Method and system for detecting unauthorized use of a communication network
Abstract
A system for detecting unauthorised use of a network is provided with a pattern matching engine that searches data packets for attack signatures, and with a response analysis engine that detects response signatures in the data packets sent back from the attacked network or computer. When a suspect signature is detected in a packet, the system enters an alarm status and starts a monitoring process on the packets sent back from the potentially attacked network or computer. An alarm is generated only if the analysis of the response packets also produces a positive result. Such an intrusion detection system is much less prone to false positives and misdiagnosis than a conventional pattern matching intrusion detection system.
96 Citations
50 Claims
1-25. (canceled)

26. An intrusion detection system for detecting unauthorised use of a network, comprising:

a sniffer for capturing data being transmitted on said network and a pattern matching engine receiving data captured by said sniffer and comparing said data with attack signatures for generating an event when a match between captured data and at least one attack signature is found; and
a response analysis engine, triggered by said event for comparing with response signatures the data being transmitted on said network as a response to said data matched with said attack signature and for correlating the results of said comparisons with attack and response signatures for generating an alarm.

Dependent claims: 27-37.
38. A method for detecting unauthorised use of a network, comprising the steps:

capturing data being transmitted on said network;
comparing said data with attack signatures for generating an event when a match between captured data and at least one attack signature is found; and
when triggered by said event:
comparing with response signatures the data being transmitted on said network as a response to said data matched with said attack signature; and
correlating the results of said comparisons with attack and response signatures for generating an alarm.

Dependent claims: 39-50.
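The two-stage flow of the abstract and of claim 38 (attack-signature match raises an event and alarm status; an alarm only follows when the target's reply also matches a response signature) as an added example in Python; this is illustrative code, not the patent's own implementation, and the signatures, addresses and traffic are constructed for the demonstration.

```python
import re
from collections import namedtuple

# Constructed sample types and signatures (not taken from the patent).
Packet = namedtuple("Packet", "src dst payload")

# Attack signatures: name -> pattern searched in packets sent toward a target.
ATTACK_SIGNATURES = {"path-traversal": re.compile(rb"\.\./\.\./.*etc/passwd")}
# Response signatures: name -> pattern expected in the target's reply only if
# the attack actually worked (the "positive result" of the response analysis).
RESPONSE_SIGNATURES = {"path-traversal": re.compile(rb"root:[^:]*:0:0:")}


class TwoStageIDS:
    """Pattern matching engine plus response analysis engine, correlated."""

    def __init__(self, attack_sigs, response_sigs, max_response_packets=5):
        self.attack_sigs = attack_sigs
        self.response_sigs = response_sigs
        self.max_response_packets = max_response_packets
        self.pending = {}   # alarm status: (target, attacker) -> [name, packets left]
        self.events = []    # stage-1 matches (a plain pattern-matching IDS alerts here)
        self.alarms = []    # stage-2 confirmed alarms

    def process(self, pkt):
        key = (pkt.src, pkt.dst)             # a reply from a monitored target?
        if key in self.pending:
            name, left = self.pending[key]
            if self.response_sigs[name].search(pkt.payload):
                self.alarms.append((name, pkt.dst, pkt.src))   # (attack, attacker, target)
                del self.pending[key]
                return "alarm"
            if left <= 1:
                del self.pending[key]       # window exhausted: event never confirmed
            else:
                self.pending[key][1] = left - 1
            return "monitoring"
        for name, sig in self.attack_sigs.items():   # stage 1: attack signatures
            if sig.search(pkt.payload):
                self.events.append((name, pkt.src, pkt.dst))
                self.pending[(pkt.dst, pkt.src)] = [name, self.max_response_packets]
                return "event"
        return "clean"


def run_demo():
    ids = TwoStageIDS(ATTACK_SIGNATURES, RESPONSE_SIGNATURES)
    # Constructed traffic: the same probe hits two hosts; only the second one answers
    # with content matching the response signature, so only it raises an alarm.
    traffic = [
        Packet("10.0.0.5", "10.0.0.20", b"GET /../../etc/passwd HTTP/1.0\r\n"),
        Packet("10.0.0.20", "10.0.0.5", b"HTTP/1.0 404 Not Found\r\n"),
        Packet("10.0.0.5", "10.0.0.21", b"GET /../../etc/passwd HTTP/1.0\r\n"),
        Packet("10.0.0.21", "10.0.0.5", b"HTTP/1.0 200 OK\r\n\r\nroot:x:0:0:root:/root:/bin/sh\n"),
    ]
    return [ids.process(p) for p in traffic], ids.events, ids.alarms
```

Both probes produce a stage-1 event, but only the host whose reply carries the response signature produces an alarm; the other event expires once its monitoring window runs out.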
Specification