CA2479504A1 - Method and system for reducing the false alarm rate of network intrusion detection systems - Google Patents
Method and system for reducing the false alarm rate of network intrusion detection systems Download PDFInfo
- Publication number
- CA2479504A1 CA2479504A1 CA002479504A CA2479504A CA2479504A1 CA 2479504 A1 CA2479504 A1 CA 2479504A1 CA 002479504 A CA002479504 A CA 002479504A CA 2479504 A CA2479504 A CA 2479504A CA 2479504 A1 CA2479504 A1 CA 2479504A1
- Authority
- CA
- Canada
- Prior art keywords
- operating system
- target host
- system fingerprint
- storage location
- new
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract 16
- 238000001514 detection method Methods 0.000 title claims abstract 7
- 238000010926 purge Methods 0.000 claims 8
- 238000012544 monitoring process Methods 0.000 claims 6
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
According to one embodiment of the invention, a method for reducing the false alarm rate of network intrusion detection systems includes receiving an alarm indicating a network intrusion may have occurred, identifying characteristics of the alarm, including at least an attack type and a target address, querying a target host associated with the target address for an operating system fingerprint, receiving the operating system fingerprint that includes the operating system type from the target host, comparing the attack type to the operating system type, and indicating whether the target host is vulnerable to the attack based on the comparison.
Claims (22)
1. A method for reducing the false alarm rate of network intrusion detection systems, comprising:
receiving an alarm indicating a network intrusion may have occurred;
identifying characteristics of the alarm, including at least an attack type and a target address;
querying a target host associated with the target address for an operating system fingerprint;
receiving the operating system fingerprint that includes the operating system type from the target host;
comparing the attack type to the operating system type; and indicating whether the target host is vulnerable to the attack based on the comparison.
receiving an alarm indicating a network intrusion may have occurred;
identifying characteristics of the alarm, including at least an attack type and a target address;
querying a target host associated with the target address for an operating system fingerprint;
receiving the operating system fingerprint that includes the operating system type from the target host;
comparing the attack type to the operating system type; and indicating whether the target host is vulnerable to the attack based on the comparison.
2. The method of Claim 1, further comprising storing the operating system fingerprint of the target host in a storage location for a time period.
3. The method of Claim 1, further comprising:
before querying the target host, accessing a storage location;
determining whether the operating system fingerprint for the target host already exists in the storage location; and if the operating system fingerprint for the target host does not exist, then continuing the method with the querying step; and if the operating system fingerprint for the target host does exist, then:
determining if a cache entry time for the target address is valid; and if the cache entry time is valid, then continuing the method with the comparing step;
otherwise if the cache entry time is invalid, then continuing the method with the querying step.
before querying the target host, accessing a storage location;
determining whether the operating system fingerprint for the target host already exists in the storage location; and if the operating system fingerprint for the target host does not exist, then continuing the method with the querying step; and if the operating system fingerprint for the target host does exist, then:
determining if a cache entry time for the target address is valid; and if the cache entry time is valid, then continuing the method with the comparing step;
otherwise if the cache entry time is invalid, then continuing the method with the querying step.
4. The method of Claim 1, further comprising:
monitoring a dynamic configuration protocol server;
detecting that a lease issue has occurred for a new target host;
accessing a storage location;
determining whether an operating system fingerprint for the new target host already exists in the storage location; and if the operating system fingerprint for the new target host does not exist, then:
querying the new target host for the operating system fingerprint;
receiving the operating system fingerprint from the new target host; and storing the operating system fingerprint of the new target host in the storage location for a length of time; and if the operating system fingerprint for the new target host does exist, then:
purging the existing operating system fingerprint for the new target host from the storage location;
querying the new target host for a new operating system fingerprint;
receiving the new operating system fingerprint from the new target host; and storing the new operating system fingerprint of the new target host in the storage location for a length of time.
monitoring a dynamic configuration protocol server;
detecting that a lease issue has occurred for a new target host;
accessing a storage location;
determining whether an operating system fingerprint for the new target host already exists in the storage location; and if the operating system fingerprint for the new target host does not exist, then:
querying the new target host for the operating system fingerprint;
receiving the operating system fingerprint from the new target host; and storing the operating system fingerprint of the new target host in the storage location for a length of time; and if the operating system fingerprint for the new target host does exist, then:
purging the existing operating system fingerprint for the new target host from the storage location;
querying the new target host for a new operating system fingerprint;
receiving the new operating system fingerprint from the new target host; and storing the new operating system fingerprint of the new target host in the storage location for a length of time.
