Intrusion threat detection

US 8,661,539 B2
Filed: 02/26/2001
Issued: 02/25/2014
Est. Priority Date: 07/10/2000
Status: Active Grant

First Claim

Patent Images

1. A method of monitoring for security information about an access system, comprising the steps of:

detecting an access system event in said access system wherein;

the access system event is associated with a user having an identity profile maintained at said access system, said identity profile includes a plurality of attributes having attribute values; and

the access system event is associated with one or more event types;

storing the access system event as an audit log entry in an audit log in a plurality of audit logs, wherein the audit log is associated with at least one of the one or more event types associated with the access system event;

monitoring the audit log with an audit log sensor for events associated with at least one of the one or more event types associated with the access system event;

accessing instructions for an event type associated with said access system event, wherein said instructions specify that a value of one or more attributes of said plurality of attributes in said identity profile is to be added to said audit log entry;

accessing said identity profile for said user in response to said instructions;

adding said value of one or more attributes of said plurality of attributes in said identity profile of said user to said audit log entry in accordance with said instructions; and

storing said audit log entry including said one or more attribute values in an application server; and

sending a set of log entries including the audit log entry to a security server.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is disclosed that can be used to monitor for an attempted intrusion of an access system. The system detects an access system event in the access system and determines whether the access system event is of a type that is being monitored. If the access system event is of a type that is being monitored, the system reports information about the access system event. This information can be used by a rules engine or other process to determine if the access system event was part of an attempted intrusion of the access system.

142 Citations

View as Search Results

43 Claims

1. A method of monitoring for security information about an access system, comprising the steps of:
- detecting an access system event in said access system wherein;
  
  the access system event is associated with a user having an identity profile maintained at said access system, said identity profile includes a plurality of attributes having attribute values; and
  
  the access system event is associated with one or more event types;
  
  storing the access system event as an audit log entry in an audit log in a plurality of audit logs, wherein the audit log is associated with at least one of the one or more event types associated with the access system event;
  
  monitoring the audit log with an audit log sensor for events associated with at least one of the one or more event types associated with the access system event;
  
  accessing instructions for an event type associated with said access system event, wherein said instructions specify that a value of one or more attributes of said plurality of attributes in said identity profile is to be added to said audit log entry;
  
  accessing said identity profile for said user in response to said instructions;
  
  adding said value of one or more attributes of said plurality of attributes in said identity profile of said user to said audit log entry in accordance with said instructions; and
  
  storing said audit log entry including said one or more attribute values in an application server; and
  
  sending a set of log entries including the audit log entry to a security server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. A method according to claim 1, wherein:
    - said step of detecting includes determining whether said user is attempting to access a resource on a network without appropriate permissions.
  - 3. A method according to claim 1, wherein:
    - said access system event is an authentication failure event.
  - 4. A method according to claim 1, wherein:
    - said access system event is an authentication success event.
  - 5. A method according to claim 1, wherein:
    - said access system event is an authorization failure event.
  - 6. A method according to claim 1, wherein:
    - said access system event is an authorization success event.
  - 7. A method according to claim 1, wherein:
    - said access system includes an access management system and an identity management system.
  - 8. A method according to claim 1, wherein:
    - said step of storing includes storing an identification of a resource, said access system event pertains to said resource.
  - 9. A method according to claim 1, wherein:
    - said step of storing includes storing an identification of an access rule, said access system event utilizes said access rule.
  - 10. A method according to claim 1, wherein:
    - said step of storing includes storing an identification of a time of said access system event.
  - 11. A method according to claim 1, wherein:
    - said step of detecting an access event consists of denying authorization for said user to access a resource.
  - 12. A method according to claim 1, further comprising the step of:
    - accessing said identity profile in an LDAP directory.
  - 13. A method according to claim 1, further comprising the step of:
    - receiving configuration information, said configuration information includes an identification of a type of access system event to monitor.
  - 14. A method according to claim 1, further comprising the step of:
    - receiving configuration information, said configuration information includes an identification of said one or more attributes of said plurality of attributes in said identity profile whose values are to be stored in said audit log entry.
  - 15. A method according to claim 1, further comprising the steps of:
    - receiving a request to access a resource from said user; and
      
