Decoy network technology with automatic signature generation for intrusion detection and intrusion prevention systems
First Claim
1. A method for protecting a computer network with automatic signature generation for intrusion prevention systems, comprising:
- providing a network connection on a computer network to a computer system that includes an operating system hosted on a monitoring module that includes a kernel driver coupled with said operating system and hidden from an attacker by preventing the kernel driver from registering with said operating system;
monitoring a network attack on said computer network using the monitoring module, wherein said network attack comprises attack-identifying information that is based on activities on said operating system;
processing said attack-identifying information using a processing module connected to said computer system through a second network connection to identify said network attack and generate an attack signature using the attack-identifying information that is based on activities on said operating system; and
applying said attack signature generated using the attack-identifying information that is based on activities on said operating system to a library of signatures contained in an intrusion prevention system to control access to said computer network.
Abstract
Improved methods and systems for decoy networks with automatic signature generation for intrusion detection and intrusion prevention systems. A modular decoy network comprises one or more front-end monitor/intercept modules and a processing back-end that is separate from the protected network. The front-end presents a standard, fully functional operating system that acts as a decoy, so that the instigator of an attack is led to believe a connection has been made to the protected network. The front-end includes a hidden sentinel kernel driver that monitors connections to the system and captures attack-identifying information. The captured information is sent to the processing module for report generation, data analysis and generation of an attack signature. The generated attack signature can then be applied to the library of signatures of the intrusion detection system or intrusion prevention system of the protected network to defend against network-based attacks, including zero-day attacks.
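The abstract describes the pipeline but not how the back-end turns captured decoy data into a signature. The following is an added illustration, not code from the patent: it models decoy events as (payload, observed OS activity) records, treats only sessions that caused OS activity as attacks, derives the longest byte pattern common to them, rejects patterns that also occur in known-benign traffic, and applies the result to a stand-in signature library. The `DecoyEvent` fields, the sample payloads and the longest-common-substring method are all assumptions.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class DecoyEvent:
    """Record sent from the decoy front-end to the processing back-end (hypothetical)."""
    payload: bytes          # bytes received on the attacker's connection to the decoy
    os_activity: List[str]  # what the decoy OS did as a result, e.g. a spawned process

@dataclass
class SignatureLibrary:
    """Stand-in for the IPS signature library the generated signature is applied to."""
    patterns: List[bytes] = field(default_factory=list)
    def add(self, pattern: bytes) -> None:
        if pattern and pattern not in self.patterns:
            self.patterns.append(pattern)
    def match(self, data: bytes) -> bool:
        return any(p in data for p in self.patterns)

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    # O(len(a)*len(b)) dynamic programme; adequate for captured payloads.
    best_len, best_end, prev = 0, 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def generate_signature(events, benign, min_len=8) -> bytes:
    # Only sessions whose traffic caused activity on the decoy OS count as attacks.
    attack = [e.payload for e in events if e.os_activity]
    if len(attack) < 2:
        return b""  # one sample cannot separate the attack pattern from noise
    sig = attack[0]
    for p in attack[1:]:
        sig = longest_common_substring(sig, p)
    # Drop short patterns and anything present in known-benign traffic (false-positive check).
    return b"" if len(sig) < min_len or any(sig in b for b in benign) else sig

# Constructed sample data: two sessions that triggered OS activity, one that did not.
EVENTS = [DecoyEvent(b"HELLO srv\nRUN <constructed-attack-marker> alpha", ["spawned shell process"]),
          DecoyEvent(b"HELO srv\nRUN <constructed-attack-marker> beta", ["wrote /tmp/x"]),
          DecoyEvent(b"HELLO srv\nLIST", [])]
BENIGN = [b"HELLO srv\nLIST", b"HELLO srv\nRUN status"]
```

A real deployment would need the decoy to export far richer context than one payload per session, but the benign-traffic check is the step that keeps an automatically generated signature from blocking legitimate connections.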
20 Claims
1. A method for protecting a computer network with automatic signature generation for intrusion prevention systems (independent claim, reproduced in full above; dependent claims 2 to 8).
9. A system for protecting a computer network with automatic signature generation for intrusion prevention systems, comprising:
- a computer hardware system hosted on a computer network, wherein said computer system includes an operating system hosted on a monitoring module;
- a kernel driver coupled with said operating system and hidden from an attacker by preventing the kernel driver from registering with said operating system, wherein the monitoring module including said kernel driver is configured to monitor a network attack on said computer network, and said network attack comprises attack-identifying information that is based on activities on said operating system;
- a processing module comprising a processor, wherein said processing module is connected to said computer system through a second network connection, and said processing module is configured to identify said network attack and generate an attack signature from said attack-identifying information that is based on activities on said operating system; and
- said processing module further configured to apply said attack signature generated from said attack-identifying information that is based on activities on said operating system to a library of signatures contained in an intrusion prevention system to control access to said computer network.
Dependent claims: 10 to 13.
14. A system for protecting a computer network having a library of signatures comprising:
- means for providing a network connection on a computer network to a computer system that includes an operating system hosted on a monitoring module that includes a kernel driver coupled with said functional operating system and hidden from an attacker by preventing the kernel driver from registering with said operating system;
- means for monitoring a network attack on said computer network using the monitoring module, wherein said network attack comprises attack-identifying information that is based on activities on said operating system;
- means for processing said attack-identifying information using a processing module connected to said computer system through a second network connection to identify said network attack and generate an attack signature using the attack-identifying information that is based on activities on said operating system; and
- means for applying said attack signature generated using the attack-identifying information that is based on activities on said operating system to a library of signatures contained in an intrusion prevention system to control access to said computer network.
Dependent claims: 15 to 20.