Method and Apparatus for Providing Network and Computer System Security

US 20070022090A1
Filed: 09/27/2006
Published: 01/25/2007
Est. Priority Date: 12/09/1998
Status: Active Grant

First Claim

Patent Images

1-31. -31. (canceled)

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved network intrusion detection and response system and method is disclosed for detecting and preventing misuse of network resources. More particularly, the system and method dynamically self-adjusts to changes in network activity using a plurality of alert levels wherein each successively higher alert level triggers a corresponding heightened security response from the networked computer being misused. These heightened alert levels are integrated on both the system (individual node) and the network level. The disclosed intrusion detection and response system is also implemented at low cost using currently-existing hardware and software (i.e., network computers).

67 Citations

View as Search Results

68 Claims

1-31. -31. (canceled)

32. An article of manufacture including a sequence of instructions stored on a computer-readable media which when executed by a computer network node cause the network node to perform the acts of:
- analyzing computer data transmissions with the instructions to determine type, destination, and origin of data contained in the computer data transmissions in order to classify the data according to one or more categories;
  
  modifying an alert variable based on the computer data transmissions originating from one or more suspect computer nodes comprising workstations;
  
  triggering a first response when said alert variable reaches a first predetermined threshold level; and
  
  triggering a second response when said alert variable reaches a second predetermined threshold level.
- View Dependent Claims (33, 35, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 33. The article of manufacture as claimed in claim 32 further including the step of triggering additional responses when said alert variable reaches one or more additional threshold levels.
  - 35. The article of manufacture as claimed in claim 32 wherein said passive scan includes the step of recording the computer data transmissions in a log file.
  - 39. The article of manufacture as claimed in claim 32 wherein one of said triggered responses includes said computer network node requiring increased authentication from any other computer node before providing access to its resources.
  - 40. The article of manufacture as claimed in claim 39 wherein said increased authentication includes the step of forcing two or more logins before providing access to its resources.
  - 41. The article of manufacture as claimed in claim 32 wherein one of said triggered responses includes the step of blocking incoming computer data transmissions.
  - 42. The article of manufacture as claimed in claim 32 wherein said alert variable responds differently over time to particular types of computer data transmissions.
  - 43. The article of manufacture as claimed in claim 42 wherein said alert variable continuously increases in response to the continuous receipt of a particular type of computer data transmission until the alert variable reaches a predetermined value.
  - 44. The article of manufacture as claimed in claim 43 wherein said particular type of computer data transmission originating from said suspect computer node is an invalid login attempt.
  - 45. The article of manufacture as claimed in claim 42 wherein said alert variable initially increases in response to the continuous receipt of a particular type of computer data transmission and subsequently decreases in response to the continued receipt of said particular type of computer data transmission.
  - 46. The article of manufacture as claimed in claim 45 wherein said particular type of computer data transmission originating from said suspect computer node is a computer data transmission which retrieves information about said computer network node.
  - 47. The article of manufacture as claimed in claim 32 wherein said computer data transmissions are analyzed by said computer network node on a network packet level.
  - 48. The article of manufacture as claimed in claim 47 wherein said computer data transmissions are filtered by said computer network node on a network packet level.

34. The article of manufacture as claimed in claim 34 wherein one of said triggered responses includes a passive scan of one or more of said suspect computer nodes.

36. The article of manufacture as claimed in claim 36 wherein one of said triggered responses includes an active scan of one or more of said suspect computer nodes.
- View Dependent Claims (37, 38)
- - 37. The article of manufacture as claimed in claim 36 wherein said active scan includes the step of retrieving information about one or more of said suspect computer nodes including the network address of said suspect computer nodes.
  - 38. The article of manufacture as claimed in claim 36 wherein said active scan includes the step of determining the network route taken by data originating from one or more of said suspect computer nodes.