      attempting to authenticate said user, said step of detecting includes denying authentication for said user.
  - 16. A method according to claim 15, wherein:
    - said step of attempting to authenticate said user includes accessing said identity profile for said user.
  - 17. A method according to claim 15, wherein:
    - said step of attempting to authenticate said first user includes accessing said identity profile for said user in an LDAP directory.
  - 18. A method according to claim 1, wherein said step of storing includes the steps of:
    - sending said audit log entry to a database server;
      
      grouping said audit log entry with information about other events;
      
      sending said audit log entry and said information about other events to a security server; and
      
      applying a rules engine at said security server to determine whether one or more attempted intrusions have occurred, based on said audit log entry and said information about other events.
  - 19. A method according to claim 1, further comprising:
    - transmitting said audit log entry toward a rules engine for evaluating whether said access system event is related to a potential threat of intrusion.
  - 20. A method according to claim 1, wherein:
    - said step of storing includes determining whether said access system event is related to a potential threat of intrusion and providing an alert if said access system event is related to said potential threat of intrusion.

21. A method of security monitoring, comprising the steps of:
- detecting an access system event in an access system, said access system includes an access management system and an identity management system, said identity management system includes identity profiles for a plurality of users, said identity profiles include attributes and at least a subset of said attributes include attribute values, wherein at least one of said attribute values in an identity profile for a first user is used to determine whether said first user is permitted to access a resource associated with said access system, wherein the access system event is associated with one or more event types;
  
  storing the access system event as an audit log entry in an audit log in a plurality of audit logs, wherein the audit log is associated with at least one of the one or more event types associated with the access system event;
  
  monitoring the audit log with an audit log sensor for events associated with at least one of the one or more event types associated with the access system event;
  
  storing said audit log entry including said one or more attribute values in an application server; and
  
  sending a set of log entries including the audit log entry to a security server.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. A method according to claim 21, wherein:
    - said step of reporting includes providing information from said identity profile of said first user in response to said access system event, said access system event involves said first user.
  - 23. A method according to claim 22, further comprising the step of:
    - accessing said identity profile in an LDAP directory.
  - 24. A method according to claim 22, further comprising the step of:
    - receiving configuration information, said configuration information includes an identification of identity profile attributes to provide in said step of reporting.
  - 25. A method according to claim 21, wherein:
    - said step of reporting includes the steps of;
      
      sending information about said access system event to a database server,grouping said information about said access system event with information about other events,sending said information about said access system event and said information about other events to a security server; and
      
      said method further comprises applying a rules engine at said security server to determine whether one or more attempted intrusions have occurred based on said information about said access system event and said information about other events.
  - 26. A method according to claim 21, wherein said step of reporting includes the steps of:
    - accessing instructions for said event type associated with said access system event; and
      
      performing said instructions.

27. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to perform a method comprising the steps of:
- receiving a request from a user for a resource;
  
  determining that said resource is protected by one or more access rules of an access system;
  
  determining whether said user is permitted to access said resource using said one or more access rules and an identity profile for said user maintained at said access system;
  
  logging an indication of whether said user is permitted to access said resource based on said one or more access rules and said identity profile;
  
  monitoring said logging to detect that an access system event has occurred, wherein the access system event is associated with one or more event types;
  
  storing the access system event as an audit log entry in an audit log in a plurality of audit logs, wherein the audit log is associated with at least one of the one or more event types associated with the access system event;
  
  monitoring the audit log with an audit log sensor for events associated with at least one of the one or more event types associated with the access system event;
  
  storing said audit log entry including said one or more attribute values in an application server; and
  
  sending a set of log entries including the audit log entry to a security server.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35)
- - 28. One or more processor readable storage devices according to claim 27, wherein:
    - said step of reporting includes reporting information from said identity profile for said user.
  - 29. One or more processor readable storage devices according to claim 28, wherein said step of reporting further includes the step of:
    - accessing said identity profile in an LDAP directory.
  - 30. One or more processor readable storage devices according to claim 28, wherein said method further includes the step of:
    - receiving configuration information, said configuration information includes an identification of identity profile attributes to report.
  - 31. One or more processor readable storage devices according to claim 27, wherein said step of reporting includes the steps of:
    - sending said information about said access system event to a database server;
      
