Integrated network intrusion detection

US 8,752,173 B2
Filed: 12/29/2009
Issued: 06/10/2014
Est. Priority Date: 02/01/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a request for access to network services from an invoked application;

loading an application-specific network policy associated with the invoked application, the application-specific network policy comprising permissive and restrictive rules to designate the received request as authorized or unauthorized, respectively;

integrating firewall and intrusion detection to check whether the received request violates the application-specific network policy and to designate the received request as authorized or unauthorized as a function of the application-specific network policy;

monitoring network packets for the invoked application based on the designation of the received request;

blocking network packets corresponding to the received request in response to the received request being designated as unauthorized;

analyzing, on an intrusion detection system component, blocked network packets to detect a network intrusion;

determining whether the invoked application is behaving abnormally;

loading application-specific monitoring parameters for the invoked application in response to a determination that the invoked application is behaving abnormally; and

checking network packets both to and from the invoked application based on the loaded application-specific monitoring parameters.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Intrusion preludes may be detected (including detection using fabricated responses to blocked network requests), and particular sources of network communications may be singled out for greater scrutiny, by performing intrusion analysis on packets blocked by a firewall. An integrated intrusion detection system uses an end-node firewall that is dynamically controlled using invoked-application information and a network policy. The system may use various alert levels to trigger heightened monitoring states, alerts sent to a security operation center, and/or logging of network activity for later forensic analysis. The system may monitor network traffic to block traffic that violates the network policy, monitor blocked traffic to detect an intrusion prelude, and monitor traffic from a potential intruder when an intrusion prelude is detected. The system also may track behavior of applications using the network policy to identify abnormal application behavior, and monitor traffic from an abnormally behaving application to identify an intrusion.

Citations

27 Claims

1. A method comprising:
- receiving a request for access to network services from an invoked application;
  
  loading an application-specific network policy associated with the invoked application, the application-specific network policy comprising permissive and restrictive rules to designate the received request as authorized or unauthorized, respectively;
  
  integrating firewall and intrusion detection to check whether the received request violates the application-specific network policy and to designate the received request as authorized or unauthorized as a function of the application-specific network policy;
  
  monitoring network packets for the invoked application based on the designation of the received request;
  
  blocking network packets corresponding to the received request in response to the received request being designated as unauthorized;
  
  analyzing, on an intrusion detection system component, blocked network packets to detect a network intrusion;
  
  determining whether the invoked application is behaving abnormally;
  
  loading application-specific monitoring parameters for the invoked application in response to a determination that the invoked application is behaving abnormally; and
  
  checking network packets both to and from the invoked application based on the loaded application-specific monitoring parameters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - adding the invoked application to a watch list to initiate analysis of network packets both to and from the invoked application.
  - 3. The method of claim 1, further comprising:
    - generating communications to encourage at least one of further network packets to the invoked application or further network packets from the invoked application.
  - 4. The method of claim 3, wherein the further network packets enable information concerning the system and network of a potential intruder to be obtained.
  - 5. The method of claim 1, wherein analyzing the blocked network packets to detect a network intrusion comprises analyzing the blocked network packets to detect an intrusion prelude.
  - 6. The method of claim 5, wherein the intrusion prelude comprises network packets corresponding to one or more of a system scan, a port scan, and operating system fingerprinting.
  - 7. The method of claim 1, wherein the application-specific monitoring parameters comprise application-specific intrusion signatures for the invoked application.
  - 8. The method of claim 1, further comprising copying the blocked network packets to the intrusion detection system component in response to blocking the network packets corresponding to the received request designated as unauthorized;
    - andwherein analyzing the blocked network packets comprises analyzing, by the intrusion detection system component, the copies of the blocked network packets to detect a network intrusion.
  - 9. The method of claim 1, further comprising loading, into a local repository, an updated application-specific network policy for the invoked application from a remote repository.
  - 10. The method of claim 1, wherein loading application-specific monitoring parameters for the invoked application comprises loading application-specific monitoring parameters from a central security server in response to a determination that the invoked application is behaving abnormally.

11. A non-transitory machine-readable medium embodying machine instructions for causing one or more machines to perform operations comprising:
- receiving a request for access to network services from an invoked application;
  
  loading an application-specific network policy associated with the invoked application, the application-specific network policy comprising permissive and restrictive rules to designate the received request as authorized or unauthorized, respectively;
  
  integrating firewall and intrusion detection to check whether the received request violates the application-specific network policy and to designate the received request as authorized or unauthorized as a function of the application-specific network policy;
  
  monitoring network packets for the invoked application based on the designation of the received request;
  
  blocking network packets corresponding to the received request in response to the received request being designated as unauthorized;
  
  analyzing the blocked network packets with an intrusion detection system component to detect a network intrusion;
  
  determining whether the invoked application is behaving abnormally;
  
  loading application-specific monitoring parameters for the invoked application in response to a determination that the invoked application is behaving abnormally; and
  
  checking network packets both to and from the invoked application based on the loaded application-specific monitoring parameters.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The non-transitory machine-readable medium of claim 11, further comprising:
    - adding the invoked application to a watch list to initiate analysis of network packets both to and from the invoked application.
  - 13. The non-transitory machine-readable medium of claim 11, wherein analyzing the blocked network packets with the intrusion detection system component to detect a network intrusion comprises analyzing the blocked network packets with the intrusion detection system component to detect an intrusion prelude.
  - 14. The non-transitory machine-readable medium of claim 13, wherein the intrusion prelude comprises network packets corresponding to one or more of a system scan, a port scan, and operating system fingerprinting.
  - 15. The non-transitory machine-readable medium of claim 11, wherein the application-specific monitoring parameters comprise application-specific intrusion signatures for the invoked application.