5. The method of Claim 1, further comprising:
monitoring a dynamic configuration protocol server;
detecting that a lease expire has occurred for an existing target host;
accessing a storage location;
determining whether an operating system fingerprint for the existing target host already exists in the storage location; and if the operating system fingerprint for the existing target host does not exist, then disregarding the lease expire; and if the operating system fingerprint for the existing target host does exist, then purging the existing operating system fingerprint for the existing target host from the storage location.
monitoring a dynamic configuration protocol server;
detecting that a lease expire has occurred for an existing target host;
accessing a storage location;
determining whether an operating system fingerprint for the existing target host already exists in the storage location; and if the operating system fingerprint for the existing target host does not exist, then disregarding the lease expire; and if the operating system fingerprint for the existing target host does exist, then purging the existing operating system fingerprint for the existing target host from the storage location.
6. The method of Claim 1, further comprising:
after receiving the alarm, determining whether a format for the alarm is valid; and if the format is not valid, then disregarding the alarm; otherwise if the format is valid, then continuing the method with the identifying step.
after receiving the alarm, determining whether a format for the alarm is valid; and if the format is not valid, then disregarding the alarm; otherwise if the format is valid, then continuing the method with the identifying step.
7. A method for reducing the false alarm rate of network intrusion detection systems, comprising:
receiving an alarm indicating a network intrusion may have occurred;
identifying characteristics of the alarm, including at least an attack type, a source address, a target address, an alarm severity, and an alarm description;
accessing a storage location;
determining whether an operating system fingerprint for a target host associated with the target address already exists in the storage location;
if the operating system fingerprint for the target host does not exist, then:
querying the target host for the operating system fingerprint;
receiving the operating system fingerprint that includes the operating system type from the target host;
comparing the attack type to the operating system type; and indicating whether the target host is vulnerable to the attack based on the comparison;
if the operating system fingerprint for the target host does exist, then:
determining if a cache entry time for the target address is valid; and if the cache entry time is invalid, then:
querying the target host for the operating system fingerprint;
receiving the operating system fingerprint that includes the operating system type from the target host;
comparing the attack type to the operating system type; and indicating whether the target host is vulnerable to the attack based on the comparison;
if the cache entry time is valid, then:
comparing the attack type to the operating system type; and indicating whether the target host is vulnerable to the attack based on the comparison.
receiving an alarm indicating a network intrusion may have occurred;
identifying characteristics of the alarm, including at least an attack type, a source address, a target address, an alarm severity, and an alarm description;
accessing a storage location;
determining whether an operating system fingerprint for a target host associated with the target address already exists in the storage location;
if the operating system fingerprint for the target host does not exist, then:
querying the target host for the operating system fingerprint;
receiving the operating system fingerprint that includes the operating system type from the target host;
comparing the attack type to the operating system type; and indicating whether the target host is vulnerable to the attack based on the comparison;
if the operating system fingerprint for the target host does exist, then:
determining if a cache entry time for the target address is valid; and if the cache entry time is invalid, then:
querying the target host for the operating system fingerprint;
receiving the operating system fingerprint that includes the operating system type from the target host;
comparing the attack type to the operating system type; and indicating whether the target host is vulnerable to the attack based on the comparison;
if the cache entry time is valid, then:
comparing the attack type to the operating system type; and indicating whether the target host is vulnerable to the attack based on the comparison.
8. The method of Claim 7, further comprising storing the operating system fingerprint of the target host in the storage location for a time period.
9. The method of Claim 7, further comprising:
monitoring a dynamic configuration protocol server;
detecting that a lease issue has occurred for a new target host;
accessing the storage location;
determining whether an operating system fingerprint for the new target host already exists in the storage location; and if the operating system fingerprint for the new target host does not exist, then:
querying the new target host for the operating system fingerprint;
receiving the operating system fingerprint from the new target host; and storing the operating system fingerprint of the new target host in the storage location for a length of time; and if the operating system fingerprint for the new target host does exist, then:
purging the existing operating system fingerprint for the new target host from the storage location;
querying the new target host for a new operating system fingerprint;
receiving the new operating system fingerprint from the new target host; and storing the new operating system fingerprint of the new target host in the storage location for a length of time.
monitoring a dynamic configuration protocol server;
detecting that a lease issue has occurred for a new target host;
accessing the storage location;
determining whether an operating system fingerprint for the new target host already exists in the storage location; and if the operating system fingerprint for the new target host does not exist, then:
querying the new target host for the operating system fingerprint;
receiving the operating system fingerprint from the new target host; and storing the operating system fingerprint of the new target host in the storage location for a length of time; and if the operating system fingerprint for the new target host does exist, then:
purging the existing operating system fingerprint for the new target host from the storage location;
querying the new target host for a new operating system fingerprint;
receiving the new operating system fingerprint from the new target host; and storing the new operating system fingerprint of the new target host in the storage location for a length of time.
