US20100100961A1 - Intrusion detection system - Google Patents

Intrusion detection system Download PDF

Info

Publication number
US20100100961A1
US20100100961A1 US12/577,574 US57757409A US2010100961A1 US 20100100961 A1 US20100100961 A1 US 20100100961A1 US 57757409 A US57757409 A US 57757409A US 2010100961 A1 US2010100961 A1 US 2010100961A1
Authority
US
United States
Prior art keywords
attack
characteristic
network
attacks
alert
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US12/577,574
Inventor
Michael Scheidell
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to US12/577,574 priority Critical patent/US20100100961A1/en
Publication of US20100100961A1 publication Critical patent/US20100100961A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/06Generation of reports
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/16Threshold monitoring
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • the present invention relates to computer networks. More particularly, the present invention relates to network security systems for detecting and protecting against security breaches.
  • a significant problem in the field of computer networks has been the inability to adequately protect private Internet-connected computer networks from security attacks. This problem commonly arises, for example when a company interconnects its internal network (typically a local area network) with the Internet to allow company employees to more easily communicate with outside entities.
  • the benefits of connecting the internal network to the Internet are often significant, including, for example, enabling the company to inexpensively disseminate product information and provide online customer support to potential and existing customers.
  • firewall is a computer system that restricts the flow of traffic between two networks based on a pre-programmed access control policy.
  • a common misconception is that a firewall will secure the computer facilities and additional steps don't need to be taken.
  • a firewall is just one component of an effective security model. Additional components or layers should be added to provide an effective security model within an organization.
  • a security model that protects an organization includes the following layers:
  • IDS Intrusion detection systems
  • Every layer provides some protection from intrusion, and the defeat of one layer may not lead to the compromise of your whole organization.
  • Each layer has some inter-dependence on other layers.
  • the Intrusion Detection Systems (IDS) and the incident response plan have some interdependencies. Although they can be implemented independently, it's preferable when they're implemented together. Having an IDS that can alert unauthorized attempts on a system dovetails well with an incident response plan that deals with problems.
  • IDS Intrusion Detection Systems
  • Intrusion detection follows a simple premise: every network resource and user develops and displays a pattern of normal usage—one that is specific and possibly unique to that item. Though anomalies in network usage sometimes appear, they should be explainable. Anything that cannot be readily explained should be considered a probable attack and investigated. Intrusion detection systems automate much of this process.
  • a typical IDS consists of several components:
  • An algorithm construction component defines rules by which network users should be operating
  • a log-generating application records network usage (other products provide this, but we'll talk about the specific IDS application in a moment)
  • An automated tool reviews, catalogs, and searches logs
  • the interface allows an administrator to integrate and manage the IDS components
  • the IDS model is relatively simple. Using the built-in configuration interface, a network administrator sets rules for network users with the algorithm construction component. These rules would vary according to the role of each account holder: general user versus system administrator or functional analyst versus senior manager. Rules can be based on a variety of theories:
  • Threshold Barriers a specific event, such as a failed login, happens several times. Or the threshold could be based on something finite, such as bandwidth, which may be eaten up quickly during a denial-of-service attack.
  • Profiling user activity or network use is recorded and analyzed statistically to create a baseline usage profile. When the actual usage profile deviates from the baseline, the deviation should be investigated.
  • Known Attack Signatures data packets or network activities are screened to look for things like invalid TCP headers, sudden mass emails from multiple users, or TCP scans on servers.
  • IDS applications often provide specific automated responses for rule infractions: flags and warnings for system administrators, automatic user privilege suspensions, automatic email or pager notifications, or a simple but specific notation in a log.
  • the IDS will begin logging network usage and initiate action as defined in the rules. It will also generate log summaries and reports based on input from the automated log review tool. These reports are instrumental in creating a more accurate picture of network usage, which will allow for more appropriate rule creation, an increased ability to plan for future network usage, and a refined ability to predict and counter network attacks.
  • signatures are developed in response to new vulnerabilities or exploits which have been posted or released. Integral to the success of a signature, it must be unique enough to only alert on malicious traffic and rarely on valid network traffic. However, exploit code can often be easily changed. It is not uncommon for an exploit tool to be released and then have its defaults changed shortly thereafter by the hacker community.
  • False positives a common complaint is the amount of false positives an IDS will generate. Developing unique signatures is a difficult task and often times the vendors will err on the side of alerting too often rather than not enough. This is analogous to the story of the boy who cried wolf. It is much more difficult to pick out a valid intrusion attempt if a signature also alerts regularly on valid network activity. A difficult problem that arises from this is how much can be filtered out without potentially missing an attack.
  • False negatives detecting attacks for which there are no known signatures. This leads to the other concept of false negatives where an IDS does not generate an alert when an intrusion is actually taking place. Simply put if a signature has not been written for a particular exploit there is an extremely good chance that the IDS will not detect it.
  • Data overload another aspect which does not relate directly to misuse detection but is extremely important is how much data can an analyst effectively and efficiently analyze. That being said the amount of data he/she needs to look at seems to be growing rapidly. Depending on the intrusion detection tools employed by a company and its size there is the possibility for logs to reach millions of records per day.
  • System Resources implementing an IDS will require significant dedicated resources. Consider the gigabytes of system data that can be logged and the processing power required to generate logs, compare all network usage to programmed rules, and respond to anomalous network activity.
  • Managed care services provide a security audit for the client, facilitate security enhancements to the clients network and install equipment allowing for the remote provision of IDS services.
  • Managed security services need to maintain a critical staff of expertise dedicated to following up on IDS alerts. For example, a typical security system can log over 100,000 attacks per day resulting in 1000 alerts per day requiring analysis.
  • Tier One analysis staff requires approximately 6 trained employees. The process of analysis is tedious and subject to human error.
  • the Tier One alerts are filtered to approximately 40 Tier Two alerts which analyzed at a rate of approximately 3.5 alerts per hour requiring by a staff of two Tier Two analysis personnel.
  • the Tier Two staff send the client up to two alerts per day which may be legitimate threats requiring a response by an IT professional in accordance with the client's incident response plan. It is desirable to reduce the number of Tier One employees needed to maintain managed security services. This not only removes the human error component of the Tier One filtering, but also reduces the cost of the service. It is consequently desirable to reduce the number of false positives, false negatives, personnel resources and system resources needed to implement an IDS.
  • a general attack on a client may be the result of a worm residing in multiple source hosts generally attacking multiple target networks on the Internet. Such attacks are typically defended against by a well maintained network security system.
  • a specific attack may be a hacker or other organization targeting a single specific client.
  • a general attack may require a first type of response while a specific attack may indicate that a more urgent response is appropriate.
  • what is needed is a way to determine if a client is experiencing an attack that is general in nature or if it is a specific targeted attack.
  • One embodiment of the present invention provides a computer network intrusion detection system that includes an intrusion alert generator for detecting external attacks upon a computer network, an analyzer coupled to said intrusion alert generator for analyzing each detected attack and determining a characteristic indicative of each attack, and an adaptive filter coupled to said analyzer for generating an alert based upon characteristics of a plurality of attacks.
  • Another embodiment of the present invention provides a method of generating a network intrusion alert for a first network coupled to a multiple client network system.
  • the method includes the steps of determining a characteristic of an attack upon the first network, determining if the characteristic matches a characteristic of an attack upon a second client coupled to the multiple client network system, and generating a first alert in response to an absence of the match.
  • a further embodiment of the present invention provides a method of preempting an intrusion.
  • the method includes the steps of determining characteristics of an attack upon a first host, and testing a second host for susceptibility to an attack of the determined characteristics.
  • FIG. 1 shows a system block diagram of a network system incorporating the invention.
  • FIG. 2 shows a process of generation of first, second and third categories of alerts.
  • FIG. 3 shows a process flow chart for implementing a Tier One filter.
  • FIG. 4 shows a process flow operating in an Edge Manager process of a Managed Security Service provider.
  • FIG. 5 shows a process flow diagram of a process for performing a preemptory vulnerability test in response to a new attacking process found on the edge network.
  • FIG. 1 shows a system block diagram of a network system incorporating the present invention.
  • the Internet 100 is an example of a multiple client network, other multiple client networks known to those familiar with the art are also anticipated.
  • the clients or hosts are illustrated as individual personal computers 110 , but a client could be any device or set of devices coupled to the Internet including private networks, internal networks, local area networks or wide area networks.
  • Clients and their corresponding networks are subject to various attacks from other sources coupled to the Internet, since a multitude of clients coupled to the Intranet have no security or substantial security holes.
  • Such clients are typically home personal computer systems coupled to the Internet via DSL or cable modems. These clients are ripe for harboring processes which attack other more protected clients.
  • Such processes include worms, Trojan horses, viruses and scripts or other attacking or intruding processes released by hackers or other organizations.
  • Clients infected with attacking processes form a platform for launching attacks against other clients.
  • Protected clients may have various levels of protection against such attacks including the aforementioned firewalls and intrusion detection systems.
  • Each client or sensor 122 in the edge detection network includes a firewall 125 and a log analyzer 126 for analyzing attacks upon the firewall 125 .
  • the attacks are communicated to and maintained in an edge database log 130 .
  • Edge networks are known to those familiar with the art and include the edge network. A network of this type having fourteen thousand clients can log over five million events per day. This is useful in detecting the progress of worms or other attacking process released upon clients coupled to the Intranet.
  • the edge network database is to report attacks to the responsible party and their Internet service provider in order that corrective action may be taken at the source or the ISP of the source.
  • Clients of a managed security service may be included as members of the edge network or supplement information provided by the edge network.
  • the client network 140 may include a mail server, a router or switch or combinations thereof for coupling various host and server devices.
  • the client network is coupled to the Internet by a firewall 145 .
  • the firewall blocks unauthorized access between the client network 140 and the Internet 100 .
  • the client network also has an IT manager 150 which implements and maintains the client network along with various Internet access policies and responds to various attacks or intrusions.
  • a managed security service 160 such, as the service provided by SECNAP Network Security, LLC, is shown supporting the client network 140 .
  • the managed security service typically provides intrusion detection services to a number of client networks (not shown).
  • the managed security service 160 provides a firewall monitor 170 , or HackerTrap T, which monitors traffic between the firewall 145 and the Internet 100 and the firewall 145 and the client network 140 .
  • the hackerTrap includes a traffic analyzer 172 known to those familiar with the art, such as the process called “SNORT” (see snort.org for details).
  • firewall 145 protecting a client network 140 may log 100,000 events per day. The events are generated in response to the signatures and other rules 174 .
  • the traffic analyzer 170 will communicate 1000 alert events to the managed security service 160 .
  • the security service includes an event database 162 for tracking the events received from the HackerTrap 170 .
  • the event analyzer 164 is an automated adaptive filtering process replacing the aforementioned manual process of Tier One filtering.
  • the event analyzer 164 looks for trends in the events and generates a reduced number of alerts 165 for the Tier Two manual analysis 166 .
  • Tier Two analysis sends important alerts to the IT manager 150 of the client network 140 .
  • the firewalls 125 form second intrusion alert generators for detecting attacks on second networks which are typically separate from the client network.
  • the managed security service also includes an edge manager 168 coupled to the alert generators in the edge network 128 which performs at least two functions, determining if an attack on the client network is a general attack or a specific attack targeting the client network, and running a vulnerability test 169 upon the client network upon detection of a new attacking process.
  • the edge manager makes these determinations using information from the aforementioned edge database. For example, if the event analyzer 164 detects a new attack on the client network 140 , and if the edge manager 168 determines the attack is also being experienced by other clients on the edge network 120 , then the attack is a general attack.
  • the attack on the client network 140 is not experienced by a significant number of clients on the edge network 120 , then the attack is specific to the client network 140 and a more urgent alert may be communicated to the IT manager 150 of the client network.
