Intrusion detection report correlator and analyzer
First Claim
1. A method of correlating and analyzing reports of detected activity in a computer network, the method comprising:
receiving and storing intrusion reports from multiple intrusion detectors;
clustering the intrusion reports and associating them with events; and
scoring the events based on an intrusion reference model.
Abstract
A computer/computer network security alert management system aggregates information from multiple intrusion detectors. Utilizing reports from multiple intrusion detectors reduces the high false alarm rate experienced by individual detectors while also improving detection of coordinated attacks involving a series of seemingly harmless operations. An internal representation of a protected enclave is utilized, and intrusion detection system (IDS) information is correlated to accurately prioritize alerts. In one embodiment, the system is capable of utilizing data from most existing IDS products, with flexibility to add further IDS products.
79 Citations
25 Claims
1. A method of correlating and analyzing reports of detected activity in a computer network, the method comprising:
receiving and storing intrusion reports from multiple intrusion detectors;
clustering the intrusion reports and associating them with events; and
scoring the events based on an intrusion reference model.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. An intrusion detection system comprising:
means for receiving and storing intrusion reports from multiple intrusion detectors;
means for clustering the intrusion reports and associating them with events; and
means for scoring the events based on an intrusion reference model.
Dependent claims: 11, 12, 13.

14. A dynamic evidence aggregator for an intrusion detection system, the dynamic evidence aggregator comprising:
an input that receives and stores intrusion reports from multiple intrusion detectors;
a first module that clusters the intrusion reports into events; and
a second module that scores the events based on an intrusion reference model.

15. An intrusion detection system comprising:
an input that receives and stores intrusion reports from multiple intrusion detectors;
a first module that clusters the intrusion reports into events;
an intrusion reference model; and
a second module that scores the events based on the intrusion reference model.
Dependent claims: 16, 17, 18, 19, 20, 21, 22, 23, 24, 25.
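As an added illustration of the three claimed steps (receive and store reports from several detectors, cluster them into events, score the events against an intrusion reference model), the following Python sketch is not the patent's code. The detector names, hosts, signatures, time window and scoring weights are constructed assumptions; the reference model here is simply which services each protected host runs and how critical it is.

```python
from collections import defaultdict

# Constructed sample reports from two hypothetical detectors ("nids-A", "hids-B").
REPORTS = [
    {"detector": "nids-A", "ts": 100, "src": "10.0.0.5", "dst": "10.1.1.10", "sig": "portscan"},
    {"detector": "hids-B", "ts": 130, "src": "10.0.0.5", "dst": "10.1.1.10", "sig": "failed-login"},
    {"detector": "nids-A", "ts": 150, "src": "10.0.0.5", "dst": "10.1.1.10", "sig": "smb-exploit"},
    {"detector": "nids-A", "ts": 400, "src": "10.0.0.9", "dst": "10.1.1.20", "sig": "smb-exploit"},
]

# Constructed intrusion reference model of the protected enclave: which
# services each host actually runs and how critical the host is.
REFERENCE_MODEL = {
    "10.1.1.10": {"criticality": 3, "services": {"smb", "ssh"}},
    "10.1.1.20": {"criticality": 1, "services": {"http"}},
}
# Which service a signature targets (None = not service specific). Assumed mapping.
SIG_SERVICE = {"smb-exploit": "smb", "failed-login": "ssh", "portscan": None}


def cluster(reports, window=120):
    """Group reports by (src, dst); a gap longer than `window` seconds starts a new event."""
    by_pair = defaultdict(list)
    for r in sorted(reports, key=lambda r: r["ts"]):
        by_pair[(r["src"], r["dst"])].append(r)
    events = []
    for (src, dst), rs in by_pair.items():
        current = None
        for r in rs:
            if current is None or r["ts"] - current["last"] > window:
                current = {"src": src, "dst": dst, "last": r["ts"], "reports": []}
                events.append(current)
            current["reports"].append(r)
            current["last"] = r["ts"]
    return events


def score(event, model=REFERENCE_MODEL):
    """Corroboration (distinct detectors) + progression (distinct signatures)
    + relevance (signatures applicable to a service the target runs, weighted by criticality)."""
    target = model.get(event["dst"], {"criticality": 0, "services": set()})
    detectors = {r["detector"] for r in event["reports"]}
    sigs = {r["sig"] for r in event["reports"]}
    applicable = sum(1 for s in sigs if SIG_SERVICE.get(s) in target["services"])
    return len(detectors) + len(sigs) + applicable * target["criticality"]


def analyze(reports=REPORTS, model=REFERENCE_MODEL):
    """Return (score, event) pairs ranked highest first."""
    return sorted(((score(e, model), e) for e in cluster(reports)), key=lambda x: -x[0])
```

The lone SMB signature against a host that runs no SMB service scores low, while the corroborated, multi-stage sequence against a critical host that does run the targeted services rises to the top of the list.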
Specification