10. The method of Claim 7, further comprising:
monitoring a dynamic configuration protocol server;
detecting that a lease expire has occurred for an existing target host;
accessing the storage location;
determining whether an operating system fingerprint for the existing target host already exists in the storage location; and if the operating system fingerprint for the existing target host does not exist, then disregarding the lease expire; and if the operating system fingerprint for the existing target host does exist, then purging the existing operating system fingerprint for the existing target host from the storage location.
monitoring a dynamic configuration protocol server;
detecting that a lease expire has occurred for an existing target host;
accessing the storage location;
determining whether an operating system fingerprint for the existing target host already exists in the storage location; and if the operating system fingerprint for the existing target host does not exist, then disregarding the lease expire; and if the operating system fingerprint for the existing target host does exist, then purging the existing operating system fingerprint for the existing target host from the storage location.
11. A system for reducing the false alarm rate of network intrusion detection systems, comprising:
a network intrusion detection system (NIDS) operable to transmit an alarm indicating an attack on a network may have occurred;
a software program embodied in a computer readable medium, the software program, when executed by a processor, operable to:
receive the alarm;
identify characteristics of the alarm, including at least an attack type and a target address;
query a target host associated with the target address for an operating system fingerprint;
receive the operating system fingerprint that includes the operating system type from the target host;
compare the attack type to the operating system type; and indicate whether the target host is vulnerable to the attack based on the comparison.
a network intrusion detection system (NIDS) operable to transmit an alarm indicating an attack on a network may have occurred;
a software program embodied in a computer readable medium, the software program, when executed by a processor, operable to:
receive the alarm;
identify characteristics of the alarm, including at least an attack type and a target address;
query a target host associated with the target address for an operating system fingerprint;
receive the operating system fingerprint that includes the operating system type from the target host;
compare the attack type to the operating system type; and indicate whether the target host is vulnerable to the attack based on the comparison.
12. The system of Claim 11, further comprising a storage location operable to store the operating system fingerprint of the target host for a time period.
13. The system of Claim 11, wherein the software program is further operable to:
access a storage location before querying the target host;
determine whether the operating system fingerprint for the target host already exists in the storage location; and if the operating system fingerprint for the target host does not exist, then continue with the querying step; otherwise if the operating system fingerprint for the target host does exist, then the software program is further operable to:
determine if a cache entry time for the target address is valid; and if the cache entry time is valid, then continue with the comparing step; otherwise if the cache entry time is invalid, then continue with the querying step.
access a storage location before querying the target host;
determine whether the operating system fingerprint for the target host already exists in the storage location; and if the operating system fingerprint for the target host does not exist, then continue with the querying step; otherwise if the operating system fingerprint for the target host does exist, then the software program is further operable to:
determine if a cache entry time for the target address is valid; and if the cache entry time is valid, then continue with the comparing step; otherwise if the cache entry time is invalid, then continue with the querying step.
14. The system of Claim 11, wherein the software program is further operable to:
monitor a dynamic configuration protocol server;
detect that a lease issue has occurred for a new target host;
access a storage location;
determine whether an operating system fingerprint for the new target host already exists in the storage location; and if the operating system fingerprint for the new target host does not exist, then the software program is further operable to:
query the new target host for the operating system fingerprint;
receive the operating system fingerprint from the new target host; and store the operating system fingerprint of the new target host in the storage location for a length of time; and if the operating system fingerprint for the new target host does exist, then the software program is further operable to:
purge the existing operating system fingerprint for the new target host from the storage location;
query the new target host for a new operating system fingerprint;
receive the new operating system fingerprint from the new target host; and store the new operating system fingerprint of the new target host in the storage location for a length of time.
monitor a dynamic configuration protocol server;
detect that a lease issue has occurred for a new target host;
access a storage location;
determine whether an operating system fingerprint for the new target host already exists in the storage location; and if the operating system fingerprint for the new target host does not exist, then the software program is further operable to:
query the new target host for the operating system fingerprint;
receive the operating system fingerprint from the new target host; and store the operating system fingerprint of the new target host in the storage location for a length of time; and if the operating system fingerprint for the new target host does exist, then the software program is further operable to:
purge the existing operating system fingerprint for the new target host from the storage location;
query the new target host for a new operating system fingerprint;
receive the new operating system fingerprint from the new target host; and store the new operating system fingerprint of the new target host in the storage location for a length of time.
15. The system of Claim 11, wherein the software program is further operable to:
monitor a dynamic configuration protocol server;
detect that a lease expire has occurred for an existing target host;
access a storage location;
determine whether an operating system fingerprint for the existing target host already exists in the storage location; and if the operating system fingerprint for the existing target host does not exist, then disregard the lease expire; and if the operating system fingerprint for the existing target host does exist, then purge the existing operating system fingerprint for the existing target host from the storage location.
monitor a dynamic configuration protocol server;
detect that a lease expire has occurred for an existing target host;
access a storage location;
determine whether an operating system fingerprint for the existing target host already exists in the storage location; and if the operating system fingerprint for the existing target host does not exist, then disregard the lease expire; and if the operating system fingerprint for the existing target host does exist, then purge the existing operating system fingerprint for the existing target host from the storage location.