  • the edge network detects a new attack not matching previous signatures, then a new attack signature is generated and the managed security system launches a vulnerability test against the client network. If the client network is vulnerable, then the IT manager can be notified of the vulnerability prior to being attacked by the new process.
  • the tier one filter is provided by the managed security service.
  • the managed security service 160 can receive a large volume of alerts from a multiplicity of HackerTraps 170 of its multiple clients and corresponding networks 140 . If a thousand alerts per day were received from the HackerTraps, the aforementioned Tier One filtering service could reduce those alerts to forty Tier Two alerts.
  • FIG. 2 and FIG. 3 illustrate an automated filtering process that performs the Tier One filtering process.
  • FIG. 2 shows a graph of the number of events occurring on a particular signature and is thus illustrative of a plurality of attacks having a common characteristic.
  • FIG. 3 shows a flowchart implementing the filtering process shown in FIG. 2 .
  • FIG. 2 shows a graph representative of four hundred events for example, occurring on the signature within a predetermined time of say seventy-two hours. With an optional Tmin filter, FIG. 2 shows the four hundred Tier One alerts result in five-Tier Two alerts (as shown at the top of the graph of FIG. 2 ).
  • FIG. 2 shows a process for generation of first, second and third category of alert signals of FIG. 1 .
  • the first alert signal indicates new activity on the signature
  • the second alert signal indicates a moderate activity rate
  • the third alert signal indicates an exceedingly high event activity rate.
  • the first alert of FIG. 2 is generated upon a first or new occurrence of the signature event or attack characteristic. Subsequent events are accumulated but not alerted until a first threshold is exceeded. A second alert signal is generated indicative of the first threshold being exceeded.
  • the accumulated alerts are subject to an aging criterion which in the example of FIG. 2 brings the accumulation again to zero.
  • an occurrence of a subsequent signature event brings the accumulation from zero to one, however since the first alert was generated in less than an amount of time equal to Tmin, a subsequent first alert is not generated. Aging returns the accumulation to zero. An occurrence of a subsequent signature event brings the accumulation to a non-zero value, and since more than a predetermined Tmin amount of time has elapsed since a prior first alert, another first alert signal is generated. Aging again brings the accumulation to zero. A rapid increase in events on the signature occurs at the end of the graph of FIG. 2 . While no first alert is generated because the predetermined time Tmin has not elapsed since the prior first alert, a second alert is generated when the first threshold is crossed.
  • a third alert is generated when the second threshold is crossed by the value in the accumulator.
  • the third alert is generated in response to an increase in rate or frequency of attacks of that characteristic exceeding a predetermined rate or frequency.
  • Other methods of determining the rate or frequency of events known to those familiar with the art are also anticipated.
  • the predetermined rate or frequency may be varied deterministically as deterministic variations of thresholds are known to those familiar with the art.
  • FIG. 3 shows a process flow chart for implementing the Tier One filter.
  • an aging timer is initialized 300 , to a value of fifteen minutes for example.
  • the process then waits for either a signature event 302 to occur or for the aging timer to time out 304 .
  • the value in the accumulator associated with the signature is decremented 306 .
  • the accumulator does not decrement below zero. If a signature event is detected 302 , then the count is incremented 308 . If the count equals one 310 , then the first alert is generated 312 unless the optional step of determining if a time less than Tmin since the generation of the last previous first alert 314 .
  • This optional step 314 limits the rate or frequency at which first alerts are generated. If the count equals the first threshold 316 , then the second alert is generated 318 unless the optional step of determining if a time less than Tmin 1 since the generation of the last previous second alert 320 . This optional step limits the rate or frequency at which second alerts are generated. If the count equals the second threshold 322 , then the third alert is generated 324 unless the optional step of determining if a time less than Tmin 2 since the generation of the last previous third alert 326 . This optional step limits the rate or frequency at which third alerts are generated.
  • the process flow of FIG. 3 shows a process incorporating multiple predetermined thresholds for alert generation with aging.
  • the process has the advantage of implementing the Tier One filter with a single accumulator per signature. This results in a flat file which has the advantage of filtering alerts while conserving memory. Memory could otherwise grow quite large considering that each host has potentially over sixty five thousand ports, each port representing a characteristic or signature of an attack, and the service manager may provide security for networks having hundreds or thousands of host computers. Furthermore, the conservation of memory facilitates rapid processing of a very large number of attacks upon the host computers, thereby advantageously conserving system resources.
  • the thresholds of FIG. 3 may be modified or tuned in accordance with the requirements of the client network.
  • the first alert may be generated in response to a different threshold greater than one.
  • the thresholds of the figure and the number of alert types may be varied in accordance with the needs of the system.
  • the Tmin, Tmin 2 and Tmin 3 processes can be eliminated to conserve memory and processing requirements. Aging is shown as decrementing the accumulator at a predetermined interval, which may be varied and in accordance with the needs of the client network.
  • the intervals and thresholds may further be dynamic and varied in response to other variables.
  • the method of aging may be varied. For example, the accumulator value could be periodically reset or divided by two, once a day for example.
  • aging may take other forms known to those familiar with the art.
  • the example shows an accumulator having an aging characteristic or a decay rate, other methods of determining the frequency or rate of an event are anticipated.
  • alerts may be generated in response to a rate of change of frequency of events.
  • FIG. 2 there are a first large number of attacks followed by a second larger number of attacks with small sporadic attacks in between.
  • a conventional system with manual Tier One review after determining the attack to be relatively benign, the system may be manually “tuned” after the first large number of attacks by turning the signature off. Thus, subsequent attacks having the signature would not be received by the Tier One group for manual review. Consequently, the second attack on the client system would be totally missed by the conventionally managed security service provider, resulting in a false negative.
  • the improved system of FIG. 2 and FIG. 3 not only facilitates the elimination of a significant number of manual Tier One reviews, but further provides for more meaningful alerts.
  • the five alerts generated in the example of FIG. 2 are analyzed by the Tier Two personnel, who may perform a detailed investigation of the attack after the initial “second alert” and may notify the IT manager in response to the initial “third alert” in order that an appropriate response may be taken.
  • the edge network adds additional intrusion detection capabilities by allowing an attack on a client network to be distinguished between a general attack on multiple clients on the network or a specific attack directed at the particular client. Furthermore, the edge network allows for the determination of new attack processes prior to an attack upon a client network in order that the vulnerability of the client network may be ascertained and preemptive measures taken.
  • FIG. 4 shows a process flow operating in the Edge Manager process of the Managed Security Service provider 160 of FIG. 1 .
  • An alert is received by the edge manager process 400 .
  • the alert is preferably generated by the process of FIG. 3 .
  • the alert is compared with alerts stored in the edge database 402 . If the characteristics are similar 404 , then the attack is determined to be a general attack and treated accordingly 406 .
  • a general attack may be generated by a worm process residing in a number of source hosts coupled to the Internet attempting to attack a number of target hosts coupled to the Internet.
  • General attacks may have one or more characteristics indicative of a general attack. These characteristics include attacks on multiple sources, multiple targets, and/or multiple ports.
  • An attack is determined to be a specific attack in the absence of characteristics indicative of a general attack 408 .
  • Client specific attacks preferably receive more urgent treatment because of the more invidious nature of the attack.
  • By comparing the characteristic of attacks upon a client network with those of the edge network it can be determined if the attack is general or specific and the priority of the alert adjusted accordingly.
  • the invention's ability to quickly and automatically identify and alert a specific attack has significant advantages in intrusion detection and corresponding responses in protecting the client network.
  • a general attack would consist of a self-propagating worm, whose payload may just be a process that propagates itself, or may be a payload that allows a hacker or group of hackers remote access to the victim computer.
  • This type of attack may be judged to be of lower priority since it is not an attack directed towards the client network, but an attack based on some linear or random scan algorithm. While this is a lower priority attack, it should still be included in alerts since a client network may be susceptible to this type of attack.
  • a client receives a web-based attack on the web server, and the IDS captures the source ip and the attack type.
  • Normal Incident response policies might require that the Tier 1 manager decide, based on that one attack, or multiple attacks against their own network if that is an attack directed toward them or a general attack. Without external correlation this determination can only be made based on a ‘guess’ that a common attack type is in fact a general attack or worm.
  • this information can be verified by comparing and correlating the source ip with other edge based sensors on the Internet. If this source ip address shows up in the edge database and has been recorded by several different target networks then a reasonable assumption can be made that this is a general *attack on the Internet.
  • Individual Incident Response procedures may allow this attack type to be given a lower priority, or the client may just relay on the automated procedures on the edge network to notify the administrator of the source network.
  • the Tier 1 technician is unable to find a correlation between the source ip and additional targets, he can make the assumption that either his ip space is at the beginning of the attack, or this attack is directed towards his network: EVEN IF THIS LOOKS LIKE A COMMON WORM, Hackers may have modified the original worm slightly and use it to map out the clients network and vulnerabilities.
  • This type of attack should be given a higher priority by the Tier 1 technicians and either additional monitoring of that source ip need to be made, or they need to take measures to block that source ip address from further network access.
  • FIG. 5 shows a process flow diagram of a process for performing a preemptory vulnerability test in response to a new attacking process found on the edge network.
  • the edge network may include clients or client networks of the Managed
  • the computer hosts on the edge network are also referred to as sensors. If a new attack process is detected by one or more edge sensors 502 , then the process determines if the clients or client networks may have a similar vulnerability 504 . This is done in two steps. First, the process tests each client's network to see if they may have a corresponding service running, either exposed to the Internet or used internally. The client point of contact is then notified of new suspicious traffic on the Internet, and given a list of his own servers to monitor. Second, monitoring is set up for these specific services to record information about the attack. If a client attack is captured, an appropriate alert is generated and a corresponding signature created and then distributed to all the client's traffic analyzers 506 .
  • a vulnerability test is developed 508 and the client is tested 510 .
  • This is preferably done by capturing the attacking process and removing any harmful payload from its header prior to exposure to the-client network.
  • This process has the advantage of determining if a client is vulnerable to a new attacking process prior to being attacked by the process 512 .
  • the attack is found by network sensors prior to an attack on the client.
  • the client's network can be tested for vulnerability to the attack.
  • the client's network can be secured prior to intrusion 514 .
  • the edge network and the managed security service provide for intrusion preemption to new attacking process released on the Internet 516 .
  • FIG. 5 shows a process flow a second intrusion alert generator of the edge detection network that detects attacks upon a second edge network wherein said adaptive filter is coupled to said second intrusion alert generator and the predetermined rate or frequency is determined in response to a frequency or rate of attacks having the new characteristic upon the second network.
  • edge sensors In an example of an SQL Snake worm, several individual edge sensors would begin to pick up an increase in traffic targeting the Microsoft SQL Service. These sensors then send this data to the edge database where the process began to monitor it. At this point, there would be just one source network generating the scans and it could be an individual hacker or a misconfigured client. Later, edge sensors would pick up additional source networks, some of which would report being scanned. These network sources then create additional scans which infect other systems which create additional scans. The process then determines that there is in fact what looks like a self propagating worm. The hackerTrap then does its own scans of the clients' network and informs each administrator of any systems that may be running SQL server and warns them that there is an unknown worm or attack targeting SQL Server.
  • the process attempts to capture a copy of the worm through increasing logging of traffic to the SQL Servers. Prior to capturing the attacking process it has been identified and a security bulletin released. Client networks are tested for this vulnerability prior to the worm reaching their network and are able to mitigate the damage done by restricting access to the server until the vendor could provide a patch or workaround. In the SQLSnake worm example, it was a matter of days before Microsoft was able to create a patch and damage to client's networks was avoided.
  • Another example is the detection of increased scanning from several different network sources to several different network targets for a remote control administrative service called ‘radmin’ from famatech (radmin.com).
  • radmin remote control administrative service
  • the clients would be informed that they need to take additional steps to secure their radmin enabled computers and avoid compromise.
  • the managed security service not only has the advantage of reduced false positive and negative alerts, but also reduces data overload and the need for systems resources and personnel resources, while providing intrusion preemption for new attacking processes.