49. An article of manufacture including a sequence of instructions stored on a computer-readable media which when executed by a computer network node cause the computer network node to perform the acts of:
- with the sequence of instructions, analyzing computer data transmissions comprising non-voice based data to determine type and origin of data contained in the computer data transmissions in order to classify the data according to one or more categories;
  
  modifying a first suspect-specific alert variable based on the computer data transmissions originating from a first suspect computer node comprising a workstation;
  
  modifying a second suspect-specific alert variable based on the computer data transmissions originating from a second suspect computer node comprising a workstation; and
  
  triggering a suspect-specific response when either of said suspect-specific alert variables reach a predetermined threshold level.
- View Dependent Claims (50, 51, 52, 53, 54, 55, 56)
- - 50. The article of manufacture as claimed in claim 49 including the act of triggering additional suspect-specific responses when either of said suspect-specific alert variables reaches additional predetermined threshold values.
  - 51. The article of manufacture as claimed in claim 49 including the act of modifying an overall alert variable based on said computer data transmissions originating from each of said suspect computer nodes.
  - 52. The article of manufacture as claimed in claim 51 including the act of triggering a response towards each one of said plurality of suspect computer nodes when said overall alert variable reaches a predetermined threshold value.
  - 53. The article of manufacture as claimed in claim 51 wherein said overall alert variable is more responsive to new types of computer data transmissions than to computer data transmissions previously received at said computer network node.
  - 54. The article of manufacture as claimed in claim 53 including the act of initially increasing said overall alert variable in response to the computer data transmissions originating from a particular suspect computer node and subsequently decreasing said overall alert variable upon continued receipt of said computer data transmissions from said particular suspect computer node.
  - 55. The article of manufacture as claimed in claim 49 including the act of communicating each of said suspect-specific alert variables to a network database residing on a computer server node.
  - 56. The article of manufacture as claimed in claim 51 including the act of communicating said overall alert variable to a network database residing on a computer server node.

57. An article of manufacture including a sequence of instructions stored on a computer-readable media which when executed by a computer network server node cause the computer network server node to perform the acts of:
- storing a plurality of suspect-specific alert variables for a plurality of computer network nodes comprising workstations;
  
  modifying a network alert variable based on the value of each of said plurality of suspect-specific alert variables; and
  
  triggering a network response when said network alert variable reaches a predetermined threshold level, wherein the network response comprises notifying each of the plurality of computer network nodes that they should each increase their suspect-specific alert variable towards a particular suspect computer node and initiating an active scan of the particular suspect computer node.
- View Dependent Claims (58, 59)
- - 58. The article of manufacture as claimed in claim 57, wherein said network response includes the act of said computer network server node initiating a passive scan of the particular suspect computer node.
  - 59. The article of manufacture as claimed in claim 57, wherein said network response includes the act of blocking all communication between said suspect computer node and said plurality of computer network nodes.

60. A method comprising:
- with a sequence of instructions in software, analyzing a first event from a suspect computer node comprising a workstation to determine type, destination, and origin of data contained in the event without using pattern alarms;
  
  recording said first event in a first data structure having an event count value;
  
  with the sequence of instructions in software, analyzing a second event from said computer suspect node to determine type, destination, and origin of data contained in the event without using pattern alarms, said second event being of a same type as said first event; and
  
  recording said second event in said first data structure and incrementing said count value if said second event occurs within a predetermined window of time after said first event.
- View Dependent Claims (61, 62, 63, 64, 65, 66, 67, 68)
- - 61. The method as claimed in claim 60 further comprising recording said second event in a second data structure having a count value if said second event occurs outside of said predetermined window of time after said first event.
  - 62. The method as claimed in claim 61 wherein said predetermined window of time is increased responsive to said second event occurring outside of said predetermined window of time.
  - 63. The method as claimed in claim 60 wherein said predetermined window of time is modified based on said first or second event type.
  - 64. The method as claimed in claim 63 wherein said window of time is increased for more serious event types and decreased for less serious event types
  - 65. The method as claimed in claim 64 wherein said event type is an invalid login.
  - 66. The method as claimed in claim 64 wherein said event type is a ping.
  - 67. The method as claimed in claim 60 further comprising generating a report of all new events which occur over a predetermined time period.
  - 68. The method as claimed in claim 67 wherein an event is identified as a new event by:
    - determining whether said event is included in a single data structure with one or more pervious events received in a time period preceding said predetermined time period;
      
      searching all data structures generated during said time period preceding said predetermined time period if said event is not included in said single data structure with one or more previous events; and
      
      including said event in said report if said event is not identified in any data structures generated during said time period preceding said predetermined time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Industry Network Company Limited
Inventors
Graham, Robert

Granted Patent

US 7,934,254 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/08   for authentication of entit...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Method and Apparatus for Providing Network and Computer System Security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

68 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus for Providing Network and Computer System Security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

68 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links