Integrated network intrusion detection
First Claim
1. A method comprising:
receiving a request for access to network services from an invoked application;
loading an application-specific network policy associated with the invoked application, the application-specific network policy comprising permissive and restrictive rules to designate the received request as authorized or unauthorized, respectively;
integrating firewall and intrusion detection to check whether the received request violates the application-specific network policy and to designate the received request as authorized or unauthorized as a function of the application-specific network policy;
monitoring network packets for the invoked application based on the designation of the received request;
blocking network packets corresponding to the received request in response to the received request being designated as unauthorized;
analyzing, on an intrusion detection system component, blocked network packets to detect a network intrusion;
determining whether the invoked application is behaving abnormally;
loading application-specific monitoring parameters for the invoked application in response to a determination that the invoked application is behaving abnormally; and
checking network packets both to and from the invoked application based on the loaded application-specific monitoring parameters.
Abstract
Intrusion preludes may be detected (including detection using fabricated responses to blocked network requests), and particular sources of network communications may be singled out for greater scrutiny, by performing intrusion analysis on packets blocked by a firewall. An integrated intrusion detection system uses an end-node firewall that is dynamically controlled using invoked-application information and a network policy. The system may use various alert levels to trigger heightened monitoring states, alerts sent to a security operation center, and/or logging of network activity for later forensic analysis. The system may monitor network traffic to block traffic that violates the network policy, monitor blocked traffic to detect an intrusion prelude, and monitor traffic from a potential intruder when an intrusion prelude is detected. The system also may track behavior of applications using the network policy to identify abnormal application behavior, and monitor traffic from an abnormally behaving application to identify an intrusion.
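The pipeline recited in claim 1 and summarised in the abstract (load an application-specific policy, designate the request, block unauthorized packets, hand blocked packets to an IDS component, track abnormal application behaviour, and escalate to application-specific monitoring parameters) can be modelled end to end in a few dozen lines. The following Python is an added illustration, not code from the patent or its assignee; the policy format, the application names, the peer addresses, the violation and prelude thresholds, and the "distinct blocked ports per peer" heuristic used to stand in for intrusion-prelude detection are all assumptions of this example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    app: str        # invoked application asking for network access
    proto: str      # "tcp" or "udp"
    dst_port: int

@dataclass
class Policy:
    permit: set     # (proto, port) pairs the application may use (permissive rules)
    restrict: set   # (proto, port) pairs explicitly denied (restrictive rules), checked first

@dataclass(frozen=True)
class MonitorParams:
    inspect_inbound: bool
    inspect_outbound: bool
    log_payloads: bool

NORMAL = MonitorParams(False, False, False)
HEIGHTENED = MonitorParams(True, True, True)

# Constructed application-specific policies; application names and ports are hypothetical.
APP_POLICIES = {
    "browser": Policy(permit={("tcp", 80), ("tcp", 443)}, restrict={("tcp", 23)}),
    "mailer": Policy(permit={("tcp", 25), ("tcp", 993)}, restrict=set()),
}

class IntegratedIDS:
    """End-node firewall whose blocked traffic feeds an IDS component (constructed model)."""

    def __init__(self, policies, abnormal_threshold=3, prelude_threshold=5):
        self.policies = policies
        self.abnormal_threshold = abnormal_threshold  # violations before an app is 'abnormal'
        self.prelude_threshold = prelude_threshold    # distinct blocked ports from one peer
        self.violations = Counter()                   # app -> unauthorized request count
        self.blocked_ports = defaultdict(set)         # peer -> ports seen in blocked packets
        self.monitoring = {}                          # app -> MonitorParams once abnormal
        self.watch_list = set()                       # peers singled out for greater scrutiny
        self.alert_level = 0
        self.log = []                                 # events kept for later forensic analysis

    def load_policy(self, app):
        # Unknown applications get an empty policy, so every request is unauthorized.
        return self.policies.get(app, Policy(permit=set(), restrict=set()))

    def designate(self, req):
        policy = self.load_policy(req.app)
        key = (req.proto, req.dst_port)
        if key in policy.restrict:
            return "unauthorized"
        return "authorized" if key in policy.permit else "unauthorized"

    def analyze_blocked(self, pkt):
        # IDS component: blocked packets are evidence of a possible intrusion prelude.
        self.blocked_ports[pkt["peer"]].add(pkt["dst_port"])
        if (len(self.blocked_ports[pkt["peer"]]) >= self.prelude_threshold
                and pkt["peer"] not in self.watch_list):
            self.watch_list.add(pkt["peer"])
            self.alert_level = max(self.alert_level, 2)
            self.log.append(("prelude", pkt["peer"]))

    def handle(self, req, packets):
        decision = self.designate(req)
        if decision == "unauthorized":
            self.violations[req.app] += 1
            self.log.append(("blocked", req.app, req.dst_port))
            for pkt in packets:
                self.analyze_blocked(pkt)
        # Repeated policy violations mark the application as behaving abnormally.
        if (self.violations[req.app] >= self.abnormal_threshold
                and req.app not in self.monitoring):
            self.monitoring[req.app] = HEIGHTENED
            self.alert_level = max(self.alert_level, 1)
            self.log.append(("abnormal", req.app))
        params = self.monitoring.get(req.app, NORMAL)
        forwarded = packets if decision == "authorized" else []
        inspected = [p for p in forwarded
                     if (params.inspect_inbound if p["direction"] == "in"
                         else params.inspect_outbound)]
        return {"decision": decision, "forwarded": len(forwarded), "inspected": len(inspected)}

def packet(peer, dst_port, direction="out"):
    return {"peer": peer, "dst_port": dst_port, "direction": direction}

def run_demo():
    """Constructed traffic: a normal browser flow, a peer probing closed ports, and an
    application that keeps violating its policy until heightened monitoring kicks in."""
    ids = IntegratedIDS(APP_POLICIES)
    results = [ids.handle(Request("browser", "tcp", 443), [packet("198.51.100.7", 443)])]
    for port in (21, 22, 23, 25, 3389):   # probes reaching an app with no permitted ports
        results.append(ids.handle(Request("updater", "tcp", port),
                                  [packet("203.0.113.9", port, "in")]))
    for _ in range(3):                    # browser repeatedly tries the restricted telnet port
        results.append(ids.handle(Request("browser", "tcp", 23), [packet("198.51.100.7", 23)]))
    # Once marked abnormal, even authorized browser traffic is inspected in both directions.
    results.append(ids.handle(Request("browser", "tcp", 80),
                              [packet("198.51.100.7", 80), packet("198.51.100.7", 80, "in")]))
    return ids, results
```

Two design points follow the claim language rather than common firewall practice: restrictive rules are evaluated before permissive ones, so a single deny beats any allow, and the IDS never sees authorized traffic until the application is marked abnormal, at which point the loaded monitoring parameters turn on inspection of packets both to and from that application. Unknown applications get an empty policy and therefore fail closed.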
27 Claims
1. A method comprising the steps set out under "First Claim" above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A non-transitory machine-readable medium embodying machine instructions for causing one or more machines to perform operations comprising:
receiving a request for access to network services from an invoked application;
loading an application-specific network policy associated with the invoked application, the application-specific network policy comprising permissive and restrictive rules to designate the received request as authorized or unauthorized, respectively;
integrating firewall and intrusion detection to check whether the received request violates the application-specific network policy and to designate the received request as authorized or unauthorized as a function of the application-specific network policy;
monitoring network packets for the invoked application based on the designation of the received request;
blocking network packets corresponding to the received request in response to the received request being designated as unauthorized;
analyzing the blocked network packets with an intrusion detection system component to detect a network intrusion;
determining whether the invoked application is behaving abnormally;
loading application-specific monitoring parameters for the invoked application in response to a determination that the invoked application is behaving abnormally; and
checking network packets both to and from the invoked application based on the loaded application-specific monitoring parameters.
Dependent claims: 12, 13, 14, 15.
16. A system comprising:
a processor;
a communication interface coupled with the processor; and
a tangible machine-readable medium operatively coupled with the processor and embodying machine instructions for causing the processor to perform operations comprising:
receiving a request for access to network services from an invoked application;
loading an application-specific network policy associated with the invoked application, the application-specific network policy comprising permissive and restrictive rules to designate the received request as authorized or unauthorized, respectively;
integrating firewall and intrusion detection to check whether the received request violates the application-specific network policy and to designate the received request as authorized or unauthorized as a function of the application-specific network policy;
monitoring network packets for the invoked application based on the designation of the received request;
blocking network packets corresponding to the received request in response to the received request being designated as unauthorized;
analyzing the blocked network packets with an intrusion detection system component to detect a network intrusion;
determining whether the invoked application is behaving abnormally;
loading application-specific monitoring parameters for the invoked application in response to a determination that the invoked application is behaving abnormally; and
checking network packets both to and from the invoked application based on the loaded application-specific monitoring parameters.
Dependent claims: 17, 18, 19, 20.
21. A machine-implemented method comprising:
receiving, from an invoked application, a request for access to network services;
loading an application-specific network policy associated with the invoked application, the application-specific network policy comprising permissive and restrictive rules to designate the received request as authorized or unauthorized, respectively;
integrating firewall and intrusion detection to check whether the received request violates the application-specific network policy and to designate the received request as authorized or unauthorized as a function of the application-specific network policy;
monitoring network packets for the invoked application based on the designation of the received request;
blocking network packets corresponding to the received request in response to the received request being designated as unauthorized;
analyzing the blocked network packets with an intrusion detection system component invoked with the invoked application to detect a network intrusion;
determining whether the invoked application is behaving abnormally;
loading application-specific monitoring parameters for the invoked application in response to a determination that the invoked application is behaving abnormally; and
checking network packets both to and from the invoked application based on the loaded application-specific monitoring parameters.
Dependent claims: 22, 23, 24.
25. A non-transitory machine-readable medium embodying machine instructions for causing one or more machines to perform operations comprising:
receiving a request for access to network services from an invoked application;
loading an application-specific network policy associated with the invoked application, the application-specific network policy comprising permissive and restrictive rules to designate the received request as authorized or unauthorized, respectively;
determining whether the received request violates the application-specific network policy;
designating the received request as authorized or unauthorized as a function of the application-specific network policy;
opening a communication channel for network packets corresponding to the received request in response to the received request being designated as authorized;
dropping network packets corresponding to the received request in response to the received request being designated as unauthorized;
analyzing the dropped network packets with an intrusion detection system component invoked with the invoked application to detect a network intrusion;
determining whether the invoked application is behaving abnormally;
loading application-specific monitoring parameters for the invoked application in response to a determination that the invoked application is behaving abnormally; and
checking network packets both to and from the invoked application based on the loaded application-specific monitoring parameters.
Dependent claims: 26, 27.