Abstract

An intrusion detection system monitors the rate and characteristics of Internet attacks on a computer network and filters attack alerts based upon various rates and frequencies of the attacks. The intrusion detection system monitors attacks on other hosts and determines if the attacks are random or general attacks or attacks directed towards a specific computer network and generates a corresponding signal. The intrusion detections system also tests a computer network's vulnerability to attacks detected on the other monitored hosts.

Description

    FIELD OF THE INVENTION
  • The present invention relates to computer networks. More particularly, the present invention relates to network security systems for detecting and protecting against security breaches.
  • BACKGROUND
  • A significant problem in the field of computer networks has been the inability to adequately protect private Internet-connected computer networks from security attacks. This problem commonly arises, for example when a company interconnects its internal network (typically a local area network) with the Internet to allow company employees to more easily communicate with outside entities. The benefits of connecting the internal network to the Internet are often significant, including, for example, enabling the company to inexpensively disseminate product information and provide online customer support to potential and existing customers.
  • As many companies have discovered, however, connecting the internal network to the Internet can have devastating consequences in the absence of an adequate security mechanism. A break-in by a hacker, for example, will often result in the deletion of important data or software files, the introduction of a virus to the network, and/or the public dissemination of confidential information. Less overt break-ins may involve the secret misappropriation of company trade secrets, or the covert manipulation of company data files. Even an innocent act by a company employee, such as the downloading of a virus-ridden file from a Web site, can have devastating effects.
  • One type of security system which provides limited protection against intrusions is a network firewall system (“firewall”). A firewall is a computer system that restricts the flow of traffic between two networks based on a pre-programmed access control policy. A common misconception is that a firewall will secure the computer facilities and additional steps don't need to be taken. A firewall is just one component of an effective security model. Additional components or layers should be added to provide an effective security model within an organization. A security model that protects an organization includes the following layers:
  • 1. Security policy of the organization
  • 2. Host system security
  • 3. Auditing
  • 4. Router security
  • 5. Firewalls
  • 6. Intrusion detection systems (IDS)
  • 7. Incident response plan
  • Using multiple layers in a security model is an effective method of deterring unauthorized use of computer systems and network services. Every layer provides some protection from intrusion, and the defeat of one layer may not lead to the compromise of your whole organization. Each layer has some inter-dependence on other layers. For example, the Intrusion Detection Systems (IDS) and the incident response plan have some interdependencies. Although they can be implemented independently, it's preferable when they're implemented together. Having an IDS that can alert unauthorized attempts on a system dovetails well with an incident response plan that deals with problems.
  • Intrusion detection follows a simple premise: every network resource and user develops and displays a pattern of normal usage—one that is specific and possibly unique to that item. Though anomalies in network usage sometimes appear, they should be explainable. Anything that cannot be readily explained should be considered a probable attack and investigated. Intrusion detection systems automate much of this process.
  • A typical IDS consists of several components:
  • An algorithm construction component defines rules by which network users should be operating
  • A log-generating application records network usage (other products provide this, but we'll talk about the specific IDS application in a moment)
  • An automated tool reviews, catalogs, and searches logs
  • The interface allows an administrator to integrate and manage the IDS components
  • The IDS model is relatively simple. Using the built-in configuration interface, a network administrator sets rules for network users with the algorithm construction component. These rules would vary according to the role of each account holder: general user versus system administrator or functional analyst versus senior manager. Rules can be based on a variety of theories:
  • Threshold Barriers—a specific event, such as a failed login, happens several times. Or the threshold could be based on something finite, such as bandwidth, which may be eaten up quickly during a denial-of-service attack.
  • Profiling—user activity or network use is recorded and analyzed statistically to create a baseline usage profile. When the actual usage profile deviates from the baseline, the deviation should be investigated.
  • Known Attack Signatures—data packets or network activities are screened to look for things like invalid TCP headers, sudden mass emails from multiple users, or TCP scans on servers.
  • IDS applications often provide specific automated responses for rule infractions: flags and warnings for system administrators, automatic user privilege suspensions, automatic email or pager notifications, or a simple but specific notation in a log. Once the network administrator has set these rules and the IDS is fully deployed, the IDS will begin logging network usage and initiate action as defined in the rules. It will also generate log summaries and reports based on input from the automated log review tool. These reports are instrumental in creating a more accurate picture of network usage, which will allow for more appropriate rule creation, an increased ability to plan for future network usage, and a refined ability to predict and counter network attacks.
  • While an IDS is relatively simple, it does have shortcomings.
  • Variants: signatures are developed in response to new vulnerabilities or exploits which have been posted or released. Integral to the success of a signature, it must be unique enough to only alert on malicious traffic and rarely on valid network traffic. However, exploit code can often be easily changed. It is not uncommon for an exploit tool to be released and then have its defaults changed shortly thereafter by the hacker community.
  • False positives: a common complaint is the amount of false positives an IDS will generate. Developing unique signatures is a difficult task and often times the vendors will err on the side of alerting too often rather than not enough. This is analogous to the story of the boy who cried wolf. It is much more difficult to pick out a valid intrusion attempt if a signature also alerts regularly on valid network activity. A difficult problem that arises from this is how much can be filtered out without potentially missing an attack.
  • False negatives: detecting attacks for which there are no known signatures. This leads to the other concept of false negatives where an IDS does not generate an alert when an intrusion is actually taking place. Simply put if a signature has not been written for a particular exploit there is an extremely good chance that the IDS will not detect it.
  • Data overload: another aspect which does not relate directly to misuse detection but is extremely important is how much data can an analyst effectively and efficiently analyze. That being said the amount of data he/she needs to look at seems to be growing rapidly. Depending on the intrusion detection tools employed by a company and its size there is the possibility for logs to reach millions of records per day.
  • System Resources: implementing an IDS will require significant dedicated resources. Consider the gigabytes of system data that can be logged and the processing power required to generate logs, compare all network usage to programmed rules, and respond to anomalous network activity.
  • Personnel Resources: even with automated tools, large networks require personnel dedicated to following up on IDS alerts, maintaining IDS equipment (including patches and upgrades), and formulating IDS rules based on current and future requirements.
  • Given the potentially huge corporate liability and exposure to lost profits coming from Internet threats, traditional security systems with an IDS are far from being able to eliminate the complex, blended cyber attacks that business face today. At the same time, deploying and managing in-house security systems, hiring and training IT professionals with security expertise and integrating and maintaining heterogeneous systems has become cost prohibitive for many companies. Consequently, managed security services are providing security for a number of companies. Managed care services provide a security audit for the client, facilitate security enhancements to the clients network and install equipment allowing for the remote provision of IDS services. Managed security services need to maintain a critical staff of expertise dedicated to following up on IDS alerts. For example, a typical security system can log over 100,000 attacks per day resulting in 1000 alerts per day requiring analysis. At 10 minutes per alert, a Tier One analysis staff requires approximately 6 trained employees. The process of analysis is tedious and subject to human error. The Tier One alerts are filtered to approximately 40 Tier Two alerts which analyzed at a rate of approximately 3.5 alerts per hour requiring by a staff of two Tier Two analysis personnel. The Tier Two staff send the client up to two alerts per day which may be legitimate threats requiring a response by an IT professional in accordance with the client's incident response plan. It is desirable to reduce the number of Tier One employees needed to maintain managed security services. This not only removes the human error component of the Tier One filtering, but also reduces the cost of the service. It is consequently desirable to reduce the number of false positives, false negatives, personnel resources and system resources needed to implement an IDS.
  • Given the large number of attacks that may be experienced by a client, it is desirable to determine if the attack is a general attack or a specific attack directed at the particular client. A general attack on a client may be the result of a worm residing in multiple source hosts generally attacking multiple target networks on the Internet. Such attacks are typically defended against by a well maintained network security system. However, a specific attack may be a hacker or other organization targeting a single specific client. A general attack may require a first type of response while a specific attack may indicate that a more urgent response is appropriate. Thus, what is needed is a way to determine if a client is experiencing an attack that is general in nature or if it is a specific targeted attack.
  • SUMMARY OF THE INVENTION
  • One embodiment of the present invention provides a computer network intrusion detection system that includes an intrusion alert generator for detecting external attacks upon a computer network, an analyzer coupled to said intrusion alert generator for analyzing each detected attack and determining a characteristic indicative of each attack, and an adaptive filter coupled to said analyzer for generating an alert based upon characteristics of a plurality of attacks.
  • Another embodiment of the present invention provides a method of generating a network intrusion alert for a first network coupled to a multiple client network system. The method includes the steps of determining a characteristic of an attack upon the first network, determining if the characteristic matches a characteristic of an attack upon a second client coupled to the multiple client network system, and generating a first alert in response to an absence of the match.
  • A further embodiment of the present invention provides a method of preempting an intrusion. The method includes the steps of determining characteristics of an attack upon a first host, and testing a second host for susceptibility to an attack of the determined characteristics.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 shows a system block diagram of a network system incorporating the invention.
  • FIG. 2 shows a process of generation of first, second and third categories of alerts.
  • FIG. 3 shows a process flow chart for implementing a Tier One filter.
  • FIG. 4 shows a process flow operating in an Edge Manager process of a Managed Security Service provider.
  • FIG. 5 shows a process flow diagram of a process for performing a preemptory vulnerability test in response to a new attacking process found on the edge network.
  • DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
  • FIG. 1 shows a system block diagram of a network system incorporating the present invention. The Internet 100 is an example of a multiple client network, other multiple client networks known to those familiar with the art are also anticipated. The clients or hosts are illustrated as individual personal computers 110, but a client could be any device or set of devices coupled to the Internet including private networks, internal networks, local area networks or wide area networks. Clients and their corresponding networks are subject to various attacks from other sources coupled to the Internet, since a multitude of clients coupled to the Intranet have no security or substantial security holes. Such clients are typically home personal computer systems coupled to the Internet via DSL or cable modems. These clients are ripe for harboring processes which attack other more protected clients. Such processes include worms, Trojan horses, viruses and scripts or other attacking or intruding processes released by hackers or other organizations. Clients infected with attacking processes form a platform for launching attacks against other clients. Protected clients may have various levels of protection against such attacks including the aforementioned firewalls and intrusion detection systems.
  • Some clients in FIG. 1 are shown being members of an edge detection network 120. Each client or sensor 122 in the edge detection network includes a firewall 125 and a log analyzer 126 for analyzing attacks upon the firewall 125. The attacks are communicated to and maintained in an edge database log 130. Edge networks are known to those familiar with the art and include the edge network. A network of this type having fourteen thousand clients can log over five million events per day. This is useful in detecting the progress of worms or other attacking process released upon clients coupled to the Intranet. The edge network database is to report attacks to the responsible party and their Internet service provider in order that corrective action may be taken at the source or the ISP of the source. Clients of a managed security service, to be described in more detail below, may be included as members of the edge network or supplement information provided by the edge network.
  • On the left side of FIG. 1 is shown a client network 140. The client network may include a mail server, a router or switch or combinations thereof for coupling various host and server devices. The client network is coupled to the Internet by a firewall 145. The firewall blocks unauthorized access between the client network 140 and the Internet 100. The client network also has an IT manager 150 which implements and maintains the client network along with various Internet access policies and responds to various attacks or intrusions.
  • A managed security service 160 such, as the service provided by SECNAP Network Security, LLC, is shown supporting the client network 140. The managed security service typically provides intrusion detection services to a number of client networks (not shown). The managed security service 160 provides a firewall monitor 170, or HackerTrap T, which monitors traffic between the firewall 145 and the Internet 100 and the firewall 145 and the client network 140. The HackerTrap includes a traffic analyzer 172 known to those familiar with the art, such as the process called “SNORT” (see snort.org for details). In an exemplary system, firewall 145 protecting a client network 140 may log 100,000 events per day. The events are generated in response to the signatures and other rules 174. Of those events, the traffic analyzer 170 will communicate 1000 alert events to the managed security service 160. The security service includes an event database 162 for tracking the events received from the HackerTrap 170. The event analyzer 164 is an automated adaptive filtering process replacing the aforementioned manual process of Tier One filtering. The event analyzer 164 looks for trends in the events and generates a reduced number of alerts 165 for the Tier Two manual analysis 166. Tier Two analysis sends important alerts to the IT manager 150 of the client network 140.
