The method of claim 2, wherein the one or more explanations for the associated intrusion reports are scored using a Bayesian estimation network.
  - 4. The method of claim 1 and further comprising providing a viewable real time flow of the one or more explanations for the associated intrusion reports.
  - 5. The method of claim 1 and further comprising providing a graphical user interface for allowing a user to review information for a selected period of time and select important events.
  - 6. The method of claim 5 and further comprising providing filters in the graphical user interface for selecting events to be displayed.
  - 7. The method of claim 5 and further comprising providing a list of the one or more explanations for the associated intrusion reports in the graphical user interface, and providing controls for grouping events by start time, operation involved, hypothesized intent, source IP address, or target host.
  - 8. The method of claim 1, wherein the intrusion reference model further contains a plurality of network-independent attack models that represent different kinds of attacks and probabilities of attacks based on attack characteristics.

9. An intrusion detection system comprising:
- means for receiving and storing intrusion reports from multiple intrusion detectors, each intrusion detector operable to translate an intrusion report into standard canonical format;
  
  means for clustering the intrusion reports and associating them with one or more explanations for the intrusion reports based, in part, on input from the means for storing, wherein the means for clustering the intrusion reports and associating them with the one or more explanations for the intrusion reports is operable to assign a single intrusion report to more than one explanation, assign a plurality of intrusion reports to a single explanation, and, when no existing explanation supports a plausible cause, hypothesize a new explanation; and
  
  means for scoring the one or more explanations for the intrusion report at an analyzer using a calculus based on qualitative probability and based on an intrusion reference model that contains information about a protected network, its configuration, installed intrusion detectors, and related security goals.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The intrusion detection system of claim 9 and further comprising means for displaying a list of event descriptors sorted by time of occurrence, with subsidiary events indented below their parent.
  - 11. The intrusion detection system of claim 10 and further comprising auxiliary links for viewing relevant entries from vulnerability databases.
  - 12. The intrusion detection system of claim 10 and further comprising means for graphically representing the number of reports of interactions between source IP and target IP.
  - 13. The intrusion detection system of claim 9, wherein the intrusion reference model further contains a plurality of network-independent attack models that represent different kinds of attacks and probabilities of attacks based on attack characteristics.

14. A dynamic evidence aggregator for an intrusion detection system, the dynamic evidence aggregator comprising:
- an input that receives and stores intrusion reports from multiple intrusion detectors, wherein each intrusion detector comprises an intrusion sensor and an associated converter, the converter operable to translate an intrusion report into standard canonical format;
  
  a first module that clusters the translated intrusion reports into one or more explanations for the intrusion reports, the first module being operable to assign a single intrusion report to more than one explanation, assign a plurality of intrusion reports to a single explanation, and, when no existing explanation supports a plausible cause, hypothesize a new explanation; and
  
  a second module that scores the one or more explanations for the intrusion reports as a function of qualitative probability at an analyzer based on an intrusion reference model, wherein the intrusion reference model contains information about a protected network, its configuration, installed intrusion detectors, and related security goals, and wherein the one or more explanations for the intrusion reports are weighed against each other using a calculus based on qualitative probability.
- View Dependent Claims (15)
- - 15. The dynamic evidence aggregator of claim 14, wherein the multiple intrusion detectors include at least two different types of intrusion detectors and wherein the intrusion reference model further contains a plurality of network-independent attack models that represent different kinds of attacks and probabilities of attacks based on attack characteristics.

16. An intrusion detection system comprising:
- multiple converters each associated with a respective intrusion sensor, the converters operable to translate an intrusion report from the intrusion sensor into standard canonical format;
  
  a database to store the translated intrusion reports from the multiple intrusion sensors;
  
  a first module including a sensor concentrator that clusters the intrusion reports into one or more explanations for the intrusion reports, the first module being operable to assign a single intrusion report to more than one explanation, assign a plurality of intrusion reports to a single explanation, and, when no existing explanation supports a plausible cause, hypothesize a new explanation;
  
  an intrusion reference model including a network model, a security model, and a plurality of attack models; and
  
  a second module including an analyzer that scores the one or more explanations for the intrusion report as a function of qualitative probability based on the intrusion reference model, wherein the one or more explanations for the intrusion report are weighed against each other using a calculus based on qualitative probability.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The system of claim 16 wherein the one or more explanations for the intrusion report are scored based on plausibility and impact.
  - 18. The system of claim 17 wherein the one or more explanations for the intrusion report are scored using a Bayesian estimation network.
  - 19. The system of claim 17 and further comprising a graphical user interface.
  - 20. The system of claim 19 wherein the graphical user interface comprises a plurality of panes of information.
  - 21. The system of claim 20 wherein one of the panes comprises a triage table.
  - 22. The system of claim 21 wherein the triage table comprises numbers of events displayed in cells at multiple levels of plausibility and severity, respectively.
  - 23. The system of claim 22 wherein each cell comprises a link to events at a specific level of plausibility and severity.
  - 24. The system of claim 20 wherein one of the panes comprises a set of filters.
  - 25. The intrusion detection system of claim 16, wherein the plurality of attack models comprise a plurality of network-independent attack models that represent different kinds of attacks and probabilities of attacks based on attack characteristics.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Honeywell International Inc.
Original Assignee
Honeywell International Inc.
Inventors
Heimerdinger, Walter L., Schewe, Jon P.
Primary Examiner(s)
Dada, Beemnet
Assistant Examiner(s)
MORAN, RANDAL D

Application Number

US11/017,382
Publication Number

US 20060070128A1
Time in Patent Office

2,717 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1441 Countermeasures against mal...

Intrusion detection report correlator and analyzer

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection report correlator and analyzer

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links