16. A system comprising:
- a processor;
  
  a communication interface coupled with the processor; and
  
  a tangible machine-readable medium operatively coupled with the processor and embodying machine instructions for causing the processor to perform operations comprising;
  
  receiving a request for access to network services from an invoked application;
  
  loading an application-specific network policy associated with the invoked application, the application-specific network policy comprising permissive and restrictive rules to designate the received request as authorized or unauthorized, respectively;
  
  integrating firewall and intrusion detection to check whether the received request violates the application-specific network policy and to designate the received request as authorized or unauthorized as a function of the application-specific network policy;
  
  monitoring network packets for the invoked application based on the designation of the received request;
  
  blocking network packets corresponding to the received request in response to the received request being designated as unauthorized;
  
  analyzing the blocked network packets with an intrusion detection system component to detect a network intrusion;
  
  determining whether the invoked application is behaving abnormally;
  
  loading application-specific monitoring parameters for the invoked application in response to a determination that the invoked application is behaving abnormally; and
  
  checking network packets both to and from the invoked application based on the loaded application-specific monitoring parameters.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, further comprising instructions for adding the invoked application to a watch list to initiate analysis of network packets both to and from the invoked application.
  - 18. The system of claim 16, wherein analyzing the blocked network packets with the intrusion detection system component to detect a network intrusion comprises analyzing the blocked network packets with the intrusion detection system component to detect an intrusion prelude.
  - 19. The system of claim 18, wherein the intrusion prelude comprises network packets corresponding to one or more of a system scan, a port scan, and operating system fingerprinting.
  - 20. The system of claim 16, wherein the application-specific monitoring parameters comprise application-specific intrusion signatures for the invoked application.

21. A machine-implemented method comprising:
- receiving, from an invoked application, a request for access to network services;
  
  loading an application-specific network policy associated with the invoked application, the application-specific network policy comprising permissive and restrictive rules to designate the received request as authorized or unauthorized, respectively;
  
  integrating firewall and intrusion detection to check whether the received request violates the application-specific network policy and to designate the received request as authorized or unauthorized as a function of the application-specific network policy;
  
  monitoring network packets for the invoked application based on the designation of the received request;
  
  blocking network packets corresponding to the received request in response to the received request being designated as unauthorized;
  
  analyzing the blocked network packets with an intrusion detection system component invoked with the invoked application to detect a network intrusion;
  
  determining whether the invoked application is behaving abnormally;
  
  loading application-specific monitoring parameters for the invoked application in response to a determination that the invoked application is behaving abnormally; and
  
  checking network packets both to and from the invoked application based on the loaded application-specific monitoring parameters.
- View Dependent Claims (22, 23, 24)
- - 22. The machine-implemented method of claim 21, wherein the intrusion detection system component and the invoked application run within a single execution context.
  - 23. The machine-implemented method of claim 22, wherein monitoring the network packets comprises monitoring outbound network packets.
  - 24. The machine-implemented method of claim 21, wherein the application-specific monitoring parameters comprise application-specific intrusion signatures for the invoked application.

25. A non-transitory machine-readable medium embodying machine instructions for causing one or more machines to perform operations comprising:
- receiving a request for access to network services from an invoked application;
  
  loading an application-specific network policy associated with the invoked application, the application-specific network policy comprising permissive and restrictive rules to designate the received request as authorized or unauthorized, respectively;
  
  determining whether the received request violates the application-specific network policy;
  
  designating received request as authorized or unauthorized as a function of the application-specific network policy;
  
  opening a communication channel for network packets corresponding to the received request in response to the received request being designated as authorized;
  
  dropping network packets corresponding to the received request in response to the received request being designated as unauthorized;
  
  analyzing the dropped network packets with an intrusion detection system component invoked with the invoked application to detect a network intrusion;
  
  determining whether the invoked application is behaving abnormally;
  
  loading application-specific monitoring parameters for the invoked application in response to a determination that the invoked application is behaving abnormally; and
  
  checking network packets both to and from the invoked application based on the loaded application-specific monitoring parameters.
- View Dependent Claims (26, 27)
- - 26. The non-transitory machine-readable medium of claim 25, wherein the intrusion detection system component and the invoked application run within a single execution context.
  - 27. The non-transitory machine-readable medium of claim 25, wherein the application-specific monitoring parameters comprise application-specific intrusion signatures for the invoked application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Yadav, Satyendra
Primary Examiner(s)
Vaughan, Michael R

Application Number

US12/649,018
Publication Number

US 20100122317A1
Time in Patent Office

1,624 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Integrated network intrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Integrated network intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links