Intrusion detection report correlator and analyzer
First Claim
1. A method of correlating and analyzing reports of detected activity in a computer network, the method comprising:
receiving and storing intrusion reports from multiple intrusion detectors, each intrusion detector operable to provide a report in a standard canonical format;
clustering the intrusion reports with one or more explanations for associated intrusion reports in a sensor concentrator operable to assign a single intrusion report to more than one explanation, assign a plurality of intrusion reports to a single explanation, and, when no existing explanation supports a plausible cause, hypothesize a new explanation; and
scoring, by a microprocessor, the events one or more explanations for the associated intrusion reports as a function of qualitative probability at an analyzer based on an intrusion reference model that contains information about a protected network, its configuration, installed intrusion detectors, and related security goals, wherein the one or more explanations for the associated intrusion reports are weighed against each other using a calculus based on qualitative probability.
2 Assignments
0 Petitions
Abstract
A computer/computer network security alert management system aggregates information from multiple intrusion detectors. Utilizing reports from multiple intrusion detectors reduces the high false alarm rate experienced by individual detectors while also improving detection of coordinated attacks involving a series of seemingly harmless operations. An internal representation of a protected enclave is utilized, and intrusion detection system (IDS) information is correlated to accurately prioritize alerts. In one embodiment, the system is capable of utilizing data from most existing IDS products, with flexibility to add further IDS products.
33 Citations
25 Claims
1. A method of correlating and analyzing reports of detected activity in a computer network, the method comprising:
receiving and storing intrusion reports from multiple intrusion detectors, each intrusion detector operable to provide a report in a standard canonical format;
clustering the intrusion reports with one or more explanations for associated intrusion reports in a sensor concentrator operable to assign a single intrusion report to more than one explanation, assign a plurality of intrusion reports to a single explanation, and, when no existing explanation supports a plausible cause, hypothesize a new explanation; and
scoring, by a microprocessor, the events one or more explanations for the associated intrusion reports as a function of qualitative probability at an analyzer based on an intrusion reference model that contains information about a protected network, its configuration, installed intrusion detectors, and related security goals, wherein the one or more explanations for the associated intrusion reports are weighed against each other using a calculus based on qualitative probability.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. An intrusion detection system comprising:
means for receiving and storing intrusion reports from multiple intrusion detectors, each intrusion detector operable to translate an intrusion report into standard canonical format;
means for clustering the intrusion reports and associating them with one or more explanations for the intrusion reports based, in part, on input from the means for storing, wherein the means for clustering the intrusion reports and associating them with the one or more explanations for the intrusion reports is operable to assign a single intrusion report to more than one explanation, assign a plurality of intrusion reports to a single explanation, and, when no existing explanation supports a plausible cause, hypothesize a new explanation; and
means for scoring the one or more explanations for the intrusion report at an analyzer using a calculus based on qualitative probability and based on an intrusion reference model that contains information about a protected network, its configuration, installed intrusion detectors, and related security goals.
Dependent claims: 10, 11, 12, 13
14. A dynamic evidence aggregator for an intrusion detection system, the dynamic evidence aggregator comprising:
an input that receives and stores intrusion reports from multiple intrusion detectors, wherein each intrusion detector comprises an intrusion sensor and an associated converter, the converter operable to translate an intrusion report into standard canonical format;
a first module that clusters the translated intrusion reports into one or more explanations for the intrusion reports, the first module being operable to assign a single intrusion report to more than one explanation, assign a plurality of intrusion reports to a single explanation, and, when no existing explanation supports a plausible cause, hypothesize a new explanation; and
a second module that scores the one or more explanations for the intrusion reports as a function of qualitative probability at an analyzer based on an intrusion reference model, wherein the intrusion reference model contains information about a protected network, its configuration, installed intrusion detectors, and related security goals, and wherein the one or more explanations for the intrusion reports are weighed against each other using a calculus based on qualitative probability.
Dependent claims: 15
16. An intrusion detection system comprising:
multiple converters each associated with a respective intrusion sensor, the converters operable to translate an intrusion report from the intrusion sensor into standard canonical format;
a database to store the translated intrusion reports from the multiple intrusion sensors;
a first module including a sensor concentrator that clusters the intrusion reports into one or more explanations for the intrusion reports, the first module being operable to assign a single intrusion report to more than one explanation, assign a plurality of intrusion reports to a single explanation, and, when no existing explanation supports a plausible cause, hypothesize a new explanation;
an intrusion reference model including a network model, a security model, and a plurality of attack models; and
a second module including an analyzer that scores the one or more explanations for the intrusion report as a function of qualitative probability based on the intrusion reference model, wherein the one or more explanations for the intrusion report are weighed against each other using a calculus based on qualitative probability.
Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24, 25
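The independent claims above (1, 9, 14 and 16) describe one pipeline: per-sensor converters emit reports in a canonical format, a sensor concentrator clusters reports into explanations (one report may support several explanations, several reports may support one, and a report nobody explains spawns a new hypothesis), and an analyzer ranks the explanations against an intrusion reference model made of a network model, a security model and attack models. The following Python sketch is an added illustration of that pipeline and is not the patent's code or any product's implementation. The report fields, the two converters, the reference-model contents and the sample sensor records are all constructed for the example; the "calculus based on qualitative probability" the claims leave unspecified is stood in for here by a ranking (surprise-degree) scheme in which rank 0 means fully supported and independent penalties add.

```python
from dataclasses import dataclass, field

# --- Canonical report format (field names are assumptions for this example) ---
@dataclass(frozen=True)
class Report:
    rid: str
    sensor: str
    src: str
    dst: str
    event: str      # canonical event class shared by all sensors
    service: str    # canonical service name, or "" when not known

# --- Converters: one per sensor, translating native output into canonical form ---
def convert_nids(raw: dict) -> Report:
    # constructed network-IDS style record: sid, sig, src, dst, optional service
    sig_map = {"SCAN nmap": "port_scan", "WEB-CGI traversal": "exploit_attempt"}
    return Report(f"nids-{raw['sid']}", "nids", raw["src"], raw["dst"],
                  sig_map[raw["sig"]], raw.get("service", ""))

def convert_hids(raw: dict) -> Report:
    # constructed host-log style record: seq, kind, host, optional from/service
    kind_map = {"login_fail": "auth_failure", "new_setuid": "privilege_escalation"}
    return Report(f"hids-{raw['seq']}", "hids", raw.get("from", "?"), raw["host"],
                  kind_map[raw["kind"]], raw.get("service", ""))

# --- Intrusion reference model: network model, security model, attack models ---
REFERENCE_MODEL = {
    "network": {"10.0.0.5": {"services": {"http"}}, "10.0.0.9": {"services": {"ssh"}}},
    "security": {"10.0.0.5": 2, "10.0.0.9": 1},   # constructed asset criticality
    "attack_models": {
        "web_exploit":    {"steps": ["port_scan", "exploit_attempt"], "service": "http"},
        "ssh_bruteforce": {"steps": ["port_scan", "auth_failure", "privilege_escalation"],
                           "service": "ssh"},
    },
}

@dataclass
class Explanation:
    model: str                 # attack model this explanation instantiates
    target: str                # protected host the model is applied to
    reports: list = field(default_factory=list)

    def accepts(self, r: Report) -> bool:
        steps = REFERENCE_MODEL["attack_models"][self.model]["steps"]
        return r.dst == self.target and r.event in steps

# --- Sensor concentrator: cluster canonical reports into explanations ---
def cluster(reports):
    explanations = []
    for r in reports:
        hits = [ex for ex in explanations if ex.accepts(r)]
        for ex in hits:
            ex.reports.append(r)   # one report may support several explanations
        if not hits:
            # No existing explanation covers this report: hypothesize a new one
            # for every attack model whose steps include the observed event.
            for name, am in REFERENCE_MODEL["attack_models"].items():
                if r.event in am["steps"]:
                    explanations.append(Explanation(name, r.dst, [r]))
    return explanations

# --- Analyzer: rank explanations with a qualitative (surprise-degree) calculus ---
def score(ex: Explanation) -> int:
    """Rank 0 = every model step evidenced and target can host the attack."""
    am = REFERENCE_MODEL["attack_models"][ex.model]
    evidenced = {r.event for r in ex.reports}
    rank = sum(1 for s in am["steps"] if s not in evidenced)    # each missing step: +1
    services = REFERENCE_MODEL["network"].get(ex.target, {}).get("services", set())
    if am["service"] not in services:
        rank += 2   # network model says the target does not run the attacked service
    return rank

def analyze(reports):
    """Cluster, score, and order explanations: lowest rank first, then most critical asset."""
    scored = []
    for ex in cluster(reports):
        crit = REFERENCE_MODEL["security"].get(ex.target, 0)
        scored.append((score(ex), -crit, ex))
    scored.sort(key=lambda t: (t[0], t[1]))
    return [(ex.model, ex.target, rank, len(ex.reports)) for rank, _, ex in scored]

# Constructed sensor output: one scanner touches a web host and an ssh host.
RAW_NIDS = [
    {"sid": 1, "sig": "SCAN nmap", "src": "198.51.100.7", "dst": "10.0.0.5"},
    {"sid": 2, "sig": "WEB-CGI traversal", "src": "198.51.100.7", "dst": "10.0.0.5", "service": "http"},
    {"sid": 3, "sig": "SCAN nmap", "src": "198.51.100.7", "dst": "10.0.0.9"},
]
RAW_HIDS = [{"seq": 11, "kind": "login_fail", "host": "10.0.0.9", "from": "198.51.100.7", "service": "ssh"}]

def run_example():
    reports = [convert_nids(r) for r in RAW_NIDS] + [convert_hids(r) for r in RAW_HIDS]
    return analyze(reports)

if __name__ == "__main__":
    for model, target, rank, n in run_example():
        print(f"{model:15s} {target:10s} rank={rank} reports={n}")
```

The first port scan against 10.0.0.5 matches no existing explanation, so the concentrator hypothesizes both a web_exploit and an ssh_bruteforce explanation for that host and attaches the same report to each; the later traversal alert then joins only the web_exploit cluster. The analyzer ranks web_exploit on 10.0.0.5 at 0 (both steps seen, host runs http) and pushes ssh_bruteforce on the same host to rank 4 because the network model says it runs no ssh, which is the kind of false-alarm suppression the abstract describes.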
Specification