16. The system of Claim 11, wherein the software program has no knowledge of the protected network architecture.
17. The system of Claim 11, wherein the NIDS is vendor independent.
18. A system for reducing the false alarm rate of network intrusion detection systems, comprising:
means for receiving an alarm indicating a network intrusion may have occurred;
means for identifying characteristics of the alarm, including at least an attack type and a target address;
means for querying a target host associated with the target address for an operating system fingerprint;
means for receiving the operating system fingerprint that includes the operating system type from the target host;
means for comparing the attack type to the operating system type; and means for indicating whether the target host is vulnerable to the attack based on the comparison.
means for receiving an alarm indicating a network intrusion may have occurred;
means for identifying characteristics of the alarm, including at least an attack type and a target address;
means for querying a target host associated with the target address for an operating system fingerprint;
means for receiving the operating system fingerprint that includes the operating system type from the target host;
means for comparing the attack type to the operating system type; and means for indicating whether the target host is vulnerable to the attack based on the comparison.
19. The system of Claim 18, further comprising means for storing the operating system fingerprint of the target host in a storage location for a time period.
20. The system of Claim 18, further comprising:
means for accessing a storage location;
means for determining whether the operating system fingerprint for the target host already exists in the storage location; and if the operating system fingerprint for the target host does exist, then means for determining if a cache entry time for the target address is valid.
means for accessing a storage location;
means for determining whether the operating system fingerprint for the target host already exists in the storage location; and if the operating system fingerprint for the target host does exist, then means for determining if a cache entry time for the target address is valid.
21. The system of Claim 18, further comprising:
means for monitoring a dynamic configuration protocol server;
means for detecting that a lease issue has occurred for a new target host;
means for accessing a storage location;
means for determining whether an operating system fingerprint for the new target host already exists in the storage location; and if the operating system fingerprint for the new target host does not exist, then further comprising:
means for querying the new target host for the operating system fingerprint;
means for receiving the operating system fingerprint from the new target host; and means for storing the operating system fingerprint of the new target host in the storage location for a length of time; and if the operating system fingerprint for the new target host does exist, then further comprising:
means for purging the existing operating system fingerprint for the new target host from the storage location;
means for querying the new target host for a new operating system fingerprint;
means for receiving the new operating system fingerprint from the new target host; and means for storing the new operating system fingerprint of the new target host in the storage location for a length of time.
means for monitoring a dynamic configuration protocol server;
means for detecting that a lease issue has occurred for a new target host;
means for accessing a storage location;
means for determining whether an operating system fingerprint for the new target host already exists in the storage location; and if the operating system fingerprint for the new target host does not exist, then further comprising:
means for querying the new target host for the operating system fingerprint;
means for receiving the operating system fingerprint from the new target host; and means for storing the operating system fingerprint of the new target host in the storage location for a length of time; and if the operating system fingerprint for the new target host does exist, then further comprising:
means for purging the existing operating system fingerprint for the new target host from the storage location;
means for querying the new target host for a new operating system fingerprint;
means for receiving the new operating system fingerprint from the new target host; and means for storing the new operating system fingerprint of the new target host in the storage location for a length of time.
22. The system of Claim 18, further comprising:
means for monitoring a dynamic configuration protocol server;
means for detecting that a lease expire has occurred for an existing target host;
means for accessing a storage location;
means for determining whether an operating system fingerprint for the existing target host already exists in the storage location; and if the operating system fingerprint for the existing target host does not exist, then disregarding the lease expire; and if the operating system fingerprint for the existing target host does exist, then means for purging the existing operating system fingerprint for the existing target host from the storage location.
