Method and system for encrypted network management and intrusion detection
First Claim
Patent Images
1. A network security system, the system comprising:
- a) a system data store capable of storing risk criteria data, network default data, and network performance and usage data;
b) a first communication interface comprising a receiver that receives inbound communications from a communication channel associated with the communication interface;
c) a system processor comprising one or more processing elements, wherein the system processor is in communication with the system data store and wherein the system processor is programmed or adapted to perform the steps comprising of;
i) receiving data corresponding to a communication transmitted over an encrypted computer network and the signal used to transmit the communication via the communication interface;
ii) detecting a violation by applying a plurality of tests that each compare the received data with data in the system data store or information derived therefrom;
iii) generating an alarm signal if a violation was detected.
9 Assignments
0 Petitions
Accused Products
Abstract
A network security system includes a system data store capable of storing a variety of data associated with an encrypted computer network and communications transmitted thereon, a communication interface supporting communication over a communication channel and a system processor. Data corresponding to communications transmitted over the encrypted communication network are received. One or more tests are applied to the received data to determine whether a particular communication represents a potential security violation. An alarm may be generated based upon the results of the applied test or tests.
213 Citations
28 Claims
-
1. A network security system, the system comprising:
-
a) a system data store capable of storing risk criteria data, network default data, and network performance and usage data;
b) a first communication interface comprising a receiver that receives inbound communications from a communication channel associated with the communication interface;
c) a system processor comprising one or more processing elements, wherein the system processor is in communication with the system data store and wherein the system processor is programmed or adapted to perform the steps comprising of;
i) receiving data corresponding to a communication transmitted over an encrypted computer network and the signal used to transmit the communication via the communication interface;
ii) detecting a violation by applying a plurality of tests that each compare the received data with data in the system data store or information derived therefrom;
iii) generating an alarm signal if a violation was detected. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
-
-
26. A network security method, the method comprising the steps of:
-
a) receiving configuration information comprising one or more risk criteria, network default data, network policy, performance and usage data from a configuration file, an interactive data entry interface or a command line;
b) receiving data corresponding to a communication transmitted over an encrypted computer network and the signal used to transmit the communication;
c) updating a database containing data corresponding to stations in the encrypted computer network based upon the received data;
d) updating state information associated with the encrypted computer network based upon the received data;
e) if a statistical interval has ended based upon the received data or a fixed time interval, updating a database of statistics associated with the encrypted computer network;
f) testing the received data to determine if it represents a signature violation by comparing the received data with configuration information or information derived therefrom;
g) testing the received data to determine if it represents a protocol violation by comparing the received data with configuration information or information derived therefrom;
h) testing the received data to determine if it represents a statistical anomaly by comparing the received data with configuration information, information derived therefrom or information in the database of statistics associated with the wireless computer network;
i) testing the received data to determine if it represents a policy violation by comparing the received data with configuration information or information derived therefrom;
j) generating an alarm signal if the received data represents a signature violation, a protocol violation, a statistical anomaly or a policy violation, wherein the generated alarm signal comprises a type and a severity;
k) in response to the generated alarm, i) notifying an administrator of the generated alarm, its type and its severity;
orii) actively defending the wireless computer network based upon the generated alarm'"'"'s type and severity by;
1) CRC errors;
2) transmitting communications comprising random data;
or3) locking-down the encrypted computer network; and
l) mapping station identity. - View Dependent Claims (27)
-
-
28. A network security system, the system comprising:
-
a) storing means for receiving and storing risk criteria data, network default data, and network performance and usage data;
b) configuration means for receiving configuration information and forwarding the received configuration information to the storing means;
c) communication data receiving means for receiving data corresponding to a communication transmitted over an encrypted computer network and the signal used to transmit the communication;
d) database update means for transferring updated data to the storing means based upon data received by the communication data receiving means;
e) testing means for applying a plurality of tests to data received by the communication data receiving means, wherein each of the plurality of tests is of a type selected from the group consisting of signature test, protocol test, statistical anomaly test and policy test and wherein each test compares data received by the frame data receiving means with data in the storing means or information derived therefrom;
f) alarm means for generating an alarm signal if the data received by the communication data receiving means represents a signature violation, a protocol violation, a statistical anomaly or a policy violation as determined by the testing means, wherein the generated alarm signal comprises a type and a severity;
g) notification means for notifying an administrator of an alarm generated by the alarm means, its type and its severity;
h) active defense means for actively defending the encrypted computer network based upon the type and severity of an alarm generated by the alarm means by;
i) CRC errors;
ii) transmitting communications comprising random data;
oriii) locking-down the encrypted computer network; and
i) mapping means for mapping station identity.
-
Specification