Alert transmission apparatus and method for policy-based intrusion detection and response
First Claim
1. An alert transmission apparatus for a policy-based intrusion detection and response, comprising a central policy server (CPS) and an intrusion detection and response system (IDRS), wherein the CPS includes:
- a policy management tool for generating security policy information and storing the generated security policy information in a policy repository;
a COPS-IDR server for sending the security policy information provided from the policy management tool to the IDRS through a COPS-IDR protocol and providing an IDMEF-XML-type alert transmission message having an IDMEF-XML-type alert message provided from the IDRS to a high-level module; and
an IDMEF-XML message parsing and translation module for parsing and translating the IDMEF-XML-type alert transmission message provided from the COPS-IDR server, and then storing the IDMEF-XML-type alert transmission message passed and translated at an alert DB or providing the IDMEF-XML-type alert transmission message parsed and translated to an alert viewer corresponding to the high-level module, and wherein the IDRS includes;
a COPS-IDR client for receiving the security policy information from the COPS-IDR server through the COPS-IDR protocol and providing the IDMEF-XML-type alert transmission message to the CPS through the COPS-IDR protocol, with the IDMEF-XML-type alert message being encapsulated into an alert object to generate the IDMEF-XML-type alert transmission message;
an intrusion detection module for detecting an intrusion in case a hacker intrudes while the security policy information provided from the COPS-IDR client is being executed and generating a raw alert transmission message;
an intrusion response module for responding to the intrusion in case the raw alert transmission message is transmitted thereto from the intrusion response module; and
an IDMEF-XML message building module for generating the IDMEF-XML-type alert message by formatting the raw alert transmission message and providing the generated IDMEF-XML-type alert message to the COPS-IDR client.
1 Assignment
0 Petitions
Accused Products
Abstract
An alert transmission apparatus for a policy-based intrusion detection and response has a central policy server (CPS) and an intrusion detection and response system (IDRS). In the CPS, a policy management tool generates security policy information and then stores the generated security policy information in a policy repository. A COPS-IDR server sends the information to the IDRS and an IDMEF-XML-type alert transmission message to a high-level module. An IDMEF-XML message parsing and translation module stores a parsed and translated IDMEF-XML-type alert transmission message in an alert DB or provides the message to an alert viewer. In the IDRS, a COPS-IDR client generates the IDMEF-XML-type alert transmission message and provides the message to the CPS. An intrusion detection module detects an intrusion. An intrusion response module responds to the intrusion. An IDMEF-XML message building module generates an IDMEF-XML alert message and provides the message to the COPS-IDR client.
65 Citations
12 Claims
-
1. An alert transmission apparatus for a policy-based intrusion detection and response, comprising a central policy server (CPS) and an intrusion detection and response system (IDRS), wherein the CPS includes:
-
a policy management tool for generating security policy information and storing the generated security policy information in a policy repository;
a COPS-IDR server for sending the security policy information provided from the policy management tool to the IDRS through a COPS-IDR protocol and providing an IDMEF-XML-type alert transmission message having an IDMEF-XML-type alert message provided from the IDRS to a high-level module; and
an IDMEF-XML message parsing and translation module for parsing and translating the IDMEF-XML-type alert transmission message provided from the COPS-IDR server, and then storing the IDMEF-XML-type alert transmission message passed and translated at an alert DB or providing the IDMEF-XML-type alert transmission message parsed and translated to an alert viewer corresponding to the high-level module, and wherein the IDRS includes;
a COPS-IDR client for receiving the security policy information from the COPS-IDR server through the COPS-IDR protocol and providing the IDMEF-XML-type alert transmission message to the CPS through the COPS-IDR protocol, with the IDMEF-XML-type alert message being encapsulated into an alert object to generate the IDMEF-XML-type alert transmission message;
an intrusion detection module for detecting an intrusion in case a hacker intrudes while the security policy information provided from the COPS-IDR client is being executed and generating a raw alert transmission message;
an intrusion response module for responding to the intrusion in case the raw alert transmission message is transmitted thereto from the intrusion response module; and
an IDMEF-XML message building module for generating the IDMEF-XML-type alert message by formatting the raw alert transmission message and providing the generated IDMEF-XML-type alert message to the COPS-IDR client. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. An alert transmission method for a policy-based intrusion detection and response of a system having a CPS and an IDRS, comprising the steps of:
-
(a) generating security policy information in a policy management tool in the CPS, and then storing the generated security policy information at a policy repository and providing the generated security information to a COPS-IDR server in the CPS at the same time;
(b) providing the security policy information, which is supplied from the COPS-IDR server, to a COPS-IDR client in the IDRS through a COPS-IDR protocol;
(c) providing the security policy information provided from the COPS-IDR client through the COPS-IDR protocol to an intrusion response module and an intrusion detection module in the IDRS;
(d) detecting an intrusion by the intrusion detection module, in case the intrusion occurs by a hacker while the security policy information is being executed, and then generating a raw alert transmission message at the intrusion detection module and providing the generated raw alert transmission message to an IDMEF-XML message building module in the IDRS;
(e) generating an IDMEF-XML-type alert message at the IDMEF-XML message building module by formatting the raw alert transmission message and then providing the IDMEF-XML-type alert message to the COPS-IDR client;
(f) generating an IDMEF-XML-type alert transmission message by encapsulating the IDMEF-XML-type alert message into an alert object at the COPS-IDR client and then providing the generated IDMEF-XML-type alert transmission message to the COPS-IDR server through the COPS-IDR protocol;
(g) checking whether or not the IDMEF-XML-type alert transmission message transmitted to the COPS-IDR server includes the IDMEF-XML-type alert message and then providing the IDMEF-XML-type alert transmission message, in case the IDMEF-XML-type alert message is included in the IDMEF-XML-type alert transmission message, to an IDMEF-XML message parsing and translation module in the CPS; and
(h) parsing and translating the IDMEF-XML-type alert transmission message and then storing the IDMEF-XML-type alert transmission message at an alert DB in the CPS or providing the IDMEF-XML-type alert transmission message to an alert viewer corresponding to a high-level module to thereby output the IDMEF-XML-type alert transmission message. - View Dependent Claims (9, 10, 11, 12)
-
Specification