means for monitoring a dynamic configuration protocol server;
means for detecting that a lease expire has occurred for an existing target host;
means for accessing a storage location;
means for determining whether an operating system fingerprint for the existing target host already exists in the storage location; and if the operating system fingerprint for the existing target host does not exist, then disregarding the lease expire; and if the operating system fingerprint for the existing target host does exist, then means for purging the existing operating system fingerprint for the existing target host from the storage location.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US31915902P | 2002-03-29 | 2002-03-29 | |
US60/319,159 | 2002-03-29 | ||
PCT/US2003/009665 WO2003084181A1 (en) | 2002-03-29 | 2003-03-28 | Method and system for reducing the false alarm rate of network intrusion detection systems |
Publications (2)
Publication Number | Publication Date |
---|---|
CA2479504A1 true CA2479504A1 (en) | 2003-10-09 |
CA2479504C CA2479504C (en) | 2010-07-13 |
Family
ID=28675210
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA2479504A Expired - Fee Related CA2479504C (en) | 2002-03-29 | 2003-03-28 | Method and system for reducing the false alarm rate of network intrusion detection systems |
Country Status (8)
Country | Link |
---|---|
US (1) | US7886357B2 (en) |
EP (1) | EP1491019B1 (en) |
CN (1) | CN1643876B (en) |
AT (1) | ATE483310T1 (en) |
AU (2) | AU2003220582A1 (en) |
CA (1) | CA2479504C (en) |
DE (1) | DE60334368D1 (en) |
WO (1) | WO2003084181A1 (en) |
Families Citing this family (43)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7073198B1 (en) * | 1999-08-26 | 2006-07-04 | Ncircle Network Security, Inc. | Method and system for detecting a vulnerability in a network |
US6957348B1 (en) | 2000-01-10 | 2005-10-18 | Ncircle Network Security, Inc. | Interoperability of vulnerability and intrusion detection systems |
US7181769B1 (en) | 2000-08-25 | 2007-02-20 | Ncircle Network Security, Inc. | Network security system having a device profiler communicatively coupled to a traffic monitor |
US7506374B2 (en) * | 2001-10-31 | 2009-03-17 | Computer Associates Think, Inc. | Memory scanning system and method |
AU2003220582A1 (en) | 2002-03-29 | 2003-10-13 | Cisco Technology, Inc. | Method and system for reducing the false alarm rate of network intrusion detection systems |
AU2003243253B2 (en) * | 2002-05-14 | 2009-12-03 | Cisco Technology, Inc. | Method and system for analyzing and addressing alarms from network intrusion detection systems |
US7496662B1 (en) | 2003-05-12 | 2009-02-24 | Sourcefire, Inc. | Systems and methods for determining characteristics of a network and assessing confidence |
AU2003279517A1 (en) * | 2003-08-11 | 2005-02-25 | Telecom Italia S.P.A. | Method and system for detecting unauthorised use of a communication network |
US7805762B2 (en) * | 2003-10-15 | 2010-09-28 | Cisco Technology, Inc. | Method and system for reducing the false alarm rate of network intrusion detection systems |
US20070297349A1 (en) * | 2003-11-28 | 2007-12-27 | Ofir Arkin | Method and System for Collecting Information Relating to a Communication Network |
CN1886935B (en) * | 2003-11-28 | 2014-05-14 | 迈克菲爱尔兰控股有限公司 | Method and system for collecting information relating to communication network and operation system of operation on communication network node |
US7895448B1 (en) * | 2004-02-18 | 2011-02-22 | Symantec Corporation | Risk profiling |
US20050229250A1 (en) * | 2004-02-26 | 2005-10-13 | Ring Sandra E | Methodology, system, computer readable medium, and product providing a security software suite for handling operating system exploitations |
FR2868227B1 (en) * | 2004-03-26 | 2006-05-26 | Radiotelephone Sfr | METHOD FOR SUPERVISING THE SECURITY OF A NETWORK |
US7904960B2 (en) * | 2004-04-27 | 2011-03-08 | Cisco Technology, Inc. | Source/destination operating system type-based IDS virtualization |
US7539681B2 (en) | 2004-07-26 | 2009-05-26 | Sourcefire, Inc. | Methods and systems for multi-pattern searching |
CN100435513C (en) * | 2005-06-30 | 2008-11-19 | 杭州华三通信技术有限公司 | Method of linking network equipment and invading detection system |
CN100386993C (en) * | 2005-09-05 | 2008-05-07 | 北京启明星辰信息技术有限公司 | Network invading event risk evaluating method and system |
US8046833B2 (en) * | 2005-11-14 | 2011-10-25 | Sourcefire, Inc. | Intrusion event correlation with network discovery information |
US7733803B2 (en) * | 2005-11-14 | 2010-06-08 | Sourcefire, Inc. | Systems and methods for modifying network map attributes |