      grouping said information about said access system event with information about other events;
      
      sending said information about said access system event and said information about other events to a security server; and
      
      applying a rules engine at said security server to determine whether one or more attempted intrusions have occurred based on said information about said access system event and said information about other events.
  - 32. One or more processor readable storage devices according to claim 27, wherein said step of reporting includes the steps of:
    - accessing instructions for said event type associated with said access system event; and
      
      performing said instructions.
  - 33. One or more processor readable storage devices according to claim 27, wherein:
    - said one or more access rules includes at least one authentication rule.
  - 34. One or more processor readable storage devices according to claim 27, wherein:
    - said one or more access rules includes at least one authorization rule.
  - 35. One or more processor readable storage devices according to claim 27, wherein:
    - said one or more access rules includes at least one authentication rule and at least one authorization rule.

36. An access system, comprising:
- a communication interface;
  
  one or more storage devices; and
  
  one or more processors in communication with said one or more storage devices and said communication interface, said one or more processors programmed to perform a method comprising the steps of;
  
  receiving a request from a user for a resource,determining a policy domain of said resource, said policy domain includes a set of one or more policies,determining whether said resource is associated with a policy in said set of one or more policies,if said resource is associated with a policy in said set of one or more policies, determining whether said user is permitted to access said resource using an access rule associated with said policy with which said resource is associated,if said resource is not associated with a policy in said set of one or more policies,determining whether said user is permitted to access said resource using an access rule that is associated with said policy domain but not a policy in said set of one or more policies,logging an indication of whether said user is permitted to access said resource based on said access rule associated with said policy of which said resource is associated or said access rule that is associated with said policy domain but not a policy of said set of one or more policies,monitoring said logging to detect that an access system event has occurred, wherein the access system event is associated with one or more event types;
  
  storing the access system event as an audit log entry in an audit log in a plurality of audit logs, wherein the audit log is associated with at least one of the one or more event types associated with the access system event;
  
  monitoring the audit log with an audit log sensor for events associated with at least one of the one or more event types associated with the access system event;
  
  storing said audit log entry including said one or more attribute values in an application server; and
  
  sending a set of log entries including the audit log entry to a security server.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43)
- - 37. An access system according to claim 36, wherein said step of reporting includes the step of:
    - reporting information from an identity profile, said identity profile pertains to said user, said access system event involves said user.
  - 38. An access system according to claim 37, wherein said method further includes the step of:
    - accessing said identity profile in an LDAP directory.
  - 39. An access system according to claim 37, wherein said method further includes the step of:
    - receiving configuration information, said configuration information includes an identification of identity profile attributes to report.
  - 40. An access system according to claim 36, wherein said step of reporting includes the steps of:
    - sending said information about said access system event to a database server;
      
      grouping said information about said access system event with information about other events;
      
      sending said information about said access system event and said information about other events to a security server; and
      
      applying a rules engine at said security server to determine whether one or more attempted intrusions have occurred based on said information about said access system event and said information about other events.
  - 41. An access system according to claim 36, wherein said step of reporting includes the steps of:
    - accessing instructions for said event type associated with said access system event; and
      
      performing said instructions.
  - 42. One or more processor readable storage devices according to claim 36, wherein:
    - said access rule associated with said policy with which said resource is associated includes an authentication rule; and
      
      said access rule that is associated with said policy domain but not a policy in said set includes an authentication rule.
  - 43. One or more processor readable storage devices according to claim 36, wherein:
    - said access rule associated with said policy with which said resource is associated includes an authorization rule; and
      
      said access rule that is associated with said policy domain but not a policy in said set includes an authorization rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Hodges, Jeffrey D.
Primary Examiner(s)
MOORTHY, ARAVIND K

Application Number

US09/793,320
Publication Number

US 20020112185A1
Time in Patent Office

4,747 Days
Field of Search

713/194, 713200-202, 713/165, 713/168, 713/170, 713/188, 726/23, 726/25, 709/224
US Class Current

726/23
CPC Class Codes

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/1408   by monitoring network traff...

H04L 67/02   based on web technology, e....

H04L 67/306   User profiles

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Intrusion threat detection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

142 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion threat detection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

142 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links