Method for cooperative intrusion prevention through collaborative inference
First Claim
1. An intrusion prevention method executing in an enterprise network, the method comprising:
- providing a media server, the media server operable to direct communication contacts between two or more communication devices, wherein the media server comprises a processor, a memory, and an application behavior anomaly detector, wherein:
  - the application behavior anomaly detector receiving application level information from a communication application, wherein the communication application executes a communications-related task;
  - the application behavior anomaly detector selecting at least one event, at the application layer, from the application level information, the selected event being at least one of an error, exception, policy violation, and handling rate;
  - the application behavior anomaly detector detecting a potential attack;
  - the application behavior anomaly detector sending application-level attack information to an enterprise behavioral anomaly system;
- providing an enterprise behavioral anomaly system in communication with the media server, which comprises a processor and memory, executing an interface, anomaly source location engine, and an anomaly prevention engine, wherein:
  - the interface receiving the application-level attack information;
  - the anomaly source location engine locating, with the application-level attack information, an access-level source for the potential attack;
  - when the application-level attack information is indicative of the intrusion, locating at least one of an entry point and an address of a source of the intrusion; and
  - when the application-level attack information is indicative of an intrusion, the anomaly prevention engine implementing an appropriate response to the intrusion, wherein implementing the appropriate response comprises blocking or neutralizing a particular transport address.
Abstract
The present invention is directed to an intrusion detection/prevention system that uses application layer event information to identify potential intrusions and notifies remote trusted peers in other enterprise networks of potential intrusions emanating therefrom.
18 Claims
9. An enterprise network, comprising:
- a plurality of communication applications operable to execute communications-related tasks;
- a media server operable to direct communication contacts between two or more communication devices, the media server comprising:
  - a memory;
  - a processor in communication with the memory, the processor operable to execute:
    - an application behavior anomaly detecting agent operable to:
      - select at least one event at the application layer, the selected at least one event being at least one of an error, exception, policy violation, and handling rate identified by one or more of the plurality of communication applications;
      - when a selected application layer event is indicative of potential anomalous behavior, provide metadata about the selected application layer event to an enterprise behavioral anomaly system;
- the enterprise behavioral anomaly system in communication with the media server, the enterprise behavioral system comprising:
  - a second memory;
  - a second processor in communication with the second memory, the second processor operable to:
    - examine the metadata to determine whether the metadata corresponds to an intrusion;
    - combine the metadata with second information about a second event, wherein the metadata and the second information are associated with a similar intrusion;
    - when the selected application layer is indicative of the intrusion, locating at least one of an entry point and an address of a source of the intrusion; and
    - determine an appropriate response to the similar intrusion; and
    - implement the appropriate response to the intrusion, wherein operation to implement the appropriate response to the intrusion comprises blocking or neutralizing a particular transport address.
17. An enterprise network, comprising:
- a plurality of communication applications operable to execute communications-related tasks;
- a media server operable to direct communication contacts between two or more communication devices, the media server comprising:
  - a memory;
  - a processor in communication with the memory, the processor operable to execute:
    - an application behavior anomaly detecting agent operable to:
      - select at least one event at the application layer, the selected at least one event being at least one of an error, exception, policy violation, and handling rate identified by one or more of the plurality of communication applications;
      - when a selected application layer event is indicative of potential anomalous behavior, provide metadata about the selected application layer event to an enterprise behavioral anomaly system;
- the enterprise behavioral anomaly system in communication with the media server, the enterprise behavioral system comprising:
  - a second memory;
  - a second processor in communication with the second memory, the second processor operable to:
    - examine the metadata to determine whether the metadata corresponds to an intrusion;
    - when the selected application layer is indicative of the intrusion, locating at least one of an entry point and an address of a source of the intrusion; and
    - determine an appropriate response to the intrusion;
    - providing two or more trusted peers with information about the intrusion; and
    - implement the appropriate response to the intrusion, wherein operation to implement the appropriate response to the intrusion comprises blocking or neutralizing a particular transport address.
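The pipeline the independent claims describe, as an added illustration that is not code from the patent or its assignee: a detector on the media server selects the four application-layer event classes, reports suspicious transport addresses as metadata, and an enterprise system combines reports, locates the source address, blocks it and notifies trusted peers (claim 17). Application names, addresses, thresholds and the intrusion rule are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

SELECTED_KINDS = {"error", "exception", "policy_violation", "handling_rate"}  # claim 1's event classes

@dataclass(frozen=True)
class AppEvent:
    kind: str           # application-layer event class reported by the communication app
    app: str            # reporting application (constructed names below)
    source: str         # transport address "ip:port" the request arrived from
    value: float = 0.0  # e.g. requests/second for handling_rate events

def detect_potential_attack(events, max_violations=3, max_rate=100.0):
    """Detector: select the claim's event classes, count per transport address and
    emit attack metadata for suspicious sources (thresholds are assumptions)."""
    by_source = defaultdict(list)
    for e in events:
        if e.kind in SELECTED_KINDS:
            by_source[e.source].append(e)
    reports = []
    for source, evs in by_source.items():
        kinds = Counter(e.kind for e in evs)
        rate = max((e.value for e in evs if e.kind == "handling_rate"), default=0.0)
        if kinds["policy_violation"] + kinds["exception"] >= max_violations or rate > max_rate:
            reports.append({"source": source, "apps": sorted({e.app for e in evs}), "kinds": dict(kinds)})
    return reports

class EnterpriseAnomalySystem:
    """Interface, source location and prevention engine (claim 1) plus peer notification
    (claim 17). Assumed intrusion rule: a source appears in two reports or hits two apps."""
    def __init__(self, trusted_peers):
        self.trusted_peers, self.blocked, self.notified = trusted_peers, set(), []
        self.history = defaultdict(list)  # earlier metadata, keyed by located source address
    def receive(self, report):
        src = report["source"]                       # anomaly source location: the transport address
        self.history[src].append(report)             # combine with second information
        apps = {a for r in self.history[src] for a in r["apps"]}
        if len(self.history[src]) < 2 and len(apps) < 2:
            return "watch"                           # potential attack, not yet an intrusion
        self.blocked.add(src)                        # block/neutralize that particular transport address
        self.notified.extend((peer, src) for peer in self.trusted_peers)
        return "blocked"

# Constructed sample batches: the same source trips the registrar, then a second application.
BATCH_1 = [AppEvent("policy_violation", "sip-registrar", "203.0.113.7:5060")] * 3 + [
    AppEvent("error", "voicemail", "198.51.100.9:5060"),
    AppEvent("debug", "voicemail", "198.51.100.9:5060"),  # not one of the selected classes
]
BATCH_2 = [AppEvent("handling_rate", "conference-bridge", "203.0.113.7:5060", 250.0)]
```

Feeding BATCH_1 then BATCH_2 through the detector and into one EnterpriseAnomalySystem yields "watch" for the first report and "blocked" for the second, with both peers notified of the blocked address.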