US7948988B2 (en) | 2006-07-27 | 2011-05-24 | Sourcefire, Inc. | Device, system and method for analysis of fragments in a fragment train |
US7701945B2 (en) * | 2006-08-10 | 2010-04-20 | Sourcefire, Inc. | Device, system and method for analysis of segments in a transmission control protocol (TCP) session |
US8458308B1 (en) * | 2006-08-23 | 2013-06-04 | Infoblox Inc. | Operating system fingerprinting |
US8069352B2 (en) * | 2007-02-28 | 2011-11-29 | Sourcefire, Inc. | Device, system and method for timestamp analysis of segments in a transmission control protocol (TCP) session |
US8127353B2 (en) | 2007-04-30 | 2012-02-28 | Sourcefire, Inc. | Real-time user awareness for a computer network |
US8850568B2 (en) * | 2008-03-07 | 2014-09-30 | Qualcomm Incorporated | Method and apparatus for detecting unauthorized access to a computing device and securely communicating information about such unauthorized access |
US8839460B2 (en) * | 2008-03-07 | 2014-09-16 | Qualcomm Incorporated | Method for securely communicating information about the location of a compromised computing device |
US8474043B2 (en) | 2008-04-17 | 2013-06-25 | Sourcefire, Inc. | Speed and memory optimization of intrusion detection system (IDS) and intrusion prevention system (IPS) rule processing |
US8272055B2 (en) | 2008-10-08 | 2012-09-18 | Sourcefire, Inc. | Target-based SMB and DCE/RPC processing for an intrusion detection system or intrusion prevention system |
CA2789824C (en) | 2010-04-16 | 2018-11-06 | Sourcefire, Inc. | System and method for near-real time network attack detection, and system and method for unified detection via detection routing |
US8433790B2 (en) | 2010-06-11 | 2013-04-30 | Sourcefire, Inc. | System and method for assigning network blocks to sensors |
US8671182B2 (en) | 2010-06-22 | 2014-03-11 | Sourcefire, Inc. | System and method for resolving operating system or service identity conflicts |
CA2895957C (en) * | 2010-07-01 | 2022-04-05 | Mariano Nunez Di Croce | Automated security assessment of business-critical systems and applications |
US8499173B2 (en) * | 2010-11-23 | 2013-07-30 | Lockheed Martin Corporation | Apparatus and method for protection of circuit boards from tampering |
US8601034B2 (en) | 2011-03-11 | 2013-12-03 | Sourcefire, Inc. | System and method for real time data awareness |
US9055090B2 (en) * | 2012-06-12 | 2015-06-09 | Verizon Patent And Licensing Inc. | Network based device security and controls |
CN104038372B (en) * | 2014-05-30 | 2016-03-09 | 国家电网公司 | Electric power wide area flux monitoring method |
US9680855B2 (en) | 2014-06-30 | 2017-06-13 | Neo Prime, LLC | Probabilistic model for cyber risk forecasting |
US9710364B2 (en) | 2015-09-04 | 2017-07-18 | Micron Technology Licensing, Llc | Method of detecting false test alarms using test step failure analysis |
US10999307B2 (en) * | 2016-05-19 | 2021-05-04 | Infinite Group, Inc. | Network assessment systems and methods thereof |
CN107506443A (en) * | 2017-08-25 | 2017-12-22 | 国网辽宁省电力有限公司 | A kind of cross-platform intelligent data transmission method |
CN111565203B (en) * | 2020-07-16 | 2020-10-23 | 腾讯科技(深圳)有限公司 | Method, device and system for protecting service request and computer equipment |
CN112019538B (en) * | 2020-08-26 | 2023-05-26 | 国网山东省电力公司滨州供电公司 | Remote intelligent alarm system and method for safety equipment and storage medium |
Family Cites Families (48)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
ATE224620T1 (en) * | 1995-05-08 | 2002-10-15 | Koninkl Kpn Nv | ARRANGEMENT AND METHOD FOR PROTOCOL IMPLEMENTATION |
US5991881A (en) * | 1996-11-08 | 1999-11-23 | Harris Corporation | Network surveillance system |
US5919257A (en) * | 1997-08-08 | 1999-07-06 | Novell, Inc. | Networked workstation intrusion detection system |
US5961644A (en) * | 1997-09-19 | 1999-10-05 | International Business Machines Corporation | Method and apparatus for testing the integrity of computer security alarm systems |
US6148407A (en) * | 1997-09-30 | 2000-11-14 | Intel Corporation | Method and apparatus for producing computer platform fingerprints |
US6070244A (en) * | 1997-11-10 | 2000-05-30 | The Chase Manhattan Bank | Computer network security management system |
US6279113B1 (en) * | 1998-03-16 | 2001-08-21 | Internet Tools, Inc. | Dynamic signature inspection-based network intrusion detection |
US6408391B1 (en) * | 1998-05-06 | 2002-06-18 | Prc Inc. | Dynamic system defense for information warfare |
US6275942B1 (en) * | 1998-05-20 | 2001-08-14 | Network Associates, Inc. | System, method and computer program product for automatic response to computer system misuse using active response modules |
