Multi-level and multi-platform intrusion detection and response system

US 20030188189A1
Filed: 03/27/2002
Published: 10/02/2003
Est. Priority Date: 03/27/2002
Status: Abandoned Application

First Claim

Patent Images

1. An intrusion detection and response system comprising a log-based event classification system, the log-based event classification system comprising:

a log event data collection means for receiving a plurality of data sets from a respective and corresponding plurality of security devices;

an event analysis means for receiving the plurality of data sets and analyzing the data sets with reference to one of a plurality of pre-defined traffic classes, and producing a corresponding plurality of analyzed data sets; and

an event correlation means for receiving the analyzed data sets and correlating events across the plurality of security devices for identifying normal and abnormal data traffic patterns.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion detection and response system having an event data collector receiving a plurality of data sets from a respective and corresponding plurality of security devices. An event analysis engine receives the plurality of data sets and analyzes the data sets with reference to one of a plurality of pre-defined traffic classes. The event analysis engine produces a corresponding plurality of analyzed data sets. An event correlation engine receives the analyzed data sets and correlates the events across the plurality of security devices for identifying normal and abnormal data traffic patterns.

339 Citations

31 Claims

1. An intrusion detection and response system comprising a log-based event classification system, the log-based event classification system comprising:
- a log event data collection means for receiving a plurality of data sets from a respective and corresponding plurality of security devices;
  
  an event analysis means for receiving the plurality of data sets and analyzing the data sets with reference to one of a plurality of pre-defined traffic classes, and producing a corresponding plurality of analyzed data sets; and
  
  an event correlation means for receiving the analyzed data sets and correlating events across the plurality of security devices for identifying normal and abnormal data traffic patterns.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 15)
- - 2. The system of claim 1, wherein the plurality of pre-defined traffic classes are segmented based on enterprise size.
  - 3. The system of claim 1, wherein the plurality of pre-defined traffic classes are segmented based on historical data traffic patterns.
  - 4. The system of claim 1, wherein the plurality of pre-defined traffic classes are segmented based on enterprise size and historical data traffic patterns.
  - 5. The system of claim 1, wherein the event analysis means further analyzes the plurality of data sets with reference to one of a plurality of feature sets.
  - 6. The system of claim 5, wherein the plurality of feature sets are segmented based on pre-defined and discrete numbers of attack signatures.
  - 7. The system of claim 1, wherein the event analysis means comprises means for comparing the plurality of data sets against a discrete threshold corresponding to a normal data traffic pattern for the pre-defined traffic class.
  - 8. The system of claim 1, wherein the log event data is generated by a respective log event generator native to each of the plurality of security devices.
  - 15. The system of claim 1, wherein the event analysis means comprises means for comparing the plurality of data sets against a discrete threshold corresponding to a normal data traffic pattern for the pre-defined traffic class.

9. An intrusion detection and response system comprising a knowledge-based event classification system, the knowledge-based event classification system comprising:
- an event data collection means for receiving a plurality of data sets from a respective and corresponding plurality of security devices;
  
  an event analysis means for receiving the plurality of data sets and analyzing the data sets with reference to one of a plurality of pre-defined traffic classes, and producing a corresponding plurality of analyzed data sets; and
  
  an event correlation means for receiving the analyzed data sets and correlating events across the plurality of security devices for identifying normal and abnormal behavior patterns.
- View Dependent Claims (10, 11, 12, 13, 14, 16, 17)
- - 10. The system of claim 9, wherein the plurality of pre-defined traffic classes are segmented based on enterprise size.
  - 11. The system of claim 9, wherein the plurality of pre-defined traffic classes are segmented based on historical data traffic patterns.
  - 12. The system of claim 9, wherein the plurality of pre-defined traffic classes are segmented based on enterprise size and historical data traffic patterns.
  - 13. The system of claim 9, wherein the event analysis means further analyzes the plurality of data sets with reference to one of a plurality of feature sets.
  - 14. The system of claim 13, wherein the plurality of feature sets are segmented based on pre-defined and discrete numbers of attack signatures.
  - 16. The system of claim 9, wherein the event data is generated by a sensor positioned on a portion of a network.
  - 17. The system of claim 9, wherein the event data is generated by a software agent resident on each of the plurality of security devices.

18. An intrusion detection and response system comprising a combined log-based and knowledge-based event classification system, the event classification system comprising:
- an event data collection means for receiving a plurality of data sets from a respective and corresponding plurality of security devices;
  
  an event analysis means for receiving the plurality of data sets and analyzing the data sets with reference to one of a plurality of pre-defined traffic classes, and producing a corresponding plurality of analyzed data sets; and
  
  an event correlation means for receiving the analyzed data sets and correlating events across the plurality of security devices, and across the log-based and knowledge-based event classification systems, for identifying normal and abnormal data traffic patterns.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The system of claim 18, wherein the plurality of pre-defined traffic classes are segmented based on enterprise size.
  - 20. The system of claim 18, wherein the plurality of pre-defined traffic classes are segmented based on enterprise size and historical data traffic patterns.
  - 21. The system of claim 18, wherein the event analysis means further analyzes the plurality of data sets with reference to one of a plurality of feature sets.
  - 22. The system of claim 21, wherein the plurality of feature sets are segmented based on pre-defined and discrete numbers of attack signatures.
  - 23. The system of claim 18, wherein the event analysis means comprises means for comparing the plurality of data sets against a discrete threshold corresponding to a normal data traffic pattern for the pre-defined traffic class.

24. An intrusion detection and response process, comprising:
- collecting a plurality of data sets from a respective and corresponding plurality of security devices;
  
  analyzing the data sets with reference to one of a plurality of pre-defined traffic classes, and producing a corresponding plurality of analyzed data sets; and
  
  correlating events of the analyzed data sets across the plurality of security devices for identifying normal and abnormal data traffic patterns.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31)
- - 25. The process of claim 24, further comprising segmenting the plurality of pre-defined traffic classes based on enterprise size.
  - 26. The process of claim 24, further comprising segmenting the plurality of pre-defined traffic classes based on historical data traffic patterns.
  - 27. The process of claim 25, further comprising analyzing the plurality of data sets with reference to one of a plurality of feature sets.
  - 28. The process of claim 27, further comprising segmenting the feature sets based on pre-defined and discrete numbers of attack signatures.
  - 29. The process of claim 24, wherein the plurality of data sets are generated from a log event generator native to each of the plurality of security devices
  - 30. The process of claim 29, wherein the plurality of data sets are generated from a sensor positioned on a portion of a network.
  - 31. The process of claim 30, wherein the plurality of data sets are generated by a software agent resident on each of the plurality of security devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Netplexus Corporation
Original Assignee
Netplexus Corporation
Inventors
Tarkington, William C., Desai, Anish P., Jiang, Yuan John, Oliveto, Jeff P.

Application Number

US10/106,387
Publication Number

US 20030188189A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/104 Grouping of entities

H04L 63/145 the attack involving the pr...

Multi-level and multi-platform intrusion detection and response system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

339 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-level and multi-platform intrusion detection and response system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

339 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links