Computer network intrusion detection system and method

  • US 8,272,054 B2
  • Filed: 05/31/2006
  • Issued: 09/18/2012
  • Est. Priority Date: 06/06/2005
  • Status: Expired due to Fees
First Claim
1. A method of identifying an attacker device attempting an intrusion into a TCP/IP protocol based network that includes at least one managed device and a security event log, said method comprising:

  • detecting, by the at least one managed device, an incoming TCP/IP connection by the attacker device to the network;

  • after said detecting, extracting from a TCP/IP stack of at least one managed device TCP/IP information relating to the attacker device;

  • after said extracting, ascertaining that a port number of the incoming TCP/IP connection is identical to a port number in a set of predefined port numbers;

  • after said ascertaining, performing a process, wherein said performing the process comprises determining that the incoming TCP/IP connection is a NetBIOS connection that has created an invalid logon by the attacker device, linking the invalid logon with the incoming NetBIOS TCP/IP connection, retrieving event log information from the security event log, and determining (i) that a userid of the invalid logon is a local userid defined on a local device of the at least one managed device, (ii) that the userid of the invalid logon is a userid in a list of userids used by viruses, or (iii) that the userid of the invalid logon is neither the local userid defined on the local device nor is in the list of userids used by viruses; and

  • generating a report comprising report information that includes the extracted TCP/IP information and the retrieved event log information; and

  • storing the report in a central violation database of the network.
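The claim's procedure (port check, linking the NetBIOS connection to an invalid logon, the three-way userid test, report generation and storage) as an added illustration; this is not code from the patent, and the port set, account lists, record layouts and sample addresses are constructed assumptions for the example.

```python
# Added example (not the patent's own code): the claim's NetBIOS invalid-logon
# classification, run over constructed connection and security-event records.
from collections import namedtuple
from typing import List, Optional

# The claim's "set of predefined port numbers"; 139/445 are the NetBIOS
# session and SMB ports (an assumed choice for this example).
NETBIOS_PORTS = {139, 445}
# Constructed local-account list and constructed list of userids that worms
# commonly try; the patent does not name specific accounts.
LOCAL_USERIDS = {"administrator", "backup_svc"}
VIRUS_USERIDS = {"guest", "test", "admin"}

# What the managed device extracts from its TCP/IP stack.
Connection = namedtuple("Connection", "src_ip src_port dst_port")
# One security-event-log record; status is "failure" or "success".
LogonEvent = namedtuple("LogonEvent", "src_ip userid status")

def classify_userid(userid: str) -> str:
    """The claim's three-way test (i)/(ii)/(iii) on the invalid logon's userid."""
    u = userid.lower()
    if u in LOCAL_USERIDS:
        return "local_userid"       # (i) defined on the local device
    if u in VIRUS_USERIDS:
        return "virus_userid"       # (ii) in the virus userid list
    return "unknown_userid"         # (iii) neither

def build_report(conn: Connection, events: List[LogonEvent]) -> Optional[dict]:
    """Return a violation report, or None when the claim's conditions fail."""
    if conn.dst_port not in NETBIOS_PORTS:
        return None                 # port not in the predefined set
    # Link the connection to invalid logons recorded from the same source.
    failed = [e for e in events if e.src_ip == conn.src_ip and e.status == "failure"]
    if not failed:
        return None                 # no invalid logon to link
    return {"attacker_ip": conn.src_ip, "src_port": conn.src_port,
            "dst_port": conn.dst_port,
            "invalid_logons": [(e.userid, classify_userid(e.userid)) for e in failed]}

# Constructed sample input (documentation-range addresses, invented userids).
SAMPLE_CONN = Connection("203.0.113.5", 51234, 445)
SAMPLE_EVENTS = [LogonEvent("203.0.113.5", "Guest", "failure"),
                 LogonEvent("203.0.113.5", "administrator", "failure"),
                 LogonEvent("198.51.100.9", "bob", "failure"),   # other host
                 LogonEvent("203.0.113.5", "alice", "success")]  # not invalid

def central_violation_db(reports) -> list:
    """Stand-in for the central violation database: keeps non-None reports."""
    return [r for r in reports if r is not None]
```

Running `central_violation_db([build_report(SAMPLE_CONN, SAMPLE_EVENTS)])` yields one report that links the two failed logons from 203.0.113.5 to the port-445 connection and labels them virus_userid and local_userid.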

  • 2 Assignments