  • The firewalls 125 form second intrusion alert generators for detecting attacks on second networks which are typically separate from the client network. The managed security service also includes an edge manager 168 coupled to the alert generators in the edge network 128 which performs at least two functions, determining if an attack on the client network is a general attack or a specific attack targeting the client network, and running a vulnerability test 169 upon the client network upon detection of a new attacking process. The edge manager makes these determinations using information from the aforementioned edge database. For example, if the event analyzer 164 detects a new attack on the client network 140, and if the edge manager 168 determines the attack is also being experienced by other clients on the edge network 120, then the attack is a general attack. However, if the attack on the client network 140 is not experienced by a significant number of clients on the edge network 120, then the attack is specific to the client network 140 and a more urgent alert may be communicated to the IT manager 150 of the client network. In another example, if the edge network detects a new attack not matching previous signatures, then a new attack signature is generated and the managed security system launches a vulnerability test against the client network. If the client network is vulnerable, then the IT manager can be notified of the vulnerability prior to being attacked by the new process.
  • The tier one filter is provided by the managed security service. The managed security service 160 can receive a large volume of alerts from a multiplicity of HackerTraps 170 of its multiple clients and corresponding networks 140. If a thousand alerts per day were received from the HackerTraps, the aforementioned Tier One filtering service could reduce those alerts to forty Tier Two alerts. FIG. 2 and FIG. 3 illustrate an automated filtering process that performs the Tier One filtering process. FIG. 2 shows a graph of the number of events occurring on a particular signature and is thus illustrative of a plurality of attacks having a common characteristic. FIG. 3 shows a flowchart implementing the filtering process shown in FIG. 2. The signature could detect an attack upon a predefined port having a payload including the term “credit” for example. FIG. 2 shows a graph representative of four hundred events for example, occurring on the signature within a predetermined time of say seventy-two hours. With an optional Tmin filter, FIG. 2 shows the four hundred Tier One alerts result in five-Tier Two alerts (as shown at the top of the graph of FIG. 2).
  • FIG. 2 shows a process for generation of first, second and third category of alert signals of FIG. 1. The first alert signal indicates new activity on the signature, the second alert signal indicates a moderate activity rate while the third alert signal indicates an exceedingly high event activity rate. The first alert of FIG. 2 is generated upon a first or new occurrence of the signature event or attack characteristic. Subsequent events are accumulated but not alerted until a first threshold is exceeded. A second alert signal is generated indicative of the first threshold being exceeded. The accumulated alerts are subject to an aging criterion which in the example of FIG. 2 brings the accumulation again to zero.
  • After returning to zero, an occurrence of a subsequent signature event brings the accumulation from zero to one, however since the first alert was generated in less than an amount of time equal to Tmin, a subsequent first alert is not generated. Aging returns the accumulation to zero. An occurrence of a subsequent signature event brings the accumulation to a non-zero value, and since more than a predetermined Tmin amount of time has elapsed since a prior first alert, another first alert signal is generated. Aging again brings the accumulation to zero. A rapid increase in events on the signature occurs at the end of the graph of FIG. 2. While no first alert is generated because the predetermined time Tmin has not elapsed since the prior first alert, a second alert is generated when the first threshold is crossed. Then a third alert is generated when the second threshold is crossed by the value in the accumulator. When combined with aging, the third alert is generated in response to an increase in rate or frequency of attacks of that characteristic exceeding a predetermined rate or frequency. Other methods of determining the rate or frequency of events known to those familiar with the art are also anticipated. Furthermore, the predetermined rate or frequency may be varied deterministically as deterministic variations of thresholds are known to those familiar with the art.
  • Thus, the four hundred signature events from the HackerTrap have been reduced to five alerts for consideration by Tier Two personnel. Note that if the Tmin function were removed, then two additional first alerts would be generated. Thus, the system described advantageously reduces false positives, data overload, and personnel resource required for intrusion detection systems described in the aforementioned background.
  • FIG. 3 shows a process flow chart for implementing the Tier One filter. First, an aging timer is initialized 300, to a value of fifteen minutes for example. The process then waits for either a signature event 302 to occur or for the aging timer to time out 304. Upon the timing out of the time, the value in the accumulator associated with the signature is decremented 306. The accumulator does not decrement below zero. If a signature event is detected 302, then the count is incremented 308. If the count equals one 310, then the first alert is generated 312 unless the optional step of determining if a time less than Tmin since the generation of the last previous first alert 314. This optional step 314 limits the rate or frequency at which first alerts are generated. If the count equals the first threshold 316, then the second alert is generated 318 unless the optional step of determining if a time less than Tmin1 since the generation of the last previous second alert 320. This optional step limits the rate or frequency at which second alerts are generated. If the count equals the second threshold 322, then the third alert is generated 324 unless the optional step of determining if a time less than Tmin2 since the generation of the last previous third alert 326. This optional step limits the rate or frequency at which third alerts are generated.
  • The process flow of FIG. 3 shows a process incorporating multiple predetermined thresholds for alert generation with aging. The process has the advantage of implementing the Tier One filter with a single accumulator per signature. This results in a flat file which has the advantage of filtering alerts while conserving memory. Memory could otherwise grow quite large considering that each host has potentially over sixty five thousand ports, each port representing a characteristic or signature of an attack, and the service manager may provide security for networks having hundreds or thousands of host computers. Furthermore, the conservation of memory facilitates rapid processing of a very large number of attacks upon the host computers, thereby advantageously conserving system resources.
  • It should be appreciated that the thresholds of FIG. 3 may be modified or tuned in accordance with the requirements of the client network. For example, the first alert may be generated in response to a different threshold greater than one. The thresholds of the figure and the number of alert types may be varied in accordance with the needs of the system. Furthermore, the Tmin, Tmin2 and Tmin3 processes can be eliminated to conserve memory and processing requirements. Aging is shown as decrementing the accumulator at a predetermined interval, which may be varied and in accordance with the needs of the client network. The intervals and thresholds may further be dynamic and varied in response to other variables. Furthermore, the method of aging may be varied. For example, the accumulator value could be periodically reset or divided by two, once a day for example. In alternate embodiments, aging may take other forms known to those familiar with the art. Although the example shows an accumulator having an aging characteristic or a decay rate, other methods of determining the frequency or rate of an event are anticipated. Furthermore, alerts may be generated in response to a rate of change of frequency of events.
  • In the example of FIG. 2, there are a first large number of attacks followed by a second larger number of attacks with small sporadic attacks in between. In a conventional system with manual Tier One review, after determining the attack to be relatively benign, the system may be manually “tuned” after the first large number of attacks by turning the signature off. Thus, subsequent attacks having the signature would not be received by the Tier One group for manual review. Consequently, the second attack on the client system would be totally missed by the conventionally managed security service provider, resulting in a false negative. However, the improved system of FIG. 2 and FIG. 3 not only facilitates the elimination of a significant number of manual Tier One reviews, but further provides for more meaningful alerts. The five alerts generated in the example of FIG. 2 are analyzed by the Tier Two personnel, who may perform a detailed investigation of the attack after the initial “second alert” and may notify the IT manager in response to the initial “third alert” in order that an appropriate response may be taken.
  • The edge network adds additional intrusion detection capabilities by allowing an attack on a client network to be distinguished between a general attack on multiple clients on the network or a specific attack directed at the particular client. Furthermore, the edge network allows for the determination of new attack processes prior to an attack upon a client network in order that the vulnerability of the client network may be ascertained and preemptive measures taken.
  • FIG. 4 shows a process flow operating in the Edge Manager process of the Managed Security Service provider 160 of FIG. 1. An alert is received by the edge manager process 400. The alert is preferably generated by the process of FIG. 3. The alert is compared with alerts stored in the edge database 402. If the characteristics are similar 404, then the attack is determined to be a general attack and treated accordingly 406. A general attack may be generated by a worm process residing in a number of source hosts coupled to the Internet attempting to attack a number of target hosts coupled to the Internet. General attacks may have one or more characteristics indicative of a general attack. These characteristics include attacks on multiple sources, multiple targets, and/or multiple ports. An attack is determined to be a specific attack in the absence of characteristics indicative of a general attack 408. Client specific attacks preferably receive more urgent treatment because of the more invidious nature of the attack. By comparing the characteristic of attacks upon a client network with those of the edge network, it can be determined if the attack is general or specific and the priority of the alert adjusted accordingly. The invention's ability to quickly and automatically identify and alert a specific attack has significant advantages in intrusion detection and corresponding responses in protecting the client network.
  • For example, a general attack would consist of a self-propagating worm, whose payload may just be a process that propagates itself, or may be a payload that allows a hacker or group of hackers remote access to the victim computer. This type of attack may be judged to be of lower priority since it is not an attack directed towards the client network, but an attack based on some linear or random scan algorithm. While this is a lower priority attack, it should still be included in alerts since a client network may be susceptible to this type of attack.
  • In an example of modality, a client receives a web-based attack on the web server, and the IDS captures the source ip and the attack type. Normal Incident response policies might require that the Tier 1 manager decide, based on that one attack, or multiple attacks against their own network if that is an attack directed toward them or a general attack. Without external correlation this determination can only be made based on a ‘guess’ that a common attack type is in fact a general attack or worm. With the edge network, this information can be verified by comparing and correlating the source ip with other edge based sensors on the Internet. If this source ip address shows up in the edge database and has been recorded by several different target networks then a reasonable assumption can be made that this is a general *attack on the Internet. Individual Incident Response procedures may allow this attack type to be given a lower priority, or the client may just relay on the automated procedures on the edge network to notify the administrator of the source network.
  • On the other hand, if after recording the source of the attack, the Tier 1 technician is unable to find a correlation between the source ip and additional targets, he can make the assumption that either his ip space is at the beginning of the attack, or this attack is directed towards his network: EVEN IF THIS LOOKS LIKE A COMMON WORM, Hackers may have modified the original worm slightly and use it to map out the clients network and vulnerabilities. This type of attack should be given a higher priority by the Tier 1 technicians and either additional monitoring of that source ip need to be made, or they need to take measures to block that source ip address from further network access.
  • FIG. 5 shows a process flow diagram of a process for performing a preemptory vulnerability test in response to a new attacking process found on the edge network. Note that the edge network may include clients or client networks of the Managed
  • Security Service. The computer hosts on the edge network are also referred to as sensors. If a new attack process is detected by one or more edge sensors 502, then the process determines if the clients or client networks may have a similar vulnerability 504. This is done in two steps. First, the process tests each client's network to see if they may have a corresponding service running, either exposed to the Internet or used internally. The client point of contact is then notified of new suspicious traffic on the Internet, and given a list of his own servers to monitor. Second, monitoring is set up for these specific services to record information about the attack. If a client attack is captured, an appropriate alert is generated and a corresponding signature created and then distributed to all the client's traffic analyzers 506. Then a vulnerability test is developed 508 and the client is tested 510. This is preferably done by capturing the attacking process and removing any harmful payload from its header prior to exposure to the-client network. This process has the advantage of determining if a client is vulnerable to a new attacking process prior to being attacked by the process 512. The attack is found by network sensors prior to an attack on the client. Once the attributes of the attacking process are determined, the client's network can be tested for vulnerability to the attack. The client's network can be secured prior to intrusion 514. Thus, the edge network and the managed security service provide for intrusion preemption to new attacking process released on the Internet 516.
  • FIG. 5 shows a process flow a second intrusion alert generator of the edge detection network that detects attacks upon a second edge network wherein said adaptive filter is coupled to said second intrusion alert generator and the predetermined rate or frequency is determined in response to a frequency or rate of attacks having the new characteristic upon the second network.
  • In an example of an SQL Snake worm, several individual edge sensors would begin to pick up an increase in traffic targeting the Microsoft SQL Service. These sensors then send this data to the edge database where the process began to monitor it. At this point, there would be just one source network generating the scans and it could be an individual hacker or a misconfigured client. Later, edge sensors would pick up additional source networks, some of which would report being scanned. These network sources then create additional scans which infect other systems which create additional scans. The process then determines that there is in fact what looks like a self propagating worm. The HackerTrap then does its own scans of the clients' network and informs each administrator of any systems that may be running SQL server and warns them that there is an unknown worm or attack targeting SQL Server. The process then attempts to capture a copy of the worm through increasing logging of traffic to the SQL Servers. Prior to capturing the attacking process it has been identified and a security bulletin released. Client networks are tested for this vulnerability prior to the worm reaching their network and are able to mitigate the damage done by restricting access to the server until the vendor could provide a patch or workaround. In the SQLSnake worm example, it was a matter of days before Microsoft was able to create a patch and damage to client's networks was avoided.
  • Another example is the detection of increased scanning from several different network sources to several different network targets for a remote control administrative service called ‘radmin’ from famatech (radmin.com). In response, the clients would be informed that they need to take additional steps to secure their radmin enabled computers and avoid compromise.
  • Thus, what is described is an improved intrusion detection system with enhanced alert filtering, general vs. specific attack determination and intrusion preemption capabilities. The managed security service not only has the advantage of reduced false positive and negative alerts, but also reduces data overload and the need for systems resources and personnel resources, while providing intrusion preemption for new attacking processes. The information above and attached appendices describe embodiments of the present invention. Is should be appreciated that modifications and alterations may be made to the description provided herein without departing from the spirit and scope of the invention.