US6182223B1 (en) * | 1998-06-10 | 2001-01-30 | International Business Machines Corporation | Method and apparatus for preventing unauthorized access to computer-stored information |
US6282546B1 (en) * | 1998-06-30 | 2001-08-28 | Cisco Technology, Inc. | System and method for real-time insertion of data into a multi-dimensional database for network intrusion detection and vulnerability assessment |
US6134664A (en) * | 1998-07-06 | 2000-10-17 | Prc Inc. | Method and system for reducing the volume of audit data and normalizing the audit data received from heterogeneous sources |
DE69817176T2 (en) * | 1998-09-09 | 2004-06-24 | International Business Machines Corp. | Method and device for intrusion detection in computers and computer networks |
US6460141B1 (en) * | 1998-10-28 | 2002-10-01 | Rsa Security Inc. | Security and access management system for web-enabled and non-web-enabled applications and content on a computer network |
US6564216B2 (en) * | 1998-10-29 | 2003-05-13 | Nortel Networks Limited | Server manager |
US6415321B1 (en) * | 1998-12-29 | 2002-07-02 | Cisco Technology, Inc. | Domain mapping method and system |
US6301668B1 (en) * | 1998-12-29 | 2001-10-09 | Cisco Technology, Inc. | Method and system for adaptive network security using network vulnerability assessment |
US6477651B1 (en) * | 1999-01-08 | 2002-11-05 | Cisco Technology, Inc. | Intrusion detection system and method having dynamically loaded signatures |
US6839850B1 (en) * | 1999-03-04 | 2005-01-04 | Prc, Inc. | Method and system for detecting intrusion into and misuse of a data processing system |
US6725377B1 (en) * | 1999-03-12 | 2004-04-20 | Networks Associates Technology, Inc. | Method and system for updating anti-intrusion software |
US6405318B1 (en) * | 1999-03-12 | 2002-06-11 | Psionic Software, Inc. | Intrusion detection system |
WO2000070464A1 (en) | 1999-05-14 | 2000-11-23 | L-3 Communications Corporation | Object oriented security analysis tool |
US7073198B1 (en) * | 1999-08-26 | 2006-07-04 | Ncircle Network Security, Inc. | Method and system for detecting a vulnerability in a network |
US6647400B1 (en) * | 1999-08-30 | 2003-11-11 | Symantec Corporation | System and method for analyzing filesystems to detect intrusions |
US6990591B1 (en) * | 1999-11-18 | 2006-01-24 | Secureworks, Inc. | Method and system for remotely configuring and monitoring a communication device |
US6957348B1 (en) * | 2000-01-10 | 2005-10-18 | Ncircle Network Security, Inc. | Interoperability of vulnerability and intrusion detection systems |
CN1310393A (en) * | 2000-02-24 | 2001-08-29 | 英业达股份有限公司 | Computer viral infection preventing method |
US7159237B2 (en) * | 2000-03-16 | 2007-01-02 | Counterpane Internet Security, Inc. | Method and system for dynamic network intrusion monitoring, detection and response |
US7574740B1 (en) * | 2000-04-28 | 2009-08-11 | International Business Machines Corporation | Method and system for intrusion detection in a computer network |
US7162649B1 (en) * | 2000-06-30 | 2007-01-09 | Internet Security Systems, Inc. | Method and apparatus for network assessment and authentication |
US7917393B2 (en) | 2000-09-01 | 2011-03-29 | Sri International, Inc. | Probabilistic alert correlation |
WO2002069194A1 (en) * | 2000-10-23 | 2002-09-06 | Xacct Technologies, Ltd. | Data collection system and method for reducing latency |
WO2002056152A2 (en) * | 2001-01-10 | 2002-07-18 | Psionic Software Inc | Computer security and management system |
US20030056116A1 (en) * | 2001-05-18 | 2003-03-20 | Bunker Nelson Waldo | Reporter |
US7237264B1 (en) * | 2001-06-04 | 2007-06-26 | Internet Security Systems, Inc. | System and method for preventing network misuse |
US6513122B1 (en) * | 2001-06-29 | 2003-01-28 | Networks Associates Technology, Inc. | Secure gateway for analyzing textual content to identify a harmful impact on computer systems with known vulnerabilities |
US7444679B2 (en) * | 2001-10-31 | 2008-10-28 | Hewlett-Packard Development Company, L.P. | Network, method and computer readable medium for distributing security updates to select nodes on a network |
US7197762B2 (en) * | 2001-10-31 | 2007-03-27 | Hewlett-Packard Development Company, L.P. | Method, computer readable medium, and node for a three-layered intrusion prevention system for detecting network exploits |
US6714513B1 (en) * | 2001-12-21 | 2004-03-30 | Networks Associates Technology, Inc. | Enterprise network analyzer agent system and method |
US7152105B2 (en) * | 2002-01-15 | 2006-12-19 | Mcafee, Inc. | System and method for network vulnerability detection and reporting |
