Network intrusion detection with distributed correlation
First Claim
1. A method for detecting an intrusion attempt in a network comprising a plurality of host machines, the method comprising:
receiving, at a first host machine, one or more security reports relating to one or more host machines of the plurality of host machines in the network, the one or more security reports summarizing security data based on network traffic at a respective host machine indicative of a possible intrusion attempt and/or context data local to the respective host machine;
correlating, at the first host machine, the one or more security reports with security data based on network traffic at the first host machine;
associating, at the first host machine, a level of security concern based at least on the correlation exceeding a threshold; and
based at least on the level of security concern indicating a network intrusion attempt, notifying at least one other host machine of the plurality of host machines of the level of security concern.
2 Assignments
Abstract
A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possible security threats based on raw data sensed locally at that host. The hosts may share the results of their local analysis, and each host may combine information generated at one or more other hosts with information generated locally to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken.
31 Citations
20 Claims
1. (Independent claim 1 is reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system for detecting a security threat to a network comprising a plurality of host machines, the system comprising:
a first processor and a memory, the first processor executing instructions that:
receives one or more security reports relating to one or more host machines of the plurality of host machines, the one or more security reports based on security data associated with network traffic at a respective host machine indicative of a possible intrusion attempt at the respective host machine;
correlates the one or more security reports with security data from the first processor;
associates a level of security concern based on the correlation exceeding a threshold; and
based at least on the level of security concern indicating a network intrusion attempt, generates a second security report indicating a suspected network intrusion attempt.
Dependent claims: 9, 10, 11, 12, 13, 14, 15.
16. A device, comprising:
at least one processor and a memory, the at least one processor configured to:
receive at least one security report relating to one or more host machines in a network, the at least one security report based on security data associated with network traffic at a respective host machine indicative of a possible intrusion attempt at the respective host machine;
correlate the at least one security report with security data associated with the device;
associate a level of security concern based on the correlation exceeding a threshold; and
based at least on the level of security concern indicating a network intrusion attempt, generate a second security report indicating a suspected network intrusion attempt.
Dependent claims: 17, 18, 19, 20.
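The abstract and the three independent claims describe the same three-level flow: each host summarises its own traffic into a security report, receives its peers' reports and correlates them with local data, attaches a level of security concern once the correlation exceeds a threshold, and notifies the other hosts, with a network-wide threat declared when several hosts raise concerns. The Python below is an added example written for this page, not code from the patent or its assignee, that simulates that flow on constructed traffic. The host names, IP addresses, the "probe of a closed port" indicator, the scoring rule and both thresholds are assumptions chosen to make the point: a slow sweep that touches only one or two closed ports per host is invisible to any single host but is caught once the reports are correlated, while a normal client with one mistyped port is not.

```python
"""Distributed correlation of host-level intrusion reports (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample traffic per host: (source_ip, dest_port, outcome).
# 10.0.0.99 probes one or two closed ports on every host, which no host
# would flag on its own; 10.0.0.7 is a normal client with one mistyped port.
TRAFFIC = {
    "host-a": [("10.0.0.99", 22, "refused"), ("10.0.0.99", 23, "refused"),
               ("10.0.0.7", 443, "accepted"), ("10.0.0.7", 443, "accepted")],
    "host-b": [("10.0.0.99", 445, "refused"), ("10.0.0.99", 3389, "refused"),
               ("10.0.0.7", 443, "accepted"), ("10.0.0.7", 8443, "refused")],
    "host-c": [("10.0.0.99", 8080, "refused"),
               ("10.0.0.7", 80, "accepted"), ("10.0.0.7", 443, "accepted")],
}

LOCAL_THRESHOLD = 5        # closed ports one host needs to see to alert alone (assumed)
CORRELATION_THRESHOLD = 3  # correlated (host, port) observations to raise a concern (assumed)


@dataclass
class SecurityReport:
    """Level 1: a host's summary of suspicious local traffic."""
    host: str
    refused_ports: dict  # source ip -> frozenset of closed ports it probed here


@dataclass
class Concern:
    """Level 2: one host's correlated judgement about a source."""
    level: str            # "none", "elevated" or "high"
    score: int            # distinct (host, port) probe observations
    witnesses: frozenset  # hosts whose data contributed


def local_report(host, events):
    """Summarise raw local traffic; only sources that hit closed ports are reported."""
    refused = defaultdict(set)
    for src, port, outcome in events:
        if outcome == "refused":
            refused[src].add(port)
    return SecurityReport(host, {s: frozenset(p) for s, p in refused.items()})


def alerts_alone(report):
    """Sources a host would flag from its own data alone (empty for a slow sweep)."""
    return {s for s, p in report.refused_ports.items() if len(p) >= LOCAL_THRESHOLD}


def correlate(own, peers, threshold=CORRELATION_THRESHOLD):
    """Correlate peer reports with local data and attach a level of concern."""
    observations = defaultdict(set)  # src -> {(reporting host, port)}
    for report in [own, *peers]:
        for src, ports in report.refused_ports.items():
            observations[src].update((report.host, p) for p in ports)
    concerns = {}
    for src, obs in observations.items():
        score = len(obs)
        if score > 2 * threshold:
            level = "high"
        elif score > threshold:
            level = "elevated"
        else:
            level = "none"
        concerns[src] = Concern(level, score, frozenset(h for h, _ in obs))
    return concerns


def run_network(traffic):
    """Run all three levels; return (per-host concerns, notifications, threats)."""
    reports = {h: local_report(h, ev) for h, ev in traffic.items()}
    concerns, notifications = {}, []
    for host, own in reports.items():
        peers = [r for h, r in reports.items() if h != host]
        concerns[host] = correlate(own, peers)
        # A host whose concern indicates an intrusion attempt notifies its peers.
        for src, c in concerns[host].items():
            if c.level != "none":
                notifications.append((host, src, c.level))
    # Level 3: declare a threat when more than one host raises a concern
    # about the same source.
    raised = defaultdict(set)
    for host, src, _ in notifications:
        raised[src].add(host)
    threats = {src for src, hosts in raised.items() if len(hosts) >= 2}
    return concerns, notifications, threats


if __name__ == "__main__":
    concerns, notifications, threats = run_network(TRAFFIC)
    for host, src, level in notifications:
        print(f"{host} -> peers: {src} concern={level}")
    print("network threats:", sorted(threats))
```

In this run every host ends up with the same concern table because every report reaches every host; in a real deployment a host correlates only the reports it has received, so the per-host results diverge and the level 3 step is what reconciles them. The score counts distinct (host, port) observations rather than raw packets so that one noisy host cannot push a source over the threshold by itself.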
Specification