Intrusion detection report correlator and analyzer

US 20060070128A1
Filed: 12/20/2004
Published: 03/30/2006
Est. Priority Date: 12/18/2003
Status: Active Grant

First Claim

Patent Images

1. A method of correlating and analyzing reports of detected activity in a computer network, the method comprising:

receiving and storing intrusion reports from multiple intrusion detectors;

clustering the intrusion reports and associating them with events; and

scoring the events based on an intrusion reference model.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer/computer network security alert management system aggregates information from multiple intrusion detectors. Utilizing reports from multiple intrusion detectors reduces the high false alarm rate experienced by individual detectors while also improving detection of coordinated attacks involving a series of seemingly harmless operations. An internal representation of a protected enclave is utilized, and intrusion detection system (IDS) information is correlated to accurately prioritize alerts. In one embodiment, the system is capable of utilizing data from most existing IDS products, with flexibility to add further IDS products.

79 Citations

View as Search Results

25 Claims

1. A method of correlating and analyzing reports of detected activity in a computer network, the method comprising:
- receiving and storing intrusion reports from multiple intrusion detectors;
  
  clustering the intrusion reports and associating them with events; and
  
  scoring the events based on an intrusion reference model.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the events are scored based on plausibility and impact.
  - 3. The method of claim 2 wherein the events are scored using a Bayesian estimation network.
  - 4. The method of claim 2 wherein the events are scored as a function of qualitative probability.
  - 5. The method of claim 1 wherein the intrusion reference model contains information about a protected network, its configuration, installed intrusion detectors, and related security goals.
  - 6. The method of claim 1 and further comprising providing a viewable real time flow of events.
  - 7. The method of claim 1 and further comprising providing a graphical user interface for allowing a user to review information for a selected period of time and select important events.
  - 8. The method of claim 7 and further comprising providing filters in the graphical user interface for selecting events to be displayed.
  - 9. The method of claim 7 and further comprising providing a list of events in the graphical user interface, and providing controls for grouping events by start time, operation involved, hypothesized intent, source IP address or target host.

10. An intrusion detection system comprising:
- means for receiving and storing intrusion reports from multiple intrusion detectors;
  
  means for clustering the intrusion reports and associating them with events; and
  
  means for scoring the events based on an intrusion reference model.
- View Dependent Claims (11, 12, 13)
- - 11. The intrusion detection system of claim 10 and further comprising means for displaying a list of event descriptors sorted by time of occurrence, with subsidiary events indented below their parent.
  - 12. The intrusion detection system of claim 11 and further comprising auxiliary links for viewing relevant entries from vulnerability databases.
  - 13. The intrusion detection system of claim 11 and further comprising means for graphically representing the number of reports of interactions between source IP and target IP.

14. A dynamic evidence aggregator for an intrusion detection system, the dynamic evidence aggregator comprising:
- an input that receives and stores intrusion reports from multiple intrusion detectors;
  
  a first module that clusters the intrusion reports into events; and
  
  a second module that scores the events based on an intrusion reference model.

15. An intrusion detection system comprising:
- an input that receives and stores intrusion reports from multiple intrusion detectors;
  
  a first module that clusters the intrusion reports into events;
  
  an intrusion reference model; and
  
  a second module that scores the events based on the intrusion reference model.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. The system of claim 15, wherein the intrusion reference model comprises:
    - a network model;
      
      a security model; and
      
      a plurality of attack models.
  - 17. The system of claim 15 wherein the events are scored based on plausibility and impact.
  - 18. The system of claim 17 wherein the events are scored using a Bayesian estimation network.
  - 19. The system of claim 17 wherein the events are scored as a function of qualitative probability.
  - 20. The system of claim 17 and further comprising a graphical user interface.
  - 21. The system of claim 20 wherein the graphical user interface comprises a plurality of panes of information.
  - 22. The system of claim 21 wherein one of the panes comprises a triage table.
  - 23. The system of claim 22 wherein the triage table comprises numbers of events displayed in cells at multiple levels of plausibility and severity, respectively.
  - 24. The system of claim 23 wherein each cell comprises a link to events at a specific level of plausibility and severity.
  - 25. The system of claim 21 wherein one of the panes comprises a set of filters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Honeywell International Inc.
Original Assignee
Honeywell International Inc.
Inventors
Heimerdinger, Walter L., Schewe, Jon P.

Granted Patent

US 8,191,139 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1441 Countermeasures against mal...

Intrusion detection report correlator and analyzer

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection report correlator and analyzer

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links