Alert transmission apparatus and method for policy-based intrusion detection and response
First Claim
1. An alert transmission apparatus for a policy-based intrusion detection and response, comprising a central policy server (CPS) and an intrusion detection and response system (IDRS), wherein the CPS includes:
a policy management tool for generating security policy information and storing the generated security policy information in a policy repository;
a COPS-IDR server for sending the security policy information provided from the policy management tool to the IDRS through a COPS-IDR protocol and providing an IDMEF-XML-type alert transmission message having an IDMEF-XML-type alert message provided from the IDRS to a high-level module; and
an IDMEF-XML message parsing and translation module for parsing and translating the IDMEF-XML-type alert transmission message provided from the COPS-IDR server, and then storing the IDMEF-XML-type alert transmission message parsed and translated at an alert DB or providing the IDMEF-XML-type alert transmission message parsed and translated to an alert viewer corresponding to the high-level module, and wherein the IDRS includes:
a COPS-IDR client for receiving the security policy information from the COPS-IDR server through the COPS-IDR protocol and providing the IDMEF-XML-type alert transmission message to the CPS through the COPS-IDR protocol, with the IDMEF-XML-type alert message being encapsulated into an alert object to generate the IDMEF-XML-type alert transmission message;
an intrusion detection module for detecting an intrusion in case a hacker intrudes while the security policy information provided from the COPS-IDR client is being executed and generating a raw alert transmission message;
an intrusion response module for responding to the intrusion in case the raw alert transmission message is transmitted thereto from the intrusion response module; and
an IDMEF-XML message building module for generating the IDMEF-XML-type alert message by formatting the raw alert transmission message and providing the generated IDMEF-XML-type alert message to the COPS-IDR client;
wherein an object of the COPS-IDR protocol includes a S-Num field for identifying the object, a S-Type field for distinguishing encoding methods and an object contents field having a variable length.
Abstract
An alert transmission apparatus for a policy-based intrusion detection and response has a central policy server (CPS) and an intrusion detection and response system (IDRS). In the CPS, a policy management tool generates security policy information and then stores the generated security policy information in a policy repository. A COPS-IDR server sends the information to the IDRS and an IDMEF-XML-type alert transmission message to a high-level module. An IDMEF-XML message parsing and translation module stores a parsed and translated IDMEF-XML-type alert transmission message in an alert DB or provides the message to an alert viewer. In the IDRS, a COPS-IDR client generates the IDMEF-XML-type alert transmission message and provides the message to the CPS. An intrusion detection module detects an intrusion. An intrusion response module responds to the intrusion. An IDMEF-XML message building module generates an IDMEF-XML alert message and provides the message to the COPS-IDR client.
10 Claims
1. Claim 1 is set forth above under First Claim. Dependent claims: 2, 3, 4, 5, 6.
7. An alert transmission method for providing policy-based intrusion detection and response within a system having a central policy server (CPS) and an intrusion detection and response system (IDRS), comprising the steps of:
(a) generating security policy information in a policy management tool in the CPS, and then storing the generated security policy information at a policy repository and providing the generated security information to a COPS-IDR server in the CPS at the same time;
(b) providing the security policy information, which is supplied from the COPS-IDR server, to a COPS-IDR client in the IDRS through a COPS-IDR protocol;
(c) providing the security policy information provided from the COPS-IDR client through the COPS-IDR protocol to an intrusion response module and an intrusion detection module in the IDRS;
(d) detecting an intrusion by the intrusion detection module, in case the intrusion occurs by a hacker while the security policy information is being executed, and then generating a raw alert transmission message at the intrusion detection module and providing the generated raw alert transmission message to an IDMEF-XML message building module in the IDRS;
(e) generating an IDMEF-XML-type alert message at the IDMEF-XML message building module by formatting the raw alert transmission message and then providing the IDMEF-XML-type alert message to the COPS-IDR client;
(f) generating an IDMEF-XML-type alert transmission message by encapsulating the IDMEF-XML-type alert message into an alert object at the COPS-IDR client and then providing the generated IDMEF-XML-type alert transmission message to the COPS-IDR server through the COPS-IDR protocol;
(g) checking whether or not the IDMEF-XML-type alert transmission message transmitted to the COPS-IDR server includes the IDMEF-XML-type alert message and then providing the IDMEF-XML-type alert transmission message, in case the IDMEF-XML-type alert message is included in the IDMEF-XML-type alert transmission message, to an IDMEF-XML message parsing and translation module in the CPS; and
(h) parsing and translating the IDMEF-XML-type alert transmission message and then storing the IDMEF-XML-type alert transmission message at an alert DB in the CPS or providing the IDMEF-XML-type alert transmission message to an alert viewer corresponding to a high-level module to thereby output the IDMEF-XML-type alert transmission message;
wherein the COPS-IDR protocol at the steps (b) and (f) has a format including:
a S-Num field for distinguishing objects, in case the S-Num is embodied by 8 bits, values thereof “1”, “2” and “3” indicating a provisioning instance identifier (PRID) object, an encoded provision instance data (EPD) object and the alert object, respectively;
a S-Type field for distinguishing encoding methods, in case the S-Type is embodied by 8 bits, values thereof “1” and “2” representing a basic encoding rules (BER) encoding and an extensible markup language (XML) encoding, respectively; and
an object contents field for conveying the IDMEF-XML-type alert transmission message by including it therein.
Dependent claims: 8, 9, 10.
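As an added illustration, not code from the patent, the following Python builds and parses COPS-IDR objects with the S-Num/S-Type values of claim 7 and performs the server-side check of step (g) and the translation of step (h). The 16-bit length prefix on each object (borrowed from the RFC 2748 COPS object header), the IDMEF namespace from RFC 4765, and the sample alert are assumptions, since the claim fixes only the S-Num, S-Type and contents fields.

```python
import struct
import xml.etree.ElementTree as ET
# Claim 7 values: S-Num 1 = PRID, 2 = EPD, 3 = alert object; S-Type 1 = BER, 2 = XML
S_NUM_PRID, S_NUM_EPD, S_NUM_ALERT = 1, 2, 3
S_TYPE_BER, S_TYPE_XML = 1, 2
IDMEF_NS = "{http://iana.org/idmef}"  # IDMEF (RFC 4765) XML namespace

def build_object(s_num, s_type, contents):
    # Assumed framing (mirrors RFC 2748 COPS objects): 16-bit length of the
    # whole object, 8-bit S-Num, 8-bit S-Type, then variable-length contents.
    return struct.pack("!HBB", 4 + len(contents), s_num, s_type) + contents

def parse_objects(msg):
    # Split a transmission message into (s_num, s_type, contents) tuples,
    # refusing truncated or inconsistent lengths instead of over-reading.
    objs, off = [], 0
    while off < len(msg):
        if len(msg) - off < 4:
            raise ValueError("truncated object header")
        length, s_num, s_type = struct.unpack_from("!HBB", msg, off)
        if length < 4 or off + length > len(msg):
            raise ValueError("object length exceeds message")
        objs.append((s_num, s_type, msg[off + 4:off + length]))
        off += length
    return objs

def extract_idmef_alert(msg):
    # Step (g): pass the message on only if it carries an XML-encoded alert
    # object whose contents is an IDMEF-Message holding an Alert; else None.
    for s_num, s_type, contents in parse_objects(msg):
        if s_num != S_NUM_ALERT or s_type != S_TYPE_XML:
            continue  # PRID/EPD policy objects and BER payloads are not alerts
        try:  # expat fetches no external entities; defusedxml adds stricter limits
            root = ET.fromstring(contents)
        except ET.ParseError:
            return None
        if root.tag != IDMEF_NS + "IDMEF-Message":
            return None
        return root.find(IDMEF_NS + "Alert")
    return None

def summarize_alert(alert):  # step (h)-style translation for an alert viewer or alert DB row
    analyzer, cls = alert.find(IDMEF_NS + "Analyzer"), alert.find(IDMEF_NS + "Classification")
    return {"messageid": alert.get("messageid"),
            "analyzerid": None if analyzer is None else analyzer.get("analyzerid"),
            "classification": None if cls is None else cls.get("text")}

SAMPLE_IDMEF = (  # constructed sample alert, not taken from the patent
    b'<IDMEF-Message version="1.0" xmlns="http://iana.org/idmef">'
    b'<Alert messageid="abc123"><Analyzer analyzerid="idrs-01"/>'
    b'<Classification text="port scan"/></Alert></IDMEF-Message>')
SAMPLE_MESSAGE = build_object(S_NUM_ALERT, S_TYPE_XML, SAMPLE_IDMEF)
```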