Claims (20)

1. A computer network intrusion detection system comprising:
an intrusion detector for detecting external attacks upon a computer network;
an analyzer coupled to said intrusion detector for analyzing each detected attack and determining a characteristic indicative thereof; and
a filter coupled to said analyzer for generating an alert based upon characteristics of a plurality of attacks.
2. The system according to claim 1 wherein said filter generates a first alert signal in response to an attack having a new characteristic, and further generates a second alert signal indicative of a predetermined plurality of attacks having the new characteristic occurring within a predetermined time.
3. The system according to claim 1 wherein said filter generates a first alert signal in response to an attack having a new characteristic, and further generates a subsequent first alert signal in response to a subsequent attack having the new characteristic occurring after an absence of attacks having the new characteristic occurring within a predetermined time.
4. The system according to claim 1 wherein said filter generates the alert in response to attacks of a predetermined characteristic exceeding a predetermined rate or frequency.
5. The system according to claim 4 wherein the predetermined rate or frequency deterministically varies.
6. The system according to claim 1 further comprising a second intrusion detector for detecting attacks upon a second computer network, wherein said filter is further coupled to said second intrusion detector and communicates the alert to the computer network in response to attacks of a predetermined characteristic upon the second computer network exceeding a predetermined rate or frequency.
7. The system according to claim 1 further comprising: a vulnerability tester coupled to said analyzer for testing a second computer network for a vulnerability to an attack characteristic detected by said analyzer.
8. The system according to claim 1 further comprising:
an second intrusion detector for detecting external attacks upon a second computer network;
a second analyzer coupled to said second intrusion detector for analyzing each detected attack upon the second network and determining a characteristic indicative thereof, wherein said filter is further coupled to said second analyzer and further compares the attack characteristics determined by said analyzer and said second analyzer and generates a general attack alert in response to a substantial similarity in the comparison.
9. The system according to claim 1 further comprising:
a second intrusion detector for detecting external attacks upon a second computer network;
a second analyzer coupled to said second intrusion detector for analyzing each detected attack upon the second network and determining a characteristic indicative thereof, wherein said filter is further coupled to said second analyzer and further compares the attack characteristics determined by said analyzer and said second analyzer and generates a specific attack alert in response to a substantial absence of similarity in the comparison.
10. The system according to claim 9 further comprising an alert generator for generating an alert indicative of the specific attack on the one of the networks experiencing the attacks having the absence of similarity of attacks on the other of the networks.
11. The system according to claim 9 further comprising:
a vulnerability tester coupled to said filter for testing the one of the networks not experiencing the attacks for a vulnerability to the attack characteristic experienced by the other of the computer networks.
12. A method of generating a network intrusion alert for a first network coupled to a multiple client network system comprising the steps of:
determining a characteristic of an attack upon the first network; determining if the characteristic matches a characteristic of an attack upon a second client coupled to the multiple client network system; and
generating a first alert in response to an absence of the match.
13. The method according to claim 12 further comprising the step of generating a second alert in response to the presence of the match.
14. The method according to claim 13 wherein the first alert is indicative of a specific attack on the first network and the second alert is indicative of a non-specific attack on the first network.
15. The method according to claim 12 wherein said step of determining if the characteristic matches a characteristic of an attack upon a second client determines if the characteristic matches a characteristic of attacks upon multiple clients coupled to the multiple client network system.
16. A method of preempting an intrusion comprising the steps of:
determining characteristics of an attack upon a first host; and
testing a second host for a susceptibility to an attack of the determined characteristics.
17. The method according to claim 16 further comprising the step of further determining if the characteristic of the attack upon the first host is a new characteristic, wherein said step of testing does not test the susceptibility of the second host if said step of further determining does not determine that the characteristic of the attack upon the first host corresponds to the new characteristic.
18. The method according to claim 17 wherein the new characteristic corresponds to a characteristic not previously determined.
19. The method according to claim 16 further comprising the step of generating an alert if said step of testing indicates that the second host is susceptible to the determined characteristics.
20. The method according to claim 16 further comprising the step of filtering the determined characteristics of a plurality of attacks determined by said step of determining and generating an alert signal in response to a substantial increase in frequency or rate of attacks of the characteristic, wherein said step of testing tests the susceptibility of the second host in response to the alert signal.
US12/577,574 2002-10-31 2009-10-12 Intrusion detection system Abandoned US20100100961A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/577,574 US20100100961A1 (en) 2002-10-31 2009-10-12 Intrusion detection system

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US42272002P 2002-10-31 2002-10-31
US10/699,005 US7603711B2 (en) 2002-10-31 2003-10-30 Intrusion detection system
US12/577,574 US20100100961A1 (en) 2002-10-31 2009-10-12 Intrusion detection system

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US10/699,005 Continuation US7603711B2 (en) 2002-10-31 2003-10-30 Intrusion detection system

Publications (1)

Publication Number Publication Date
US20100100961A1 true US20100100961A1 (en) 2010-04-22

Family

ID=32302582

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/699,005 Active 2026-06-17 US7603711B2 (en) 2002-10-31 2003-10-30 Intrusion detection system
US12/577,574 Abandoned US20100100961A1 (en) 2002-10-31 2009-10-12 Intrusion detection system

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US10/699,005 Active 2026-06-17 US7603711B2 (en) 2002-10-31 2003-10-30 Intrusion detection system

Country Status (3)

