Computer network intrusion detection system and method
First Claim
1. A method of identifying an attacker device attempting an intrusion into a TCP/IP protocol based network that includes at least one managed device and a security event log, said method comprising:
- detecting, by the at least one managed device, an incoming TCP/IP connection by the attacker device to the network;
- after said detecting, extracting from a TCP/IP stack of at least one managed device TCP/IP information relating to the attacker device;
- after said extracting, ascertaining that a port number of the incoming TCP/IP connection is identical to a port number in a set of predefined port numbers;
- after said ascertaining, performing a process, wherein said performing the process comprises determining that the incoming TCP/IP connection is a NetBIOS connection that has created an invalid logon by the attacker device, linking the invalid logon with the incoming NetBIOS TCP/IP connection, retrieving event log information from the security event log, and determining (i) that a userid of the invalid logon is a local userid defined on a local device of the at least one managed device, (ii) that the userid of the invalid logon is a userid in a list of userids used by viruses, or (iii) that the userid of the invalid logon is neither the local userid defined on the local device nor is in the list of userids used by viruses;
- generating a report comprising report information that includes the extracted TCP/IP information and the retrieved event log information; and
- storing the report in a central violation database of the network.
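As an added example (not code from the patent), the correlation steps of claim 1 carried out in Python over constructed records: a NetBIOS connection is matched to a failed logon from the same source address, the userid is sorted into the three outcomes (i), (ii), (iii), and the report is written to a database. The NetBIOS port set {139, 445}, the userid lists and the sample records are assumptions, and an in-memory sqlite table stands in for the central violation database.

```python
"""Link a failed NetBIOS logon to the incoming connection that caused it and report it."""
import sqlite3
from dataclasses import dataclass

NETBIOS_PORTS = {139, 445}                       # assumed "predefined port numbers"
LOCAL_USERIDS = {"Administrator", "backup_svc"}  # constructed: accounts defined on the local device
VIRUS_USERIDS = {"worm_default_acct"}            # constructed placeholder, not a real indicator

@dataclass
class Connection:            # fields extracted from the managed device's TCP/IP stack
    remote_ip: str
    remote_port: int
    local_port: int

@dataclass
class LogonEvent:            # one security event log record
    userid: str
    source_ip: str
    success: bool

def classify_userid(userid):
    """Outcomes (i), (ii), (iii) of the claim, tested in that order."""
    if userid in LOCAL_USERIDS:
        return "local_userid"
    if userid in VIRUS_USERIDS:
        return "virus_userid"
    return "unknown_userid"

def build_reports(connections, events):
    """Only NetBIOS connections are considered; each is linked to invalid logons by source IP."""
    reports = []
    for conn in connections:
        if conn.local_port not in NETBIOS_PORTS:
            continue                                   # port check fails: not a NetBIOS connection
        for ev in events:
            if ev.success or ev.source_ip != conn.remote_ip:
                continue                               # keep only invalid logons from this attacker
            reports.append({"attacker_ip": conn.remote_ip, "attacker_port": conn.remote_port,
                            "local_port": conn.local_port, "userid": ev.userid,
                            "classification": classify_userid(ev.userid)})
    return reports

def store_reports(reports, db=None):
    """Store reports in the central violation database; returns the stored row count."""
    db = db or sqlite3.connect(":memory:")             # in-memory stand-in for the central database
    db.execute("CREATE TABLE IF NOT EXISTS violations (attacker_ip TEXT, attacker_port INTEGER, "
               "local_port INTEGER, userid TEXT, classification TEXT)")
    db.executemany("INSERT INTO violations VALUES (?,?,?,?,?)",
                   [(r["attacker_ip"], r["attacker_port"], r["local_port"], r["userid"],
                     r["classification"]) for r in reports])
    db.commit()
    return db.execute("SELECT COUNT(*) FROM violations").fetchone()[0]

# Constructed sample input: one SMB/NetBIOS connection, one HTTP connection, four logon events.
SAMPLE_CONNECTIONS = [Connection("192.0.2.10", 51234, 445), Connection("192.0.2.11", 40000, 80)]
SAMPLE_EVENTS = [LogonEvent("Administrator", "192.0.2.10", False),
                 LogonEvent("worm_default_acct", "192.0.2.10", False),
                 LogonEvent("alice", "192.0.2.11", False),
                 LogonEvent("bob", "192.0.2.10", True)]
```

Only the two failed logons that arrived over the port-445 connection become reports; the failure over port 80 and the successful logon are ignored.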
Abstract
A method and system for identifying an attacker device attempting an intrusion into a TCP/IP protocol based network that includes a managed device and a security event log. The managed device detects an incoming TCP/IP connection by the attacker device to the network. TCP/IP information relating to the attacker device is extracted from a TCP/IP stack of the managed device. It is ascertained that a port number of the incoming TCP/IP connection is identical to a predefined port number. A performed process includes determining that the incoming TCP/IP connection is a NetBIOS connection that has created an invalid logon by the attacker device. Event log information, which is associated with the detected incoming TCP/IP connection, is retrieved from the security event log. A report is generated and stored in a database of the network. The report includes the extracted TCP/IP information and the retrieved event log information.
21 Claims
8. A system comprising at least one managed device configured for identifying an attacker device attempting an intrusion into a TCP/IP protocol based network, said network including the at least one managed device and a security event log, said at least one managed device configured to perform a method, said method comprising:
- detecting, by the at least one managed device, an incoming TCP/IP connection by the attacker device to the network;
- after said detecting, extracting from a TCP/IP stack of the at least one managed device TCP/IP information relating to the attacker device;
- after said extracting, ascertaining that a port number of the incoming TCP/IP connection is identical to a port number in a set of predefined port numbers;
- after said ascertaining, performing a process, wherein said performing the process comprises determining that the incoming TCP/IP connection is a NetBIOS connection that has created an invalid logon by the attacker device, linking the invalid logon with the incoming NetBIOS TCP/IP connection, retrieving event log information from the security event log, and determining (i) that a userid of the invalid logon is a local userid defined on a local device of the at least one managed device, (ii) that the userid of the invalid logon is a userid in a list of userids used by viruses, or (iii) that the userid of the invalid logon is neither the local userid defined on the local device nor is in the list of userids used by viruses;
- generating a report comprising report information that includes the extracted TCP/IP information and the retrieved event log information; and
- storing the report in a central violation database of the network.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer program product stored on a hardware storage medium readable by a computer machine, the computer program product tangibly embodying readable program code configured to be executed by the computer machine to perform a method of identifying an attacker device attempting an intrusion into a TCP/IP protocol based network that includes at least one managed device and a security event log, said method comprising:
- detecting, by the at least one managed device, an incoming TCP/IP connection by the attacker device to the network;
- after said detecting, extracting from a TCP/IP stack of the at least one managed device TCP/IP information relating to the attacker device;
- after said extracting, ascertaining that a port number of the incoming TCP/IP connection is identical to a port number in a set of predefined port numbers;
- after said ascertaining, performing a process, wherein said performing the process comprises determining that the incoming TCP/IP connection is a NetBIOS connection that has created an invalid logon by the attacker device, linking the invalid logon with the incoming NetBIOS TCP/IP connection, retrieving event log information from the security event log, and determining (i) that a userid of the invalid logon is a local userid defined on a local device of the at least one managed device, (ii) that the userid of the invalid logon is a userid in a list of userids used by viruses, or (iii) that the userid of the invalid logon is neither the local userid defined on the local device nor is in the list of userids used by viruses;
- generating a report comprising report information that includes the extracted TCP/IP information and the retrieved event log information; and
- storing the report in a central violation database of the network.
Dependent claims: 16, 17, 18, 19, 20, 21.