Intrusion detection system
First Claim
1. An intrusion detection system (IDS) comprising:
a traffic sniffer for extracting network packets from passing network traffic;
a traffic parser configured to extract individual data from defined packet fields of said network packets;
a traffic logger configured to store individual packet fields of said network packets in a database;
a vector builder configured to generate multi-dimensional vectors from selected features of said stored packet fields;
at least one self-organizing clustering module configured to process said multi-dimensional vectors to produce a self-organized map of clusters;
an anomaly detector able to detect anomalous correlations between individual ones of said clusters in said self-organized map based upon at least one configurable correlation metric; and
a classifier configured to classify detected anomalous correlations as one of an alarm and normal behavior.
8 Assignments
0 Petitions
Abstract
An intrusion detection system (IDS). An IDS which has been configured in accordance with the present invention can include a traffic sniffer for extracting network packets from passing network traffic; a traffic parser configured to extract individual data from defined packet fields of the network packets; and a traffic logger configured to store individual packet fields of the network packets in a database. A vector builder can be configured to generate multi-dimensional vectors from selected features of the stored packet fields. Notably, at least one self-organizing clustering module can be configured to process the multi-dimensional vectors to produce a self-organized map of clusters. Subsequently, an anomaly detector can detect anomalous correlations between individual ones of the clusters in the self-organized map based upon at least one configurable correlation metric. Finally, a classifier can classify detected anomalous correlations as one of an alarm and normal behavior.
299 Citations
18 Claims
1. An intrusion detection system (IDS) comprising:
a traffic sniffer for extracting network packets from passing network traffic;
a traffic parser configured to extract individual data from defined packet fields of said network packets;
a traffic logger configured to store individual packet fields of said network packets in a database;
a vector builder configured to generate multi-dimensional vectors from selected features of said stored packet fields;
at least one self-organizing clustering module configured to process said multi-dimensional vectors to produce a self-organized map of clusters;
an anomaly detector able to detect anomalous correlations between individual ones of said clusters in said self-organized map based upon at least one configurable correlation metric; and
a classifier configured to classify detected anomalous correlations as one of an alarm and normal behavior.
Dependent claims: 2, 3, 4, 5, 6.

7. An intrusion detection method comprising the steps of:
monitoring network traffic passing across a network communications path;
extracting network packets from said passing traffic;
storing individual components of said network packets in a database;
constructing multi-dimensional vectors from at least two of said stored individual components and applying at least one multi-variate analysis to said constructed multi-dimensional vectors, said at least one multi-variate analysis producing a corresponding output set;
establishing a correlation between individual output sets based upon a selected metric to identify anomalous behavior; and
classifying said anomalous behavior as an event selected from the group consisting of a network fault, a change in network performance and a network attack.
Dependent claims: 8, 9, 10, 11.

12. An intrusion detection method comprising the steps of:
monitoring network traffic passing across a network communications path destined for multiple target devices in multiple independent network domains and extracting network packets from said passing traffic;
identifying protocol boundaries in each extracted network packet and storing data from each field separated by said identified protocol boundaries in a database;
associating said data in said database with at least one of a corresponding target device, a target network domain, a target customer, and a target customer sub-net;
processing said stored data using at least one self-organizing clustering method to establish correlations between fields of different network packets destined for different ones of said multiple independent network domains; and
identifying a network attack, a network fault, or a change in network performance based upon said established correlations.

13. A machine readable storage having stored thereon a computer program for detecting network intrusions, said computer program comprising a routine set of instructions which when executed cause the machine to perform the steps of:
monitoring network traffic passing across a network communications path;
extracting network packets from said passing traffic;
storing individual components of said network packets in a database;
constructing multi-dimensional vectors from at least two of said stored individual components and applying at least one multi-variate analysis to said constructed multi-dimensional vectors, said at least one multi-variate analysis producing a corresponding output set;
establishing a correlation between individual output sets based upon a selected metric to identify anomalous behavior; and
classifying said anomalous behavior as one of a network fault or a network attack.
Dependent claims: 14, 15, 16, 17.

18. A machine readable storage having stored thereon a computer program for detecting network intrusions, said computer program comprising a routine set of instructions which when executed cause the machine to perform the steps of:
monitoring network traffic passing across a network communications path destined for multiple target devices in multiple independent network domains and extracting network packets from said passing traffic;
identifying protocol boundaries in each extracted network packet and storing data from each field separated by said identified protocol boundaries in a database;
associating said data in said database with at least one of a corresponding target device, a target network domain, a target customer, and a target customer sub-net;
processing said stored data using at least one self-organizing clustering method to establish correlations between fields of different network packets destined for different ones of said multiple independent network domains; and
identifying a network attack, a network fault, or a change in network performance based upon said established correlations.
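The pipeline described in the abstract and in claims 1 and 7 (vector builder, self-organizing clustering, a configurable metric feeding an anomaly detector, and a two-way classifier) is compact enough to show end to end. The following is an added example written for this page, not code from the patent, its assignee or any product: a pure-Python Kohonen self-organizing map trained on a constructed baseline capture, with quantization error (distance from a packet's vector to its best-matching node) standing in for the claims' correlation metric and a baseline-derived threshold as the configurable part. The packet records, the choice of fields (`ip_len`, `dst_port`, `proto`), the 4x4 map size, the threshold rule and the oversized test packet are all assumptions of the example.

```python
import math
import random

# Packet fields the vector builder selects. Assumed for the example; the patent
# leaves the selected features to configuration.
FIELDS = ("ip_len", "dst_port", "proto")


def build_vectors(packets, fields=FIELDS):
    """Vector builder: parsed packet records -> numeric feature vectors."""
    return [[float(p[f]) for f in fields] for p in packets]


class MinMaxScaler:
    """Scales each feature into [0, 1] using the ranges seen in the baseline."""

    def fit(self, vectors):
        cols = list(zip(*vectors))
        self.lo = [min(c) for c in cols]
        self.hi = [max(c) for c in cols]
        return self

    def transform(self, vectors):
        return [[(x - lo) / (hi - lo) if hi > lo else 0.0
                 for x, lo, hi in zip(v, self.lo, self.hi)] for v in vectors]


class SOM:
    """Minimal Kohonen self-organizing map on a width x height node grid."""

    def __init__(self, width, height, dim, seed=0):
        self.rng = random.Random(seed)
        self.coords = [(i % width, i // width) for i in range(width * height)]
        self.nodes = [[self.rng.random() for _ in range(dim)] for _ in self.coords]
        self.radius0 = max(width, height) / 2.0

    def bmu(self, v):
        """Best matching unit: (index, euclidean distance) of the closest node."""
        best, best_d = -1, float("inf")
        for i, node in enumerate(self.nodes):
            d = math.sqrt(sum((a - b) ** 2 for a, b in zip(v, node)))
            if d < best_d:
                best, best_d = i, d
        return best, best_d

    def train(self, vectors, epochs=60, lr0=0.5):
        """Online training: pull the BMU and its grid neighbours toward each
        vector, with learning rate and neighbourhood radius shrinking per epoch."""
        for epoch in range(epochs):
            t = epoch / epochs
            lr = lr0 * (1.0 - t) + 0.01
            radius = self.radius0 * math.exp(-3.0 * t) + 0.3
            order = list(vectors)
            self.rng.shuffle(order)
            for v in order:
                bx, by = self.coords[self.bmu(v)[0]]
                for j, (x, y) in enumerate(self.coords):
                    h = math.exp(-((x - bx) ** 2 + (y - by) ** 2) / (2.0 * radius * radius))
                    if h < 1e-3:
                        continue
                    node = self.nodes[j]
                    for k in range(len(node)):
                        node[k] += lr * h * (v[k] - node[k])
        return self


class SomAnomalyDetector:
    """Anomaly detector plus classifier. Metric: quantization error (distance to
    the BMU). Threshold: a configurable multiple of the worst baseline fit."""

    def __init__(self, width=4, height=4, threshold_factor=3.0, seed=0):
        self.width, self.height = width, height
        self.threshold_factor, self.seed = threshold_factor, seed

    def fit(self, baseline_packets):
        vecs = build_vectors(baseline_packets)
        self.scaler = MinMaxScaler().fit(vecs)
        scaled = self.scaler.transform(vecs)
        self.som = SOM(self.width, self.height, len(FIELDS), self.seed).train(scaled)
        self.threshold = self.threshold_factor * max(self.som.bmu(v)[1] for v in scaled)
        return self

    def score(self, packets):
        return [self.som.bmu(v)[1] for v in self.scaler.transform(build_vectors(packets))]

    def classify(self, packets):
        """Classifier: 'alarm' when the metric exceeds the threshold, else 'normal'."""
        return ["alarm" if s > self.threshold else "normal" for s in self.score(packets)]


def constructed_capture(n, seed):
    """Constructed sample traffic (not real capture data): web over TCP, DNS over UDP."""
    rng = random.Random(seed)
    pkts = []
    for _ in range(n):
        if rng.random() < 0.7:
            pkts.append({"ip_len": rng.randint(200, 1400), "dst_port": rng.choice([80, 443]), "proto": 6})
        else:
            pkts.append({"ip_len": rng.randint(60, 120), "dst_port": 53, "proto": 17})
    return pkts


def run_demo():
    """Train on a baseline capture, then score a new capture containing one
    constructed oversized packet that the baseline never showed."""
    detector = SomAnomalyDetector().fit(constructed_capture(80, seed=1))
    new_capture = constructed_capture(6, seed=2)
    new_capture.append({"ip_len": 9000, "dst_port": 443, "proto": 6})  # constructed outlier
    scores = detector.score(new_capture)
    return {"threshold": detector.threshold, "scores": scores, "labels": detector.classify(new_capture)}


if __name__ == "__main__":
    result = run_demo()
    print("threshold = %.3f" % result["threshold"])
    for score, label in zip(result["scores"], result["labels"]):
        print("%.3f  %s" % (score, label))
```

Two properties worth noting from a detection-engineering standpoint: the scaler is fitted only on the baseline, so a field value outside the baseline range lands far from every node regardless of how the map was trained, and the threshold is relative to the baseline's own worst fit rather than an absolute number, which is what makes it tunable per deployment without retraining the map.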
Specification