Alert transmission apparatus and method for policy-based intrusion detection and response

US 20040088583A1
Filed: 05/30/2003
Published: 05/06/2004
Est. Priority Date: 10/31/2002
Status: Active Grant

First Claim

Patent Images

1. An alert transmission apparatus for a policy-based intrusion detection and response, comprising a central policy server (CPS) and an intrusion detection and response system (IDRS), wherein the CPS includes:

a policy management tool for generating security policy information and storing the generated security policy information in a policy repository;

a COPS-IDR server for sending the security policy information provided from the policy management tool to the IDRS through a COPS-IDR protocol and providing an IDMEF-XML-type alert transmission message having an IDMEF-XML-type alert message provided from the IDRS to a high-level module; and

an IDMEF-XML message parsing and translation module for parsing and translating the IDMEF-XML-type alert transmission message provided from the COPS-IDR server, and then storing the IDMEF-XML-type alert transmission message passed and translated at an alert DB or providing the IDMEF-XML-type alert transmission message parsed and translated to an alert viewer corresponding to the high-level module, and wherein the IDRS includes;

a COPS-IDR client for receiving the security policy information from the COPS-IDR server through the COPS-IDR protocol and providing the IDMEF-XML-type alert transmission message to the CPS through the COPS-IDR protocol, with the IDMEF-XML-type alert message being encapsulated into an alert object to generate the IDMEF-XML-type alert transmission message;

an intrusion detection module for detecting an intrusion in case a hacker intrudes while the security policy information provided from the COPS-IDR client is being executed and generating a raw alert transmission message;

an intrusion response module for responding to the intrusion in case the raw alert transmission message is transmitted thereto from the intrusion response module; and

an IDMEF-XML message building module for generating the IDMEF-XML-type alert message by formatting the raw alert transmission message and providing the generated IDMEF-XML-type alert message to the COPS-IDR client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An alert transmission apparatus for a policy-based intrusion detection and response has a central policy server (CPS) and an intrusion detection and response system (IDRS). In the CPS, a policy management tool generates security policy information and then stores the generated security policy information in a policy repository. A COPS-IDR server sends the information to the IDRS and an IDMEF-XML-type alert transmission message to a high-level module. An IDMEF-XML message parsing and translation module stores a parsed and translated IDMEF-XML-type alert transmission message in an alert DB or provides the message to an alert viewer. In the IDRS, a COPS-IDR client generates the IDMEF-XML-type alert transmission message and provides the message to the CPS. An intrusion detection module detects an intrusion. An intrusion response module responds to the intrusion. An IDMEF-XML message building module generates an IDMEF-XML alert message and provides the message to the COPS-IDR client.

65 Citations

View as Search Results

12 Claims

1. An alert transmission apparatus for a policy-based intrusion detection and response, comprising a central policy server (CPS) and an intrusion detection and response system (IDRS), wherein the CPS includes:
- a policy management tool for generating security policy information and storing the generated security policy information in a policy repository;
  
  a COPS-IDR server for sending the security policy information provided from the policy management tool to the IDRS through a COPS-IDR protocol and providing an IDMEF-XML-type alert transmission message having an IDMEF-XML-type alert message provided from the IDRS to a high-level module; and
  
  an IDMEF-XML message parsing and translation module for parsing and translating the IDMEF-XML-type alert transmission message provided from the COPS-IDR server, and then storing the IDMEF-XML-type alert transmission message passed and translated at an alert DB or providing the IDMEF-XML-type alert transmission message parsed and translated to an alert viewer corresponding to the high-level module, and wherein the IDRS includes;
  
  a COPS-IDR client for receiving the security policy information from the COPS-IDR server through the COPS-IDR protocol and providing the IDMEF-XML-type alert transmission message to the CPS through the COPS-IDR protocol, with the IDMEF-XML-type alert message being encapsulated into an alert object to generate the IDMEF-XML-type alert transmission message;
  
  an intrusion detection module for detecting an intrusion in case a hacker intrudes while the security policy information provided from the COPS-IDR client is being executed and generating a raw alert transmission message;
  
  an intrusion response module for responding to the intrusion in case the raw alert transmission message is transmitted thereto from the intrusion response module; and
  
  an IDMEF-XML message building module for generating the IDMEF-XML-type alert message by formatting the raw alert transmission message and providing the generated IDMEF-XML-type alert message to the COPS-IDR client.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein an object of the COPS-IDR protocol includes a S-Num field for identifying the object, a S-Type field for distinguishing encoding methods and an object contents field having a variable length.
  - 3. The apparatus of claim 2, wherein, in case the S-Num is embodied by 8 bits, the S-Num field has a value among “
    - 1”
      
      , “
      
      2” and
      
      “
      
      3”
      
      , indicating a provisioning instance identifier (PRID) object, an encoded provision instance data (EPD) object and the alert object, respectively.
  - 4. The apparatus of claim 3, wherein the values of the S-Num field “
    - 1” and
      
      “
      
      2”
      
      represent objects for conveying the security policy information and the value of the S-Num field “
      
      3”
      
      indicates an object for transmitting the IDMEF-XML-type alert transmission message.
  - 5. The apparatus of claim 2, wherein, in case the S-Type is embodied by 8 bits, the S-Type field has a value among “
    - 1” and
      
      “
      
      2”
      
