Integrated network intrusion detection
Abstract
Intrusion preludes may be detected (including detection using fabricated responses to blocked network requests), and particular sources of network communications may be singled out for greater scrutiny, by performing intrusion analysis on packets blocked by a firewall. An integrated intrusion detection system uses an end-node firewall that is dynamically controlled using invoked-application information and a network policy. The system may use various alert levels to trigger heightened monitoring states, alerts sent to a security operation center, and/or logging of network activity for later forensic analysis. The system may monitor network traffic to block traffic that violates the network policy, monitor blocked traffic to detect an intrusion prelude, and monitor traffic from a potential intruder when an intrusion prelude is detected. The system also may track behavior of applications using the network policy to identify abnormal application behavior, and monitor traffic from an abnormally behaving application to identify an intrusion.
22 Claims
1. (canceled)

2. A machine-implemented method comprising:

receiving requests for network communication services from an invoked application;
selectively designating each of the received requests as authorized or unauthorized based on a network policy; and
monitoring network communications, for the invoked application, based on the designating of the requests.

(Dependent claims 3, 4, 5, 6, 7 and 8 depend from claim 2.)

9. A machine-readable medium embodying machine instructions for causing one or more machines to perform operations comprising:

receiving requests for network communication services from an invoked application;
selectively designating each of the received requests as authorized or unauthorized based on a network policy; and
monitoring network communications, for the invoked application, based on the designating of the requests.

(Dependent claims 10, 11, 12, 13, 14 and 15 depend from claim 9.)

16. A system comprising:

a processor;
a communication interface coupled with the processor; and
a machine-readable medium operatively coupled with the processor and embodying machine instructions for causing the processor to perform operations comprising:
receiving requests for network communication services from an invoked application;
selectively designating each of the received requests as authorized or unauthorized based on a network policy; and
monitoring network communications, for the invoked application, based on the designating of the requests.

(Dependent claims 17, 18, 19, 20, 21 and 22 depend from claim 16.)
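The following is an added illustration of the behaviour the abstract and the independent claims describe, written for this page and not taken from the patent or any product implementing it. It models an end-node firewall that designates each request from an invoked application as authorized or unauthorized against a per-application network policy (claim 2), performs intrusion analysis on the inbound packets it blocks to detect an intrusion prelude (here a sweep of several closed ports from one source), tracks application behaviour to flag an application that is repeatedly denied, and maps those findings onto alert levels that trigger heightened monitoring, logging and a SOC notification. The policy, the thresholds (`PRELUDE_PORTS`, `ABNORMAL_RATIO`), the alert-level scale and the sample events are all constructed assumptions; the patent specifies none of these values.

```python
"""Toy end-node firewall with integrated intrusion analysis (added example).

Constructed model of: (1) designating application requests against a network
policy, (2) analysing blocked inbound traffic for an intrusion prelude,
(3) tracking abnormal application behaviour, (4) alert levels that drive
heightened monitoring and SOC notification. All values are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

NORMAL, HEIGHTENED, ALERT = 0, 1, 2  # assumed alert-level scale

# Assumed network policy: application -> (protocol, destination port) pairs it may use.
POLICY = {
    "browser": {("tcp", 80), ("tcp", 443)},
    "mailer": {("tcp", 587), ("tcp", 993)},
}
# Assumed inbound rule: locally listening ports outside hosts may reach.
INBOUND_ALLOWED = {("tcp", 443)}
PRELUDE_PORTS = 3     # distinct blocked ports from one source => prelude (assumed)
ABNORMAL_RATIO = 0.5  # denied/total requests per application => abnormal (assumed)


@dataclass
class Firewall:
    alert_level: int = NORMAL
    watched_sources: set = field(default_factory=set)   # heightened monitoring
    watched_apps: set = field(default_factory=set)
    soc_alerts: list = field(default_factory=list)      # sent to the SOC
    log: list = field(default_factory=list)             # kept for forensics
    _blocked_ports: dict = field(default_factory=lambda: defaultdict(set))
    _app_stats: dict = field(default_factory=lambda: defaultdict(lambda: [0, 0]))

    def _escalate(self, level, reason):
        """Raise the alert level (never lower it) and record why."""
        if level > self.alert_level:
            self.alert_level = level
        if level == ALERT:
            self.soc_alerts.append(reason)
        self.log.append((level, reason))

    def app_request(self, app, proto, port):
        """Claim 2: designate a request from an invoked application via the policy."""
        allowed = (proto, port) in POLICY.get(app, set())
        total_denied = self._app_stats[app]
        total_denied[0] += 1
        if not allowed:
            total_denied[1] += 1
        # Track application behaviour: mostly denied requests => abnormal app.
        total, denied = total_denied
        if total >= 2 and denied / total >= ABNORMAL_RATIO:
            self.watched_apps.add(app)
            self._escalate(HEIGHTENED, f"abnormal application behaviour: {app}")
        return "authorized" if allowed else "unauthorized"

    def inbound_packet(self, src, proto, port):
        """Block inbound traffic violating policy and analyse what was blocked."""
        if (proto, port) in INBOUND_ALLOWED:
            return "accepted"
        # Intrusion analysis on blocked packets: distinct closed ports per source.
        ports = self._blocked_ports[src]
        ports.add(port)
        if src in self.watched_sources:
            # Heightened monitoring: record every further packet from the source.
            self.log.append((HEIGHTENED, f"monitored packet {src} -> {proto}/{port}"))
        elif len(ports) >= PRELUDE_PORTS:
            self.watched_sources.add(src)
            self._escalate(ALERT, f"intrusion prelude (port sweep) from {src}")
        return "blocked"


def run_sample():
    """Replay constructed events; return the firewall and per-request decisions."""
    fw = Firewall()
    decisions = {
        "browser_443": fw.app_request("browser", "tcp", 443),
        "mailer_25": fw.app_request("mailer", "tcp", 25),      # not in policy
        "mailer_4444": fw.app_request("mailer", "tcp", 4444),  # not in policy
    }
    for port in (22, 23, 3389, 445):  # constructed sweep from one outside host
        fw.inbound_packet("198.51.100.7", "tcp", port)
    fw.inbound_packet("203.0.113.9", "tcp", 443)  # ordinary allowed inbound
    return fw, decisions


if __name__ == "__main__":
    firewall, results = run_sample()
    print(results, firewall.alert_level, firewall.soc_alerts, sep="\n")
```

The split between `app_request` and `inbound_packet` mirrors the two monitoring paths in the abstract: outbound requests are judged per application, while inbound traffic that the policy already blocks is not simply dropped but fed to the prelude detector, so a source probing several closed ports is promoted to heightened monitoring before it reaches anything that is open.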
Specification