Method and Apparatus for Providing Network and Computer System Security
Abstract
An improved network intrusion detection and response system and method is disclosed for detecting and preventing misuse of network resources. More particularly, the system and method dynamically self-adjusts to changes in network activity using a plurality of alert levels wherein each successively higher alert level triggers a corresponding heightened security response from the networked computer being misused. These heightened alert levels are integrated on both the system (individual node) and the network level. The disclosed intrusion detection and response system is also implemented at low cost using currently-existing hardware and software (i.e., network computers).
68 Claims
1-31. (canceled)

32. An article of manufacture including a sequence of instructions stored on a computer-readable media which when executed by a computer network node cause the network node to perform the acts of:

analyzing computer data transmissions with the instructions to determine type, destination, and origin of data contained in the computer data transmissions in order to classify the data according to one or more categories;
modifying an alert variable based on the computer data transmissions originating from one or more suspect computer nodes comprising workstations;
triggering a first response when said alert variable reaches a first predetermined threshold level; and
triggering a second response when said alert variable reaches a second predetermined threshold level.
(Dependent claims: 33, 35, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)

34. The article of manufacture as claimed in claim 34 wherein one of said triggered responses includes a passive scan of one or more of said suspect computer nodes.

36. The article of manufacture as claimed in claim 36 wherein one of said triggered responses includes an active scan of one or more of said suspect computer nodes.

49. An article of manufacture including a sequence of instructions stored on a computer-readable media which when executed by a computer network node cause the computer network node to perform the acts of:

with the sequence of instructions, analyzing computer data transmissions comprising non-voice based data to determine type and origin of data contained in the computer data transmissions in order to classify the data according to one or more categories;
modifying a first suspect-specific alert variable based on the computer data transmissions originating from a first suspect computer node comprising a workstation;
modifying a second suspect-specific alert variable based on the computer data transmissions originating from a second suspect computer node comprising a workstation; and
triggering a suspect-specific response when either of said suspect-specific alert variables reaches a predetermined threshold level.
(Dependent claims: 50, 51, 52, 53, 54, 55, 56)

57. An article of manufacture including a sequence of instructions stored on a computer-readable media which when executed by a computer network server node cause the computer network server node to perform the acts of:

storing a plurality of suspect-specific alert variables for a plurality of computer network nodes comprising workstations;
modifying a network alert variable based on the value of each of said plurality of suspect-specific alert variables; and
triggering a network response when said network alert variable reaches a predetermined threshold level, wherein the network response comprises notifying each of the plurality of computer network nodes that they should each increase their suspect-specific alert variable towards a particular suspect computer node and initiating an active scan of the particular suspect computer node.
(Dependent claims: 58, 59)

60. A method comprising:

with a sequence of instructions in software, analyzing a first event from a suspect computer node comprising a workstation to determine type, destination, and origin of data contained in the event without using pattern alarms;
recording said first event in a first data structure having an event count value;
with the sequence of instructions in software, analyzing a second event from said suspect computer node to determine type, destination, and origin of data contained in the event without using pattern alarms, said second event being of a same type as said first event; and
recording said second event in said first data structure and incrementing said count value if said second event occurs within a predetermined window of time after said first event.
(Dependent claims: 61, 62, 63, 64, 65, 66, 67, 68)
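The independent claims above describe one mechanism from several angles: each node keeps a suspect-specific alert variable that grows as classified transmissions arrive from that suspect (claims 32 and 49), same-type events are counted only within a time window (claim 60), two thresholds trigger a passive and then an active scan (claims 34 and 36), and a server sums the nodes' variables into a network alert variable whose threshold tells every node to raise its alert toward the suspect and starts a network-wide active scan (claim 57). The following toy model ties those pieces together. It is an added example, not the patent's own code; the category weights, threshold values, boost amount, class names and sample traffic are all assumptions chosen for illustration.

```python
"""Toy model of the multi-level alert scheme in the claims above.
Added example, not the patent's code; weights, thresholds and traffic are assumed."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Contribution of one classified transmission to the sender's alert variable (assumed values).
WEIGHTS = {"port_probe": 2, "auth_fail": 3, "benign": 0}
# First and second predetermined threshold levels and the response each triggers (assumed).
NODE_THRESHOLDS = ((4, "passive_scan"), (8, "active_scan"))
NETWORK_THRESHOLD = 10   # network alert level that triggers the network response (assumed)
NETWORK_BOOST = 4        # amount each node is told to add toward the suspect (assumed)


@dataclass(frozen=True)
class Transmission:
    origin: str        # suspect node the data came from
    destination: str   # node that received it
    kind: str          # category assigned by classification
    t: float           # seconds since start of capture


class NodeMonitor:
    """Runs on each workstation: one suspect-specific alert variable per origin."""

    def __init__(self, node, window=60.0):
        self.node = node
        self.window = window
        self.alert = defaultdict(int)      # origin -> suspect-specific alert variable
        self.counts = defaultdict(deque)   # (origin, kind) -> timestamps of same-type events in window
        self.fired = defaultdict(set)      # origin -> responses already triggered for it
        self.responses = []                # (origin, response) in trigger order

    def observe(self, tx):
        """Classify one transmission addressed to this node; return newly triggered responses."""
        if tx.destination != self.node:
            return []
        # Same-type events from one suspect are only counted while inside the time window.
        dq = self.counts[(tx.origin, tx.kind)]
        while dq and tx.t - dq[0] > self.window:
            dq.popleft()
        dq.append(tx.t)
        self.alert[tx.origin] += WEIGHTS.get(tx.kind, 1)   # unknown categories weigh 1 (assumed)
        return self._check(tx.origin)

    def raise_alert(self, origin, amount):
        """Server instruction to increase the alert variable toward a suspect."""
        self.alert[origin] += amount
        return self._check(origin)

    def _check(self, origin):
        new = []
        for level, response in NODE_THRESHOLDS:
            if self.alert[origin] >= level and response not in self.fired[origin]:
                self.fired[origin].add(response)
                self.responses.append((origin, response))
                new.append(response)
        return new

    def repeat_count(self, origin, kind):
        """Event count value for same-type events from one suspect within the window."""
        return len(self.counts[(origin, kind)])


class NetworkMonitor:
    """Runs on the server: sums the nodes' suspect-specific alert variables."""

    def __init__(self, nodes):
        self.nodes = {n.node: n for n in nodes}
        self.scanned = set()
        self.actions = []   # (actor, suspect, response) in trigger order

    def network_alert(self, suspect):
        return sum(n.alert[suspect] for n in self.nodes.values())

    def ingest(self, tx):
        for node in self.nodes.values():
            for resp in node.observe(tx):
                self.actions.append((node.node, tx.origin, resp))
        suspect = tx.origin
        if self.network_alert(suspect) >= NETWORK_THRESHOLD and suspect not in self.scanned:
            self.scanned.add(suspect)
            self.actions.append(("server", suspect, "active_scan"))
            for node in self.nodes.values():
                for resp in node.raise_alert(suspect, NETWORK_BOOST):
                    self.actions.append((node.node, suspect, resp))
        return self.actions


# Constructed sample traffic: one host probes two workstations, another host is benign.
SAMPLE = [
    Transmission("10.0.0.99", "ws1", "port_probe", 0.0),
    Transmission("10.0.0.99", "ws1", "port_probe", 1.0),
    Transmission("10.0.0.99", "ws2", "port_probe", 2.0),
    Transmission("10.0.0.99", "ws2", "port_probe", 3.0),
    Transmission("10.0.0.99", "ws1", "port_probe", 4.0),
    Transmission("10.0.0.10", "ws1", "benign", 5.0),
]


def run(sample=SAMPLE):
    net = NetworkMonitor([NodeMonitor("ws1"), NodeMonitor("ws2")])
    for tx in sample:
        net.ingest(tx)
    return net


if __name__ == "__main__":
    for action in run().actions:
        print(action)
```

With the sample traffic, each workstation reaches the first threshold on its own and fires a passive scan; the network alert variable then reaches its threshold on the fifth probe, the server starts an active scan, and the boost it pushes to both nodes carries each of them over the second threshold. Two caveats a practitioner would add: the alert variables here only grow, so a real deployment needs decay or a reset when the window empties, and the network response performs an active scan of whatever origin address the transmissions carried, so a spoofed origin can turn the whole network into a scanner aimed at an innocent host.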
Specification