US6941467B2 (en) * | 2002-03-08 | 2005-09-06 | Ciphertrust, Inc. | Systems and methods for adaptive message interrogation through multiple queues |
US20030196123A1 (en) * | 2002-03-29 | 2003-10-16 | Rowland Craig H. | Method and system for analyzing and addressing alarms from network intrusion detection systems |
AU2003220582A1 (en) | 2002-03-29 | 2003-10-13 | Cisco Technology, Inc. | Method and system for reducing the false alarm rate of network intrusion detection systems |
AU2003243253B2 (en) | 2002-05-14 | 2009-12-03 | Cisco Technology, Inc. | Method and system for analyzing and addressing alarms from network intrusion detection systems |
KR100456635B1 (en) * | 2002-11-14 | 2004-11-10 | 한국전자통신연구원 | Method and system for defensing distributed denial of service |
US7904960B2 (en) | 2004-04-27 | 2011-03-08 | Cisco Technology, Inc. | Source/destination operating system type-based IDS virtualization |
NO20050564D0 (en) | 2005-02-02 | 2005-02-02 | Tore Lysemose Hansen | Program monitor to identify unauthorized intrusion into computer systems |
WO2007122495A2 (en) | 2006-04-21 | 2007-11-01 | Axalto Sa | A framework for protecting resource-constrained network devices from denial-of-service attacks |
-
2003
- 2003-03-28 AU AU2003220582A patent/AU2003220582A1/en not_active Abandoned
- 2003-03-28 EP EP03716896A patent/EP1491019B1/en not_active Expired - Lifetime
- 2003-03-28 DE DE60334368T patent/DE60334368D1/en not_active Expired - Lifetime
- 2003-03-28 US US10/402,649 patent/US7886357B2/en active Active
- 2003-03-28 AT AT03716896T patent/ATE483310T1/en not_active IP Right Cessation
- 2003-03-28 CA CA2479504A patent/CA2479504C/en not_active Expired - Fee Related
- 2003-03-28 WO PCT/US2003/009665 patent/WO2003084181A1/en not_active Application Discontinuation
- 2003-03-28 CN CN038073196A patent/CN1643876B/en not_active Expired - Lifetime
-
2008
- 2008-10-09 AU AU2008229835A patent/AU2008229835B2/en not_active Ceased
Also Published As
Publication number | Publication date |
---|---|
US20030212910A1 (en) | 2003-11-13 |
CN1643876B (en) | 2010-09-29 |
AU2003220582A1 (en) | 2003-10-13 |
DE60334368D1 (en) | 2010-11-11 |
AU2008229835A1 (en) | 2008-11-06 |
CN1643876A (en) | 2005-07-20 |
EP1491019B1 (en) | 2010-09-29 |
ATE483310T1 (en) | 2010-10-15 |
CA2479504C (en) | 2010-07-13 |
EP1491019A1 (en) | 2004-12-29 |
WO2003084181A1 (en) | 2003-10-09 |
US7886357B2 (en) | 2011-02-08 |
AU2008229835B2 (en) | 2010-12-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2479504A1 (en) | Method and system for reducing the false alarm rate of network intrusion detection systems | |
US7805762B2 (en) | Method and system for reducing the false alarm rate of network intrusion detection systems | |
US7900194B1 (en) | Kernel-based intrusion detection using bloom filters | |
US7596810B2 (en) | Apparatus and method of detecting network attack situation | |
US20030196123A1 (en) | Method and system for analyzing and addressing alarms from network intrusion detection systems | |
JP2008021274A (en) | Process monitoring device and method | |
WO2001084270A3 (en) | Method and system for intrusion detection in a computer network | |
JP2007094997A (en) | Event analysis of ids and warning system | |
US20190371139A1 (en) | Intrustion detection and notification device | |
CN112748987A (en) | Behavior security processing method and device based on virtual host | |
US6470425B1 (en) | Cache line replacement threshold based on sequential hits or misses | |
US20060015939A1 (en) | Method and system to protect a file system from viral infections | |
CA2484461A1 (en) | Method and system for analyzing and addressing alarms from network intrusion detection systems | |
US8271774B1 (en) | Circumstantial blocking of incoming network traffic containing code | |
JP2004030287A (en) | Bi-directional network intrusion detection system and bi-directional intrusion detection program | |
CN115225321A (en) | Financial data anti-theft alarm system and method based on big data | |
JP2000105745A (en) | Stolen computer information notice system | |
WO2021035429A1 (en) | Method and system for security management on a mobile storage device | |
JP2006201890A (en) | Device for taking countermeasures against program abnormality | |
JP2011034319A (en) | Terminal operation state monitoring system, terminal operation state monitoring method, and terminal operation state monitoring program | |
JP2019067031A (en) | Unauthorized software detection system | |
JP2009116792A (en) | Server device, information processor, information processing method and program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
EEER | Examination request | ||
MKLA | Lapsed |
Effective date: 20180328 |