Intrusion detection method and system
First Claim
1. An intrusion detection method for detecting unauthorized use or abnormal activities of a targeted system of a network, comprising the steps of:
creating defined preconditions for each vulnerability related to the targeted system and/or for each attack that exploits one or several vulnerabilities;
creating assurance references that correspond to said defined preconditions and a targeted perimeter;
capturing data related to the targeted system;
comparing said captured data with attack signatures to generate at least one security alert when said captured data and at least one attack signature match;
capturing assurance metrics data from monitoring of the targeted perimeter;
comparing said assurance metrics data with assurance references to generate assurance information when said assurance metrics data and at least one assurance reference match;
retrieving the preconditions of said generated at least one security alert;
checking whether assurance information that corresponds to said preconditions has been retrieved;
generating a verified security alarm when said generated at least one security alert and its associated retrieved preconditions match at least one corresponding assurance information;
filtering said generated at least one security alert when no match has been found between said associated retrieved preconditions and said at least one corresponding assurance information; and
emitting a non-verified security alert when no preconditions have been retrieved for said generated at least one security alert and/or no assurance reference corresponding to said preconditions has been defined.
Abstract
A technique is provided for detecting unauthorized use or abnormal activities of a targeted system of a network. The technique includes: a comparison of captured data relating to the targeted system with attack signatures, generating a security alert when the captured data and an attack signature match; a comparison of assurance metrics data from a monitored targeted perimeter with assurance references, generating assurance information when the assurance metrics data and an assurance reference match; generation of a verified security alarm when the security alert and its associated preconditions match corresponding assurance information; filtering of the security alert when no match has been found between the associated retrieved preconditions and the corresponding assurance information; and emission of a non-verified security alert when no preconditions have been retrieved for the security alert and/or no assurance reference corresponding to the preconditions has been defined.
5 Claims
1. Claim 1 is reproduced above as the first claim; claims 2, 3 and 4 depend on it.
5. A non-transitory computer-readable medium storing computer-executable instructions for performing steps, comprising:
creating assurance references that correspond to defined preconditions and a targeted perimeter;
comparing captured data that relates to a targeted system with attack signatures to generate at least one security alert when said captured data and at least one attack signature match;
capturing assurance metrics data from monitoring of the targeted perimeter;
comparing assurance metrics data from a monitored targeted perimeter with assurance references to generate assurance information when said assurance metrics data and at least one assurance reference match;
generating a verified security alarm when said generated at least one security alert and associated retrieved preconditions match at least one corresponding assurance information;
filtering said generated at least one security alert when no match has been found between said associated retrieved preconditions and said at least one corresponding assurance information; and
emitting a non-verified security alert when no preconditions have been retrieved for said generated at least one security alert and/or no assurance reference corresponding to said preconditions has been defined.
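The decision logic that claims 1 and 5 describe (signature match produces a security alert; assurance metrics matched against assurance references produce assurance information; the alert's preconditions are then checked against that information to yield a verified alarm, a filtered alert, or a non-verified alert) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the patent or its assignee. Every attack name, signature pattern, precondition identifier, assurance reference, metric and captured line is constructed for illustration; the patent does not prescribe these representations.

```python
"""Added example, not the patent's code: a minimal model of the claimed
correlation between signature-based alerts and assurance information.
All attack names, signatures, preconditions, references, metrics and
captured lines below are constructed for illustration."""
import re
from dataclasses import dataclass

# Defined preconditions per attack: what must hold on the targeted system
# for the attack to succeed (constructed identifiers).
PRECONDITIONS = {
    "ATTACK-A": {"service:httpd", "version:httpd-old"},
    "ATTACK-B": {"service:ftpd"},       # no assurance reference exists for this one
    "ATTACK-D": {"service:smtpd"},
    # "ATTACK-C" intentionally has no preconditions defined
}

# Assurance references: one per precondition, each a predicate over the
# assurance metrics captured from monitoring the targeted perimeter.
ASSURANCE_REFERENCES = {
    "service:httpd": lambda m: m.get("listening_port") == 80,
    "version:httpd-old": lambda m: m.get("httpd_version", (99, 0)) < (2, 4),
    "service:smtpd": lambda m: m.get("smtpd_running") is True,
}

# Attack signatures matched against captured data (constructed placeholder patterns).
ATTACK_SIGNATURES = {
    "ATTACK-A": re.compile(r"EXPLOIT-A-PATTERN"),
    "ATTACK-B": re.compile(r"EXPLOIT-B-PATTERN"),
    "ATTACK-C": re.compile(r"EXPLOIT-C-PATTERN"),
    "ATTACK-D": re.compile(r"EXPLOIT-D-PATTERN"),
}


@dataclass(frozen=True)
class Outcome:
    alert: str
    status: str   # "verified", "filtered" or "non-verified"
    reason: str


def generate_security_alerts(captured_data):
    """Compare captured data with attack signatures; one alert per match."""
    return [name for line in captured_data
            for name, sig in ATTACK_SIGNATURES.items() if sig.search(line)]


def generate_assurance_information(metrics):
    """Compare assurance metrics with assurance references; return the set of
    references that matched, i.e. the preconditions observed to hold."""
    return {ref for ref, holds in ASSURANCE_REFERENCES.items() if holds(metrics)}


def verify_alert(alert, assurance_information):
    """Apply the claimed decision: verified alarm, filtered, or non-verified."""
    preconditions = PRECONDITIONS.get(alert, set())
    if not preconditions:
        return Outcome(alert, "non-verified", "no preconditions retrieved")
    referenced = {p for p in preconditions if p in ASSURANCE_REFERENCES}
    if not referenced:
        return Outcome(alert, "non-verified", "no assurance reference defined for preconditions")
    if referenced & assurance_information:
        return Outcome(alert, "verified", "precondition confirmed by assurance information")
    return Outcome(alert, "filtered", "monitored perimeter contradicts preconditions")


def run_pipeline(captured_data, metrics):
    """Full flow: alerts from captured data, assurance information from metrics, then triage."""
    info = generate_assurance_information(metrics)
    return [verify_alert(a, info) for a in generate_security_alerts(captured_data)]


# Constructed sample input: captured traffic lines and perimeter metrics.
SAMPLE_CAPTURE = [
    "10.0.0.5 GET /app EXPLOIT-A-PATTERN",
    "10.0.0.7 EXPLOIT-B-PATTERN",
    "10.0.0.9 EXPLOIT-C-PATTERN",
    "10.0.0.9 EXPLOIT-D-PATTERN",
    "10.0.0.2 GET /index.html",          # benign, matches no signature
]
SAMPLE_METRICS = {"listening_port": 80, "httpd_version": (2, 2), "smtpd_running": False}

if __name__ == "__main__":
    for outcome in run_pipeline(SAMPLE_CAPTURE, SAMPLE_METRICS):
        print(f"{outcome.alert}: {outcome.status} ({outcome.reason})")
```

On the sample input, ATTACK-A is verified (both of its preconditions are confirmed by the perimeter metrics), ATTACK-D is filtered (a reference exists for its precondition but the metrics show the SMTP service is not running), and ATTACK-B and ATTACK-C are emitted as non-verified for the two reasons the claim names: no assurance reference defined, and no preconditions defined. The model treats an alert as verified when at least one of its preconditions is confirmed, which follows the claim's "at least one corresponding assurance information" wording; an operator who wants fewer false alarms could instead require every referenced precondition to hold before raising the verified alarm.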