Country Link
US (2) US7603711B2 (en)
AU (1) AU2003287419A1 (en)
WO (1) WO2004042524A2 (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102487339A (en) * 2010-12-01 2012-06-06 中兴通讯股份有限公司 Attack preventing method for network equipment and device
US8984644B2 (en) 2003-07-01 2015-03-17 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9088618B1 (en) * 2014-04-18 2015-07-21 Kaspersky Lab Zao System and methods for ensuring fault tolerance of antivirus protection realized in a virtual environment
US9100431B2 (en) 2003-07-01 2015-08-04 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US9118711B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9117069B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Real-time vulnerability monitoring
US9118709B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118708B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Multi-path remediation
US9118710B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc System, method, and computer program product for reporting an occurrence in different manners
WO2015013376A3 (en) * 2013-07-23 2015-11-26 Crypteia Networks S.A. Systems and methods for self-tuning network intrusion detection and prevention
JP2015231138A (en) * 2014-06-05 2015-12-21 日本電信電話株式会社 Cyber attack practice system, practice environment providing method, and, practice environment providing program
CN105471854A (en) * 2015-11-18 2016-04-06 国网智能电网研究院 Adaptive boundary abnormity detection method based on multistage strategies
US9350752B2 (en) 2003-07-01 2016-05-24 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9392007B2 (en) 2013-11-04 2016-07-12 Crypteia Networks S.A. System and method for identifying infected networks and systems from unknown attacks
CN112100626A (en) * 2020-09-24 2020-12-18 成都信息工程大学 Development method for improving source code audit vulnerability hit rate

Families Citing this family (133)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002027438A2 (en) 2000-09-28 2002-04-04 Vigilos, Inc. Method and process for configuring a premises for monitoring
US8392552B2 (en) 2000-09-28 2013-03-05 Vig Acquisitions Ltd., L.L.C. System and method for providing configurable security monitoring utilizing an integrated information system
US7664845B2 (en) * 2002-01-15 2010-02-16 Mcafee, Inc. System and method for network vulnerability detection and reporting
US7543056B2 (en) 2002-01-15 2009-06-02 Mcafee, Inc. System and method for network vulnerability detection and reporting
US7480715B1 (en) * 2002-01-25 2009-01-20 Vig Acquisitions Ltd., L.L.C. System and method for performing a predictive threat assessment based on risk factors
US8209756B1 (en) 2002-02-08 2012-06-26 Juniper Networks, Inc. Compound attack detection in a computer network
US7359962B2 (en) * 2002-04-30 2008-04-15 3Com Corporation Network security system integration
US8359650B2 (en) * 2002-10-01 2013-01-22 Skybox Secutiry Inc. System, method and computer readable medium for evaluating potential attacks of worms
US8407798B1 (en) 2002-10-01 2013-03-26 Skybox Secutiry Inc. Method for simulation aided security event management
US7603711B2 (en) * 2002-10-31 2009-10-13 Secnap Networks Security, LLC Intrusion detection system
JP4161693B2 (en) * 2002-11-25 2008-10-08 松下電器産業株式会社 Multicarrier transmission apparatus, multicarrier reception apparatus, and multicarrier communication apparatus
US7219239B1 (en) * 2002-12-02 2007-05-15 Arcsight, Inc. Method for batching events for transmission by software agent
US8176527B1 (en) * 2002-12-02 2012-05-08 Hewlett-Packard Development Company, L. P. Correlation engine with support for time-based rules
US7243147B2 (en) * 2002-12-30 2007-07-10 Bellsouth Ip Corporation Systems and methods for the detection and management of network assets
US7483972B2 (en) * 2003-01-08 2009-01-27 Cisco Technology, Inc. Network security monitoring system
US8561175B2 (en) 2003-02-14 2013-10-15 Preventsys, Inc. System and method for automated policy audit and remediation management
US7895649B1 (en) 2003-04-04 2011-02-22 Raytheon Company Dynamic rule generation for an enterprise intrusion detection system
US8127359B2 (en) * 2003-04-11 2012-02-28 Samir Gurunath Kelekar Systems and methods for real-time network-based vulnerability assessment
US7308716B2 (en) * 2003-05-20 2007-12-11 International Business Machines Corporation Applying blocking measures progressively to malicious network traffic
US7712133B2 (en) * 2003-06-20 2010-05-04 Hewlett-Packard Development Company, L.P. Integrated intrusion detection system and method
US6985920B2 (en) * 2003-06-23 2006-01-10 Protego Networks Inc. Method and system for determining intra-session event correlation across network address translation devices
US7406714B1 (en) 2003-07-01 2008-07-29 Symantec Corporation Computer code intrusion detection system based on acceptable retrievals
US7568229B1 (en) * 2003-07-01 2009-07-28 Symantec Corporation Real-time training for a computer code intrusion detection system
US7644365B2 (en) 2003-09-12 2010-01-05 Cisco Technology, Inc. Method and system for displaying network security incidents
US8015604B1 (en) * 2003-10-10 2011-09-06 Arcsight Inc Hierarchical architecture in a network security system
US9027120B1 (en) 2003-10-10 2015-05-05 Hewlett-Packard Development Company, L.P. Hierarchical architecture in a network security system
US7237267B2 (en) * 2003-10-16 2007-06-26 Cisco Technology, Inc. Policy-based network security management
US8266177B1 (en) 2004-03-16 2012-09-11 Symantec Corporation Empirical database access adjustment
US7225468B2 (en) * 2004-05-07 2007-05-29 Digital Security Networks, Llc Methods and apparatus for computer network security using intrusion detection and prevention
US7523504B2 (en) * 2004-08-02 2009-04-21 Netiq Corporation Methods, systems and computer program products for evaluating security of a network environment
US8176126B2 (en) 2004-08-26 2012-05-08 International Business Machines Corporation System, method and program to limit rate of transferring messages from suspected spammers
KR100622670B1 (en) * 2004-12-07 2006-09-19 한국전자통신연구원 Real-time network attack pattern detection system for unknown network attack and method thereof
US7809826B1 (en) * 2005-01-27 2010-10-05 Juniper Networks, Inc. Remote aggregation of network traffic profiling data
US7937755B1 (en) 2005-01-27 2011-05-03 Juniper Networks, Inc. Identification of network policy violations
US7797411B1 (en) 2005-02-02 2010-09-14 Juniper Networks, Inc. Detection and prevention of encapsulated network attacks using an intermediate device
US7444331B1 (en) 2005-03-02 2008-10-28 Symantec Corporation Detecting code injection attacks against databases
US8046374B1 (en) 2005-05-06 2011-10-25 Symantec Corporation Automatic training of a database intrusion detection system
US7558796B1 (en) 2005-05-19 2009-07-07 Symantec Corporation Determining origins of queries for a database intrusion detection system
FR2887385B1 (en) * 2005-06-15 2007-10-05 Advestigo Sa METHOD AND SYSTEM FOR REPORTING AND FILTERING MULTIMEDIA INFORMATION ON A NETWORK
US8572733B1 (en) * 2005-07-06 2013-10-29 Raytheon Company System and method for active data collection in a network security system
FR2888440A1 (en) * 2005-07-08 2007-01-12 France Telecom METHOD AND SYSTEM FOR DETECTING INTRUSIONS
US7774361B1 (en) 2005-07-08 2010-08-10 Symantec Corporation Effective aggregation and presentation of database intrusion incidents
US7690037B1 (en) 2005-07-13 2010-03-30 Symantec Corporation Filtering training data for machine learning
US7882262B2 (en) 2005-08-18 2011-02-01 Cisco Technology, Inc. Method and system for inline top N query computation
US7950058B1 (en) 2005-09-01 2011-05-24 Raytheon Company System and method for collaborative information security correlation in low bandwidth environments
US8224761B1 (en) 2005-09-01 2012-07-17 Raytheon Company System and method for interactive correlation rule design in a network security system
US8904529B2 (en) * 2005-09-07 2014-12-02 International Business Machines Corporation Automated deployment of protection agents to devices connected to a computer network
US9794272B2 (en) * 2006-01-03 2017-10-17 Alcatel Lucent Method and apparatus for monitoring malicious traffic in communication networks
US7849185B1 (en) 2006-01-10 2010-12-07 Raytheon Company System and method for attacker attribution in a network security system
US20070195776A1 (en) * 2006-02-23 2007-08-23 Zheng Danyang R System and method for channeling network traffic
US8554536B2 (en) * 2006-05-24 2013-10-08 Verizon Patent And Licensing Inc. Information operations support system, method, and computer program product
US8233388B2 (en) 2006-05-30 2012-07-31 Cisco Technology, Inc. System and method for controlling and tracking network content flow
US8811156B1 (en) 2006-11-14 2014-08-19 Raytheon Company Compressing n-dimensional data
US8180873B2 (en) * 2006-11-14 2012-05-15 Fmr Llc Detecting fraudulent activity
CA2714549A1 (en) * 2007-02-09 2008-08-14 Smobile Systems, Inc. Off-line mms malware scanning system and method
US8955105B2 (en) * 2007-03-14 2015-02-10 Microsoft Corporation Endpoint enabled for enterprise security assessment sharing
US8959568B2 (en) * 2007-03-14 2015-02-17 Microsoft Corporation Enterprise security assessment sharing
US8413247B2 (en) * 2007-03-14 2013-04-02 Microsoft Corporation Adaptive data collection for root-cause analysis and intrusion detection
US20080229419A1 (en) * 2007-03-16 2008-09-18 Microsoft Corporation Automated identification of firewall malware scanner deficiencies
US7882542B2 (en) * 2007-04-02 2011-02-01 Microsoft Corporation Detecting compromised computers by correlating reputation data with web access logs
EP1986391A1 (en) * 2007-04-23 2008-10-29 Mitsubishi Electric Corporation Detecting anomalies in signalling flows
US20080295172A1 (en) * 2007-05-22 2008-11-27 Khushboo Bohacek Method, system and computer-readable media for reducing undesired intrusion alarms in electronic communications systems and networks
US8272044B2 (en) * 2007-05-25 2012-09-18 New Jersey Institute Of Technology Method and system to mitigate low rate denial of service (DoS) attacks
CN101803305B (en) * 2007-09-28 2014-06-11 日本电信电话株式会社 Network monitoring device, network monitoring method, and network monitoring program
KR20090121579A (en) * 2008-05-22 2009-11-26 주식회사 이베이지마켓 System for checking vulnerabilities of servers and method thereof
US20100070776A1 (en) * 2008-09-17 2010-03-18 Shankar Raman Logging system events
US8364813B2 (en) 2010-11-02 2013-01-29 International Business Machines Corporation Administering incident pools for event and alert analysis
US8386602B2 (en) 2010-11-02 2013-02-26 International Business Machines Corporation Relevant alert delivery in a distributed processing system
US8621277B2 (en) 2010-12-06 2013-12-31 International Business Machines Corporation Dynamic administration of component event reporting in a distributed processing system
US8737231B2 (en) 2010-12-07 2014-05-27 International Business Machines Corporation Dynamic administration of event pools for relevant event and alert analysis during event storms
US8805999B2 (en) 2010-12-07 2014-08-12 International Business Machines Corporation Administering event reporting rules in a distributed processing system
US8868984B2 (en) 2010-12-07 2014-10-21 International Business Machines Corporation Relevant alert delivery in a distributed processing system with event listeners and alert listeners
CN102025785B (en) * 2010-12-24 2012-11-07 汉柏科技有限公司 Method for monitoring safety of network through WEB
US8756462B2 (en) 2011-05-24 2014-06-17 International Business Machines Corporation Configurable alert delivery for reducing the amount of alerts transmitted in a distributed processing system
US8645757B2 (en) 2011-05-26 2014-02-04 International Business Machines Corporation Administering incident pools for event and alert analysis
US9213621B2 (en) 2011-05-27 2015-12-15 International Business Machines Corporation Administering event pools for relevant event analysis in a distributed processing system
US8676883B2 (en) 2011-05-27 2014-03-18 International Business Machines Corporation Event management in a distributed processing system
US8880943B2 (en) 2011-06-22 2014-11-04 International Business Machines Corporation Restarting event and alert analysis after a shutdown in a distributed processing system
US8392385B2 (en) 2011-06-22 2013-03-05 International Business Machines Corporation Flexible event data content management for relevant event and alert analysis within a distributed processing system
US8713366B2 (en) 2011-06-22 2014-04-29 International Business Machines Corporation Restarting event and alert analysis after a shutdown in a distributed processing system
US9419650B2 (en) 2011-06-22 2016-08-16 International Business Machines Corporation Flexible event data content management for relevant event and alert analysis within a distributed processing system
US20130097272A1 (en) 2011-10-18 2013-04-18 International Business Machines Corporation Prioritized Alert Delivery In A Distributed Processing System
US9178936B2 (en) 2011-10-18 2015-11-03 International Business Machines Corporation Selected alert delivery in a distributed processing system
US20130097215A1 (en) 2011-10-18 2013-04-18 International Business Machines Corporation Selected Alert Delivery In A Distributed Processing System
US8887175B2 (en) 2011-10-18 2014-11-11 International Business Machines Corporation Administering incident pools for event and alert analysis
US9094288B1 (en) * 2011-10-26 2015-07-28 Narus, Inc. Automated discovery, attribution, analysis, and risk assessment of security threats
US8713581B2 (en) 2011-10-27 2014-04-29 International Business Machines Corporation Selected alert delivery in a distributed processing system
US8914406B1 (en) 2012-02-01 2014-12-16 Vorstack, Inc. Scalable network security with fast response protocol
US9137258B2 (en) * 2012-02-01 2015-09-15 Brightpoint Security, Inc. Techniques for sharing network security event information
US9710644B2 (en) * 2012-02-01 2017-07-18 Servicenow, Inc. Techniques for sharing network security event information
EP2828752B1 (en) 2012-03-22 2020-04-29 Triad National Security, LLC Path scanning for the detection of anomalous subgraphs and use of dns requests and host agents for anomaly/change detection and network situational awareness
WO2013184099A1 (en) 2012-06-05 2013-12-12 Empire Technology Development, Llc Cross-user correlation for detecting server-side multi-target intrusion
US9043920B2 (en) 2012-06-27 2015-05-26 Tenable Network Security, Inc. System and method for identifying exploitable weak points in a network
US9088606B2 (en) 2012-07-05 2015-07-21 Tenable Network Security, Inc. System and method for strategic anti-malware monitoring
US8954811B2 (en) 2012-08-06 2015-02-10 International Business Machines Corporation Administering incident pools for incident analysis
US8943366B2 (en) 2012-08-09 2015-01-27 International Business Machines Corporation Administering checkpoints for incident analysis
US9021599B2 (en) * 2013-03-13 2015-04-28 Google Inc. Protecting privacy via a gateway
US9467464B2 (en) 2013-03-15 2016-10-11 Tenable Network Security, Inc. System and method for correlating log data to discover network vulnerabilities and assets
EP2785008A1 (en) * 2013-03-29 2014-10-01 British Telecommunications public limited company Method and apparatus for detecting a multi-stage event
EP2785009A1 (en) 2013-03-29 2014-10-01 British Telecommunications public limited company Method and apparatus for detecting a multi-stage event
US9361184B2 (en) 2013-05-09 2016-06-07 International Business Machines Corporation Selecting during a system shutdown procedure, a restart incident checkpoint of an incident analyzer in a distributed processing system
US9170860B2 (en) 2013-07-26 2015-10-27 International Business Machines Corporation Parallel incident processing
US9658902B2 (en) 2013-08-22 2017-05-23 Globalfoundries Inc. Adaptive clock throttling for event processing
US9256482B2 (en) 2013-08-23 2016-02-09 International Business Machines Corporation Determining whether to send an alert in a distributed processing system
US9602337B2 (en) 2013-09-11 2017-03-21 International Business Machines Corporation Event and alert analysis in a distributed processing system
US9086968B2 (en) 2013-09-11 2015-07-21 International Business Machines Corporation Checkpointing for delayed alert creation
US9389943B2 (en) 2014-01-07 2016-07-12 International Business Machines Corporation Determining a number of unique incidents in a plurality of incidents for incident processing in a distributed processing system
US9485262B1 (en) * 2014-03-28 2016-11-01 Juniper Networks, Inc. Detecting past intrusions and attacks based on historical network traffic information
PL3095034T3 (en) 2014-10-21 2019-11-29 Ironnet Cybersecurity Inc Cybersecurity system
US9690928B2 (en) * 2014-10-25 2017-06-27 Mcafee, Inc. Computing platform security methods and apparatus
US9571517B2 (en) * 2014-11-11 2017-02-14 Goldman, Sachs & Co. Synthetic cyber-risk model for vulnerability determination
US9591022B2 (en) 2014-12-17 2017-03-07 The Boeing Company Computer defenses and counterattacks
US9648036B2 (en) * 2014-12-29 2017-05-09 Palantir Technologies Inc. Systems for network risk assessment including processing of user access rights associated with a network of devices
CN105871775B (en) * 2015-01-19 2019-03-12 中国移动通信集团公司 A kind of safety protecting method and DPMA Protection Model
US10282455B2 (en) * 2015-04-20 2019-05-07 Splunk Inc. Display of data ingestion information based on counting generated events
US10817544B2 (en) 2015-04-20 2020-10-27 Splunk Inc. Scaling available storage based on counting generated events
US10454950B1 (en) * 2015-06-30 2019-10-22 Fireeye, Inc. Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks
US10701104B2 (en) * 2015-08-18 2020-06-30 Acronis International Gmbh Agentless security of virtual machines using a network interface controller
US20170054686A1 (en) * 2015-08-18 2017-02-23 Konstantin Malkov Agentless Security of Virtual Machines using a Filtering Platform
US10425447B2 (en) * 2015-08-28 2019-09-24 International Business Machines Corporation Incident response bus for data security incidents
US10284631B2 (en) * 2015-10-12 2019-05-07 Vmware, Inc. Management-as-a-service for on-premises information-technology systems
US10609110B2 (en) 2015-10-12 2020-03-31 Vmware, Inc. Remote access over internet using reverse session-origination (RSO) tunnel
US10742480B2 (en) 2015-10-12 2020-08-11 Vmware, Inc. Network management as a service (MaaS) using reverse session-origination (RSO) tunnel
JP2017079042A (en) * 2015-10-22 2017-04-27 富士通株式会社 Attention alert action support program, attention alert action support device, and attention alert action support method
WO2017100534A1 (en) * 2015-12-11 2017-06-15 Servicenow, Inc. Computer network threat assessment
US9965633B2 (en) 2015-12-29 2018-05-08 Sap Se Using code similarities for improving auditing and fixing of SAST-discovered code vulnerabilities
LT3338205T (en) 2016-07-14 2019-06-25 IronNet Cybersecurity, Inc. Simulation and virtual reality based cyber behavioral system
US10237300B2 (en) 2017-04-06 2019-03-19 Microsoft Technology Licensing, Llc System and method for detecting directed cyber-attacks targeting a particular set of cloud based machines
US11271967B2 (en) * 2017-05-02 2022-03-08 International Business Machines Corporation Methods and systems for cyber-hacking detection
US10333960B2 (en) 2017-05-03 2019-06-25 Servicenow, Inc. Aggregating network security data for export
US20180324207A1 (en) 2017-05-05 2018-11-08 Servicenow, Inc. Network security threat intelligence sharing
US10432647B2 (en) 2017-06-27 2019-10-01 Honeywell International Inc. Malicious industrial internet of things node activity detection for connected plants
US11128648B2 (en) 2018-01-02 2021-09-21 Maryam AMIRMAZLAGHANI Generalized likelihood ratio test (GLRT) based network intrusion detection system in wavelet domain