      , representing a basic encoding rules (BER) encoding and an extensible markup language (XML) encoding, respectively.
  - 6. The apparatus of claim 2, wherein the object contents field conveys the IDMEF-XML-type alert transmission message by including it therein.
  - 7. The apparatus of claim 1, wherein, in a format of the IDMEF-XML-type alert transmission message, a value of an Op Code field in a Common Header object is “
    - 3”
      
      , a value of a Client-Type field in the Common Header object is “
      
      4”
      
      , and a value of a Report-Type field in a Report-Type object is “
      
      3”
      
      , the values respectively indicating the alert transmission message, the COPS-IDR and an Accounting;
      
      the Named Client SI object, the alert object being encapsulated thereinto, is used for conveying the alert message;
      
      a value of a S-Num field in the alert object is “
      
      3” and
      
      a value of a S-Type field is “
      
      2”
      
      , the values respectively indicating an alert and an XML;
      
      an object contents field is filled with the IDMEF-XML alert message.

8. An alert transmission method for a policy-based intrusion detection and response of a system having a CPS and an IDRS, comprising the steps of:
- (a) generating security policy information in a policy management tool in the CPS, and then storing the generated security policy information at a policy repository and providing the generated security information to a COPS-IDR server in the CPS at the same time;
  
  (b) providing the security policy information, which is supplied from the COPS-IDR server, to a COPS-IDR client in the IDRS through a COPS-IDR protocol;
  
  (c) providing the security policy information provided from the COPS-IDR client through the COPS-IDR protocol to an intrusion response module and an intrusion detection module in the IDRS;
  
  (d) detecting an intrusion by the intrusion detection module, in case the intrusion occurs by a hacker while the security policy information is being executed, and then generating a raw alert transmission message at the intrusion detection module and providing the generated raw alert transmission message to an IDMEF-XML message building module in the IDRS;
  
  (e) generating an IDMEF-XML-type alert message at the IDMEF-XML message building module by formatting the raw alert transmission message and then providing the IDMEF-XML-type alert message to the COPS-IDR client;
  
  (f) generating an IDMEF-XML-type alert transmission message by encapsulating the IDMEF-XML-type alert message into an alert object at the COPS-IDR client and then providing the generated IDMEF-XML-type alert transmission message to the COPS-IDR server through the COPS-IDR protocol;
  
  (g) checking whether or not the IDMEF-XML-type alert transmission message transmitted to the COPS-IDR server includes the IDMEF-XML-type alert message and then providing the IDMEF-XML-type alert transmission message, in case the IDMEF-XML-type alert message is included in the IDMEF-XML-type alert transmission message, to an IDMEF-XML message parsing and translation module in the CPS; and
  
  (h) parsing and translating the IDMEF-XML-type alert transmission message and then storing the IDMEF-XML-type alert transmission message at an alert DB in the CPS or providing the IDMEF-XML-type alert transmission message to an alert viewer corresponding to a high-level module to thereby output the IDMEF-XML-type alert transmission message.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8, wherein the COPS-IDR protocol at the steps (b) and (f) has a format including:
    - a S-Num field for distinguishing objects, in case the S-Num is embodied by 8 bits, values thereof “
      
      1”
      
      , “
      
      2” and
      
      “
      
      3”
      
      indicating a provisioning instance identifier (PRID) object, an encoded provision instance data (EPD) object and the alert object, respectively;
      
      a S-Type field for distinguishing encoding methods, in case the S-Type is embodied by 8 bits, values thereof “
      
      1” and
      
      “
      
      2”
      
      representing a basic encoding rules (BER) encoding and an extensible markup language (XML) encoding, respectively; and
      
      an object contents field for conveying the IDMEF-XML-type alert transmission message by including it therein.
  - 10. The method of claim 9, wherein the values of the S-Num field “
    - 1” and
      
      “
      
      2”
      
      are used for conveying the security policy information and the value of the S-Num field “
      
      3”
      
      is used for transmitting the IDMEF-XML-type alert transmission message.
  - 11. The method of claim 8, further comprising a step, in case the IDMEF-XML-type alert message is not included in the IDMEF-XML-type alert transmission message at the step (g), of making a request, to the COPS-IDR client, for providing the IDMEF-XML-type alert transmission message, with the IDMEF-XML-type alert message being included therein.
  - 12. The method of claim 8, wherein, in a format of the IDMEF-XML-type alert transmission message, a value of an Op Code field in a Common Header object is “
    - 3”
      
      , a value of a Client-Type field in the Common Header object is “
      
      4”
      
      , and a value of a Report-Type field in a Report-Type object is “
      
      3”
      
      , the values respectively indicating the alert transmission message, the COPS-IDR and an Accounting;
      
      the Named Client SI object, the alert object being encapsulated thereinto, is used for conveying the alert message;
      
      a value of a S-Num field in the alert object is “
      
      3” and
      
      a value of a S-Type field is “
      
      2”
      
      , the values respectively indicating an alert and an XML;
      
      an object contents field is filled with the IDMEF-XML alert message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
Ahn, Gae Il, Jang, Jong Soo, Kim, Ki Young, Yoon, Seung Yong

Granted Patent

US 7,386,733 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Alert transmission apparatus and method for policy-based intrusion detection and response

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

65 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Alert transmission apparatus and method for policy-based intrusion detection and response

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links