Citations (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5991881A (en) * 1996-11-08 1999-11-23 Harris Corporation Network surveillance system
US6088804A (en) * 1998-01-12 2000-07-11 Motorola, Inc. Adaptive system and method for responding to computer network security attacks
US6119236A (en) * 1996-10-07 2000-09-12 Shipley; Peter M. Intelligent network security device and method
US6282546B1 (en) * 1998-06-30 2001-08-28 Cisco Technology, Inc. System and method for real-time insertion of data into a multi-dimensional database for network intrusion detection and vulnerability assessment
US6477651B1 (en) * 1999-01-08 2002-11-05 Cisco Technology, Inc. Intrusion detection system and method having dynamically loaded signatures
US20020178383A1 (en) * 2001-01-25 2002-11-28 Michael Hrabik Method and apparatus for verifying the integrity and security of computer networks and implementing counter measures
US20030009696A1 (en) * 2001-05-18 2003-01-09 Bunker V. Nelson Waldo Network security testing
US6519703B1 (en) * 2000-04-14 2003-02-11 James B. Joyce Methods and apparatus for heuristic firewall
US20030188194A1 (en) * 2002-03-29 2003-10-02 David Currie Method and apparatus for real-time security verification of on-line services
US20040117658A1 (en) * 2002-09-27 2004-06-17 Andrea Klaes Security monitoring and intrusion detection system
US7076803B2 (en) * 2002-01-28 2006-07-11 International Business Machines Corporation Integrated intrusion detection services
US7152242B2 (en) * 2002-09-11 2006-12-19 Enterasys Networks, Inc. Modular system for detecting, filtering and providing notice about attack events associated with network security
US20070136813A1 (en) * 2005-12-08 2007-06-14 Hsing-Kuo Wong Method for eliminating invalid intrusion alerts
US7237008B1 (en) * 2002-05-10 2007-06-26 Mcafee, Inc. Detecting malware carried by an e-mail message
US20070226803A1 (en) * 2006-03-22 2007-09-27 Woonyon Kim System and method for detecting internet worm traffics through classification of traffic characteristics by types
US20070240218A1 (en) * 2006-04-06 2007-10-11 George Tuvell Malware Detection System and Method for Mobile Platforms
US20080086773A1 (en) * 2006-10-06 2008-04-10 George Tuvell System and method of reporting and visualizing malware on mobile networks
US20080086776A1 (en) * 2006-10-06 2008-04-10 George Tuvell System and method of malware sample collection on mobile networks
US20080263661A1 (en) * 2007-04-23 2008-10-23 Mitsubishi Electric Corporation Detecting anomalies in signaling flows
US20080301810A1 (en) * 2007-06-04 2008-12-04 Agilent Technologies, Inc. Monitoring apparatus and method therefor
US20090077663A1 (en) * 2007-09-17 2009-03-19 Alcatel Lucent Score-based intrusion prevention system
US7603711B2 (en) * 2002-10-31 2009-10-13 Secnap Networks Security, LLC Intrusion detection system
US7631354B2 (en) * 2004-12-30 2009-12-08 Intel Corporation System security agent authentication and alert distribution
US7673342B2 (en) * 2001-07-26 2010-03-02 Mcafee, Inc. Detecting e-mail propagated malware
US20100154059A1 (en) * 2008-12-11 2010-06-17 Kindsight Network based malware detection and reporting

Family Cites Families (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2706652B1 (en) * 1993-06-09 1995-08-18 Alsthom Cge Alcatel Device for detecting intrusions and suspicious users for a computer system and security system comprising such a device.
US5878420A (en) * 1995-08-31 1999-03-02 Compuware Corporation Network monitoring and management system
US5898830A (en) * 1996-10-17 1999-04-27 Network Engineering Software Firewall providing enhanced network security and user transparency
JP3165366B2 (en) * 1996-02-08 2001-05-14 株式会社日立製作所 Network security system
US6453345B2 (en) * 1996-11-06 2002-09-17 Datadirect Networks, Inc. Network security and surveillance system
US6279113B1 (en) * 1998-03-16 2001-08-21 Internet Tools, Inc. Dynamic signature inspection-based network intrusion detection
US6578147B1 (en) * 1999-01-15 2003-06-10 Cisco Technology, Inc. Parallel intrusion detection sensors with load balancing for high speed networks
US6971028B1 (en) * 1999-08-30 2005-11-29 Symantec Corporation System and method for tracking the source of a computer attack
US6769066B1 (en) 1999-10-25 2004-07-27 Visa International Service Association Method and apparatus for training a neural network model for use in computer network intrusion detection
US6611869B1 (en) * 1999-10-28 2003-08-26 Networks Associates, Inc. System and method for providing trustworthy network security concern communication in an active security management environment
GB2362076B (en) 2000-05-03 2002-08-14 3Com Corp Detection of an attack such as a pre-attack on a computer network
US7134141B2 (en) * 2000-06-12 2006-11-07 Hewlett-Packard Development Company, L.P. System and method for host and network based intrusion detection and response
US7406713B2 (en) * 2000-08-18 2008-07-29 Invicta Networks, Inc. Systems and methods for distributed network protection
US20030051026A1 (en) * 2001-01-19 2003-03-13 Carter Ernst B. Network surveillance and security system
WO2002071227A1 (en) * 2001-03-01 2002-09-12 Cyber Operations, Llc System and method for anti-network terrorism
US7379993B2 (en) * 2001-09-13 2008-05-27 Sri International Prioritizing Bayes network alerts
US20030084349A1 (en) * 2001-10-12 2003-05-01 Oliver Friedrichs Early warning system for network attacks
US20030084319A1 (en) * 2001-10-31 2003-05-01 Tarquini Richard Paul Node, method and computer readable medium for inserting an intrusion prevention system into a network stack
US7222366B2 (en) * 2002-01-28 2007-05-22 International Business Machines Corporation Intrusion event filtering
US20040006704A1 (en) * 2002-07-02 2004-01-08 Dahlstrom Dale A. System and method for determining security vulnerabilities
US7017186B2 (en) * 2002-07-30 2006-03-21 Steelcloud, Inc. Intrusion detection system using self-organizing clusters
US6952779B1 (en) * 2002-10-01 2005-10-04 Gideon Cohen System and method for risk detection and analysis in a computer network
US7596807B2 (en) * 2003-07-03 2009-09-29 Arbor Networks, Inc. Method and system for reducing scope of self-propagating attack code in network

Patent Citations (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6119236A (en) * 1996-10-07 2000-09-12 Shipley; Peter M. Intelligent network security device and method
US6304975B1 (en) * 1996-10-07 2001-10-16 Peter M. Shipley Intelligent network security device and method
US5991881A (en) * 1996-11-08 1999-11-23 Harris Corporation Network surveillance system
US6088804A (en) * 1998-01-12 2000-07-11 Motorola, Inc. Adaptive system and method for responding to computer network security attacks
US6282546B1 (en) * 1998-06-30 2001-08-28 Cisco Technology, Inc. System and method for real-time insertion of data into a multi-dimensional database for network intrusion detection and vulnerability assessment
US6477651B1 (en) * 1999-01-08 2002-11-05 Cisco Technology, Inc. Intrusion detection system and method having dynamically loaded signatures
US6519703B1 (en) * 2000-04-14 2003-02-11 James B. Joyce Methods and apparatus for heuristic firewall
US20020178383A1 (en) * 2001-01-25 2002-11-28 Michael Hrabik Method and apparatus for verifying the integrity and security of computer networks and implementing counter measures
US20030009696A1 (en) * 2001-05-18 2003-01-09 Bunker V. Nelson Waldo Network security testing
US7673342B2 (en) * 2001-07-26 2010-03-02 Mcafee, Inc. Detecting e-mail propagated malware
US7076803B2 (en) * 2002-01-28 2006-07-11 International Business Machines Corporation Integrated intrusion detection services
US20030188194A1 (en) * 2002-03-29 2003-10-02 David Currie Method and apparatus for real-time security verification of on-line services
US7237008B1 (en) * 2002-05-10 2007-06-26 Mcafee, Inc. Detecting malware carried by an e-mail message
US20110173677A1 (en) * 2002-05-10 2011-07-14 Mcafee, Inc., A Delaware Corporation Detecting malware carried by an e-mail message
US7152242B2 (en) * 2002-09-11 2006-12-19 Enterasys Networks, Inc. Modular system for detecting, filtering and providing notice about attack events associated with network security
US20040117658A1 (en) * 2002-09-27 2004-06-17 Andrea Klaes Security monitoring and intrusion detection system
US7603711B2 (en) * 2002-10-31 2009-10-13 Secnap Networks Security, LLC Intrusion detection system
US7631354B2 (en) * 2004-12-30 2009-12-08 Intel Corporation System security agent authentication and alert distribution
US20070136813A1 (en) * 2005-12-08 2007-06-14 Hsing-Kuo Wong Method for eliminating invalid intrusion alerts
US20070226803A1 (en) * 2006-03-22 2007-09-27 Woonyon Kim System and method for detecting internet worm traffics through classification of traffic characteristics by types
US20070240218A1 (en) * 2006-04-06 2007-10-11 George Tuvell Malware Detection System and Method for Mobile Platforms
US20070240217A1 (en) * 2006-04-06 2007-10-11 George Tuvell Malware Modeling Detection System And Method for Mobile Platforms
US20080086776A1 (en) * 2006-10-06 2008-04-10 George Tuvell System and method of malware sample collection on mobile networks
US20080086773A1 (en) * 2006-10-06 2008-04-10 George Tuvell System and method of reporting and visualizing malware on mobile networks
US20080263661A1 (en) * 2007-04-23 2008-10-23 Mitsubishi Electric Corporation Detecting anomalies in signaling flows
US20080301810A1 (en) * 2007-06-04 2008-12-04 Agilent Technologies, Inc. Monitoring apparatus and method therefor
US20090077663A1 (en) * 2007-09-17 2009-03-19 Alcatel Lucent Score-based intrusion prevention system
US20100154059A1 (en) * 2008-12-11 2010-06-17 Kindsight Network based malware detection and reporting

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9118710B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc System, method, and computer program product for reporting an occurrence in different manners
US9118709B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US10154055B2 (en) 2003-07-01 2018-12-11 Securityprofiling, Llc Real-time vulnerability monitoring
US9100431B2 (en) 2003-07-01 2015-08-04 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US10021124B2 (en) 2003-07-01 2018-07-10 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US9117069B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Real-time vulnerability monitoring
US8984644B2 (en) 2003-07-01 2015-03-17 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118708B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Multi-path remediation
US9118711B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9350752B2 (en) 2003-07-01 2016-05-24 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US10104110B2 (en) 2003-07-01 2018-10-16 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9225686B2 (en) 2003-07-01 2015-12-29 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US10050988B2 (en) 2003-07-01 2018-08-14 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
CN102487339A (en) * 2010-12-01 2012-06-06 中兴通讯股份有限公司 Attack preventing method for network equipment and device
US9319425B2 (en) 2013-07-23 2016-04-19 Crypteia Networks S.A. Systems and methods for self-tuning network intrusion detection and prevention
WO2015013376A3 (en) * 2013-07-23 2015-11-26 Crypteia Networks S.A. Systems and methods for self-tuning network intrusion detection and prevention
US9392007B2 (en) 2013-11-04 2016-07-12 Crypteia Networks S.A. System and method for identifying infected networks and systems from unknown attacks
US9088618B1 (en) * 2014-04-18 2015-07-21 Kaspersky Lab Zao System and methods for ensuring fault tolerance of antivirus protection realized in a virtual environment
JP2015231138A (en) * 2014-06-05 2015-12-21 日本電信電話株式会社 Cyber attack practice system, practice environment providing method, and, practice environment providing program
CN105471854A (en) * 2015-11-18 2016-04-06 国网智能电网研究院 Adaptive boundary abnormity detection method based on multistage strategies
CN112100626A (en) * 2020-09-24 2020-12-18 成都信息工程大学 Development method for improving source code audit vulnerability hit rate

Also Published As

Publication number Publication date
WO2004042524A2 (en) 2004-05-21
AU2003287419A8 (en) 2004-06-07
AU2003287419A1 (en) 2004-06-07
US7603711B2 (en) 2009-10-13
WO2004042524A3 (en) 2004-11-18
US20040098623A1 (en) 2004-05-20

Similar Documents

Publication Publication Date Title
US7603711B2 (en) Intrusion detection system
Bace et al. Intrusion detection systems
US8640234B2 (en) Method and apparatus for predictive and actual intrusion detection on a network
US20150047032A1 (en) System and method for computer security
US20120084866A1 (en) Methods, systems, and media for measuring computer security
Mualfah et al. Network forensics for detecting flooding attack on web server
Beigh et al. Intrusion Detection and Prevention System: Classification and Quick
Kim et al. DSS for computer security incident response applying CBR and collaborative response
Kurundkar et al. Network intrusion detection using Snort
Almadhoob et al. Cybercrime prevention in the Kingdom of Bahrain via IT security audit plans
Aboelfotoh et al. A review of cyber-security measuring and assessment methods for modern enterprises
Kvarnström A survey of commercial tools for intrusion detection
Badea et al. Computer networks security based on the detection of user's behavior
LaPadula State of the art in anomaly detection and reaction
Allan Intrusion Detection Systems (IDSs): Perspective
Jayasekara Security operations & incident management: Case study analysis
Vuppala et al. Intrusion Detection & Prevention Systems-Sourcefire Snort
Nayak Research on application of intrusion detection system in data mining
Kanika Security of network using Ids and firewall
Yüksel Experimenting, threat detection and SIEM integration with custom created honeypots
Karie et al. Cybersecurity Incident Response in the Enterprise
Satti et al. Information security on Internet enterprise managed intrusion detection system (EMIDS)
Goodwin Attackers Inside the Walls: Detecting Malicious Activity.
Saoutine Barbarians at the Gate
Asarcıklı Firewall monitoring using intrusion detection systems

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION