US20050193429A1 - Integrated data traffic monitoring system - Google Patents
- Publication number: US20050193429A1
- Application number: US11/042,493
- Authority: US (United States)
- Prior art keywords
- packet
- event
- event data
- analysis
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
        - H04L41/16—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
      - H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
        - H04L51/21—Monitoring or handling of messages
          - H04L51/212—Monitoring or handling of messages using filtering or selective blocking
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
          - H04L63/0227—Filtering policies
            - H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
            - H04L63/0245—Filtering by information in the payload
            - H04L63/0254—Stateful filtering
            - H04L63/0263—Rule management
          - H04L63/0281—Proxies
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1416—Event detection, e.g. attack signature detection
            - H04L63/1425—Traffic logging, e.g. anomaly detection
          - H04L63/1441—Countermeasures against malicious traffic
            - H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
            - H04L63/1458—Denial of Service
            - H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
            - H04L63/1475—Passive attacks, e.g. eavesdropping or listening without modification of the traffic monitored
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/55—Detecting local intrusion or implementing counter-measures
            - G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
Definitions
- This application relates generally to monitoring data traffic related to computing systems, and more particularly to an integrated system for monitoring data traffic.
- Some common monitor modules and their functions include:
- Monitor modules such as those described above each perform a different monitoring and/or security function and are usually provided as a separate and distinct application (or device, depending on the implementation) on the computing system. Because computing system administrators wish to select and employ only those monitor modules deemed necessary, most monitor modules are designed to be standalone modules that function independently of the existence of other monitor modules. Therefore, each monitor module independently generates and tracks various data as necessary to perform its function, regardless of whether the same data is being tracked or generated by other monitor modules.
- monitor modules are not designed to interface with other monitor modules or even provide data in a format useful to other monitor modules. Therefore, monitor modules are not capable of taking advantage of information known to other monitor modules or reacting to actions being performed by other monitor modules.
- For example, an anti-virus filter might include a file of known viruses that it uses when screening message traffic received by the computing system. Any message containing a file that includes a virus identified in the known-virus file is deleted, quarantined, or otherwise acted on by the virus filter without input from, or knowledge of, the other monitor modules.
- an anti-spam filter may include a list of words or other information that it uses to screen out messages received by an e-mail application.
- These monitor modules may report data to an administrator of the computing system indicating that viruses or spam have been detected or that actions have been taken, but the other monitor modules on the computing system are unaware of and make their own decisions independent of any such knowledge or actions. It is left to the administrator to determine from the data if another monitor module needs to be provided with this new data to more effectively perform its function.
- Each disparate monitor module has its own requirements for evaluating messages received from the communication network.
- In the case of an anti-virus filter, the entire message is typically received before the filter makes its analysis. The same is true for the anti-spam filter.
- a firewall can delete the packets that make up a communication as the packets arrive, preventing them from ever being passed into the computing system proper. However, the firewall has no way of predicting that a given message or communication contains a virus, is spam, is an attempt to take over the computer, or represents some other threat, so such threats are passed into the computer to be screened by the other monitor modules.
- Because the monitor modules do not share information, the fact that threats are identified by one monitor module does not benefit any of the other monitor modules. Take, for example, a situation where a remote computer is attempting to take control of a computing system.
- the first effort may be to infect the computing system with one of a number of viruses that allow remote control of the computing system, by sending virus-laden messages to the computing system. If the virus software catches all of the viruses, then an attempt may be made to log into the computing system as a user. If the clear text password detection system foils this attempt, an attempt may then be made to reconfigure the computing system to allow public access to restricted material, thereby testing the HIDS system. This scenario shows that if the remote computer keeps looking for weaknesses long enough, it is likely something will be found.
- the password detection system does not have the benefit of the knowledge that there have already been repeated infection attempts from the remote computer.
- the HIDS system does not know that the remote computer was the source of numerous, different, and concerted attempts to take over control of the computer.
- the monitor modules often report data related to identified threats and the actions taken in response to an administrator. However, it is up to the administrator to read the disparate reports and notifications and attempt to identify trends indicative of a more significant threat to the computing system. In the scenario described above it is left to the administrator to view the data from each of the monitor modules, correlate the data, determine an appropriate coordinated response by the computing system, and implement the response. Depending on the level of communications traffic and size of the computing systems, this may involve the analysis of huge amounts of data stored in multiple data logs, each in different formats and containing different types of information. The administrator may have difficulties correlating data from one monitor module to data from another monitor module, not to mention difficulties in identifying trends in the collected data.
- Administrators have a further challenge in that most attacks occur quickly. Often, by the time the administrator has determined from the data provided by the various monitor modules that a concerted attack on multiple fronts is occurring, it has either succeeded or failed. Administrators cannot analyze the data provided in time necessary to provide effective feedback to the various monitor modules.
- the present invention includes an integrated monitoring system monitoring communications received from an external communication network.
- the integrated monitoring system may be implemented on one or more computing systems that handle incoming and outgoing communications between the external communications network and a protected computing network (the “protected network”) having at least one computing device.
- the integrated monitoring system receives communications from the communications network, such as the Internet, a telephone system, a wireless network, or any combination of communications networks, screens the communications for threats, and transmits safe communications to the appropriate destination within the protected network it serves while deleting communications that represent potential threats to the protected system.
- the integrated security system includes a plurality of monitoring modules for screening a plurality of different types of communications, such as e-mail messages, VPN communications, and web page traffic. Based on event data generated by the monitoring modules upon determination of a potential threat, new rules are automatically developed by the integrated security system and implemented using one or more of the monitoring modules.
- the present invention relates to a method of automatically generating rules for use by a monitoring module.
- the method includes analyzing a data packet received from a communication network by the monitoring module using a predetermined set of rules.
- the data packet includes information identifying the packet's source (e.g., a source IP address) and the packet's destination.
- the method searches an event database for events associated with the source of the packet. If the event database contains an event record associated with the source of the packet, a new rule is generated to block subsequent packets from the source of the packet for a predetermined period of time. The new rule is then added to the set of rules used by the monitoring module.
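The rule-generation method just described, as an added example that is not part of the patent: a firewall-style monitoring module first checks each packet against its predetermined rule set; when no rule applies, it searches the event database for records associated with the packet's source, and a hit produces a new rule that blocks the source for a predetermined period. The class and field names, the one-hour period, the expiry handling and the sample event records are assumptions made for this example.

```python
"""Automatic block-rule generation from prior event records (added example,
not from the patent). Names, fields, the block period and the sample event
database are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Packet:
    source_ip: str          # e.g. the source IP address named in the method
    destination_ip: str
    destination_port: int


@dataclass
class Rule:
    source_ip: str
    action: str                     # "block" or "allow"
    expires: Optional[datetime]     # None means the rule is permanent


class MonitoringModule:
    def __init__(self, rules, event_db, block_period=timedelta(hours=1)):
        self.rules = list(rules)        # the predetermined set of rules
        self.event_db = event_db        # event records as reported to the SSI
        self.block_period = block_period  # predetermined blocking period

    def active_rules(self, now):
        # drop expired temporary blocks so a source is not blocked
        # beyond the predetermined period
        self.rules = [r for r in self.rules if r.expires is None or r.expires > now]
        return self.rules

    def analyze(self, packet, now):
        """Return (action, reason) for a packet arriving at time `now`."""
        for rule in self.active_rules(now):
            if rule.source_ip == packet.source_ip:
                return rule.action, "existing-rule"
        # no rule matched: has any monitor module already reported this source?
        prior = [ev for ev in self.event_db if ev["source_ip"] == packet.source_ip]
        if prior:
            new_rule = Rule(packet.source_ip, "block", now + self.block_period)
            self.rules.append(new_rule)     # add the rule to the module's rule set
            return "block", "new-rule"
        return "allow", "no-rule"


# constructed sample event database: one earlier IDP report about a source
SAMPLE_EVENTS = [
    {"log_source_description": "IDP", "source_ip": "203.0.113.7",
     "event_description": "virus in attachment"},
]


def demo():
    now = datetime(2005, 1, 25, 12, 0, 0)
    module = MonitoringModule([Rule("198.51.100.9", "allow", None)], SAMPLE_EVENTS)
    results = [
        # previously reported source: blocked and a temporary rule is created
        module.analyze(Packet("203.0.113.7", "192.0.2.10", 25), now),
        # same source five minutes later: the new rule now matches directly
        module.analyze(Packet("203.0.113.7", "192.0.2.10", 25), now + timedelta(minutes=5)),
        # unknown source with no event history: allowed
        module.analyze(Packet("192.0.2.55", "192.0.2.10", 80), now),
        # source covered by a permanent allow rule
        module.analyze(Packet("198.51.100.9", "192.0.2.10", 80), now),
        # two hours later the block has expired; the event record still exists,
        # so the method generates a fresh rule rather than reusing the stale one
        module.analyze(Packet("203.0.113.7", "192.0.2.10", 25), now + timedelta(hours=2)),
    ]
    return results, module


if __name__ == "__main__":
    for action, reason in demo()[0]:
        print(action, reason)
```

The expiry step matters in practice: a block that never lapses turns a single event record into a permanent denial of that source, which is why the method specifies a predetermined period.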
- FIG. 1 illustrates an integrated monitoring system in accordance with an embodiment of the present invention.
- FIG. 2 illustrates some of the functional components of an embodiment of an integrated monitoring system for a computing system.
- FIG. 3 illustrates a detailed embodiment of an exemplary implementation of an integrated monitoring system.
- FIG. 4 shows, at a high level, an embodiment of the logical operations of the integrated monitoring system of FIG. 3 .
- FIG. 5 illustrates an embodiment of the logical operations of the IDS analysis operation of FIG. 4 .
- FIG. 6 illustrates an embodiment of the logical operations of the firewall analysis operation of FIG. 4 .
- FIG. 7 illustrates an embodiment of the logical operations of the e-mail analysis operation of FIG. 4 .
- FIG. 8 illustrates an embodiment of the logical operations of the web content analysis operation of FIG. 4 .
- FIG. 9 illustrates an embodiment of the logical operations of the VPN analysis operation of FIG. 4 .
- FIG. 10 illustrates an embodiment of the logical operations of the event data analysis operation of FIG. 4 .
- a computing system may include a single computing device or multiple, connected computing devices.
- Computing devices are electronic devices that perform functions using a combination of hardware and/or software.
- Computing devices may include such hardware as a processor, computer readable storage media (including, but not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the system), and one or more communication devices suitable for transmitting and receiving data over communication media.
- computing devices may also include software, firmware or a combination of the two stored on the computer readable media. Examples of computing devices include personal computers, handheld computing devices, mobile communication devices, cellular telephones, networked appliances, computer servers, and mainframes and any other programmable device that is exposed to and receives data traffic.
- Communication media includes any medium capable of carrying data or information such as computer-readable instructions, data structures, and program modules, whether such data is embodied in a modulated data signal such as a carrier wave or other transport mechanism.
- communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared, and other wireless media.
- Computing devices may be implemented using different software operating systems and programming languages.
- operating systems include Microsoft Windows XP, Macintosh OS X, OS2, Unix- and Linux-based operating systems, and Microsoft Windows CE.
- programming languages suitable for developing software embodiments include C, C++, Java, Visual Basic, Perl, and markup languages such as XML, HTML, and XAML. Selection of operating systems and software languages is often more an issue of user and developer preferences or convenience.
- Computing devices may be described in terms of the logical operations performed by the devices.
- the logical operations of the following various embodiments are implemented (1) as a sequence of computer implemented acts running on a computing system and/or (2) as interconnected machine logic circuits or circuit modules within the computing system.
- the implementation is a matter of choice dependent on the performance requirements of the computing system implementing the invention. Accordingly, the logical operations making up the embodiments described herein are referred to variously as operations, structural devices, acts or modules. It will be recognized by one skilled in the art that these operations, structural devices, acts and modules may be implemented in software, in firmware, in special purpose digital logic, and any combination thereof without deviating from the spirit and scope of the present invention as recited within the claims attached hereto.
- FIG. 1 illustrates an exemplary computing system 100 that implements an embodiment of an integrated monitoring system 120 .
- the exemplary computing system 100 as shown includes an email server 102 , a web server 104 and an intranet server 106 .
- the servers are further connected to an internal communication network 108 , such as an intranet.
- the internal communications network 108 connects the various computing devices and components internal to the computing system 100 .
- the internal network 108 is connected to the servers 102 , 104 , 106 and a plurality of additional computing devices 112 .
- the computing system 100 is further connected to other remote computing systems 124 , 126 via an external communications network 122 .
- the external communications network 122 may be the Internet or may be some other wired or wireless communications network.
- communications traffic in the form of data transmitted on the network 122 may pass between the computing system 100 and the remote computing systems.
- the communications traffic on the network 122 and within the computing system 100 will be discussed as consisting of a plurality of separate and identifiable “messages”. Examples of messages on the Internet include digital files, email messages, web pages, voice over internet protocol (VOIP) data streams, and streaming audiovisual data. Messages are transmitted in digital form as one or more packets of digital data.
- the embodiment in FIG. 1 also includes an integrated monitoring system 130 , which monitors communication data traffic.
- the integrated monitoring systems 130 may be implemented to monitor data traffic on the internal network 110 , data traffic received from the external network 122 , or both depending on the implementation.
- the integrated monitoring system 130 analyzes the communication traffic in order to identify messages that may pose a threat to the computing system and block or quarantine any such messages identified.
- Such threats include any unwanted or undesirable occurrence related to data traffic such as, for example, spam, viruses, denial of service attacks, unauthorized attempts to infiltrate the computing system, etc. While some threats may be actual threats of harm or damage to the system, others may simply be inconvenient, annoying or unwanted events and not pose any risk of damage to the computing system.
- the integrated monitoring system 130 will be discussed in greater detail with reference to FIG. 2 below.
- FIG. 1 shows the integrated monitoring system 130 connected to the internal network 110 .
- the integrated monitoring system 130 may be connected to the internal and external networks in many different ways and still perform its security functions.
- the integrated monitoring system 130 is implemented as a gateway between the external communication network 122 and the internal communication network 110 . Messages destined for the computing system 100 are screened by the integrated monitoring system 130 before being passed on to the internal network 110 .
- all messages carried on the internal network, regardless of whether they originate from a computing device 112 , a server 102 , 104 , 106 or the external network 122 , pass through the integrated monitoring system 130 .
- FIG. 2 illustrates the functional components of an embodiment of an integrated monitoring system 200 for a computing system.
- the integrated monitoring system 200 includes multiple monitor modules 202 , 204 , 206 , 208 , 210 , and a security system integrator (SSI) 212 .
- the SSI receives data reported from the monitor modules and may issue commands to at least some of the monitor modules.
- Embodiments of the SSI 212 may include such components as an analysis module 216 that analyzes the contents of an event database 214 , an alerting module 218 that transmits security alerts (such as to system administrators and users), a command and control module 220 that provides an interface between the SSI 212 and the monitor modules 202 , 204 , 206 , 208 , 210 , a communication module 224 that supports the reporting of the contents of the event database 214 to other locations, and a log database 222 that stores a log record of actions taken by the integrated monitoring system 200 over time.
- the integrated monitoring system 200 includes a plurality of monitor modules 202 , 204 , 206 , 208 , 210 .
- Each monitor module 202 may independently perform one or more different monitoring and security functions. The functions of some monitor modules also may overlap. In general, the monitor modules monitor and evaluate communications traffic on a communication network (internal, external or both depending on how the integrated monitoring system 200 is implemented within the computing system).
- Each of the monitor modules 202 , 204 , 206 , 208 , 210 is connected to the communication network of the computing system as necessary to perform its given function.
- monitor modules include firewalls for connection monitoring, dynamic host configuration protocol (DHCP) modules for extracting IP information from the network, intrusion detection systems (IDSs) that monitor data traffic and detect attacks, intrusion detection and prevention (IDP) systems that detect and attempt to block attacks, host-based intrusion detection systems (HIDS), proxy and cache servers, forwarders, anti-spam filters, content filters, virus filters, honey pots, and password protection modules.
- the monitor modules monitor the communications traffic to identify messages that may pose a security threat to the computing system. Each monitor module may evaluate the communication traffic in a different way in an attempt to identify different potential threats. Upon identification of a potentially threatening message by a monitor module, the monitor module may take unilateral action to address the threat. In addition to any such unilateral action, the monitor modules also report event data related to the events that are identified.
- Each message identified as a potential security threat by one or more of the monitor modules is a single “event.” That is, if a message is identified by several different monitor modules, possibly for different reasons, as a potential threat, that message will be considered a single event, as described in greater detail below.
- What each of the monitor modules 202 , 204 , 206 , 208 , 210 has in common is that it provides data related to the communications traffic on the network.
- monitor modules may generate and report data describing or otherwise related to the event. This data, referred to as event data, may be the only indication that the monitor module has identified a potential threat.
- the event data reported are dictated by the implementation of the reporting monitor module.
- Such event data may include, for example, data identifying the monitor module generating the event data, the event type, a priority associated with the event determined by the monitor module, a timestamp for the event, and one or more identifying details of the message that is the source of the event, such as the source IP address, port, URL or MAC of the message, an identifier indicating if the source is internal to the computing system, the destination IP address, port, URL or MAC of the message, an identifier indicating if the destination is internal to the computing system, and information concerning whether the message is coming from a known “bad” or “good” host.
- the event data may be provided as a simple ASCII file with a known format, as XML that includes data type definitions, in an HTML file, or in any other form, as long as it is known to and useable by the SSI.
- a stateful firewall monitor module, which remembers the context of connections and continuously updates this state information in dynamic connection tables, may use one or more IP tables to identify known sources of threats and automatically block traffic from those IP addresses in the IP tables.
- the firewall may report event data to the SSI including the source IP address, the destination IP address, identifying information regarding the content of the message, and the date and time the message was received by the firewall.
- Another monitor module may be an IDP system.
- the IDP may include an internal set of rules for use in evaluating and blocking messages in real time.
- the IDP system may report an alert, a threat ID and description, a timestamp, and the source and destination IP addresses of the message. Additional event data may also be reported depending on the implementation.
- the monitor modules 202 , 204 , 206 , 208 , 210 report event data to a monitor module integrator (SSI) 212 .
- the event data is received by the SSI 212 and stored in an event database 214 .
- the SSI 212 maintains the event database 214 so that all event data received from the monitor modules 202 , 204 , 206 , 208 , 210 relating to a specific event (i.e. a single message) is collected and stored within a single event record in the event database.
- a new event record is created for each item of event data received.
- the event database 214 may purge event data that reach a specified age or may store data until some predetermined database size is reached.
- the event database may be structured in various ways. In one embodiment, a single Event Log Table is maintained.
- the Event Log Table is the primary repository of the event data. As described above, the event data provided by the monitor modules is stored in event records in the Event Log Table.
- various other data generated by the SSI 212 related to the event may also be included in an event record. For example, the SSI may generate unique identifiers for each event record to support future error detection or transmission operations.
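The SSI ingest path described above (event data arriving in differing formats, collected into a single event record per message, with an SSI-generated identifier on each record), as an added example that is not code from the patent. It takes a delimited ASCII line of the kind a stateful firewall might report (source IP, destination IP, content description, date and time) and an XML fragment of the kind an IDP might report (alert, threat ID and description, timestamp, source and destination), normalizes both to the field names of the patent's Table 1, and merges reports about the same message. The line layout, the XML tags, the priority ordering and the matching key (same source, same destination, timestamps within two seconds) are assumptions made for this example.

```python
"""SSI event ingest: normalize heterogeneous monitor-module reports and merge
them into one event record per message (added example, not from the patent).
Input layouts, tag names, priority order and the matching key are assumptions."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta


def parse_firewall_line(line):
    # assumed ASCII layout: timestamp|source_ip|destination_ip|content description
    ts, src, dst, content = line.strip().split("|", 3)
    return {
        "log_source_description": "FIREWALL",
        "event_date_time": datetime.fromisoformat(ts),
        "source_ip": src,
        "destination_ip": dst,
        "event_type_description": "CONNECTION",
        "event_description": content,
        "event_priority_description": "WARNING",
    }


def parse_idp_xml(text):
    # assumed XML: <alert ts=".." threat_id=".." priority=".."><src/><dst/><desc/></alert>
    root = ET.fromstring(text)
    return {
        "log_source_description": "IDP",
        "event_date_time": datetime.fromisoformat(root.get("ts")),
        "source_ip": root.findtext("src"),
        "destination_ip": root.findtext("dst"),
        "event_type_description": root.get("threat_id"),
        "event_description": root.findtext("desc"),
        "event_priority_description": root.get("priority", "CRITICAL EVENT"),
    }


class EventDatabase:
    """One event record per message; reports from several modules about the
    same message are merged (assumed key: source, destination, 2-second window)."""
    WINDOW = timedelta(seconds=2)
    PRIORITY_ORDER = ["INFO", "WARNING", "CRITICAL EVENT"]

    def __init__(self):
        self.records = []
        self._next_id = 1          # SSI-generated unique event identifier

    def _rank(self, priority):
        return self.PRIORITY_ORDER.index(priority) if priority in self.PRIORITY_ORDER else -1

    def _find(self, data):
        for rec in self.records:
            if (rec["source_ip"] == data["source_ip"]
                    and rec["destination_ip"] == data["destination_ip"]
                    and abs(rec["event_date_time"] - data["event_date_time"]) <= self.WINDOW):
                return rec
        return None

    def ingest(self, data):
        rec = self._find(data)
        if rec is None:
            rec = {"event_id": self._next_id, "reports": [], **data}
            self._next_id += 1
            self.records.append(rec)
        rec["reports"].append(data["log_source_description"])
        # the merged record carries the highest-priority description any module gave
        if self._rank(data["event_priority_description"]) > self._rank(rec["event_priority_description"]):
            for key in ("event_priority_description", "event_type_description", "event_description"):
                rec[key] = data[key]
        return rec["event_id"]

    def events_from(self, source_ip):
        # the lookup a monitoring module performs before generating a block rule
        return [r for r in self.records if r["source_ip"] == source_ip]


# constructed sample reports about one message, seen first by the firewall and
# one second later by the IDP
FIREWALL_LINE = "2005-01-25T12:00:01|203.0.113.7|192.0.2.10|TCP connection to port 25"
IDP_XML = ('<alert ts="2005-01-25T12:00:02" threat_id="T-1001" priority="CRITICAL EVENT">'
           '<src>203.0.113.7</src><dst>192.0.2.10</dst>'
           '<desc>Virus-laden SMTP attachment</desc></alert>')


def demo():
    db = EventDatabase()
    first_id = db.ingest(parse_firewall_line(FIREWALL_LINE))
    second_id = db.ingest(parse_idp_xml(IDP_XML))
    return db, first_id, second_id


if __name__ == "__main__":
    db, a, b = demo()
    print(a, b, db.records[0]["reports"], db.records[0]["event_priority_description"])
```

The matching window is the part a deployment has to get right: too narrow and one message becomes several records that no module can correlate, too wide and unrelated connections from a busy source collapse into one record and inflate its priority.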
- TABLE 1 includes a list of various event data, along with their descriptions, that may be included in a record, such as an event record, in the tables described above.
| Event data type | Description |
| --- | --- |
| Event Priority Description | Description of the event priority, such as “CRITICAL EVENT”. |
| Log Source Description | Description of the source of the event, such as “FIREWALL”. |
| Event Type Description | The type of event, such as a virus contained in an attachment. |
| Event Description | Description of the event, such as, for a virus event type, the name of the virus identified. |
| Event Date and Time | A time stamp related to the event, such as when the message was received by the computing system. |
| Source IP | The IP address that the event identifies as its origination point. |
| Event Protocol | Common network communications protocol such as TCP, UDP, ICMP, etc. |
| Source Port | The IP port that a transmission originated from, e.g. HTTP data generally originates from port 80. |
| Source URL | The uniform resource locator (URL) address that the event identifies as its origination point. |
| Source MAC | The Media Access Control address for network devices (a.k.a. nodes). This is a standard unique “ID” for each physical port of network devices such as computer network interface cards, network switching equipment, etc. The Source MAC refers to the ID of the communication packet source device. |
| Internal Source | Data indicating if the origination point of the event is internal to the computing system 200. |
| Blocked Source | Data indicating if the origination point of the event is blocked by an existing IDS rule in the computing system 200. |
| Destination IP | The IP address that the event identifies as its destination. |
| Destination URL | The uniform resource locator (URL) address that the event identifies as its destination. |
| Destination Port | The target IP port for a transmission, e.g. HTTP data is generally received by port 80. |
| Destination MAC | The Media Access Control address for network devices (a.k.a. nodes). This is a standard unique “ID” for each physical port of network devices such as computer network interface cards, network switching equipment, etc. The Destination MAC refers to the ID of the communication packet recipient device. |
| Internal Destination | Data indicating if the destination point of the event is internal to the computing system 200. |
| Auto Bad Host | Data indicating the corresponding source has been manually entered as a bad host, and should therefore be blocked without further analysis (the “Auto” refers to how the default value of this column is set when not specified). |
| Auto Good Host | Data indicating the corresponding source has been manually entered as a good host, and should therefore be allowed without further analysis (the “Auto” refers to how the default value of this column is set when not specified). |
- the SSI 212 includes an analysis module 216 .
- the analysis module 216 analyzes the event data in the event database 214 to identify trends and anomalies in the event data.
- the analysis module may use various statistical analysis techniques to determine if an event poses a greater threat than that identified by the monitor modules reporting the event data.
- the analysis module also determines if an event potentially poses a type of threat that the monitor modules are not designed to identify.
- the analysis module 216 reanalyzes the contents of the event database to determine if the new event data changes the results of its previous analysis.
- Bayes' Theorem is a statistical procedure that estimates the parameters of an underlying distribution from an observed distribution. Beginning with a prior distribution, which may be based on anything, including an assessment of the relative likelihoods of parameters or the results of non-Bayesian observations, event data is collected and an observed distribution is created. A calculation is then made to estimate the likelihood of the observed distribution as a function of the parameter values. Multiplying this likelihood function by the prior distribution and normalizing the product yields a distribution with unit total probability over all possible parameter values; this is called the posterior distribution. The mode of the posterior distribution is then the parameter estimate, and probability intervals (the Bayesian analog of confidence intervals) can be calculated from it using the standard procedure.
- the Bayesian analysis may be performed on any of the event data provided by monitor modules, such as source IP addresses, to determine a likelihood that messages from a source IP address are threats.
- the Bayes' Theorem analysis is discussed in greater detail in the related U.S. Utility application Ser. No. 10/768,931, entitled INTEGRATED DATA TRAFFIC MONITORING SYSTEM, filed Jan. 29, 2004, which is incorporated by reference.
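The grid form of the procedure described above, as an added example that is not part of the patent: the prior and the binomial likelihood are multiplied on a grid of candidate threat rates and normalized, giving the posterior mode and a central credible interval for each source IP. The message log, the flat prior and the blocking threshold are constructed assumptions.

```python
"""Added example: Bayesian estimate of the rate at which a source's messages are threats."""
import math
from collections import defaultdict

# Candidate threat rates p, strictly inside (0, 1) so log(p) and log(1-p) are finite.
GRID = [(i + 0.5) / 1000 for i in range(1000)]


def posterior_on_grid(flagged, total, prior_alpha=1.0, prior_beta=1.0):
    """Posterior over the threat rate p for one source.

    prior      : Beta(prior_alpha, prior_beta) density (alpha = beta = 1 is flat)
    likelihood : binomial chance of `flagged` flagged messages out of `total`
    posterior  : prior x likelihood, normalized so the values sum to one over GRID
    """
    if not 0 <= flagged <= total:
        raise ValueError("flagged must lie in 0..total")
    log_w = []
    for p in GRID:
        lp, lq = math.log(p), math.log1p(-p)
        # log(prior) + log(likelihood); binomial coefficient cancels in normalization
        log_w.append((prior_alpha - 1 + flagged) * lp + (prior_beta - 1 + total - flagged) * lq)
    top = max(log_w)
    w = [math.exp(v - top) for v in log_w]      # shift before exp to avoid underflow
    z = sum(w)
    return [v / z for v in w]


def summarize(posterior, mass=0.95):
    """Mode (the point estimate) and central credible interval of a grid posterior."""
    mode = GRID[max(range(len(GRID)), key=posterior.__getitem__)]
    tail = (1 - mass) / 2
    cum, lower, upper = 0.0, None, None
    for p, w in zip(GRID, posterior):
        cum += w
        if lower is None and cum >= tail:
            lower = p
        if upper is None and cum >= 1 - tail:
            upper = p
            break
    return mode, lower, upper


def estimate_sources(message_log, prior_alpha=1.0, prior_beta=1.0, mass=0.95):
    """Per-source (mode, lower, upper, total) from a log of (source_ip, flagged) pairs."""
    flagged, total = defaultdict(int), defaultdict(int)
    for ip, was_flagged in message_log:
        total[ip] += 1
        flagged[ip] += int(was_flagged)
    estimates = {}
    for ip in total:
        post = posterior_on_grid(flagged[ip], total[ip], prior_alpha, prior_beta)
        mode, lo, hi = summarize(post, mass)
        estimates[ip] = (mode, lo, hi, total[ip])
    return estimates


def sources_to_block(estimates, min_rate=0.25):
    """Block only when the whole credible interval lies above min_rate (a conservative rule)."""
    return sorted(ip for ip, (_, lo, _, _) in estimates.items() if lo > min_rate)


# Constructed message log: (source IP, whether a monitor module flagged the message).
SAMPLE_LOG = ([("203.0.113.7", True)] * 8 + [("203.0.113.7", False)] * 2
              + [("198.51.100.4", True)] + [("198.51.100.4", False)] * 49)

if __name__ == "__main__":
    est = estimate_sources(SAMPLE_LOG)
    for ip, (mode, lo, hi, n) in sorted(est.items()):
        print(f"{ip}: n={n} mode={mode:.3f} 95% interval=({lo:.3f}, {hi:.3f})")
    print("block:", sources_to_block(est))
```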
- Additional analyses performed by the analysis module 216 may be designed to identify anomalies and trends in the event records. To do this, the contents of the event database are scanned and events with common data are identified. For example, the analysis will identify event records from common monitoring modules or with common data source/destinations. In addition, the scanning may also seek to identify known trends indicative of known threats. Events identified with common elements or other known issues are then weighted based on a predetermined weighting algorithm that takes into account the type, priority, monitor module and specifics of the event. The weighting algorithm produces a sum weight for these common events indicating a base severity of the threat (i.e. a threat level). The analysis module 216 then identifies what actions, if any, should be performed based on the calculated threat level.
- the results of the analysis may be that the event, and possibly any future messages having specific attributes (for example a point of origination, a destination or specific text in a subject line), should be treated differently by the integrated monitoring system 200 than they are currently being treated.
- the analysis may determine that every email coming from a certain IP address is likely to be classified as an event by one or more monitor modules and should be screened by the firewall prior to entering the computing system for analysis by the other monitor modules.
- the analysis module 216 may issue commands to other components in the SSI 212 . These commands may subsequently be passed, for example by the command and control module 220 as described below, to any connected external component, monitor module or computing system.
- the commands allow the SSI 212 to control the operation of any of the other components, modules and devices of the integrated monitoring system 200 .
- the commands issued by the SSI 212 may be as simple as a command to the firewall to add a certain IP address to one or more of its IP tables of IP addresses to block.
- Other examples of commands include commands to one or more monitor modules that create a new rule to use when evaluating network traffic, commands directing that messages with specific content be allowed to pass, be blocked or be quarantined, commands, such as to a HIDS module, to expand the list of external systems and logs that are evaluated, commands to automatically delete future messages sent to a specified computer port for a specified period of time, and commands changing the threat level assigned by monitor modules to different events. Commands may be issued to the alerting module 218 to generate alerts.
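One way to implement the weighting and command issuance described above, as an added example that is not the patent's own algorithm: event records are grouped by common source IP, weighted by type, priority and reporting module, summed into a threat level, and mapped to firewall and alerting commands; a re-analysis after a new record shows which commands the new data adds. The weights, thresholds and sample records are constructed assumptions.

```python
"""Added example: weighting events with a common source into a threat level and commands."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed weights; the patent says only that type, priority, module and specifics count.
TYPE_WEIGHT = {"VIRUS": 30, "INTRUSION_ATTEMPT": 25, "PROBE": 10, "SPAM": 5}
PRIORITY_FACTOR = {1: 3.0, 2: 2.0, 3: 1.0}       # 1 = actual attack ... 3 = reconnaissance
MODULE_FACTOR = {"IDS": 1.2, "FIREWALL": 1.0, "VIRUS": 1.5, "SPAM": 0.5}


@dataclass(frozen=True)
class EventRecord:
    """Subset of the Table 1 fields kept in an event record."""
    event_id: int          # unique identifier generated by the SSI
    log_source: str        # Log Source Description, e.g. "FIREWALL"
    event_type: str        # Event Type Description
    priority: int          # 1..3
    source_ip: str
    destination_ip: str


def event_weight(e):
    """Weight of one event: type base x priority factor x reporting-module factor."""
    return TYPE_WEIGHT.get(e.event_type, 5) * PRIORITY_FACTOR[e.priority] \
        * MODULE_FACTOR.get(e.log_source, 1.0)


def threat_levels_by_source(records):
    """Sum weight of all events sharing a source IP: the base severity (threat level)."""
    levels = defaultdict(float)
    for e in records:
        levels[e.source_ip] += event_weight(e)
    return dict(levels)


def decide_actions(levels, block_at=60.0, alert_at=30.0):
    """Map threat levels to commands for the firewall and the alerting module."""
    commands = []
    for ip, level in sorted(levels.items()):
        if level >= block_at:      # add the source to the firewall's IP table of blocked addresses
            commands.append({"module": "FIREWALL", "command": "ADD_TO_BLOCK_TABLE",
                             "ip": ip, "threat_level": level})
        if level >= alert_at:      # notify the designated parties
            commands.append({"module": "ALERTING", "command": "ALERT",
                             "ip": ip, "threat_level": level})
    return commands


def new_commands_after(records, new_record, **thresholds):
    """Re-analysis on arrival of new event data: commands that did not exist before it."""
    before = {(c["module"], c["command"], c["ip"])
              for c in decide_actions(threat_levels_by_source(records), **thresholds)}
    after = decide_actions(threat_levels_by_source(list(records) + [new_record]), **thresholds)
    return [c for c in after if (c["module"], c["command"], c["ip"]) not in before]


# Constructed event records as the SSI might hold them in the Event Log Table.
SAMPLE_EVENTS = [
    EventRecord(1, "IDS", "PROBE", 3, "203.0.113.7", "10.0.0.5"),
    EventRecord(2, "FIREWALL", "INTRUSION_ATTEMPT", 2, "203.0.113.7", "10.0.0.5"),
    EventRecord(3, "SPAM", "SPAM", 3, "198.51.100.4", "10.0.0.25"),
    EventRecord(4, "IDS", "PROBE", 3, "192.0.2.9", "10.0.0.5"),
    EventRecord(5, "IDS", "PROBE", 3, "192.0.2.9", "10.0.0.6"),
    EventRecord(6, "IDS", "PROBE", 3, "192.0.2.9", "10.0.0.7"),
]

if __name__ == "__main__":
    levels = threat_levels_by_source(SAMPLE_EVENTS)
    for cmd in decide_actions(levels):
        print(cmd)
    fresh = EventRecord(7, "IDS", "INTRUSION_ATTEMPT", 2, "192.0.2.9", "10.0.0.8")
    print("new after record 7:", new_commands_after(SAMPLE_EVENTS, fresh))
```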
- the SSI 212 also includes an alerting module 218 .
- An analysis by the analysis module 216 may determine that a system administrator, various system users, or other designated parties should be alerted to events identified by the SSI 212 .
- the alerting module 218 identifies the parties that should be alerted and generates the alert messages with the appropriate data from the event database 214 .
- the SSI 212 also includes a command and control module 220 .
- the command and control module 220 acts as an interface between the various modules within the SSI 212 and the monitor modules 202 , 204 , 206 , 208 , 210 .
- the command and control module 220 stores information concerning how to interface with each monitor module. Using this information, the command and control module can receive a notification, such as from the analysis module 216 for example, that an action by a specific monitor module is required and generate a command for the specific monitor module that carries out the action. Because the command and control module 220 allows the SSI 212 to issue commands to any of the monitor modules capable of receiving commands, an administrator may use the SSI 212 as a central control point for the integrated monitoring system 200 .
- the SSI 212 is also provided with a communication module 224 .
- the communication module 224 supports the communication between the various other components of the SSI 212 and components and systems external to the SSI 212 .
- the communication module 224 periodically transmits any new event data received by the event database 214 to a remote computing system or external device for storage or further analysis.
- a log database 222 is maintained by the SSI 212 to track actions taken by the SSI 212 .
- the log database 222 may also store log entries recording commands received by the SSI 212 (such as from the administrator) and directed at one or more monitor modules. Other activities may be logged as well depending on the preferences of the system administrator.
- FIG. 3 illustrates a computing system 300 that includes an embodiment of an integrated monitoring system.
- the computing system 300 is a communications system that handles incoming and outgoing communications between an external communications network 330 and a protected computing network 352 (hereinafter the “protected network”) having at least one computing device 350 .
- the computer system 300 may be implemented as a software program executing on the computing device 350 or may be implemented as a separate and distinct computing device through which all incoming communications from the external network 330 pass.
- the computing system 300 may be implemented on one or more separate computing devices, such as a router or communication-dedicated computing device, depending on the flow rate of communication traffic that must be handled.
- the computing system 300 receives communications from a communications network 330 , such as the Internet, a telephone system, a wireless network, or any combination of communications networks, and transmits the communications to the appropriate destination within the protected network 352 it serves.
- the destination may be a specific software program executing on a computing device 350 within the network or a software program operating on the computing system 300 .
- the computing system 300 shown is capable of receiving a plurality of different types of communications.
- the computing system 300 can receive electronic mail messages (e-mail) and pass them on to a mail server 340 that is responsible for distributing e-mail to various user mailboxes.
- the computing system 300 also may receive web pages generated in response to user requests from browsers executing on computing devices 350 .
- the computing system 300 is further capable of receiving VPN communications and passes those to the VPN system.
- a firewall 304 is used to direct the different types of packets (i.e., e-mail packets, web page packets, and VPN packets) to the appropriate destination.
- the communications are received by the computing system 300 in the form of digital packets.
- a packet may constitute a complete communication or may need to be combined at the destination with other packets to create a complete communication, such as an email message or web page.
- Each packet includes various packet identification information such as the source of the packet (usually an IP address), the destination of the packet, authentication information, and other information in addition to the payload of data that contains the actual message of the communication.
- the computing system 300 includes an integrated monitoring system that screens the packets as they are received and can automatically block packets from sources that the integrated monitoring system determines from the screening to be likely sources of potential threats to the computer network.
- the integrated monitoring system includes an SSI 312 , including an event database 310 as described with reference to FIG. 2 , and a plurality of monitor modules. In the embodiment shown, there are four monitor modules that provide event data to the SSI 312 : an IDS module 302 , the firewall 304 , a virus detection module 306 , and a VPN authentication module 308 .
- the embodiment shown also includes additional monitor modules that may or may not provide event data to the SSI 312 : a spam detection module 320 ; and a web content module 322 .
- the IDS module 302 screens all incoming communications.
- the IDS module 302 uses a set of rules, referred to as intrusion detection (ID) rules to screen each packet as it is received from the communications network.
- the IDS module 302 maintains the ID rules in a database or in one or more files (not shown) and is capable of deleting rules and receiving new or changed rules as directed by a system administrator or by the SSI 312 .
- Upon receipt of a packet from the communication network 330 , the IDS compares the information in the packet with the current ID screening and blocking rules and either deletes the packet or passes it on to the firewall, as will be described in greater detail with reference to FIG. 5 .
- whenever the IDS module 302 deletes a packet (i.e., a packet fails one of the ID rules), the IDS module 302 generates event data, which is transmitted to the event data database 310 .
- the IDS module also implements the blocking of incoming communications based on the source of the communications.
- the IDS module can be considered, and indeed is often implemented, as two modules: a screening or monitoring module and a blocking module.
- the IDS module 302 could be similarly implemented as two independent modules.
- IDS rules in this specification refers generally to rules that block incoming packets based on their source as these rules, in this embodiment, would be implemented by the blocking component of the IDS.
- IDS rules are distinct from the screening criteria used by the IDS module, as well as the other modules' screening criteria in this embodiment.
- the firewall 304 is responsible for separating packets by type and passing them to their appropriate destinations. In addition, the firewall 304 also performs a screening of the packets using its own set of firewall rules as will be discussed in greater detail with reference to FIG. 7 . In addition, whenever the firewall 304 deletes a packet (i.e., a packet fails one of the ID rules), the IDS module 302 generates event data which it transmits to the event data database 310 .
- Packets identified as e-mail packets are passed by the firewall 304 to an e-mail queue 324 . While in the e-mail queue 324 , the virus detection module 306 and spam detection module 320 screen the e-mail packets for viruses and spam respectively. Such screening may require receiving all the packets that make up a specific communication, before the screening may be performed.
- the screening criteria for the modules 306 and 320 are usually kept in one or more databases or files that are maintained by the computing system administrator. Packets that pass the screening are transmitted to the appropriate destination, such as the computer network mail server as shown. Packets or complete communications that fail the screening may be partially or completely deleted, quarantined, identified to the recipient depending on how the modules are directed to handle such failures.
- the virus detection module 306 generates event data for each packet or complete communication that fails the virus screening. This event data is transmitted to the event database in the SSI 312 .
- Packets identified as web page packets are passed by the firewall 304 to a web proxy 326 .
- the web proxy 326 stores the web page packets so that a web content filter 328 may screen the web pages for inappropriate content based on web content rules provided by the administrator or end user. Such screening may require receiving all the packets that make up a web page, before the screening may be performed. Alternatively, some screening may be performed on individual packets as they arrive, while other screening is performed after receipt of the complete web page element.
- the web content rules may be stored in a separate file or database and maintained by the administrator. If a web page passes the screening, the web page is transmitted to its destination computing device 350 . If a web page fails the screening, it may be deleted and a substitute page may be sent in its stead.
- Packets identified as VPN connection packets are passed by the firewall 304 to a VPN concentrator 328 .
- the VPN concentrator 328 determines whether to grant or reject access to the VPN 329 .
- a VPN authentication module 308 is provided to authenticate VPN connection packets. The authentication process is described in greater detail below with reference to FIG. 10 .
- the VPN authentication module 308 or in an alternative embodiment the VPN concentrator 328 , generates event data for packets or VPN connection communications that cannot be authenticated.
- the event data is transmitted to the SSI 312 for analysis and storage in the event database 310 .
- the computing system 300 includes a network directory service 342 that is used to authenticate destinations and users known to the system.
- a different network directory service 342 may be provided for each type of destination and packet or a single integrated network directory service 342 may be used.
- the computing system 300 may be part of a multi-system implementation as described in co-pending U.S. Utility application Ser. No. 10/768,931, filed Jan. 29, 2004.
- the computing system 300 is in communication with a remote computing system (not shown), either via the communications network 330 or a dedicated connection (not shown), that maintains a security system master integrated (SSMI) as described in the co-pending application.
- the computing system 300 transmits some or all of the event data stored in the event database 310 to the SSMI for analysis.
- the SSMI, which also collects event data from other computing systems at other sites, analyzes the collected set of event data.
- the SSMI may perform some or all of the analyses described below with reference to the SSI 312 and may perform additional analyses on the collected multi-system event data and generate and return rules to the SSI 312 for implementation by the computing system 300 .
- FIG. 4 illustrates the main logical operations of the integrated monitoring system of FIG. 3 performed before a communication packet is transferred into the protected network 352 .
- the first operation performed on communication packets received by the monitoring system is an IDS analysis operation 402 , which is discussed in greater detail with reference to FIG. 5 .
- the IDS blocking analysis may result in blocking the incoming packet or transferring it to the firewall.
- the IDS screening analysis may or may not result in the generation of event data.
- a firewall analysis operation 404 is performed on the communication packet.
- the firewall analysis operation 404 is discussed with greater detail with reference to FIG. 6 .
- a communications packet that passes the firewall analysis operation 404 is then transferred to an appropriate analysis based on the type of the communication packet (i.e., e-mail, VPN, or web page packets).
- E-mail packets are transferred to an e-mail analysis operation 406 , which is discussed in greater detail with reference to FIG. 7 .
- Web page packets are transferred to a web content analysis operation 408 , which is discussed in greater detail with reference to FIG. 8 .
- VPN packets are transferred to a VPN analysis operation 410 , which is discussed in greater detail with reference to FIG. 9 .
- a packet that passes its appropriate analysis based on its type is then allowed to enter the protected network 352 for delivery to its destination.
- the analysis operations 402 , 404 , 406 , 408 , 410 described above are referred to as packet analysis operations because they analyze communication packets against some pre-determined criteria.
- the packet analysis operations 402 , 404 , 406 , 408 , 410 also generate event data for packets that fail an analysis.
- the integrated monitoring system also analyzes the event data in an event data analysis operation 412 .
- the event data analysis operation 412 automatically generates new or revised criteria for use by one or more of the packet analysis operations based on the event data received and an event data rule set.
- the event data analysis operation 412 is discussed in greater detail with reference to FIG. 10 .
- FIGS. 5-10 describe each of the major analysis operations in FIG. 4 in greater detail.
- the descriptions are given with reference to the specific embodiment of the computing system 300 shown in FIG. 3 that monitors e-mail, VPN and web content communications for ease of understanding.
- the scope of the invention is not limited to that specific embodiment, and other embodiments of computing systems for monitoring any combination of different types of digitized communication data are contemplated.
- FIG. 5 illustrates the logical operations of the IDS analysis operation 402 .
- packets are received from the communication network 330 and stored in an input buffer on the computing system 300 .
- the IDS analysis operation 402 starts when a communication packet is read from the input buffer by the IDS module 302 in a receive packet operation 502 .
- a packet read from the input buffer is then analyzed in an IDS rules analysis operation 504 .
- the IDS rules analysis operation 504 determines if there are any IDS rules that indicate that the communication packet should be barred from entering the protected network 352 based on the information available in the packet.
- the IDS rules analysis operation 504 includes retrieving or otherwise accessing a pre-determined set of IDS blocking and screening rules.
- the IDS rules may be maintained in memory in the IDS module or may be stored in a remote database and may need to be retrieved as part of the IDS rules analysis operation 504 .
- the IDS rules analysis operation 504 compares the information in the communication packet against the rules of the IDS rules set. This may include reading some or all of the information from the communication packet such as date and time the packet was received, the source of the packet, the destination of the packet, and the payload of the packet. Information may be read from the packet automatically or may be read in response to a specific IDS rule.
- IDS screening rules are generally known in the art and include rules that determine if the packet is of a known type or not, if the packet is part of a request for information from within the protected network, if the packet is part of a login request, if the packet is part of a remote procedure call, if the packet is directed at an unusual port, if the packet is an administrative access request, and if the packet is requesting access to a potentially vulnerable web application.
- a communication packet that passes the IDS rule analysis is transferred to the firewall module in a transfer packet to firewall module operation 506 .
- if the packet “fails” the IDS rules analysis operation 504 , a generate event data operation 508 is performed.
- the generate event data operation 508 includes collecting certain information from the failed packet. This information includes at least the source of the packet and may include some or all of the event data described in Table 1 that is directly available from the packet.
- the event data may also identify the IDS rule or rules that the packet failed and may identify the IDS module as the module that failed the packet.
- the generate event data operation 508 also includes assigning a priority to the failed packet.
- a priority is a numerical identifier that indicates the presumed relative threat of the packet to the protected network.
- a priority 1 event is a packet that, in whole or in part, is an actual attack on the protected network
- a priority 2 event is an attempt to break into (intrude) the protected network
- a priority 3 event is a reconnaissance or probing of the protected network.
- fewer or more priority levels may be used to differentiate different threats or perceived threats.
- the priority assigned may be dictated by the IDS rule that the packet failed. If the packet fails more than one IDS rule, the packet may be assigned the highest priority regardless of the priorities that would be assigned by the failing rules. Alternatively, the packet may be assigned the highest priority directed by the failing rules (e.g., if a packet fails two rules, one that assigns failing packets as priority 3 events and one that assigns failing packets as priority 2 events, the packet is assigned a priority of 2).
- a priority assigned may be dictated by the number of IDS rules that the packet failed.
- a priority is assigned that indicates that the IDS failed the packet or indicates which IDS rule or group of IDS rules failed the packet.
- an event data message is created and transmitted to the SSI 312 in a transmit event data operation 510 .
- Failure of a packet by the IDS rule analysis operation 504 also results in a delete packet operation 512 .
- This operation 512 deletes the packet from the computer system 300 , thereby preventing the packet from reaching its destination and freeing up resources for analysis of later received packets.
- deleting the packet may include saving a copy of the packet to a deleted packet database for further analysis.
- the delete packet operation 512 could be performed before the transmit event data operation 510 .
- the IDS analysis operational flow ends in an end operation 514 and the IDS module either reads the next packet from the input buffer or goes into a standby mode waiting for the next communication packet to be received by the buffer.
- FIG. 6 illustrates an embodiment of the logical operations of a firewall analysis operation 404 .
- the flow starts when a packet is received from the IDS module in a receive packet operation 602 .
- After receipt of a packet passed by the IDS, a firewall rule analysis operation 604 is performed.
- the firewall rule analysis operation 604 determines if there are any firewall rules that indicate that the communication packet should be barred from entering the protected network 352 based on the information available in the packet.
- the firewall rules analysis operation 604 includes retrieving or otherwise accessing a pre-determined set of firewall rules.
- the firewall rules may be maintained in memory in the firewall module or may be stored in a remote database and may need to be retrieved as part of the firewall rules analysis operation 604 .
- the firewall rules analysis operation 604 compares the information in the communication packet against the rules of the firewall rules set. This may include reading some or all of the information from the communication packet such as date and time the packet was received, the source of the packet, the destination of the packet, and the payload of the packet. Information may be read from the packet automatically or may be read in response to a specific firewall rule.
- the firewall rules analysis operation 604 also identifies the type (i.e., in this embodiment e-mail, VPN, or web page) of the communication packet received. For embodiments
- a communication packet “passes” the firewall rule analysis operation 604 if there are no firewall rules that indicate that the communication packet should be barred from entering the protected network 352 and the packet's type can be identified. Thus, a packet that passes all the other firewall rules but for which a type cannot be identified fails the firewall rule analysis operation 604 .
- a communication packet that passes the firewall rules analysis is transferred to the appropriate module based on its type in a transfer to next module operation 606 and the operational flow ends 614 as discussed below.
- a packet “fails” the firewall rules analysis operation 604 if the set of firewall rules contains at least one rule that indicates that the communication packet should be prevented from entering the protected network.
- a packet also fails the firewall rules analysis operation 604 if its type cannot be identified by the firewall.
- a generate event data operation 608 is performed.
- the generate event data operation 608 includes collecting certain information from the failed packet. This information includes at least the source of the packet and may include some or all of the event data described in Table 1 that is directly available from the packet.
- the event data may also identify the firewall rule or rules that the packet failed and may identify the firewall module as the module that failed the packet.
- the generate event data operation 608 may also include assigning a priority to the packet.
- the priority may be dictated based on the firewall rule or rules that the packet failed. Alternatively, all packets failing the firewall may be assigned the same priority. For example, in an embodiment of the present invention all packets failing the firewall rules analysis operation 604 are assigned the intermediate priority of 2.
- an event data message is created and transmitted to the SSI 312 in a transmit event data operation 610 . If a priority was assigned in the generate event data operation 608 , then the priority may be included with the other event data in the event data message.
- the delete operation 612 deletes the packet from the computer system 300 , thereby preventing the packet from reaching its destination and freeing up resources for analysis of later received packets.
- deleting the packet may include saving a copy of the packet to a deleted packet database for further analysis.
- the operational flow ends 614 and the firewall module either reads the next packet received or goes into a standby mode waiting for the next communication packet to be received from the IDS module.
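The IDS analysis of FIG. 5 followed by the firewall analysis of FIG. 6, as an added example that is not taken from the patent: failed IDS rules set the priority under the three policies described above, the firewall fails a packet that is in its block table or whose type cannot be identified, and each failure produces an event data message in the Table 1 vocabulary. Rule contents, port tables, addresses, payloads and the timestamp are constructed assumptions.

```python
"""Added example: IDS analysis (FIG. 5) followed by firewall analysis (FIG. 6)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable


@dataclass
class Packet:
    source_ip: str
    destination_ip: str
    destination_port: int
    protocol: str
    payload: bytes
    received_at: datetime


@dataclass
class IdsRule:
    name: str
    priority: int                       # 1 = attack, 2 = intrusion attempt, 3 = reconnaissance
    fails: Callable[[Packet], bool]     # True when the packet fails this rule


# Constructed tables (hypothetical values, not from the patent).
BLOCKED_SOURCES = {"203.0.113.7"}           # IDS blocking rule: known bad sources
KNOWN_PORTS = {22, 25, 80, 443, 1194}       # ports the IDS treats as "usual"
FIREWALL_BLOCK_TABLE = {"192.0.2.99"}       # firewall IP table of addresses to block
PACKET_TYPE_BY_PORT = {25: "e-mail", 80: "web page", 443: "web page", 1194: "VPN"}
FIREWALL_FAIL_PRIORITY = 2                  # the page's example: every firewall failure is priority 2
RECEIVED = datetime(2004, 1, 29, 12, 0, tzinfo=timezone.utc)   # constructed timestamp

IDS_RULES = [
    IdsRule("blocked-source", 2, lambda p: p.source_ip in BLOCKED_SOURCES),
    IdsRule("unusual-port", 3, lambda p: p.destination_port not in KNOWN_PORTS),
    IdsRule("admin-access-request", 1, lambda p: p.payload.startswith(b"GET /admin")),
]


def assign_ids_priority(failed, policy="highest-failing-rule"):
    """Priority for a packet that failed one or more IDS rules (lower number = more severe)."""
    if policy == "highest-failing-rule":     # most severe of the failing rules (e.g. 3 and 2 -> 2)
        return min(r.priority for r in failed)
    if policy == "any-failure-is-top":       # any failure gets the highest priority regardless
        return 1
    if policy == "rule-count":               # severity grows with the number of failed rules
        return max(1, 4 - len(failed))
    raise ValueError(policy)


def event_data(module, packet, priority, rule_names):
    """Event data message using the Table 1 field names."""
    return {
        "Log Source Description": module,
        "Event Priority": priority,
        "Event Type Description": "packet failed %s rules" % module.lower(),
        "Event Description": ", ".join(rule_names),
        "Event Date and Time": packet.received_at.isoformat(),
        "Source IP": packet.source_ip,
        "Destination IP": packet.destination_ip,
        "Destination Port": packet.destination_port,
        "Event Protocol": packet.protocol,
    }


def ids_stage(packet, policy="highest-failing-rule"):
    """Operation 504: returns ('PASS', None) or ('DELETE', event_data)."""
    failed = [r for r in IDS_RULES if r.fails(packet)]
    if not failed:
        return "PASS", None
    prio = assign_ids_priority(failed, policy)
    return "DELETE", event_data("IDS", packet, prio, [r.name for r in failed])


def firewall_stage(packet):
    """Operation 604: returns ('PASS', packet_type, None) or ('DELETE', None, event_data)."""
    failed = []
    if packet.source_ip in FIREWALL_BLOCK_TABLE:
        failed.append("blocked-ip-table")
    ptype = PACKET_TYPE_BY_PORT.get(packet.destination_port)
    if ptype is None:                         # a packet whose type cannot be identified fails
        failed.append("unidentified-packet-type")
    if failed:
        return "DELETE", None, event_data("FIREWALL", packet, FIREWALL_FAIL_PRIORITY, failed)
    return "PASS", ptype, None


def run_pipeline(packet):
    """IDS then firewall, as in FIG. 4; returns (disposition, packet_type, event_data)."""
    disp, ev = ids_stage(packet)
    if disp == "DELETE":
        return "DELETE", None, ev
    return firewall_stage(packet)


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.10", "10.0.0.5", 25, "TCP", b"EHLO mail", RECEIVED),
                Packet("203.0.113.7", "10.0.0.5", 8081, "TCP", b"", RECEIVED),
                Packet("198.51.100.11", "10.0.0.5", 22, "TCP", b"SSH-2.0-x", RECEIVED)):
        print(run_pipeline(pkt))
```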
- FIG. 7 illustrates an embodiment of the logical operations of an e-mail analysis operation 406 .
- the flow starts when an e-mail packet is received from the firewall module in a receive packet operation 702 . Packets received from the firewall module are placed in an e-mail queue. Depending on the implementation, some screening performed during the e-mail analysis operation 406 may be performed on individual packets as they are received, while other screening may be performed on complete e-mails only after all the packets are received.
- an e-mail authentication operation 704 is performed which determines if the recipient identified by the e-mail is known to the e-mail system. This operation 704 may include checking the identified recipient against a database maintained by a local network directory service (such as a database maintained on a lightweight directory access protocol, or LDAP, server).
- a return e-mail is generated to the e-mail sender in a return to sender operation 706 .
- a delete e-mail operation 730 is performed that deletes the e-mail from the memory of the computing system 300 .
- a virus analysis operation 708 is performed on the e-mail.
- the virus analysis operation 708 compares the content of the e-mail against a database of virus definitions.
- the database of virus definitions may be maintained by the virus detection module or may be stored in a remote database.
- An e-mail passes the virus analysis operation 708 if no virus is found that matches the definitions in the virus definition database.
- a spam analysis operation 710 is performed on the e-mail by the spam detection module 320 .
- the spam analysis operation 710 compares the e-mail to a predetermined set of spam rules.
- the spam rules may be maintained in the spam detection module 320 or may be maintained in a remote spam rules database and accessed by the spam detection module 320 as needed.
- E-mails that pass the spam analysis operation 710 are transferred to the mail system in the protected network 352 in a transfer operation 724 after which operational flow ends in an end operation 722 as described below.
- E-mails that fail the spam analysis operation 710 are processed in a spam processing operation 712 after which operational flow ends 722 as described below.
- the spam processing operation 712 may delete the e-mail or transmit the e-mail to a specific e-mail directory (within the protected network 352 or on the computing system 300 ). What processing occurs in the spam processing operation 712 may be dictated by the administrator or may be determined individually by each recipient.
- the generate event data operation 714 includes collecting certain information from the failed e-mail. This information includes at least the source of the e-mail and may include some or all of the event data described in Table 1 that is directly available from the e-mail. The event data may also identify the virus or viruses that the e-mail contained and may identify the virus detection module as the module that failed the packet.
- the generate event data operation 714 may also include assigning a priority to the packet.
- the priority may be dictated based on the virus or viruses that the e-mail contained. Alternatively, all e-mails containing a virus may be assigned the same priority.
- an event data message is created and transmitted to the SSI 312 in a transmit event data operation 716 . If a priority was assigned in the generate event data operation 714 , then the priority may be included with the other event data in the event data message.
- An e-mail that fails the virus analysis operation 708 is processed in an infected e-mail processing operation 718 .
- the infected e-mail processing operation 718 may include deleting the e-mail, disinfecting the e-mail and subsequently transferring the e-mail to the mail system in the protected network 352 , or quarantining the e-mail as directed by the administrator of the computing system 300 .
- End operation 722 either causes the e-mail analysis operation 404 to be repeated on the next e-mail in the queue if the queue is not empty or causes the system to go into a standby mode waiting for the next communication packet to be received from the firewall module.
- FIG. 8 illustrates an embodiment of the logical operations of a web content analysis operation 408 .
- the flow starts when a web page packet is received from the firewall module in a receive packet operation 802 .
- Web page packets received from the firewall module are stored in the web proxy 326 .
- an authentication operation 804 is performed which determines if the recipient identified by the web page element is known to the web proxy. This operation 804 may include checking the identified recipient against a database maintained by a local network directory service (such as a database maintained on a lightweight directory access protocol, or LDAP, server).
- a delete operation 805 is performed that deletes the web page element from the web proxy 326 and the operational flow then ends with an end operation 822 as described below.
- a content analysis operation 806 is performed on the web page element.
- the content rules analysis operation 806 compares the content of the web page element against a set of content rules.
- the set of content rules is maintained in a database either within the web content module 322 or maintained in a remote location accessible to the web content module 322 .
- a web page element “passes” the content rules analysis operation 806 if no content rule is found in the database that bars the delivery of the content element.
- a web page element that passes the content rules analysis operation 806 is transmitted to the identified recipient within the protected network 352 in a transmit to requestor operation 810 after which operation flow ends in the end operation 822 .
- the web page element “fails” the analysis and is deleted and a content error page is transmitted to the destination of the web page element (i.e., the web page requestor) in a content error operation 808 .
- the generate event data operation 812 includes collecting certain information from the failed web page element. This information includes at least the source of the web page element and may include some or all of the event data described in Table 1 that is directly available from the web page element. The event data may also identify the content rule or rules that the web page element failed and may identify the web content module as the module that failed the element.
- the generate event data operation 812 may also include assigning a priority to the web page element.
- the priority may be dictated based on the rule that the web page failed. Alternatively, all web page elements that fail may be assigned the same priority.
- an event data message is created and transmitted to the SSI 312 in a transmit event data operation 814 . If a priority was assigned in the generate event data operation 812 , then the priority may be included with the other event data in the event data message.
- the operational flow ends with an end operation 822 that returns the web proxy to a standby mode or begins the web content analysis operation 408 on the next web page element in the web proxy.
- FIG. 9 illustrates the logical operations of the VPN analysis operation 410 .
- the operational flow starts when a VPN connection request is received from the firewall module in a receive packet operation 902 .
- VPN connection requests received from the firewall module are stored in the VPN concentrator 328 until they are either deleted or passed to the VPN within the protected network 352 .
- a VPN connection request received by the VPN concentrator is analyzed in an authentication operation 904 which determines if the user identified as the author of the VPN connection request is a valid network user known to the VPN.
- This operation 904 may include checking the identified user against a database maintained by a local network directory service (such as a database maintained on a lightweight directory access protocol, or LDAP, server).
- the VPN connection request is authenticated and the connection to the VPN within the protected network is completed in a connect to VPN operation 906 , after which the operational flow then ends with an end operation 922 as described below.
- all subsequent VPN traffic is still analyzed by the SSI 312 in the same way as regular, non-VPN communications (i.e., through the IDS module, the firewall module, etc.).
- the generate event data operation 908 includes collecting certain information from the failed VPN connection request. This information includes at least the source of the VPN connection request and may include some or all of the event data described in Table 1 that is directly available from the packet. The event data may also identify the VPN concentrator as the module that failed the packet.
- the generate event data operation 908 may also include assigning a priority to the web page element.
- the priority may be dictated based on some analysis performed by the VPN concentrator or all VPN connection requests that are failed may be assigned the same priority.
- an event data message is created and transmitted to the SSI 312 in a transmit event data operation 910 . If a priority was assigned in the generate event data operation 908 , then the priority may be included with the other event data in the event data message.
- Failure of a packet by the authentication operation 904 also results in a delete VPN connection request packet operation 912 .
- the delete operation 912 occurs after the transmit event data operation 910 , although alternative embodiments are also contemplated.
- the delete operation 912 deletes the packet from the computer system 300 , thereby preventing the packet from reaching its destination and freeing up resources for analysis of later received packets.
- deleting the packet may include saving a copy of the packet to a deleted packet database for further analysis.
- the operational flow ends with an end operation 522 that returns the VPN concentrator to a standby mode or begins the authentication operation 904 on the next VPN connection request in the VPN concentrator if a second VPN packet is pending.
- FIG. 10 illustrates the logical operations of the event data analysis operation 412 .
- the operational flow starts when an event data message containing event data is received from a module in a receive event data operation 1002 .
- an initial priority operation 1004 is performed to determine whether the event data includes an assigned priority. If the event data in the message includes a priority assigned by the module that transmitted the event data, then the initial priority of the event is the assigned priority. If there is no assigned priority, then the initial priority operation 1004 assigns an initial priority to the event data. The assignment is made based on the information in the event data, such as the module generating the event data, the reason for failure of the packet, or the type of packet.
- all packets failed by the firewall module are assigned an initial priority of 2 and packets failed by the IDS module are assigned an initial priority of 1, 2 or 3 depending on the IDS rule or rules that the packet failed.
- the rule or rules may be identified in the event data or the IDS rules analysis operation 504 may be repeated on the event data by the SSI 312 to identify the rule or rules as part of the assignment.
- all packets failed by the virus detection module or the VPN concentrator are assigned an initial priority of 4.
- a generate rule operation 1008 is performed in which a priority 1 IDS rule is generated and transmitted to the IDS module for addition to the set of IDS rules maintained by the IDS.
- the generate rule operation 1008 is discussed in greater detail below.
- a search operation 1012 searches the event database for an event record identifying the same packet source as that identified in the event data received in the receive event data operation 1002 . If an event record is found with the same packet source, then an upgrade priority operation 1014 changes the priority of the event data to priority 1 and control transfers to the generate priority 1 rule operation 1008 previously discussed. However, if the search operation 1012 does not find an event record with the same source as that identified in the event data received in the receive event data operation 1002 , then control transfers to the generate rule operation 1008 discussed below.
- An embodiment of the search operation 1012 may also include performing a Bayesian analysis on the results of the search to verify that an upgrade in priority is warranted given the level of security desired by the administrator of the computing system 300 . Such an analysis may be focused on reducing the number of false positives or increasing the relative percentage of true positives depending on the security preferences.
- a virus event operation 1016 determines if the event data message received in receive operation 1002 was generated by the virus detection module. If the event data message was not generated by the virus detection module, then control transfers to the save event data operation 1010 .
- a virus attack detection operation 1018 searches the event database for event records indicating that infected e-mails were previously received from the same source as the event data received in receive operation 1002 .
- a virus attack is presumed if a predetermined number of e-mails from the same source failed the virus detection module within a predetermined period of time. The number of e-mails and period used may be predetermined by the administrator of the computing system 300 .
- a virus attack is presumed if three or more virus-containing e-mails are received from the same source within a one-minute period.
- the SSI 312 makes the attack determination by searching the event database for records indicating receipt of the predetermined number of virus-containing e-mails within the period. If the virus attack detection operation 1018 finds that the virus attack criteria is not met, then operation flow transfers to the save event data operation 1010 .
- the priority of the event data is upgraded to a priority of 3 in a priority level 3 upgrade operation 1020 .
- the operation flow is transferred to the search operation 1012 described above.
- the generate rule operation 1008 generates a rule for use by one or more modules in the computer system 300 .
- the generate rule operation 1008 will be described in terms of generating an IDS rule that will be used by the IDS module in subsequent IDS analyses 402 .
- the generate rule operation 1008 may also generate rules specifically for use by any of the other modules.
- Such rule generation could be based on the type of communication or on an IDS rule consistent with the final priority assigned by the SSI 312 to the event data received in an event data message.
- if the event data received is assigned a priority of 1, then the generate rule operation 1008 generates a priority 1 IDS rule.
- if the event data received is assigned a priority of 2, then the generate rule operation 1008 generates a priority 2 IDS rule, and if the event data received is assigned a priority of 3, then the generate rule operation 1008 generates a priority 3 IDS rule.
- a priority 1 IDS rule is a rule that causes the IDS module to delete all packets received from the source identified in the event data for some predetermined blocking period, such as 24 hours, from the receipt of the packet that caused the event data to be generated.
- a priority 2 IDS rule is a rule that causes the IDS module to delete all packets received from the source identified in the event data for some predetermined blocking period less than that of the priority 1 IDS rule, such as 4 hours, from the receipt of the packet generating the event data.
- a priority 3 IDS rule is a rule that causes the IDS module to delete all packets received from the packet source identified in the event data for some predetermined period less than that of the priority 2 IDS rule, such as 1 hour, from the receipt of the packet generating the event data.
- the IDS rule generated may identify the source, such as the source IP address, and an expiration date and time for the IDS rule calculated based on the appropriate blocking period.
- the IDS rule generated by the generate rule operation 1008 is added to the IDS rule database by a transmit new IDS rule operation 1022 .
- the transmit new IDS rule operation 1022 may entail writing the new IDS rule directly to the IDS rule database or, if the IDS rule database is maintained by the IDS, may include transmitting the generated IDS rule to the IDS module for addition to the IDS rule database.
- the new IDS rule is ultimately added to the set of IDS rules used by the IDS module in the IDS rules analysis operation 504 .
- the new IDS rules are generated for the IDS module in real time as packets are received and evaluated by the monitoring modules.
- a save event data operation 1010 is performed that saves the event data received in the receive event data operation 1002 into a new event record. Some or all of the event data provided in the event data message may be saved in the new record. In addition, the final priority assigned to the event data is also saved in the event record.
- the save event data operation 1010 may also cause to be saved a log of the actions taken by the SSI 312 in response to receipt of the event data, such as a log identifying the generation of an IDS rule and transmission of a notification message in response to a rule generation.
- the operational flow ends in an end operation 1024 which causes the SSI 312 to either repeat the event data analysis operation 412 on the next event data message pending analysis or enter a standby mode until the next event data message is received.
- the save event data operation 1010 may include transmitting the event data with its site-generated priority to the SSMI for additional analysis with the benefit of the event data received from other computing systems.
- the operational flow described with reference to FIG. 10 is one embodiment of an event data analysis operation 412 that receives event data from a plurality of monitoring modules and, based on an analysis of the event data in real time, automatically generates one or more rules for the monitoring modules.
- While FIG. 10 only generates rules for the IDS module, the scope of application is not limited. Alternative embodiments are possible and contemplated that generate rules for the other monitoring modules and also for monitoring modules that are not described in FIG. 3 .
- For example, consider event data received from a web content filter that failed a web page element being retrieved by a computing device in the protected network. In an embodiment, all web page content failure events are assigned a priority of 2 by the web content filter.
- the event data would be received by the SSI 312 in the received event data operation 1002 .
- the initial priority operation 1004 would identify the event data as having an event priority of 2 and the search operation 1012 would search the database 310 for any other event records from the same IP address as the failed web page element.
- Assume the search 1012 found at least one other event record in the event database 310 indicating that the source of the failing communication was the same IP address as the failed web page element.
- the upgrade priority operation 1014 changes the priority of the event data to a priority of 1 and a priority 1 rule is generated in the generate rule operation 1008 .
- the transmit rule operation 1022 then transmits the new rule to the IDS blocking rule database. In the embodiment, this is achieved by either revising an expiration time of an existing IDS rule that blocks the web page element's source to 24 hours from the web page element's receipt or by adding a new rule to the rule database that blocks packets from the web page element's source for 24 hours from the time of receipt of the web page element.
- the event data including the newly assigned priority of 1 are then saved in the save event data operation 1010 and the SSI's 312 processing of that event ends.
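The FIG. 10 flow (operations 1002 through 1024) and the web content walkthrough above, as an added Python model that is not part of the patent: it assigns the initial priority, searches the event database for a repeat source, applies the three-infected-e-mails-in-one-minute attack criterion, and issues a time-limited IDS blocking rule whose expiry follows the 24-hour, 4-hour and 1-hour periods the description gives. The branch ordering for priority 4 events, the handling of an IDS event that names no rule priority, the module names and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Blocking periods the description gives for generated IDS rules: 24 h, 4 h and 1 h.
BLOCKING_PERIODS = {1: timedelta(hours=24), 2: timedelta(hours=4), 3: timedelta(hours=1)}
# Virus attack criteria from the description: three or more infected e-mails in one minute.
VIRUS_ATTACK_COUNT = 3
VIRUS_ATTACK_WINDOW = timedelta(minutes=1)

@dataclass
class EventData:
    """Event data message from a monitoring module (subset of the Table 1 fields)."""
    source: str                               # packet source, e.g. source IP address
    module: str                               # "firewall", "ids", "virus", "vpn" or "web"
    received: datetime                        # receipt time of the packet that failed
    priority: Optional[int] = None            # priority assigned by the module, if any
    ids_rule_priority: Optional[int] = None   # IDS events: priority of the rule failed

@dataclass
class IdsRule:
    source: str
    priority: int
    expires: datetime

@dataclass
class EventRecord:
    source: str
    module: str
    received: datetime
    final_priority: int
    actions: list = field(default_factory=list)   # action log saved with the record

class SSI:
    """Event database plus the event data analysis flow of FIG. 10 (assumed branch order)."""
    def __init__(self) -> None:
        self.event_db: list[EventRecord] = []
        self.ids_rules: dict[str, IdsRule] = {}   # one active blocking rule per source

    def initial_priority(self, ev: EventData) -> int:
        """Operation 1004: keep the module's priority or derive one from the event data."""
        if ev.priority is not None:
            return ev.priority
        if ev.module == "firewall":
            return 2
        if ev.module == "ids":
            # Assumption: an IDS event naming no usable rule priority is treated as 3.
            return ev.ids_rule_priority if ev.ids_rule_priority in (1, 2, 3) else 3
        return 4   # virus detection module and VPN concentrator (assumed for others too)

    def same_source_seen(self, ev: EventData) -> bool:
        """Operation 1012: is there an earlier event record from the same packet source?"""
        return any(r.source == ev.source for r in self.event_db)

    def virus_attack(self, ev: EventData) -> bool:
        """Operation 1018: this plus earlier infected e-mails from the source in the window."""
        start = ev.received - VIRUS_ATTACK_WINDOW
        earlier = sum(1 for r in self.event_db if r.module == "virus" and r.source == ev.source
                      and start <= r.received <= ev.received)
        return earlier + 1 >= VIRUS_ATTACK_COUNT

    def generate_rule(self, ev: EventData, priority: int) -> IdsRule:
        """Operations 1008 and 1022: add a blocking rule for the source or extend an existing one."""
        expires = ev.received + BLOCKING_PERIODS[priority]
        current = self.ids_rules.get(ev.source)
        if current is None or expires > current.expires:
            current = IdsRule(ev.source, priority, expires)
            self.ids_rules[ev.source] = current
        return current

    def analyze(self, ev: EventData) -> EventRecord:
        """Operation 412 for one event data message; returns the saved event record."""
        actions: list[str] = []
        priority = self.initial_priority(ev)
        generate = priority in BLOCKING_PERIODS   # only priorities 1 to 3 produce a rule
        if priority == 4 and ev.module == "virus" and self.virus_attack(ev):
            priority, generate = 3, True           # operations 1016, 1018 and 1020
            actions.append("virus attack detected: upgraded to priority 3")
        if generate and priority != 1 and self.same_source_seen(ev):
            priority = 1                           # operation 1014
            actions.append("source seen before: upgraded to priority 1")
        if generate:
            rule = self.generate_rule(ev, priority)
            actions.append(f"IDS rule: block {rule.source} until {rule.expires.isoformat()}")
        record = EventRecord(ev.source, ev.module, ev.received, priority, actions)
        self.event_db.append(record)               # operation 1010
        return record

def run_sample() -> SSI:
    """Constructed sample: firewall and web content failures from one source, three
    infected e-mails within a minute from a second source, and a VPN failure from a third."""
    ssi = SSI()
    t0 = datetime(2004, 1, 23, 9, 0, 0)
    ssi.analyze(EventData("10.0.0.5", "firewall", t0))
    ssi.analyze(EventData("10.0.0.5", "web", t0 + timedelta(minutes=10), priority=2))
    for i in range(3):
        ssi.analyze(EventData("198.51.100.7", "virus", t0 + timedelta(seconds=20 * i)))
    ssi.analyze(EventData("203.0.113.9", "vpn", t0 + timedelta(minutes=5)))
    return ssi
```

In the sample, the second event from 10.0.0.5 is upgraded to priority 1 and the existing 4-hour rule's expiry is pushed out to 24 hours, as in the web content walkthrough; the VPN failure is saved at priority 4 with no rule.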
Abstract
The present invention includes an integrated data traffic monitoring system monitoring data traffic received from a communication network and destined for a protected network. The monitoring system includes a security appliance and one or more security and monitoring technologies such as hardware and open source and proprietary software products. The security appliance and the security and monitoring technologies may be implemented as separate and distinct modules or combined into a single security appliance. The security and monitoring technologies monitor network data traffic on, or directed to, the protected network. The monitoring system collects data from each of the technologies into an event database and, based on the data, automatically generates rules directing one or more of the technologies to prevent subsequent communications traffic from specific sources from entering the protected network.
Description
- This application claims priority of U.S. Provisional Application Ser. No. 60/538,960, entitled INTEGRATED DATA TRAFFIC MONITORING SYSTEM, filed Jan. 23, 2004 (also identified by attorney docket no. 14584.0004USP1), and U.S. Utility application Ser. No. 10/768,931, entitled INTEGRATED DATA TRAFFIC MONITORING SYSTEM, filed Jan. 29, 2004, which are hereby incorporated by reference.
- This application relates generally to monitoring data traffic related to computing systems, and more particularly to an integrated system for monitoring data traffic.
- Security is now a very important aspect of any computing system connected to the Internet. In order to provide protection from different types of security threats, a typical computing system may employ a significant number of technologies to monitor the computing system and, in some cases, perform actions to protect the computing system from identified threats or potential threats. These technologies will be referred to generally throughout this specification as monitor modules. Some common monitor modules and their functions include:
- Stateful Firewall—An industry standard method of network connection monitoring, control and protection
- Application Awareness—Inspecting network connections for proper application behavior protecting a network from common application vulnerabilities
- DHCP—Provides IP address and other network parameters to network users
- IDS—Intrusion Detection System, detects attacks
- IDP—Intrusion Detection and Prevention, detects and prevents attacks
- HIDS—Host-based Intrusion Detection systems, detects attacks and changes on the security device itself
- Service Proxy and Cache Server—Isolates users from the Internet, controls their access and improves speed of Internet use
- Email Forwarder with Masking—Isolates and controls incoming or outbound Email
- WEB Forwarder with Masking—Isolates, protects and controls incoming or outbound WEB service requests
- Anti-SPAM—Prevents the majority of unsolicited Email requests
- Web Content Filter—Protects organizations from access to or from unacceptable WEB sites and content
- Anti-Virus Filter—Examines incoming Email and other services for the presence of viruses and removes them
- Email Content Filter—Controls the content of Email messages to protect against SPAM and unacceptable content
- Multiple DMZ—The ability to segregate a customer's network into isolated “De-Militarized Zones”, provides protection by isolation
- VPN Concentrator—Allows for connection from anywhere in the world to a “Virtual Private Network” that from a remote site appears as a single network segment
- VPN Initiator—Connects to other VPN concentrators
- Site-to-Site VPN with Full Mesh Option—Allows for the creation of large private network utilizing inexpensive public Internet connections. Useful for companies with small branch or remote offices/locations
- Encryption at All Levels—All data transferred or stored in an encrypted or encoded format
- Honey Pot—A method to trap intruders and to track attackers
- SSH/SSHD—A secure method of communicating and managing security appliances and services
- Automatic Updates Via WEB—Self-maintaining, correcting, updating and reporting mechanisms
- HA/Cluster Implementation—High-availability redundant capability that can grow as required depending on performance requirements
- Common Web-Enabled Management Interface—All technologies and services are managed by a common WEB based interface
- SAMBA, LDAP Support—Windows network file system and user awareness
- Full Identification, Authentication and Authorization (AAA) Support—Method to ensure proper user access and logging of user connection to network resources
- Multi Factor Identification Required for Device Management—More extensive methods used for administrative access to security devices for management and control.
- SNMP Device Inspection and Control—The ability to query and control devices such as routers, switches, printers, workstations and printers to gather detailed network information without the need for a device specific resident client.
- Clear Text Password Detection—The ability to detect, log and report the use of internal or external usernames and passwords that are not encrypted (clear text).
- Monitor modules such as those described above each perform a different monitoring and/or security function and are usually provided as a separate and distinct application (or device, depending on the implementation) on the computing system. Because computing system administrators wish to select and employ only those monitor modules deemed necessary, most monitor modules are designed to be standalone modules that function independently of the existence of other monitor modules. Therefore, each monitor module independently generates and tracks various data as necessary to perform its function, regardless of whether the same data is being tracked or generated by other monitor modules.
- In addition, because the developer of a monitor module cannot rely on the existence of other monitor modules or even a common data format for data generated by other data systems, most monitor modules are not designed to interface with other monitor modules or even provide data in a format useful to other monitor modules. Therefore, monitor modules are not capable of taking advantage of information known to other monitor modules or reacting to actions being performed by other monitor modules.
- For example, an anti-virus filter might include a file of known viruses that it uses when screening message traffic received by the computing system. Any messages containing files that include a virus identified in the known virus file are deleted, quarantined, or otherwise acted on by the virus filter without input from, or knowledge of, the other monitor modules. Similarly, an anti-spam filter may include a list of words or other information that it uses to screen out messages received by an e-mail application. These monitor modules may report data to an administrator of the computing system indicating that viruses or spam have been detected or that actions have been taken, but the other monitor modules on the computing system are unaware of this and make their own decisions independent of any such knowledge or actions. It is left to the administrator to determine from the data if another monitor module needs to be provided with this new data to more effectively perform its function.
- Each disparate monitor module has its own requirements for evaluating messages received from the communication network. In the case of an anti-virus filter, the entire message is typically received before the filter makes its analysis. The same is true for the anti-spam filter. A firewall, on the other hand, can delete the packets that make up a communication as the packets arrive, preventing them from ever being passed into the computing system proper. However, the firewall has no way of predicting that a given message or communication contains a virus, is spam, is an attempt to take over the computer, or represents some other threat, so such threats are passed into the computer to be screened by the other monitor modules.
- Because the monitor modules do not share information, the fact that threats are identified by one monitor module does not benefit any of the other monitor modules. Take, for example, a situation where a remote computer is attempting to take control of a computing system. The first effort may be to infect the computing system with one of a number of viruses that allow remote control of the computing system, by sending virus-laden messages to the computing system. If the virus software catches all of the viruses, then an attempt may be made to log into the computing system as a user. If the clear text password detection system foils this attempt, an attempt may then be made to reconfigure the computing system to allow public access to restricted material, thereby testing the HIDS system. This scenario shows that if the remote computer keeps looking for weaknesses long enough, it is likely something will be found. As the monitor modules do not interface with each other, the password detection system does not have the benefit of the knowledge that there have already been repeated infection attempts from the remote computer. Similarly, the HIDS system does not know that the remote computer was the source of numerous, different, and concerted attempts to take over control of the computer.
- The monitor modules often report data related to identified threats and the actions taken in response to an administrator. However, it is up to the administrator to read the disparate reports and notifications and attempt to identify trends indicative of a more significant threat to the computing system. In the scenario described above it is left to the administrator to view the data from each of the monitor modules, correlate the data, determine an appropriate coordinated response by the computing system, and implement the response. Depending on the level of communications traffic and size of the computing systems, this may involve the analysis of huge amounts of data stored in multiple data logs, each in different formats and containing different types of information. The administrator may have difficulties correlating data from one monitor module to data from another monitor module, not to mention difficulties in identifying trends in the collected data.
- The scenario described above used a relatively simple example where all the attacks are coming from one remote computer. Other scenarios are possible where the attacks have other, but less obvious, common characteristics such as they all have the same destination, subject line or some other attribute. Such information may not even be tracked by each monitor module and may only be determinable upon review of a collected and correlated set of data from all the monitor modules.
- Administrators have a further challenge in that most attacks occur quickly. Often, by the time the administrator has determined from the data provided by the various monitor modules that a concerted attack on multiple fronts is occurring, it has either succeeded or failed. Administrators cannot analyze the data provided in the time necessary to provide effective feedback to the various monitor modules.
- In reality, even though a plethora of threat data exists and is being reported in real time, it is typically used after the fact to determine what occurred after a successful attack.
- The present invention includes an integrated monitoring system monitoring communications received from an external communication network. The integrated monitoring system may be implemented on one or more computing systems that handle incoming and outgoing communications between the external communications network and a protected computing network (the “protected network”) having at least one computing device.
- The integrated monitoring system receives communications from the communications network, such as the Internet, a telephone system, a wireless network, or any combination of communications networks, screens the communications for threats, and transmits safe communications to the appropriate destination within the protected network it serves while deleting communications that represent potential threats to the protected system.
- The integrated security system includes a plurality of monitoring modules for screening a plurality of different types of communications, such as e-mail messages, VPN communications, and web page traffic. Based on event data generated by the monitoring modules upon determination of a potential threat, new rules are automatically developed by the integrated security system and implemented using one or more of the monitoring modules.
- In accordance with other aspects, the present invention relates to a method of automatically generating rules for use by a monitoring module. The method includes analyzing a data packet received from a communication network by the monitoring module using a predetermined set of rules. The data packet includes information identifying the packet's source (e.g., a source IP address) and the packet's destination. In response to the packet failing the analyzing operation, the method searches an event database for events associated with the source of the packet. If the event database contains an event record associated with the source of the packet, a new rule is generated to block subsequent packets from the source of the packet for a predetermined period of time. The new rule is then added to the set of rules used by the monitoring module.
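As an added example, not the patent's own code, the rule-generation method just described written in Python: a hypothetical MonitorModule screens each packet with a predetermined rule set, records every failure in an event database, and, when the failing packet's source already has an event record, adds a rule that blocks that source until a predetermined period expires. The screening rules, the event record fields, the block period and the ordering of the database search relative to recording the new event are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List


@dataclass(frozen=True)
class Packet:
    source_ip: str
    dest_ip: str
    dest_port: int
    payload: bytes


@dataclass(frozen=True)
class EventRecord:
    """Event data generated when a packet fails a screening rule (a subset of the
    event data the specification lists: log source, event type, timestamp, source IP)."""
    source_ip: str
    log_source: str
    event_type: str
    timestamp: datetime


@dataclass(frozen=True)
class BlockRule:
    """Automatically generated rule: block every packet from source_ip until expires_at."""
    source_ip: str
    expires_at: datetime


# Constructed screening rules; each returns True when the packet FAILS the rule.
BAD_SIGNATURE = b"CONSTRUCTED-BAD-SIGNATURE"   # stand-in for a real content signature
ALLOWED_DEST_PORTS = {25, 80, 443}


def signature_rule(pkt: Packet) -> bool:
    return BAD_SIGNATURE in pkt.payload


def port_rule(pkt: Packet) -> bool:
    return pkt.dest_port not in ALLOWED_DEST_PORTS


class MonitorModule:
    """Hypothetical monitor module that screens packets with a predetermined rule set,
    records events, and generates time-limited source-block rules from the event database."""

    def __init__(self, screening_rules: List[Callable[[Packet], bool]],
                 block_period: timedelta, log_source: str = "IDS") -> None:
        self.screening_rules = list(screening_rules)
        self.block_period = block_period
        self.log_source = log_source
        self.block_rules: List[BlockRule] = []    # rules added by this method
        self.event_db: List[EventRecord] = []     # the event database

    def _purge_expired(self, now: datetime) -> None:
        # a generated rule only blocks for the predetermined period
        self.block_rules = [r for r in self.block_rules if r.expires_at > now]

    def analyze(self, pkt: Packet, now: datetime) -> str:
        """Return what happened to the packet: passed, deleted, deleted+rule, or blocked."""
        self._purge_expired(now)
        # 1. packets from a source with an active generated rule are blocked outright
        if any(r.source_ip == pkt.source_ip for r in self.block_rules):
            return "blocked"
        # 2. analyze the packet with the predetermined set of screening rules
        failed = [rule.__name__ for rule in self.screening_rules if rule(pkt)]
        if not failed:
            return "passed"
        # 3. the packet failed: search the event database for events from this source
        #    (assumption: the search runs before this failure is itself recorded)
        prior = [e for e in self.event_db if e.source_ip == pkt.source_ip]
        self.event_db.append(EventRecord(pkt.source_ip, self.log_source, failed[0], now))
        # 4. a source that already had an event record gets a new block rule
        if prior:
            self.block_rules.append(BlockRule(pkt.source_ip, now + self.block_period))
            return "deleted+rule"
        return "deleted"
```

The first failing packet from a source is only deleted and recorded; the second produces the block rule, after which even benign packets from that source are blocked until the period expires.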
- FIG. 1 illustrates an integrated monitoring system in accordance with an embodiment of the present invention.
- FIG. 2 illustrates some of the functional components of an embodiment of an integrated monitoring system for a computing system.
- FIG. 3 illustrates a detailed embodiment of an exemplary implementation of an integrated monitoring system.
- FIG. 4 shows, at a high level, an embodiment of the logical operations of the integrated monitoring system of FIG. 3.
- FIG. 5 illustrates an embodiment of the logical operations of the IDS analysis operation of FIG. 4.
- FIG. 6 illustrates an embodiment of the logical operations of the firewall analysis operation of FIG. 4.
- FIG. 7 illustrates an embodiment of the logical operations of the e-mail analysis operation of FIG. 4.
- FIG. 8 illustrates an embodiment of the logical operations of the web content analysis operation of FIG. 4.
- FIG. 9 illustrates an embodiment of the logical operations of the VPN analysis operation of FIG. 4.
- FIG. 10 illustrates an embodiment of the logical operations of the event data analysis operation of FIG. 4.
- Various embodiments of the present invention will be described in detail with reference to the drawings, wherein like reference numerals represent like parts and assemblies throughout the several views. Reference to various embodiments does not limit the scope of the invention, which is limited only by the scope of the claims attached hereto. Additionally, any examples set forth in this specification are not intended to be limiting and merely set forth some of the many possible embodiments for the claimed invention.
- In one possible embodiment, a computing system may include a single computing device or multiple, connected computing devices. Computing devices are electronic devices that perform functions using a combination of hardware and/or software. Computing devices may include such hardware as a processor, computer readable storage media (including, but not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the system), and one or more communication devices suitable for transmitting and receiving data over communication media. In addition, computing devices may also include software, firmware or a combination of the two stored on the computer readable media. Examples of computing devices include personal computers, handheld computing devices, mobile communication devices, cellular telephones, networked appliances, computer servers, mainframes, and any other programmable device that is exposed to and receives data traffic.
- Communication media includes any medium capable of carrying data or information such as computer-readable instructions, data structures, and program modules, whether such data is embodied in a modulated data signal such as a carrier wave or other transport mechanism. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared, and other wireless media.
- Computing devices may be implemented using different software operating systems and programming languages. Examples of operating systems include Microsoft Windows XP, Macintosh OS X, OS2, Unix- and Linux-based operating systems, and Microsoft Windows CE. Examples of programming languages suitable for developing software embodiments include C, C++, Java, Visual Basic, Perl, and markup languages such as XML, HTML, and XAML. Selection of operating systems and software languages is often more an issue of user and developer preferences or convenience.
- Computing devices may be described in terms of the logical operations performed by the devices. The logical operations of the following various embodiments are implemented (1) as a sequence of computer implemented acts running on a computing system and/or (2) as interconnected machine logic circuits or circuit modules within the computing system. The implementation is a matter of choice dependent on the performance requirements of the computing system implementing the invention. Accordingly, the logical operations making up the embodiments described herein are referred to variously as operations, structural devices, acts or modules. It will be recognized by one skilled in the art that these operations, structural devices, acts and modules may be implemented in software, in firmware, in special purpose digital logic, and any combination thereof without deviating from the spirit and scope of the present invention as recited within the claims attached hereto.
- FIG. 1 illustrates an exemplary computing system 100 that implements an embodiment of an integrated monitoring system 120. The exemplary computing system 100 as shown includes an email server 102, a web server 104 and an intranet server 106. The servers are further connected to an internal communication network 108, such as an intranet. The internal communications network 108 connects the various computing devices and components internal to the computing system 100. In the embodiment shown, the internal network 108 is connected to the servers and additional computing devices 112. The computing system 100 is further connected to other remote computing systems over an external communications network 122. The external communications network 122 may be the Internet or may be some other wired or wireless communications network.
- In the environment shown in FIG. 1, communications traffic in the form of data transmitted on the network 122 may pass between the computing system 100 and the remote computing systems. In addition, there also may be communication traffic passing between various elements within the computing system 100. The communications traffic on the network 122 and within the computing system 100 will be discussed as consisting of a plurality of separate and identifiable “messages”. Examples of messages on the Internet include, for example, digital files, email messages, web pages, voice over internet protocol (VOIP) data streams, and streaming audiovisual data. Messages are transmitted in digital form as one or more packets of digital data.
- The embodiment in FIG. 1 also includes an integrated monitoring system 130, which monitors communication data traffic. The integrated monitoring system 130 may be implemented to monitor data traffic on the internal network 110, data traffic received from the external network 122, or both, depending on the implementation. The integrated monitoring system 130 analyzes the communication traffic in order to identify messages that may pose a threat to the computing system and blocks or quarantines any such messages identified. Such threats include any unwanted or undesirable occurrence related to data traffic such as, for example, spam, viruses, denial of service attacks, unauthorized attempts to infiltrate the computing system, etc. While some threats may be actual threats of harm or damage to the system, others may simply be inconvenient, annoying or unwanted events and not pose any risk of damage to the computing system. The integrated monitoring system 130 will be discussed in greater detail with reference to FIG. 2 below.
- FIG. 1 shows the integrated monitoring system 130 connected to the internal network 110. However, it should be noted that the integrated monitoring system 130 may be connected to the internal and external networks in many different ways and still perform its security functions. For example, in one embodiment the integrated monitoring system 130 is implemented as a gateway between the external communication network 122 and the internal communication network 110. Messages destined for the computing system 100 are screened by the integrated monitoring system 130 before being passed on to the internal network 110. In an alternative embodiment, all messages carried on the internal network, regardless of whether they originate from a computing device 112, a server, or the external network 122, pass through the integrated monitoring system 130.
- FIG. 2 illustrates the functional components of an embodiment of an integrated monitoring system 200 for a computing system. The integrated monitoring system 200 includes multiple monitor modules and an SSI 212. The SSI 212 may include such components as an analysis module 216 that analyzes the contents of an event database 214, an alerting module 218 that transmits security alerts (such as to system administrators and users), a command and control module 220 that provides an interface between the SSI 212 and the monitor modules, a communication module 224 that supports the reporting of the contents of the event database 214 to other locations, and a log database 222 that stores a log record of actions taken by the integrated monitoring system 200 over time. Each of these components is discussed in greater detail below.
- The integrated monitoring system 200 includes a plurality of monitor modules. Each monitor module 202 may independently perform one or more different monitoring and security functions. The functions of some monitor modules also may overlap. In general, the monitor modules monitor and evaluate communications traffic on a communication network (internal, external or both, depending on how the integrated monitoring system 200 is implemented within the computing system). Each of the monitor modules
- The monitor modules monitor the communications traffic to identify messages that may pose a security threat to the computing system. Each monitor module may evaluate the communication traffic in a different way in an attempt to identify different potential threats. Upon identification of a potentially threatening message by a monitor module, the monitor module may take unilateral action to address the threat. In addition to any such unilateral action, the monitor modules also report event data related to the events that are identified.
- Each message identified as a potential security threat by one or more of the monitor modules is a single “event.” That is, if a message is identified by several different monitor modules, possibly for different reasons, as a potential threat, that message will be considered a single event, as described in greater detail below.
- Each monitor module
- The event data reported, of course, are dictated by the implementation of the reporting monitor module. Such event data may include, for example, data identifying the monitor module generating the event data, the event type, a priority associated with the event determined by the monitor module, a timestamp for the event, and one or more identifying details of the message that is the source of the event, such as the source IP address, port, URL or MAC of the message, an identifier indicating if the source is internal to the computing system, the destination IP address, port, URL or MAC of the message, an identifier indicating if the destination is internal to the computing system, and information concerning whether the message is coming from a known “bad” or “good” host. The event data may be provided as a simple ASCII file with a known format, as XML that includes data type definitions, in an HTML file, or in any other form, as long as it is known to and useable by the SSI.
- For example, a stateful firewall monitor module, which remembers the context of connections and continuously updates this state information in dynamic connection tables, may use one or more IP tables to identify known sources of threats and automatically block traffic from those IP addresses in the IP tables. In the event that messages from IP addresses in the IP tables are identified and blocked by the firewall, the firewall may report event data to the SSI including the source IP address, the destination IP address, identifying information regarding the content of the message, and the date and time the message was received by the firewall.
- Another monitor module may be an IDP system. The IDP may include an internal set of rules for use in evaluating and blocking messages in real time. Upon detection of a threat, the IDP system may report an alert, a threat ID and description, a timestamp, and the source and destination IP addresses of the message. Additional event data may also be reported depending on the implementation.
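As an added example, not the patent's own code, the event-data pipeline implied by the reporting described above and by the analysis module's weighting and command generation described later in this section: module reports in a constructed key=value format are parsed into event records carrying a subset of the TABLE 1 fields, reports for the same message from several modules are folded into a single event, and events sharing a source IP are weighted by priority, type and reporting module into a threat level from which SSI commands are derived. The report format, the weights, the thresholds and the command policy are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed module reports in a simple known ASCII format (key=value tokens, one
# report per line).  The specification fixes no format, only that the SSI knows it.
# Addresses are RFC 5737 documentation addresses.
FIREWALL_REPORT = """\
module=FIREWALL type=blocked_ip priority=MEDIUM ts=2004-01-29T12:00:01 src=203.0.113.5 dst=192.0.2.10 dport=25
module=FIREWALL type=blocked_ip priority=LOW ts=2004-01-29T12:00:05 src=198.51.100.7 dst=192.0.2.10 dport=80
"""
IDP_REPORT = """\
module=IDP type=port_scan priority=HIGH ts=2004-01-29T12:00:01 src=203.0.113.5 dst=192.0.2.10 dport=25
module=IDP type=port_scan priority=HIGH ts=2004-01-29T12:00:09 src=203.0.113.5 dst=192.0.2.11 dport=22
"""

PRIORITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 4, "CRITICAL EVENT": 8}


@dataclass
class Event:
    """One event in the Event Log Table: a single message, which several modules may
    have flagged (subset of the TABLE 1 columns, plus the reporting modules)."""
    source_ip: str
    dest_ip: str
    dest_port: int
    timestamp: str
    log_sources: List[str] = field(default_factory=list)
    event_types: List[str] = field(default_factory=list)
    priority: str = "LOW"


def parse_report(text: str) -> List[Dict[str, str]]:
    """Parse one module's report into dictionaries of its key=value fields."""
    records = []
    for line in text.splitlines():
        if line.strip():
            records.append(dict(tok.split("=", 1) for tok in line.split()))
    return records


def merge_events(reports: List[str]) -> List[Event]:
    """Fold the module reports into events; reports for the same message (same
    source, destination, port and timestamp) become a single event."""
    table: Dict[Tuple[str, str, int, str], Event] = {}
    for report in reports:
        for r in parse_report(report):
            key = (r["src"], r["dst"], int(r["dport"]), r["ts"])
            ev = table.setdefault(key, Event(*key))
            ev.log_sources.append(r["module"])
            ev.event_types.append(r["type"])
            if PRIORITY_RANK[r["priority"]] > PRIORITY_RANK[ev.priority]:
                ev.priority = r["priority"]      # keep the highest priority assigned
    return list(table.values())


# Constructed weighting tables: the specification says only that type, priority and
# reporting module are taken into account, not what the weights are.
MODULE_WEIGHT = {"FIREWALL": 1.0, "IDP": 1.5, "VIRUS": 2.0}
TYPE_WEIGHT = {"blocked_ip": 1.0, "port_scan": 2.0, "virus_attachment": 3.0}
THRESHOLDS = [(24.0, "critical"), (12.0, "high"), (6.0, "elevated"), (0.0, "base")]


def event_weight(ev: Event) -> float:
    """Priority times the sum of module/type factors; a message flagged by several
    modules is still one event, but each module's finding adds to its weight."""
    factors = sum(MODULE_WEIGHT[m] * TYPE_WEIGHT[t]
                  for m, t in zip(ev.log_sources, ev.event_types))
    return PRIORITY_RANK[ev.priority] * factors


def threat_levels(events: List[Event]) -> Dict[str, Tuple[float, str]]:
    """Group events by their common source IP and sum the weights into a threat level."""
    totals: Dict[str, float] = defaultdict(float)
    for ev in events:
        totals[ev.source_ip] += event_weight(ev)
    return {src: (total, next(name for limit, name in THRESHOLDS if total >= limit))
            for src, total in totals.items()}


def commands(levels: Dict[str, Tuple[float, str]]) -> List[Dict[str, str]]:
    """Commands the SSI would hand to command and control: a firewall IP-table block for
    a critical source, an administrator alert for a high one (constructed policy)."""
    out = []
    for src, (_, level) in levels.items():
        if level == "critical":
            out.append({"target": "FIREWALL", "action": "add_ip_table_block", "source_ip": src})
        elif level == "high":
            out.append({"target": "ALERTING", "action": "alert_administrator", "source_ip": src})
    return out
```

With the constructed reports, the message at 12:00:01 is one event reported by both the firewall and the IDP, and the three events from 203.0.113.5 together reach the critical threshold while the single low-priority event from 198.51.100.7 stays at the base level.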
- In the embodiment, the event data reported by the monitor modules are received by the SSI 212 and stored in an event database 214. In one embodiment, the SSI 212 maintains the event database 214 to store all event data received from the monitor modules. The event database 214 may purge event data that reach a specified age or may store data until some predetermined database size is reached.
- The event database may be structured in various ways. In one embodiment, a single Event Log Table is maintained. The Event Log Table is the primary repository of the event data. As described above, the event data provided by the monitor modules is stored in event records in the Event Log Table. In addition, various other data generated by the SSI 212 related to the event may also be included in an event record. For example, the SSI may generate unique identifiers for each event record to support future error detection or transmission operations.
- TABLE 1, below, includes a list of various event data, along with their descriptions, that may be included in a record, such as an event record, in the tables described above.
TABLE 1. EVENT DATA

| Event data type | Description |
| --- | --- |
| Event Priority Description | Description of the event priority, such as “CRITICAL EVENT”. |
| Log Source Description | Description of the source of the event, such as “FIREWALL”. |
| Event Type Description | The type of event, such as a virus contained in an attachment. |
| Event Description | Description of the event, such as, for a virus event type, the name of the virus identified. |
| Event Date and Time | A time stamp related to the event, such as when the message was received by the computing system. |
| Source IP | The IP address that the event identifies as its origination point. |
| Event Protocol | Common network communications protocol such as TCP, UDP, ICMP, etc. |
| Source Port | The IP port that a transmission originated from, e.g., HTTP data generally originates from port 80. |
| Source URL | The uniform resource locator (URL) address that the event identifies as its origination point. |
| Source MAC | The Media Access Control address for network devices (a.k.a. nodes). This is a standard unique “ID” for each physical port of network devices such as computer network interface cards, network switching equipment, etc. The Source MAC refers to the ID of the communication packet source device. |
| Internal Source | Data indicating if the origination point of the event is internal to the computing system 200. |
| Blocked Source | Data indicating if the origination point of the event is blocked by an existing IDS rule in the computing system 200. |
| Blocked Destination | Data identifying a destination within the protected network that is blocked by the administrator from receiving communications. |
| Destination IP | The IP address that the event identifies as its destination. |
| Destination URL | The uniform resource locator (URL) address that the event identifies as its destination. |
| Destination Port | The target IP port for a transmission, e.g., HTTP data is generally received by port 80. |
| Destination MAC | The Media Access Control address for network devices (a.k.a. nodes). This is a standard unique “ID” for each physical port of network devices such as computer network interface cards, network switching equipment, etc. The Destination MAC refers to the ID of the communication packet recipient device. |
| Internal Destination | Data indicating if the destination point of the event is internal to the computing system 200. |
| Auto Bad Host | Data indicating the corresponding source has been manually entered as a bad host, and should therefore be blocked without further analysis (the “Auto” refers to how the default value of this column is set when not specified). |
| Auto Good Host | Data indicating the corresponding source has been manually entered as a good host, and should therefore be allowed without further analysis (the “Auto” refers to how the default value of this column is set when not specified). |

- The SSI 212 includes an analysis module 216. The analysis module 216 analyzes the event data in the event database 214 to identify trends and anomalies in the event data. The analysis module may use various statistical analysis techniques to determine if an event poses a greater threat than that identified by the monitor modules reporting the event data. The analysis module also determines if an event potentially poses a type of threat that the monitor modules are not designed to identify. Upon each receipt of new event data, the analysis module 216 reanalyzes the contents of the event database to determine if the new event data changes the results of its previous analysis.
- One example of an analysis performed by the analysis module 216 is a Bayes' Theorem, or Bayesian, analysis. A Bayesian analysis is a statistical procedure that estimates parameters of an underlying distribution based on an observed distribution. Beginning with a prior distribution, which may be based on anything, including an assessment of the relative likelihoods of parameters or the results of non-Bayesian observations, event data is collected and an observed distribution is created. Then a calculation may be made to estimate the likelihood of the observed distribution as a function of parameter values. By multiplying this likelihood function by the prior distribution and normalizing, a distribution with unit probability over all possible values is obtained. This is called the posterior distribution. The mode of the distribution is then the parameter estimate, and probability intervals (the Bayesian analog of confidence intervals) can be calculated using the standard procedure. In embodiments, the Bayesian analysis may be performed on any of the event data provided by monitor modules, such as source IP addresses, to determine a likelihood that messages from a source IP address are threats. The Bayes' Theorem analysis is discussed in greater detail in the related U.S. Utility application Ser. No. 10/768,931, entitled INTEGRATED DATA TRAFFIC MONITORING SYSTEM, filed Jan. 29, 2004, which is incorporated by reference.
- Additional analyses performed by the analysis module 216 may be designed to identify anomalies and trends in the event records. To do this, the contents of the event database are scanned and events with common data are identified. For example, the analysis will identify event records from common monitoring modules or with common data sources/destinations. In addition, the scanning may also seek to identify known trends indicative of known threats. Events identified with common elements or other known issues are then weighted based on a predetermined weighting algorithm that takes into account the type, priority, monitor module and specifics of the event. The weighting algorithm produces a sum weight for these common events indicating a base severity of the threat (i.e., a threat level). The analysis module 216 then identifies what actions, if any, should be performed based on the calculated threat level. Upon completion of an analysis by the analysis module 216, the results of the analysis may be that the event, and possibly any future messages having specific attributes (for example a point of origination, a destination or specific text in a subject line), should be treated differently by the integrated monitoring system 200 than they are currently being treated. For example, the analysis may determine that every email coming from a certain IP address is likely to be classified as an event by one or more monitor modules and should be screened by the firewall prior to entering the computing system for analysis by the other monitor modules. In these cases, the analysis module 216 may issue commands to other components in the SSI 212. These commands may subsequently be passed, for example by the command and control module 220 as described below, to any connected external component, monitor module or computing system.
- In general, the commands allow the SSI 212 to control the operation of any of the other components, modules and devices of the integrated monitoring system 200. The commands issued by the SSI 212 may be as simple as a command to the firewall to add a certain IP address to one or more of its IP tables of IP addresses to block. Other examples of commands include commands to one or more monitor modules that create a new rule to use when evaluating network traffic; commands directing that messages with specific content be allowed to pass, be blocked or be quarantined; commands, such as to a HIDS module, to expand the list of external systems and logs that are evaluated; commands to automatically delete future messages sent to a specified computer port for a specified period of time; and commands changing the threat level assigned by monitor modules to different events. Commands may be issued to the alerting module 218 to generate alerts.
- The SSI 212 also includes an alerting module 218. An analysis by the analysis module 216 may determine that a system administrator, various system users, or other designated parties should be alerted to events identified by the SSI 212. In these cases the alerting module 218 identifies the parties that should be alerted and generates the alert messages with the appropriate data from the event database 214.
- The SSI 212 also includes a command and control module 220. The command and control module 220 acts as an interface between the various modules within the SSI 212 and the monitor modules. The command and control module 220 stores information concerning how to interface with each monitor module. Using this information, the command and control module can receive a notification, such as from the analysis module 216 for example, that an action by a specific monitor module is required and generate a command for the specific monitor module that carries out the action. Because the command and control module 220 allows the SSI 212 to issue commands to any of the monitor modules capable of receiving commands, an administrator may use the SSI 212 as a central control point for the integrated monitoring system 200.
- The SSI 212 is also provided with a communication module 224. The communication module 224 supports the communication between the various other components of the SSI 212 and components and systems external to the SSI 212. In some embodiments, the communication module 224 periodically transmits any new event data received by the event database 214 to a remote computing system or external device for storage or further analysis.
- A log database 222 is maintained by the SSI 212 to track actions taken by the SSI 212. The log database 222 may also store log entries recording commands received by the SSI 212 (such as from the administrator) and directed at one or more monitor modules. Other activities may be logged as well depending on the preferences of the system administrator.
- FIG. 3 illustrates a computing system 300 that includes an embodiment of an integrated monitoring system. The computing system 300 is a communications system that handles incoming and outgoing communications between an external communications network 330 and a protected computing network 352 (hereinafter the “protected network”) having at least one computing device 350. In a protected network 352 that consists of a single computing device 350, the computing system 300 may be implemented as a software program executing on the computing device 350 or may be implemented as a separate and distinct computing device through which all incoming communications to the external network 330 pass. In an embodiment in which the computing system 300 serves a protected network 352 having a plurality of computing devices 350, the computing system 300 may be implemented on one or more separate computing devices, such as a router or communication-dedicated computing device, depending on the flow rate of communication traffic that must be handled.
- The computing system 300 receives communications from a communications network 330, such as the Internet, a telephone system, a wireless network, or any combination of communications networks, and transmits the communications to the appropriate destination within the protected network 352 it serves. The destination may be a specific software program executing on a computing device 350 within the network or a software program operating on the computing system 300.
- The computing system 300 shown is capable of receiving a plurality of different types of communications. The computing system 300 can receive electronic mail messages (e-mail) and pass them on to a mail server 340 that is responsible for distributing e-mail to various user mailboxes. The computing system 300 also may receive web pages generated in response to user requests from browsers executing on computing devices 350. The computing system 300 is further capable of receiving VPN communications and passing those to the VPN system. In the embodiment shown, a firewall 304 is used to direct the different types of packets (i.e., e-mail packets, web page packets, and VPN packets) to the appropriate destination.
- The communications are received by the computing system 300 in the form of digital packets. A packet may constitute a complete communication or may need to be combined at the destination with other packets to create a complete communication, such as an email message or web page. Each packet includes various packet identification information such as the source of the packet (usually an IP address), the destination of the packet, authentication information, and other information in addition to the payload of data that contains the actual message of the communication.
- The computing system 300 includes an integrated monitoring system that screens the packets as they are received and can automatically block packets from sources that the integrated monitoring system determines from the screening to be likely sources of potential threats to the computer network. The integrated monitoring system includes an SSI 312, including an event database 310 as described with reference to FIG. 2, and a plurality of monitor modules. In the embodiment shown, there are four monitor modules that provide event data to the SSI 312: an IDS module 302, the firewall 304, a virus detection module 306, and a VPN authentication module 308. The embodiment shown also includes additional monitor modules that may or may not provide event data to the SSI 312: a spam detection module 320 and a web content module 322.
- The IDS module 302 screens all incoming communications. The IDS module 302 uses a set of rules, referred to as intrusion detection (ID) rules, to screen each packet as it is received from the communications network. The IDS module 302 maintains the ID rules in a database or in one or more files (not shown) and is capable of deleting rules and receiving new or changed rules as directed by a system administrator or by the SSI 312. Upon receipt of a packet from the communication network 330, the IDS compares the information in the packet with the current ID screening and blocking rules and either deletes the packet or passes it on to the firewall, as will be described in greater detail with reference to FIG. 5. In addition, whenever the IDS module 302 deletes a packet (i.e., a packet fails one of the ID rules), the IDS module 302 generates event data, which are transmitted to the event data database 310.
- In the embodiment shown, the IDS module also implements the blocking of incoming communications based on the source of the communications. Thus, the IDS module can be considered, and indeed is often implemented, as two modules: a screening or monitoring module and a blocking module. For the balance of this specification, no differentiation will be made between the two modules within the IDS module 302. However, one skilled in the art will understand that the IDS module 302 could be similarly implemented as two independent modules. Furthermore, the term IDS rules in this specification refers generally to rules that block incoming packets based on their source, as these rules, in this embodiment, would be implemented by the blocking component of the IDS. As such, IDS rules are distinct from the screening criteria used by the IDS module, as well as the other modules' screening criteria in this embodiment.
- The firewall 304, as mentioned above, is responsible for separating packets by type and passing them to their appropriate destinations. In addition, the firewall 304 also performs a screening of the packets using its own set of firewall rules, as will be discussed in greater detail with reference to FIG. 7. In addition, whenever the firewall 304 deletes a packet (i.e., a packet fails one of the ID rules), the IDS module 302 generates event data which it transmits to the event data database 310.
- Packets identified as e-mail packets are passed by the firewall 304 to an e-mail queue 324. While in the e-mail queue 324, the virus detection module 306 and spam detection module 320 screen the e-mail packets for viruses and spam respectively. Such screening may require receiving all the packets that make up a specific communication before the screening may be performed. The screening criteria for the modules. The virus detection module 306 generates event data for each packet or complete communication that fails the virus screening. This event data is transmitted to the event database in the SSI 312.
- Packets identified as web page packets are passed by the firewall 304 to a web proxy 326. The web proxy 326 stores the web page packets so that a web content filter 328 may screen the web pages for inappropriate content based on web content rules provided by the administrator or end user. Such screening may require receiving all the packets that make up a web page before the screening may be performed. Alternatively, some screening may be performed on individual packets as they arrive, while other screening is performed after receipt of the complete web page element. The web content rules may be stored in a separate file or database and maintained by the administrator. If a web page passes the screening, the web page is transmitted to its destination computing device 350. If a web page fails the screening, it may be deleted and a substitute page may be sent in its stead.
- Packets identified as VPN connection packets are passed by the firewall 304 to a VPN concentrator 328. The VPN concentrator 328 determines whether to grant or reject access to the VPN 329. A VPN authentication module 308 is provided to authenticate VPN connection packets. The authentication process is described in greater detail below with reference to FIG. 10. The VPN authentication module 308, or in an alternative embodiment the VPN concentrator 328, generates event data for packets or VPN connection communications that cannot be authenticated. The event data is transmitted to the SSI 312 for analysis and storage in the event database 310.
- The computing system 300 includes a network directory service 342 that is used to authenticate destinations and users known to the system. A different network directory service 342 may be provided for each type of destination and packet, or a single integrated network directory service 342 may be used.
- The computing system 300 may be part of a multi-system implementation as described in co-pending U.S. Utility application Ser. No. 10/768,931, filed Jan. 29, 2004. In the multi-system implementation, the computing system 300 is in communication with a remote computing system (not shown), either via the communications network 330 or a dedicated connection (not shown), that maintains a security system master integrated (SSMI) as described in the co-pending application. The computing system 300 transmits some or all of the event data stored in the event database 310 to the SSMI for analysis. The SSMI, which also collects event data from other computing systems at other sites, analyzes the collected set of event data. The SSMI may perform some or all of the analyses described below with reference to the SSI 312 and may perform additional analyses on the collected multi-system event data and generate and return rules to the SSI 312 for implementation by the computing system 300.
- Turning now to the operation of the computing system 300, FIG. 4 illustrates the main logical operations of the integrated monitoring system of FIG. 3 performed before a communication packet is transferred into the protected network 352. The first operation performed on communication packets received by the monitoring system is an IDS analysis operation 402, which is discussed in greater detail with reference to FIG. 5. The IDS blocking analysis may result in blocking the incoming packet or transferring it to the firewall. In addition, the IDS screening analysis may or may not result in the generation of event data.
- If a communication packet passes the IDS analysis operation 402, a firewall analysis operation 404 is performed on the communication packet. The firewall analysis operation 404 is discussed in greater detail with reference to FIG. 6.
- A communications packet that passes the
firewall analysis operation 404 is then transferred to an appropriate analysis based on the type of the communication packet (i.e., e-mail, VPN, or web page packets). E-mail packets are transferred to ane-mail analysis operation 406, which is discussed in greater detail with reference toFIG. 7 . Web page packets are transferred to a webcontent analysis operation 408, which is discussed in greater detail with reference toFIG. 8 . VPN packets are transferred to aVPN analysis operation 410, which is discussed in greater detail with reference toFIG. 9 . A packet that passes its appropriate analysis based on its type is then allowed to enter the protectednetwork 352 for delivery to its destination. - The
analysis operations packet analysis operations - The integrated monitoring system also analyzes the event data in an event
data analysis operation 412. The eventdata analysis operation 412 automatically generates new or revised criteria for use by one or more of the packet analysis operations based on the event data received and an event data rule set. The eventdata analysis operation 412 is discussed in greater detail with reference toFIG. 10 . -
FIGS. 5-10 describe each of the major analysis operations inFIG. 4 in greater detail. The descriptions are given with reference to the specific embodiment of thecomputing system 300 shown inFIG. 3 that monitors e-mail, VPN and web content communications for ease of understanding. However, one skilled in the art will recognize that the scope of the invention is not limited to that specific embodiment and that other embodiments of computing systems for monitoring any combination different types of digitized communication data are contemplated. -
- FIG. 5 illustrates the logical operations of the IDS analysis operation 402. In an embodiment, packets are received from the communication network 330 and stored in an input buffer on the computing system 300. The IDS analysis operation 402 starts when a communication packet is read from the input buffer by the IDS module 302 in a receive packet operation 502.
- A packet read from the input buffer is then analyzed in an IDS rules analysis operation 504. The IDS rules analysis operation 504 determines if there are any IDS rules that indicate that the communication packet should be barred from entering the protected network 352 based on the information available in the packet. The IDS rules analysis operation 504 includes retrieving or otherwise accessing a pre-determined set of IDS blocking and screening rules. The IDS rules may be maintained in memory in the IDS module or may be stored in a remote database and may need to be retrieved as part of the IDS rules analysis operation 504.
- The IDS rules analysis operation 504 compares the information in the communication packet against the rules of the IDS rule set. This may include reading some or all of the information from the communication packet, such as the date and time the packet was received, the source of the packet, the destination of the packet, and the payload of the packet. Information may be read from the packet automatically or may be read in response to a specific IDS rule. IDS screening rules are generally known in the art and include rules that determine if the packet is of a known type or not, if the packet is part of a request for information from within the protected network, if the packet is part of a login request, if the packet is part of a remote procedure call, if the packet is directed at an unusual port, if the packet is an administrative access request, and if the packet is requesting access to a potentially vulnerable web application.
- A communication packet “passes” the IDS rule analysis operation 504 if there are no IDS rules that indicate that the communication packet should be barred from entering the protected network 352. A communication packet that passes the IDS rule analysis is transferred to the firewall module in a transfer packet to firewall module operation 506.
- However, if the set of IDS rules contains at least one rule that indicates that the communication packet should be prevented from entering the protected network, the packet “fails” the IDS rules analysis operation 504. Upon determination that a packet has failed the IDS rules analysis operation, a generate event data operation 508 is performed. The generate event data operation 508 includes collecting certain information from the failed packet. This information includes at least the source of the packet and may include some or all of the event data described in Table 1 that is directly available from the packet. The event data may also identify the IDS rule or rules that the packet failed and may identify the IDS module as the module that failed the packet.
- In the embodiment shown, the generate event data operation 508 also includes assigning a priority to the failed packet. A priority is a numerical identifier that indicates the presumed relative threat of the packet to the protected network. In one embodiment, there are three priorities, or priority levels, ranging from a highest priority (priority level “1”) to a lowest priority for failing packets (“3”), with one intermediate priority (“2”). In general, a priority 1 event is a packet that, in whole or in part, is an actual attack on the protected network, a priority 2 event is an attempt to break into (intrude) the protected network, and a priority 3 event is a reconnaissance or probing of the protected network. In alternative embodiments, fewer or more priority levels may be used to differentiate different threats or perceived threats.
- The priority assigned may be dictated by the IDS rule that the packet failed. If the packet fails more than one IDS rule, the packet may be assigned the highest priority regardless of the priorities that would be assigned by the failing rules. Alternatively, the packet may be assigned the highest priority directed by the failing rules (e.g., if a packet fails two rules, one that assigns failing packets as priority 3 events and one that assigns failing packets as priority 2 events, the packet is assigned a priority of 2).
- Other methods of assigning a priority to a packet are also contemplated. For example, the priority assigned may be dictated by the number of IDS rules that the packet failed. In another embodiment, a priority is assigned that indicates that the IDS failed the packet or indicates which IDS rule or group of IDS rules failed the packet.
- After the event data is generated, an event data message is created and transmitted to the SSI 312 in a transmit event data operation 510.
- Failure of a packet by the IDS rule analysis operation 504 also results in a delete packet operation 512. This operation 512 deletes the packet from the computing system 300, thereby preventing the packet from reaching its destination and freeing up resources for analysis of later received packets. In an embodiment, deleting the packet may include saving a copy of the packet to a deleted packet database for further analysis. One skilled in the art will recognize that the exact order of the operations described above with respect to the IDS analysis may be varied and that the delete packet operation 512 could be performed before the transmit event data operation 510.
- Upon completion of the above-described IDS analysis operations, the IDS analysis operational flow ends in an end operation 514 and the IDS module either reads the next packet from the input buffer or goes into a standby mode waiting for the next communication packet to be received by the buffer.
- FIG. 6 illustrates an embodiment of the logical operations of a firewall analysis operation 404. The flow starts when a packet is received from the IDS module in a receive packet operation 602.
- After receipt of a packet passed by the IDS, a firewall rule analysis operation 604 is performed. The firewall rule analysis operation 604 determines if there are any firewall rules that indicate that the communication packet should be barred from entering the protected network 352 based on the information available in the packet. The firewall rules analysis operation 604 includes retrieving or otherwise accessing a pre-determined set of firewall rules. The firewall rules may be maintained in memory in the firewall module or may be stored in a remote database and may need to be retrieved as part of the firewall rules analysis operation 604.
- The firewall rules analysis operation 604 compares the information in the communication packet against the rules of the firewall rule set. This may include reading some or all of the information from the communication packet, such as the date and time the packet was received, the source of the packet, the destination of the packet, and the payload of the packet. Information may be read from the packet automatically or may be read in response to a specific firewall rule.
- The firewall rules analysis operation 604 also identifies the type (i.e., in this embodiment e-mail, VPN, or web page) of the communication packet received. For embodiments …
- A communication packet “passes” the firewall rule analysis operation 604 if there are no firewall rules that indicate that the communication packet should be barred from entering the protected network 352 and the packet's type can be identified. Thus, a packet that passes all the other firewall rules but for which a type cannot be identified fails the firewall rule analysis operation 604.
- A communication packet that passes the firewall rules analysis is transferred to the appropriate module based on its type in a transfer to next module operation 606, and the operational flow ends 614 as discussed below.
- A packet “fails” the firewall rules analysis operation 604 if the set of firewall rules contains at least one rule that indicates that the communication packet should be prevented from entering the protected network. A packet also fails the firewall rules analysis operation 604 if its type cannot be identified by the firewall. Upon determination that a packet has failed the firewall rules analysis operation 604, a generate event data operation 608 is performed. The generate event data operation 608 includes collecting certain information from the failed packet. This information includes at least the source of the packet and may include some or all of the event data described in Table 1 that is directly available from the packet. The event data may also identify the firewall rule or rules that the packet failed and may identify the firewall module as the module that failed the packet.
- The generate event data operation 608 may also include assigning a priority to the packet. The priority may be dictated by the firewall rule or rules that the packet failed. Alternatively, all packets failing the firewall may be assigned the same priority. For example, in an embodiment of the present invention all packets failing the firewall rules analysis operation 604 are assigned the intermediate priority of 2.
- After the event data is generated, an event data message is created and transmitted to the SSI 312 in a transmit event data operation 610. If a priority was assigned in the generate event data operation 608, then the priority may be included with the other event data in the event data message.
- Failure of a packet by the firewall rules analysis operation 604 also results in a delete packet operation 612. The delete operation 612 deletes the packet from the computing system 300, thereby preventing the packet from reaching its destination and freeing up resources for analysis of later received packets. In an embodiment, deleting the packet may include saving a copy of the packet to a deleted packet database for further analysis. One skilled in the art will recognize that the exact order of the operations described above with respect to the firewall analysis is exemplary only and that the operations may be reordered or modified without changing the fundamental function of the firewall analysis operation 404.
- Upon completion of the firewall analysis operation 404, the operational flow ends 614 and the firewall module either reads the next packet received or goes into a standby mode waiting for the next communication packet to be received from the IDS module.
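As an added example, not code from the application, the IDS rules analysis operation 504 and the firewall rules analysis operation 604 described above can be modelled in Python: a packet fails the IDS stage if any rule matches and is assigned the highest priority directed by the failing rules (the priority 2 over priority 3 case), and a packet that clears the IDS is typed by the firewall and fails, at the intermediate priority 2, either on a firewall rule or because its type cannot be identified. The packet fields, rule predicates, port-to-type mapping and sample packets are constructed for illustration.

```python
"""Added example (not code from US20050193429A1): a model of the IDS rules
analysis operation 504 and the firewall rules analysis operation 604 of
FIGS. 5 and 6. The packet fields, rule predicates, port-to-type mapping and
sample packets are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    received: datetime


@dataclass
class Rule:
    name: str
    matches: Callable[[Packet], bool]  # True means the packet fails this rule
    priority: int                      # 1 = attack, 2 = intrusion attempt, 3 = reconnaissance


@dataclass
class Event:
    module: str              # module that failed the packet
    source: str              # at least the packet source (Table 1)
    rules: List[str]         # rule(s) failed, or the reason for failure
    priority: Optional[int]
    received: datetime


def ids_rules_analysis(pkt: Packet, rules: List[Rule]):
    """Operation 504. Returns (passed, event). When several rules fail, the
    highest priority directed by them (the lowest number) is assigned."""
    failed = [r for r in rules if r.matches(pkt)]
    if not failed:
        return True, None
    priority = min(r.priority for r in failed)
    return False, Event("IDS", pkt.src, [r.name for r in failed], priority, pkt.received)


# Constructed port-to-type mapping used by the firewall to identify the packet type.
PACKET_TYPES = {25: "e-mail", 80: "web page", 443: "web page", 1723: "VPN"}


def firewall_rules_analysis(pkt: Packet, rules: List[Rule]):
    """Operation 604. Returns (packet_type, event); a packet whose type cannot
    be identified fails even if no firewall rule matches. All firewall
    failures get the intermediate priority 2, as in the page's embodiment."""
    failed = [r for r in rules if r.matches(pkt)]
    ptype = PACKET_TYPES.get(pkt.dport)
    if failed or ptype is None:
        reasons = [r.name for r in failed] or ["unidentified packet type"]
        return None, Event("firewall", pkt.src, reasons, 2, pkt.received)
    return ptype, None


def analyze(pkt: Packet, ids_rules: List[Rule], fw_rules: List[Rule]):
    """Front half of FIG. 4: IDS analysis 402, then firewall analysis 404.
    Returns (disposition, event); a failed packet is deleted by the failing stage."""
    ok, ev = ids_rules_analysis(pkt, ids_rules)
    if not ok:
        return "deleted by IDS", ev
    ptype, ev = firewall_rules_analysis(pkt, fw_rules)
    if ptype is None:
        return "deleted by firewall", ev
    return f"transferred to {ptype} analysis", None


# Constructed rule sets; the predicates stand in for real signature logic.
IDS_RULES = [
    Rule("known attack signature", lambda p: b"ATTACK-SIG" in p.payload, 1),
    Rule("login request", lambda p: p.payload.startswith(b"USER "), 2),
    Rule("remote procedure call", lambda p: p.dport == 111, 3),
]
FW_RULES = [
    Rule("blocked source range", lambda p: p.src.startswith("203.0.113."), 2),
]


def run_samples():
    """Run constructed packets through both stages; returns (disposition, priority, reasons)."""
    t = datetime(2005, 1, 25, 12, 0, 0)  # constructed receipt time
    samples = [
        Packet("198.51.100.7", "192.0.2.10", 25, b"EHLO mail.example", t),   # clean e-mail
        Packet("198.51.100.8", "192.0.2.10", 111, b"USER guest", t),         # fails two IDS rules
        Packet("203.0.113.5", "192.0.2.20", 80, b"GET / HTTP/1.0", t),       # blocked by firewall rule
        Packet("198.51.100.9", "192.0.2.30", 8080, b"hello", t),             # type cannot be identified
    ]
    out = []
    for pkt in samples:
        disposition, ev = analyze(pkt, IDS_RULES, FW_RULES)
        out.append((disposition, ev.priority if ev else None, ev.rules if ev else []))
    return out
```

The second sample fails both a priority 2 and a priority 3 rule and is assigned priority 2, which is the alternative the page prefers; the fourth sample shows the firewall's type check failing a packet no rule matched.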
- FIG. 7 illustrates an embodiment of the logical operations of an e-mail analysis operation 406. The flow starts when an e-mail packet is received from the firewall module in a receive packet operation 702. Packets received from the firewall module are placed in an e-mail queue. Depending on the implementation, some screening performed during the e-mail analysis operation 406 may be performed on individual packets as they are received, while other screening may be performed on complete e-mails only after all the packets are received.
- After receipt of a packet passed by the firewall, an e-mail authentication operation 704 is performed which determines if the recipient identified by the e-mail is known to the e-mail system. This operation 704 may include checking the identified recipient against a database maintained by a local network directory service (such as a database maintained on a lightweight directory access protocol, or LDAP, server).
- If an e-mail cannot be authenticated, a return e-mail is generated to the e-mail sender in a return to sender operation 706. After the return to sender operation 706, a delete e-mail operation 730 is performed that deletes the e-mail from the memory of the computing system 300. After the delete operation 730, the operational flow ends with end operation 722 as described below.
- If an e-mail is authenticated, i.e., the e-mail identifies a recipient known to the local network directory service, a virus analysis operation 708 is performed on the e-mail. The virus analysis operation 708 compares the content of the e-mail against a database of virus definitions. The database of virus definitions may be maintained by the virus detection module or may be stored in a remote database. An e-mail passes the virus analysis operation 708 if no virus is found that matches the definitions in the virus definition database.
- If the e-mail passes the virus analysis operation 708, a spam analysis operation 710 is performed on the e-mail by the spam detection module 320. The spam analysis operation 710 compares the e-mail to a predetermined set of spam rules. The spam rules may be maintained in the spam detection module 320 or may be maintained in a remote spam rules database and accessed by the spam detection module 320 as needed.
- E-mails that pass the spam analysis operation 710 (i.e., e-mails that are determined not to be spam) are transferred to the mail system in the protected network 352 in a transfer operation 724, after which operational flow ends in an end operation 722 as described below.
- E-mails that fail the spam analysis operation 710 are processed in a spam processing operation 712, after which operational flow ends 722 as described below. The spam processing operation 712 may delete the e-mail or transmit the e-mail to a specific e-mail directory (within the protected network 352 or on the computing system 300). What processing occurs in the spam processing operation 712 may be dictated by the administrator or may be determined individually by each recipient.
- Returning now to the virus analysis operation 708, if an e-mail fails the virus analysis operation 708 it has been determined to contain a virus based on one or more of the definitions in the virus definition database. Upon determination that a packet has failed the virus analysis operation 708, a generate event data operation 714 is performed. The generate event data operation 714 includes collecting certain information from the failed e-mail. This information includes at least the source of the e-mail and may include some or all of the event data described in Table 1 that is directly available from the e-mail. The event data may also identify the virus or viruses that the e-mail contained and may identify the virus detection module as the module that failed the packet.
- The generate event data operation 714 may also include assigning a priority to the packet. The priority may be dictated by the virus or viruses that the e-mail contained. Alternatively, all e-mails containing a virus may be assigned the same priority.
- After the event data is generated, an event data message is created and transmitted to the SSI 312 in a transmit event data operation 716. If a priority was assigned in the generate event data operation 714, then the priority may be included with the other event data in the event data message.
- An e-mail that fails the virus analysis operation 708 is processed in an infected e-mail processing operation 718. The infected e-mail processing operation 718 may include deleting the e-mail, disinfecting the e-mail and subsequently transferring it to the mail system in the protected network 352, or quarantining the e-mail as directed by the administrator of the computing system 300.
- After an infected e-mail is processed and the generated event data is transmitted to the SSI 312, the operational flow ends with end operation 722. End operation 722 either causes the e-mail analysis operation 404 to be repeated on the next e-mail in the queue if the queue is not empty or causes the system to go into a standby mode waiting for the next communication packet to be received from the firewall module.
- FIG. 8 illustrates an embodiment of the logical operations of a web content analysis operation 408. The flow starts when a web page packet is received from the firewall module in a receive packet operation 802. Web page packets received from the firewall module are stored in the web proxy 326.
- After receipt of a complete web page content element such as an .HTML page, image file, applet, etc. (hereinafter “a web page element”), passed by the firewall module, an authentication operation 804 is performed which determines if the recipient identified by the web page element is known to the web proxy. This operation 804 may include checking the identified recipient against a database maintained by a local network directory service (such as a database maintained on a lightweight directory access protocol, or LDAP, server).
- If a web page element cannot be authenticated, a delete operation 805 is performed that deletes the web page element from the web proxy 326, and the operational flow then ends with an end operation 822 as described below.
- However, if a web page element is authenticated, i.e., the web page element identifies a recipient known to the local network directory service, a content analysis operation 806 is performed on the web page element. The content rules analysis operation 806 compares the content of the web page element against a set of content rules. The set of content rules is maintained in a database either within the web content module 322 or in a remote location accessible to the web content module 322.
- A web page element “passes” the content rules analysis operation 806 if no content rule is found in the database that bars the delivery of the content element. A web page element that passes the content rules analysis operation 806 is transmitted to the identified recipient within the protected network 352 in a transmit to requestor operation 810, after which operation flow ends in the end operation 822.
- If a barring rule is found, the web page element “fails” the analysis and is deleted, and a content error page is transmitted to the destination of the web page element (i.e., the web page requestor) in a content error operation 808.
- After the content error operation 808, a generate event data operation 812 is performed. The generate event data operation 812 includes collecting certain information from the failed web page element. This information includes at least the source of the web page element and may include some or all of the event data described in Table 1 that is directly available from the web page element. The event data may also identify the content rule or rules that the web page element failed and may identify the web content module as the module that failed the element.
- The generate event data operation 812 may also include assigning a priority to the web page element. The priority may be dictated by the rule that the web page failed. Alternatively, all web page elements that fail may be assigned the same priority.
- After the event data is generated, an event data message is created and transmitted to the SSI 312 in a transmit event data operation 814. If a priority was assigned in the generate event data operation 812, then the priority may be included with the other event data in the event data message.
- After a failed web page element is deleted and the generated event data is transmitted to the SSI 312, the operational flow ends with an end operation 822 that returns the web proxy to a standby mode or begins the web content analysis operation 408 on the next web page element in the web proxy.
- FIG. 9 illustrates the logical operations of the VPN analysis operation 410. The operational flow starts when a VPN connection request is received from the firewall module in a receive packet operation 902. VPN connection requests received from the firewall module are stored in the VPN concentrator 328 until they are either deleted or passed to the VPN within the protected network 352.
- A VPN connection request received by the VPN concentrator is analyzed in an authentication operation 904 which determines if the user identified as the author of the VPN connection request is a valid network user known to the VPN. This operation 904 may include checking the identified user against a database maintained by a local network directory service (such as a database maintained on a lightweight directory access protocol, or LDAP, server).
- If the identified user is a valid network user, the VPN connection request is authenticated and the connection to the VPN within the protected network is completed in a connect to VPN operation 906, after which the operational flow ends with an end operation 922 as described below. After the initial connect request has been authenticated and a VPN connection is open, all subsequent VPN traffic is still analyzed by the SSI 312 in the same way as regular, non-VPN communications (i.e., through the IDS module, the firewall module, etc.).
- However, if the user identified by the VPN connection request is not a valid network user, the VPN connection request “fails” the authentication operation 904. Upon determination that a VPN connection request has failed the authentication operation, a generate event data operation 908 is performed. The generate event data operation 908 includes collecting certain information from the failed VPN connection request. This information includes at least the source of the VPN connection request and may include some or all of the event data described in Table 1 that is directly available from the packet. The event data may also identify the VPN concentrator as the module that failed the packet.
- The generate event data operation 908 may also include assigning a priority to the web page element. The priority may be dictated by some analysis performed by the VPN concentrator, or all VPN connection requests that are failed may be assigned the same priority.
- After the event data is generated, an event data message is created and transmitted to the SSI 312 in a transmit event data operation 910. If a priority was assigned in the generate event data operation 908, then the priority may be included with the other event data in the event data message.
- Failure of a packet by the authentication operation 904 also results in a delete VPN connection request packet operation 912. In the embodiment shown in FIG. 9, the delete operation 912 occurs after the transmit event data operation 910, although alternative embodiments are also contemplated. The delete operation 912 deletes the packet from the computing system 300, thereby preventing the packet from reaching its destination and freeing up resources for analysis of later received packets. In an embodiment, deleting the packet may include saving a copy of the packet to a deleted packet database for further analysis.
- Upon completion of the above-described VPN analysis operations, the operational flow ends with an end operation 522 that returns the VPN concentrator to a standby mode or begins the authentication operation 904 on the next VPN connection request in the VPN concentrator if a second VPN packet is pending.
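Before turning to FIG. 10, the event data analysis operation 412 that it describes (initial priority assignment by originating module, the same-source search and upgrade to priority 1, the three-infected-e-mails-in-one-minute virus attack criterion, and the generation of IDS rules with 24-, 4- and 1-hour blocking periods) is modelled here as an added example. The code is not from the application; the class and field names, the event sources and the timestamps are constructed, and the assumption that every event is saved to the event database is labelled in the code.

```python
"""Added example (not code from US20050193429A1): a model of the event data
analysis operation 412 of FIG. 10. Class and field names, event sources and
timestamps are constructed; the priority scheme, the same-source upgrade,
the 3-e-mails-in-1-minute virus attack criterion and the 24 h / 4 h / 1 h
blocking periods follow the page."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Blocking period of a generated IDS rule, by final priority (from the page).
BLOCKING_PERIODS = {1: timedelta(hours=24), 2: timedelta(hours=4), 3: timedelta(hours=1)}
VIRUS_ATTACK_COUNT = 3                      # infected e-mails from one source ...
VIRUS_ATTACK_WINDOW = timedelta(minutes=1)  # ... within this period is an attack


@dataclass
class Event:
    module: str                      # "IDS", "firewall", "virus" or "VPN"
    source: str                      # source identified in the event data
    received: datetime
    priority: Optional[int] = None   # priority assigned by the module, if any


@dataclass
class IdsRule:
    source: str
    priority: int
    expires: datetime


class SSI:
    def __init__(self):
        self.event_db: List[Event] = []    # event database 310
        self.ids_rules: List[IdsRule] = []  # rules transmitted to the IDS module

    def initial_priority(self, ev: Event) -> int:
        """Initial priority operation 1004: keep an assigned priority, else derive one."""
        if ev.priority is not None:
            return ev.priority
        if ev.module == "firewall":
            return 2
        return 4  # virus detection module and VPN concentrator events

    def same_source_seen(self, ev: Event) -> bool:
        """Search operation 1012: is there an earlier record from the same source?"""
        return any(r.source == ev.source for r in self.event_db)

    def virus_attack(self, ev: Event) -> bool:
        """Virus attack detection operation 1018. Assumption: the current
        infected e-mail counts toward the predetermined number."""
        start = ev.received - VIRUS_ATTACK_WINDOW
        prior = sum(1 for r in self.event_db
                    if r.module == "virus" and r.source == ev.source
                    and start <= r.received <= ev.received)
        return prior + 1 >= VIRUS_ATTACK_COUNT

    def generate_rule(self, ev: Event, priority: int) -> IdsRule:
        """Generate rule operation 1008 plus transmit new IDS rule operation 1022:
        block the source until receipt time plus the period for this priority."""
        rule = IdsRule(ev.source, priority, ev.received + BLOCKING_PERIODS[priority])
        self.ids_rules.append(rule)
        return rule

    def search_and_generate(self, ev: Event, priority: int) -> IdsRule:
        """Operations 1012/1014 then 1008: a repeat source is upgraded to priority 1."""
        if self.same_source_seen(ev):
            priority = 1
        return self.generate_rule(ev, priority)

    def analyze(self, ev: Event) -> Optional[IdsRule]:
        """Event data analysis operation 412; returns the IDS rule generated, if any."""
        rule = None
        priority = self.initial_priority(ev)
        if priority == 1:
            rule = self.generate_rule(ev, 1)
        elif priority in (2, 3):
            rule = self.search_and_generate(ev, priority)
        elif ev.module == "virus" and self.virus_attack(ev):
            rule = self.search_and_generate(ev, 3)  # priority level 3 upgrade operation 1020
        # Save event data operation 1010. Assumption: every event is saved, since the
        # flow after operation 1022 is not part of this excerpt.
        self.event_db.append(ev)
        return rule


T0 = datetime(2005, 1, 25, 12, 0, 0)  # constructed reference time


def run_scenario():
    """Feed a constructed event sequence through the SSI; returns (ssi, rules per event)."""
    ssi = SSI()
    m = lambda minutes, seconds=0: T0 + timedelta(minutes=minutes, seconds=seconds)
    events = [
        Event("IDS", "198.51.100.7", m(0), priority=3),  # probe: priority 3 rule, 1 h
        Event("firewall", "198.51.100.7", m(5)),         # repeat source: upgraded to 1, 24 h
        Event("VPN", "203.0.113.9", m(6)),               # priority 4, not virus: saved only
        Event("virus", "192.0.2.4", m(10)),              # 1st infected e-mail
        Event("virus", "192.0.2.4", m(10, 20)),          # 2nd within a minute
        Event("virus", "192.0.2.4", m(10, 40)),          # 3rd: attack -> 3 -> repeat source -> 1
        Event("virus", "192.0.2.5", m(30)),              # spaced more than a minute apart:
        Event("virus", "192.0.2.5", m(31, 30)),          #   never three in one window,
        Event("virus", "192.0.2.5", m(33)),              #   so no attack and no rule
    ]
    return ssi, [ssi.analyze(ev) for ev in events]
```

Two consequences of the page's flow show up in the model: a detected virus attack always ends as a priority 1 rule, because the upgrade to 3 sends the event to search operation 1012, which finds the earlier infected e-mails from the same source; and a source that spreads infected e-mails more than a minute apart never meets the criterion, which is the trade-off the administrator makes when choosing the count and window.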
- FIG. 10 illustrates the logical operations of the event data analysis operation 412. The operational flow starts when an event data message containing event data is received from a module in a receive event data operation 1002.
- After receipt of the event data message, an initial priority operation 1004 is performed to determine whether the event data includes an assigned priority. If the event data in the message includes a priority assigned by the module that transmitted the event data, then the initial priority of the event is the assigned priority. If there is no assigned priority, then the initial priority operation 1004 assigns an initial priority to the event data. The assignment is made based on the information in the event data, such as the module generating the event data, the reason for failure of the packet, or the type of packet.
- For example, in an embodiment of the initial priority operation 1004 all packets failed by the firewall module are assigned an initial priority of 2 and packets failed by the IDS module are assigned an initial priority of 1, 2 or 3 depending on the IDS rule or rules that the packet failed. The rule or rules may be identified in the event data, or the IDS rules analysis operation 504 may be repeated on the event data by the SSI 312 to identify the rule or rules as part of the assignment. In the embodiment, all packets failed by the virus detection module or the VPN concentrator are assigned an initial priority of 4.
- If the initial priority operation 1004 determines that the event data has a priority of 1, then a generate rule operation 1008 is performed in which a priority 1 IDS rule is generated and transmitted to the IDS module for addition to the set of IDS rules maintained by the IDS. The generate rule operation 1008 is discussed in greater detail below.
- However, if the initial priority operation 1004 determines that the event data has an initial priority of 2 or 3, a search operation 1012 searches the event database for an event record identifying the same packet source as that identified in the event data received in the receive event data operation 1002. If an event record is found with the same packet source, then an upgrade priority operation 1014 changes the priority of the event data to priority 1 and control transfers to the generate priority 1 rule operation 1008 previously discussed. However, if the search operation 1012 does not find an event record with the same source as that identified in the event data received in the receive event data operation 1002, then control transfers to the generate rule operation 1008 discussed below.
- An embodiment of the search operation 1012 may also include performing a Bayesian analysis on the results of the search to verify that an upgrade in priority is warranted given the level of security desired by the administrator of the computing system 300. Such an analysis may be focused on reducing the number of false positives or increasing the relative percentage of true positives depending on the security preferences.
- If the initial priority operation 1004 determines that the event data does not have an initial priority of 1, 2 or 3, then a virus event operation 1016 determines if the event data message received in receive operation 1002 was generated by the virus detection module. If the event data message was not generated by the virus detection module, then control transfers to the save event data operation 1010.
- If the event data message was generated by the virus detection module, then a virus attack detection operation 1018 is performed. The virus attack detection operation 1018 searches the event database for event records indicating that infected e-mails were previously received from the same source as the event data received in receive operation 1002. In an embodiment, a virus attack is presumed if a predetermined number of e-mails from the same source failed the virus detection module within a predetermined period of time. The number of e-mails and the period used may be predetermined by the administrator of the computing system 300. In an embodiment, a virus attack is presumed if three or more virus-containing e-mails are received from the same source within a one-minute period. The SSI 312 makes the attack determination by searching the event database for records indicating receipt of the predetermined number of virus-containing e-mails within the period. If the virus attack detection operation 1018 finds that the virus attack criteria are not met, then operation flow transfers to the save event data operation 1010.
- However, if the virus attack detection operation 1018 determines that the virus attack criteria are met, the priority of the event data is upgraded to a priority of 3 in a priority level 3 upgrade operation 1020. After the priority is upgraded to 3, the operation flow is transferred to the search operation 1012 described above.
- Turning now to the generate rule operation 1008, the generate rule operation 1008 generates a rule for use by one or more modules in the computing system 300. For simplicity, the generate rule operation 1008 will be described in terms of generating an IDS rule that will be used by the IDS module in subsequent IDS analyses 402. However, the generate rule operation 1008 may also generate rules specifically for use by any of the other modules. The …
- Such rule generation could be based on the type of communication or on the … an IDS rule consistent with the final priority assigned by the SSI 312 to the event data received in an event data message. Thus, if the event data received is assigned a priority of 1, then the generate rule operation 1008 generates a priority 1 IDS rule. Similarly, if the event data received is assigned a priority of 2, then the generate rule operation 1008 generates a priority 2 IDS rule, and if the event data received is assigned a priority of 3, then the generate rule operation 1008 generates a priority 3 IDS rule.
- A priority 1 IDS rule is a rule that causes the IDS module to delete all packets received from the source identified in the event data for some predetermined blocking period, such as 24 hours, from the receipt of the packet that caused the event data to be generated. A priority 2 IDS rule is a rule that causes the IDS module to delete all packets received from the source identified in the event data for some predetermined blocking period less than that of the priority 1 IDS rule, such as 4 hours, from the receipt of the packet generating the event data. A priority 3 IDS rule is a rule that causes the IDS module to delete all packets received from the packet source identified in the event data for some predetermined period less than that of the priority 2 IDS rule, such as 1 hour, from the receipt of the packet generating the event data. The IDS rule generated may identify the source, such as the source IP address, and an expiration date and time for the IDS rule calculated based on the appropriate blocking period.
- The IDS rule generated by the generate rule operation 1008 is added to the IDS rule database by a transmit new IDS rule operation 1022. The transmit new IDS rule operation 1022 may entail writing the new IDS rule directly to the IDS rule database or, if the IDS rule database is maintained by the IDS, may include transmitting the generated IDS rule to the IDS module for addition to the IDS rule database. Regardless of the implementation, the new IDS rule is ultimately added to the set of IDS rules used by the IDS module in the IDS rules analysis operation 504. Thus, based on the automated analysis of event data received from the monitoring modules, new IDS rules are generated for the IDS module in real time as packets are received and evaluated by the monitoring modules.
- Upon completion of the transmit
IDS rule operation 1022, a saveevent data operation 1010 is performed that saves the event data received in the receiveevent data operation 1002 into a new event record. Some or all of the event data provided in the event data message may be saved in the new record. In addition, the final priority assigned to the event data is also saved in the event record. The saveevent data operation 1010 may also cause to be saved a log of the actions taken by theSSI 312 in response to receipt of the event data, such as a log identifying the generation of an IDS rule and transmission of a notification message in response to a rule generation. - Upon completion of the save
event data operation 1010, the operational flow ends in anend operation 1024 which causes theSSI 312 to either repeat the eventdata analysis operation 412 on the next event data message pending analysis or enter a standby mode until the next event data message is received. In a multi-system implementation, the saveevent data operation 1010 may include transmitting the event data with its site-generated priority to the SSMI for additional analysis with the benefit of the event data received from other computing systems. - The operational flow described with reference to
FIG. 10 is one embodiment of an eventdata analysis operation 412 that receives event data from a plurality of monitoring modules and, based on an analysis of the event data in real time, automatically generates one or more rules for the monitoring modules. Although the embodiment inFIG. 10 only generated rules for the IDS module, the scope of application is not limited. Alternative embodiments are possible and contemplated that generate rules for the other monitoring modules and also for monitoring modules that are not described inFIG. 3 . - Turning now to a particular example of the operational flow of
FIG. 10 , consider event data received from a web content filter that failed a web page element being retrieved by a computing device in the protected network. In an embodiment, all web page content failure events are assigned a priority of 2 by the web content filter. The event data would be received by theSSI 312 in the receivedevent data operation 1002. Theinitial priority operation 1004 would identify the event data as having an event priority of 2 and thesearch operation 1012 would search thedatabase 310 for any other event records from the same IP address as the failed web page element. For the purposes of discussion, assume that thesearch 1012 found at least one other event record in theevent database 310 indicates the source of the failing communication was the same IP address as the failed web page element. Theupgrade priority operation 1014 changes the priority of the event data to a priority of 1 and apriority 1 rule is generated in the generaterule operation 1008. The transmitrule operation 1022 then transmits the new rule to the IDS blocking rule database. In the embodiment, this is achieved by either revising an expiration time of an existing IDS rule that blocks the web page element's source to 24 hours from the web page element's receipt or by adding a new rule to the rule database that blocks packets from the web page element's source for 24 hours from the time of receipt of the web page element. The event data including the newly assigned priority of 1 are then saved in the saveevent data operation 1010 and the SSI's 312 processing of that event ends. - The various embodiments described above are provided by way of illustration only and should not be construed to limit the invention. 
Those skilled in the art will readily recognize various modifications and changes that may be made to the present invention without following the example embodiments and applications illustrated and described herein, and without departing from the true spirit and scope of the present invention, which is set forth in the following claims.
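The FIG. 10 flow as runnable code, added here as an illustration rather than the patent's own implementation: the initial-priority check, the virus-attack test (three infected e-mails from one source within a minute), the search for earlier records from the same source with the one-level priority upgrade, and the priority-based block periods of 24, 4 and 1 hours with an expiration computed from the packet's receipt time. The module names, the in-memory event database, the IP addresses and the choice that an event with no earlier record from its source is saved without a rule (following claim 1, which the description does not spell out) are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Blocking periods per final priority (the example periods given in the description).
BLOCK_PERIOD = {1: timedelta(hours=24), 2: timedelta(hours=4), 3: timedelta(hours=1)}
# Virus-attack criteria from the description: this many virus-containing e-mails
# from one source within the window.
VIRUS_ATTACK_COUNT = 3
VIRUS_ATTACK_WINDOW = timedelta(minutes=1)


@dataclass
class EventData:
    """Event data message from a monitoring module (constructed sample format)."""
    module: str                      # assumed names: "ids", "firewall", "virus", "vpn", "webfilter"
    source_ip: str
    received: datetime               # receipt time of the packet that produced the event
    priority: Optional[int] = None   # initial priority 1..3 set by the module, or None


@dataclass
class EventRecord:
    """Row of the event database 310: the event, its final priority and an action log."""
    event: EventData
    final_priority: Optional[int]
    actions: list = field(default_factory=list)


@dataclass
class IDSRule:
    """Rule for the IDS rule database: drop packets from source_ip until expires."""
    source_ip: str
    priority: int
    expires: datetime


class SSI:
    """Runs the FIG. 10 event data analysis over an in-memory event database (assumed storage)."""

    def __init__(self) -> None:
        self.event_db: list[EventRecord] = []
        self.ids_rules: dict[str, IDSRule] = {}   # keyed by source IP

    def _virus_attack(self, ev: EventData) -> bool:
        """Operation 1018: count virus events from the same source in the window, this one included."""
        window_start = ev.received - VIRUS_ATTACK_WINDOW
        earlier = [r for r in self.event_db
                   if r.event.module == "virus" and r.event.source_ip == ev.source_ip
                   and window_start <= r.event.received <= ev.received]
        return len(earlier) + 1 >= VIRUS_ATTACK_COUNT

    def _save(self, ev: EventData, priority: Optional[int], actions: list) -> None:
        """Operation 1010: store the event with its final priority and the SSI's action log."""
        self.event_db.append(EventRecord(ev, priority, actions))

    def analyze(self, ev: EventData) -> Optional[IDSRule]:
        """Operation 412 for one event data message; returns the IDS rule it produced, if any."""
        actions: list = []
        priority = ev.priority
        if priority not in (1, 2, 3):                                  # operation 1004
            if ev.module != "virus" or not self._virus_attack(ev):     # operations 1016 / 1018
                self._save(ev, priority, actions)
                return None
            priority = 3                                               # operation 1020
            actions.append("virus attack criteria met: priority set to 3")
        # Operation 1012: any earlier records from the same source?
        prior = [r for r in self.event_db if r.event.source_ip == ev.source_ip]
        if not prior:
            # Assumption: no earlier record means the event is saved without a rule.
            self._save(ev, priority, actions)
            return None
        if priority > 1:                                               # operation 1014
            priority -= 1
            actions.append(f"earlier record found: priority upgraded to {priority}")
        # Operation 1008: a rule consistent with the final priority, expiring after the block period.
        rule = IDSRule(ev.source_ip, priority, ev.received + BLOCK_PERIOD[priority])
        # Operation 1022: revise the expiration of an existing rule for the source or add a new one.
        verb = "revised" if ev.source_ip in self.ids_rules else "added"
        self.ids_rules[ev.source_ip] = rule
        actions.append(f"IDS rule {verb}: block {ev.source_ip} until {rule.expires.isoformat()}")
        self._save(ev, priority, actions)
        return rule

    def packet_blocked(self, source_ip: str, now: datetime) -> bool:
        """IDS rules analysis (operation 504): a packet is dropped while an unexpired rule exists."""
        rule = self.ids_rules.get(source_ip)
        return rule is not None and now < rule.expires


def worked_example() -> tuple:
    """The description's walkthrough: a priority-2 web content filter failure from an IP
    (constructed value) that already has an event record, giving a 24-hour priority-1 rule."""
    ssi = SSI()
    t0 = datetime(2005, 1, 24, 9, 0, 0)
    ssi.analyze(EventData("firewall", "203.0.113.5", t0, priority=3))    # first sighting: saved only
    rule = ssi.analyze(EventData("webfilter", "203.0.113.5", t0 + timedelta(minutes=10), priority=2))
    return ssi, rule
```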
Claims (16)
1. A method of automatically generating rules for an intrusion detection module comprising:
analyzing a data packet received from a communication network by the intrusion detection module using a set of rules, the data packet containing a source IP address;
in response to the packet failing the analyzing operation,
searching an event database for events associated with the source IP address of the packet,
if the event database contains an event record associated with the source IP address of the packet,
generating a new rule to block subsequent packets from the source IP address of the packet for a predetermined period of time; and
adding the new rule to the set of rules used by the intrusion detection module.
2. The method of claim 1, wherein the event database is maintained by an integrated security system separate from the intrusion detection module.
3. The method of claim 1 further comprising:
generating, by the intrusion detection module, event data based on the data packet, the event data including the IP address of the packet, and
transmitting the event data to the integrated security system.
4. The method of claim 1 further comprising:
storing at least some of the event data in a new event record in the event database.
5. The method of claim 1, wherein at least some event records in the event database are based on event data received from the intrusion detection module.
6. The method of claim 1, wherein the event record associated with the source IP address of the packet was created from event data received from a firewall module.
7. The method of claim 1, wherein the event record associated with the source IP address of the packet was created from event data received from a virus detection module.
8. The method of claim 1, wherein the event record associated with the source IP address of the packet was created from event data received from a VPN authentication module.
9. The method of claim 1, wherein the event record associated with the source IP address of the packet was created from event data received from a monitor module other than the intrusion detection module.
10. A method of screening packets received from a communication network comprising:
receiving a packet associated with one of an e-mail message, a VPN connection, and a web page response, the packet having a source;
performing an intrusion detection analysis on the packet using a set of intrusion detection rules;
if the packet passes the intrusion detection analysis, performing a firewall analysis on the packet using a set of firewall rules;
if the packet passes the firewall analysis, determining if the packet is associated with an e-mail message, a VPN connection or a web page response;
if the packet is associated with an e-mail message, performing a virus analysis on the packet using a set of virus definitions;
if the packet is associated with a VPN connection, performing an authentication analysis on the packet using a set of authentication criteria; and
if the packet fails any of the intrusion detection analysis, the firewall analysis, the virus analysis, or the authentication analysis, automatically generating a new intrusion detection rule to delete any subsequent packets received from the same source as the packet.
11. The method of claim 10, further comprising:
if the packet fails any of the intrusion detection analysis, the firewall analysis, the virus analysis, or the authentication analysis, deleting the packet.
12. The method of claim 10, wherein automatically generating a new intrusion detection rule comprises:
generating event data based on the packet; and
storing at least some of the event data in a new event record associated with the packet in an event database having a plurality of event records associated with previously received packets.
13. The method of claim 10, wherein automatically generating a new intrusion detection rule further comprises:
automatically generating a new intrusion detection rule if one or more of the plurality of event records are associated with previously received packets from the source.
14. The method of claim 12, wherein the event data comprises a priority associated with the packet and automatically generating further comprises:
assigning an initial priority to the event data; and
automatically increasing a priority associated with the packet if one or more of the plurality of event records are associated with previously received packets from the source and the priority is less than a highest priority.
15. The method of claim 14, further comprising:
storing the priority assigned to the event data with the event data.
16. A computing system for receiving communication packets from a communication network and transmitting the communication packets to a protected network, the computing system comprising:
an intrusion detection module that compares a communication packet to a set of rules and, based on the comparison, either transmits the communication packet to a firewall or deletes the communication packet and transmits event data based on the deleted communication packet to an event database;
an event database that stores an event record based on the event data received from the intrusion detection module and maintains a plurality of event records based on previously received event data; and
an integrated security system that analyzes the event data and the plurality of event records and, based on the results of the analysis, automatically generates at least one rule to the intrusion detection module.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/042,493 US20050193429A1 (en) | 2004-01-23 | 2005-01-24 | Integrated data traffic monitoring system |
PCT/US2005/008438 WO2006080930A1 (en) | 2005-01-24 | 2005-03-15 | Integrated data traffic monitoring system |
US12/592,580 US8832833B2 (en) | 2004-01-23 | 2009-11-27 | Integrated data traffic monitoring system |
US14/480,299 US10326777B2 (en) | 2004-01-23 | 2014-09-08 | Integrated data traffic monitoring system |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US53896004P | 2004-01-23 | 2004-01-23 | |
US76893104A | 2004-01-29 | 2004-01-29 | |
US11/042,493 US20050193429A1 (en) | 2004-01-23 | 2005-01-24 | Integrated data traffic monitoring system |
Related Parent Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US76893104A Continuation | 2004-01-23 | 2004-01-29 | |
Related Child Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/592,580 Continuation US8832833B2 (en) | 2004-01-23 | 2009-11-27 | Integrated data traffic monitoring system |
Publications (1)
Publication Number | Publication Date |
---|---|
US20050193429A1 true US20050193429A1 (en) | 2005-09-01 |
Family
ID=35336629
Family Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/042,493 Abandoned US20050193429A1 (en) | 2004-01-23 | 2005-01-24 | Integrated data traffic monitoring system |
US12/592,580 Active 2025-07-24 US8832833B2 (en) | 2004-01-23 | 2009-11-27 | Integrated data traffic monitoring system |
US14/480,299 Active 2026-08-08 US10326777B2 (en) | 2004-01-23 | 2014-09-08 | Integrated data traffic monitoring system |
Family Applications After (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/592,580 Active 2025-07-24 US8832833B2 (en) | 2004-01-23 | 2009-11-27 | Integrated data traffic monitoring system |
US14/480,299 Active 2026-08-08 US10326777B2 (en) | 2004-01-23 | 2014-09-08 | Integrated data traffic monitoring system |
Country Status (2)
Country | Link |
---|---|
US (3) | US20050193429A1 (en) |
WO (1) | WO2006080930A1 (en) |
RU2769075C1 (en) * | 2021-06-10 | 2022-03-28 | Общество с ограниченной ответственностью "Группа АйБи ТДС" | System and method for active detection of malicious network resources |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6363489B1 (en) * | 1999-11-29 | 2002-03-26 | Forescout Technologies Inc. | Method for automatic intrusion detection and deflection in a network |
US20020078202A1 (en) * | 2000-12-15 | 2002-06-20 | Tadanao Ando | IP network system having unauthorized intrusion safeguard function |
US20020188864A1 (en) * | 2001-06-06 | 2002-12-12 | Jackson Gary Manuel | Intrusion prevention system |
US6701440B1 (en) * | 2000-01-06 | 2004-03-02 | Networks Associates Technology, Inc. | Method and system for protecting a computer using a remote e-mail scanning device |
US20040255167A1 (en) * | 2003-04-28 | 2004-12-16 | Knight James Michael | Method and system for remote network security management |
US20050005017A1 (en) * | 2003-07-03 | 2005-01-06 | Arbor Networks, Inc. | Method and system for reducing scope of self-propagating attack code in network |
US20050177868A1 (en) * | 2003-07-11 | 2005-08-11 | Computer Associates Think, Inc. | Method and system for protecting against computer viruses |
US20050251570A1 (en) * | 2002-04-18 | 2005-11-10 | John Heasman | Intrusion detection system |
US20060031938A1 (en) * | 2002-10-22 | 2006-02-09 | Unho Choi | Integrated emergency response system in information infrastructure and operating method therefor |
US7213265B2 (en) * | 2000-11-15 | 2007-05-01 | Lockheed Martin Corporation | Real time active network compartmentalization |
US7263561B1 (en) * | 2001-08-24 | 2007-08-28 | Mcafee, Inc. | Systems and methods for making electronic files that have been converted to a safe format available for viewing by an intended recipient |
Family Cites Families (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6256775B1 (en) * | 1997-12-11 | 2001-07-03 | International Business Machines Corporation | Facilities for detailed software performance analysis in a multithreaded processor |
US6192518B1 (en) * | 1998-01-22 | 2001-02-20 | Mis Only, Inc. | Method for distributing software over network links via electronic mail |
US6405250B1 (en) * | 1999-01-25 | 2002-06-11 | Lucent Technologies Inc. | Network management system based on passive monitoring and proactive management for formulation behavior state transition models |
US6678827B1 (en) * | 1999-05-06 | 2004-01-13 | Watchguard Technologies, Inc. | Managing multiple network security devices from a manager device |
TW453072B (en) * | 1999-08-18 | 2001-09-01 | Alma Baba Technical Res Lab Co | System for monitoring network for cracker attack |
US6526413B2 (en) * | 1999-09-28 | 2003-02-25 | Microsoft Corporation | Architecture for a hierarchical folder structure in hand-held computers |
US7159237B2 (en) * | 2000-03-16 | 2007-01-02 | Counterpane Internet Security, Inc. | Method and system for dynamic network intrusion monitoring, detection and response |
US6993022B1 (en) * | 2000-07-06 | 2006-01-31 | Sony Corporation | Method of and apparatus for directly mapping communications through a router between nodes on different buses within a network of buses |
US20020133586A1 (en) * | 2001-01-16 | 2002-09-19 | Carter Shanklin | Method and device for monitoring data traffic and preventing unauthorized access to a network |
US20020107953A1 (en) * | 2001-01-16 | 2002-08-08 | Mark Ontiveros | Method and device for monitoring data traffic and preventing unauthorized access to a network |
US7426730B2 (en) * | 2001-04-19 | 2008-09-16 | Wre-Hol Llc | Method and system for generalized and adaptive transaction processing between uniform information services and applications |
US6944660B2 (en) * | 2001-05-04 | 2005-09-13 | Hewlett-Packard Development Company, L.P. | System and method for monitoring browser event activities |
US6816890B2 (en) * | 2001-05-28 | 2004-11-09 | Hitachi, Ltd. | Gateway apparatus with LAC function |
WO2003077074A2 (en) * | 2002-03-08 | 2003-09-18 | Snapp Robert F | A method for preventing improper correction of a database during an updating process |
US6952779B1 (en) * | 2002-10-01 | 2005-10-04 | Gideon Cohen | System and method for risk detection and analysis in a computer network |
US7483972B2 (en) * | 2003-01-08 | 2009-01-27 | Cisco Technology, Inc. | Network security monitoring system |
US7681235B2 (en) * | 2003-05-19 | 2010-03-16 | Radware Ltd. | Dynamic network protection |
- 2005
  - 2005-01-24 US US11/042,493 patent/US20050193429A1/en not_active Abandoned
  - 2005-03-15 WO PCT/US2005/008438 patent/WO2006080930A1/en active Application Filing
- 2009
  - 2009-11-27 US US12/592,580 patent/US8832833B2/en active Active
- 2014
  - 2014-09-08 US US14/480,299 patent/US10326777B2/en active Active
Cited By (204)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9141786B2 (en) | 1996-11-08 | 2015-09-22 | Finjan, Inc. | Malicious mobile code runtime monitoring system and methods |
US9444844B2 (en) | 1996-11-08 | 2016-09-13 | Finjan, Inc. | Malicious mobile code runtime monitoring system and methods |
US9219755B2 (en) | 1996-11-08 | 2015-12-22 | Finjan, Inc. | Malicious mobile code runtime monitoring system and methods |
US9189621B2 (en) | 1996-11-08 | 2015-11-17 | Finjan, Inc. | Malicious mobile code runtime monitoring system and methods |
US10552603B2 (en) | 2000-05-17 | 2020-02-04 | Finjan, Inc. | Malicious mobile code runtime monitoring system and methods |
US20040052664A1 (en) * | 2001-01-05 | 2004-03-18 | Atsuji Saito | High-pressure fuel feed pump |
US20040143764A1 (en) * | 2003-01-13 | 2004-07-22 | Kartik Kaleedhass | System and method of preventing the transmission of known and unknown electronic content to and from servers or workstations connected to a common network |
US8799644B2 (en) * | 2003-01-13 | 2014-08-05 | Karsof Systems Llc | System and method of preventing the transmission of known and unknown electronic content to and from servers or workstations connected to a common network |
US7219131B2 (en) | 2003-01-16 | 2007-05-15 | Ironport Systems, Inc. | Electronic message delivery using an alternate source approach |
US20040199595A1 (en) * | 2003-01-16 | 2004-10-07 | Scott Banister | Electronic message delivery using a virtual gateway approach |
US20050193076A1 (en) * | 2004-02-17 | 2005-09-01 | Andrew Flury | Collecting, aggregating, and managing information relating to electronic messages |
US7653695B2 (en) | 2004-02-17 | 2010-01-26 | Ironport Systems, Inc. | Collecting, aggregating, and managing information relating to electronic messages |
US7756930B2 (en) | 2004-05-28 | 2010-07-13 | Ironport Systems, Inc. | Techniques for determining the reputation of a message sender |
US7849142B2 (en) | 2004-05-29 | 2010-12-07 | Ironport Systems, Inc. | Managing connections, messages, and directory harvest attacks at a server |
US7873695B2 (en) | 2004-05-29 | 2011-01-18 | Ironport Systems, Inc. | Managing connections and messages at a server by associating different actions for both different senders and different recipients |
US7870200B2 (en) | 2004-05-29 | 2011-01-11 | Ironport Systems, Inc. | Monitoring the flow of messages received at a server |
US20050283837A1 (en) * | 2004-06-16 | 2005-12-22 | Michael Olivier | Method and apparatus for managing computer virus outbreaks |
US7748038B2 (en) | 2004-06-16 | 2010-06-29 | Ironport Systems, Inc. | Method and apparatus for managing computer virus outbreaks |
US7562389B1 (en) * | 2004-07-30 | 2009-07-14 | Cisco Technology, Inc. | Method and system for network security |
US7555774B2 (en) * | 2004-08-02 | 2009-06-30 | Cisco Technology, Inc. | Inline intrusion detection using a single physical port |
US20060023709A1 (en) * | 2004-08-02 | 2006-02-02 | Hall Michael L | Inline intrusion detection using a single physical port |
US20060064565A1 (en) * | 2004-09-18 | 2006-03-23 | Banks Andrew David J | Data processing in a distributed computing system |
US20060064484A1 (en) * | 2004-09-23 | 2006-03-23 | Derek Fawcus | Method and apparatus for controlling data to be routed in a data communications network |
US7577737B2 (en) * | 2004-09-23 | 2009-08-18 | Cisco Technology, Inc. | Method and apparatus for controlling data to be routed in a data communications network |
US7937761B1 (en) * | 2004-12-17 | 2011-05-03 | Symantec Corporation | Differential threat detection processing |
US7725938B2 (en) | 2005-01-20 | 2010-05-25 | Cisco Technology, Inc. | Inline intrusion detection |
US9009830B2 (en) | 2005-01-20 | 2015-04-14 | Cisco Technology, Inc. | Inline intrusion detection |
US20060161983A1 (en) * | 2005-01-20 | 2006-07-20 | Cothrell Scott A | Inline intrusion detection |
US20060195912A1 (en) * | 2005-02-11 | 2006-08-31 | Critical Path, Inc., A California Corporation | Selectively communicating digital content |
US20060195701A1 (en) * | 2005-02-11 | 2006-08-31 | Critical Path, Inc., A California Corporation | In-process protection for digital content communication systems |
US20060280121A1 (en) * | 2005-06-13 | 2006-12-14 | Fujitsu Limited | Frame-transfer control device, DoS-attack preventing device, and DoS-attack preventing system |
US20060288418A1 (en) * | 2005-06-15 | 2006-12-21 | Tzu-Jian Yang | Computer-implemented method with real-time response mechanism for detecting viruses in data transfer on a stream basis |
US20090222904A1 (en) * | 2005-09-30 | 2009-09-03 | Nokia Siemens Networks Gmbh & Co.Kg | Network access node computer for a communication network, communication system and method for operating a communication system |
WO2007039357A1 (en) * | 2005-09-30 | 2007-04-12 | Nokia Siemens Networks Gmbh & Co. Kg | Network access remote front-end processor for a communication network and method for operating a communications system |
DE102005046935B4 (en) * | 2005-09-30 | 2009-07-23 | Nokia Siemens Networks Gmbh & Co.Kg | Network access node computer to a communication network, communication system and method for assigning a protection device |
EP1775910A1 (en) * | 2005-10-17 | 2007-04-18 | Alcatel Lucent | Application layer ingress filtering |
US9762540B2 (en) * | 2005-11-22 | 2017-09-12 | Fortinet, Inc. | Policy based content filtering |
US20150312220A1 (en) * | 2005-11-22 | 2015-10-29 | Fortinet, Inc. | Policy-based content filtering |
US20140351918A1 (en) * | 2005-11-22 | 2014-11-27 | Fortinet, Inc. | Policy-based content filtering |
US8813215B2 (en) | 2005-11-22 | 2014-08-19 | Fortinet, Inc. | Policy-based content filtering |
US9729508B2 (en) * | 2005-11-22 | 2017-08-08 | Fortinet, Inc. | Policy-based content filtering |
US10084750B2 (en) * | 2005-11-22 | 2018-09-25 | Fortinet, Inc. | Policy-based content filtering |
US9253155B2 (en) | 2006-01-13 | 2016-02-02 | Fortinet, Inc. | Computerized system and method for advanced network content processing |
US8266697B2 (en) * | 2006-03-04 | 2012-09-11 | 21St Century Technologies, Inc. | Enabling network intrusion detection by representing network activity in graphical form utilizing distributed data sensors to detect and transmit activity data |
US20070209075A1 (en) * | 2006-03-04 | 2007-09-06 | Coffman Thayne R | Enabling network intrusion detection by representing network activity in graphical form utilizing distributed data sensors to detect and transmit activity data |
EP2005353A2 (en) * | 2006-03-14 | 2008-12-24 | Detica Limited | A method and apparatus for providing network security |
US20070220256A1 (en) * | 2006-03-20 | 2007-09-20 | Toru Yasui | Electronic mechanical device |
US20070237129A1 (en) * | 2006-04-06 | 2007-10-11 | Dennis Sych | Method and system for automatic intruder blocking on an Internet Protocol based network |
US7606214B1 (en) * | 2006-09-14 | 2009-10-20 | Trend Micro Incorporated | Anti-spam implementations in a router at the network layer |
US7991919B2 (en) | 2006-09-21 | 2011-08-02 | Commtouch Software Ltd. | Device, method and system for detecting unwanted conversational media session |
US20110054888A1 (en) * | 2006-09-21 | 2011-03-03 | Commtouch Software Ltd. | Device, method and system for detecting unwanted conversational media session |
US20080126088A1 (en) * | 2006-09-21 | 2008-05-29 | Commtouch Software Ltd | Device, method and system for detecting unwanted conversational media session |
US8190737B2 (en) | 2006-09-21 | 2012-05-29 | Commtouch Software Ltd. | Device, method and system for detecting unwanted conversational media session |
US7849186B2 (en) | 2006-09-21 | 2010-12-07 | Commtouch Software Ltd. | Device, method and system for detecting unwanted conversational media session |
US8195795B2 (en) | 2006-09-21 | 2012-06-05 | Commtouch Software Ltd. | Device, method and system for detecting unwanted conversational media session |
US20110046949A1 (en) * | 2006-09-21 | 2011-02-24 | Commtouch Software Ltd. | Device, method and system for detecting unwanted conversational media session |
US20110047269A1 (en) * | 2006-09-21 | 2011-02-24 | Commtouch Software Ltd. | Device, method and system for detecting unwanted conversational media session |
US20080127295A1 (en) * | 2006-11-28 | 2008-05-29 | Cisco Technology, Inc | Messaging security device |
US8484733B2 (en) * | 2006-11-28 | 2013-07-09 | Cisco Technology, Inc. | Messaging security device |
US9077739B2 (en) | 2006-11-28 | 2015-07-07 | Cisco Technology, Inc. | Messaging security device |
US20080209558A1 (en) * | 2007-02-22 | 2008-08-28 | Aladdin Knowledge Systems | Self-defensive protected software with suspended latent license enforcement |
US7870610B1 (en) * | 2007-03-16 | 2011-01-11 | The Board Of Directors Of The Leland Stanford Junior University | Detection of malicious programs |
US20080295153A1 (en) * | 2007-05-24 | 2008-11-27 | Zhidan Cheng | System and method for detection and communication of computer infection status in a networked environment |
US20110288971A1 (en) * | 2007-06-22 | 2011-11-24 | Morega Systems Inc. | Distributed digital rights management node module and methods for use therewith |
US20090019121A1 (en) * | 2007-07-10 | 2009-01-15 | Messagelabs Limited | Message processing |
WO2009007707A1 (en) * | 2007-07-10 | 2009-01-15 | Messagelabs Limited | Message processing |
US20090044272A1 (en) * | 2007-08-07 | 2009-02-12 | Microsoft Corporation | Resource-reordered remediation of malware threats |
US8087061B2 (en) * | 2007-08-07 | 2011-12-27 | Microsoft Corporation | Resource-reordered remediation of malware threats |
US20090064334A1 (en) * | 2007-08-30 | 2009-03-05 | International Business Machines Corporation | Adaptive Autonomic Threat Detection and Quarantine |
US20090126005A1 (en) * | 2007-11-08 | 2009-05-14 | Min Sik Kim | Method, apparatus and system for managing malicious-code spreading sites using firewall |
US8561129B2 (en) * | 2008-02-28 | 2013-10-15 | Mcafee, Inc | Unified network threat management with rule classification |
US20090222877A1 (en) * | 2008-02-28 | 2009-09-03 | David Diehl | Unified network threat management with rule classification |
US20090265777A1 (en) * | 2008-04-21 | 2009-10-22 | Zytron Corp. | Collaborative and proactive defense of networks and information systems |
WO2009132047A2 (en) * | 2008-04-21 | 2009-10-29 | Zytron Corp. | Collaborative and proactive defense of networks and information systems |
WO2009132047A3 (en) * | 2008-04-21 | 2009-12-30 | Zytron Corp. | Collaborative and proactive defense of networks and information systems |
US8627060B2 (en) | 2008-04-30 | 2014-01-07 | Viasat, Inc. | Trusted network interface |
WO2009134900A3 (en) * | 2008-04-30 | 2010-02-18 | Viasat, Inc. | Trusted network interface |
WO2009134900A2 (en) * | 2008-04-30 | 2009-11-05 | Viasat, Inc. | Trusted network interface |
US20090300353A1 (en) * | 2008-04-30 | 2009-12-03 | Viasat, Inc. | Trusted network interface |
US20090274053A1 (en) * | 2008-05-05 | 2009-11-05 | Eaton Corporation | Methods, Devices and Computer Program Products For Capturing Events Associated Network Anomalies |
US8279768B2 (en) * | 2008-05-05 | 2012-10-02 | Eaton Corporation | Methods, devices and computer program products for capturing events associated network anomalies |
US20100011433A1 (en) * | 2008-07-14 | 2010-01-14 | Tufin Software Technologies Ltd. | Method of configuring a security gateway and system thereof |
US8490171B2 (en) * | 2008-07-14 | 2013-07-16 | Tufin Software Technologies Ltd. | Method of configuring a security gateway and system thereof |
US20100064353A1 (en) * | 2008-09-09 | 2010-03-11 | Facetime Communications, Inc. | User Mapping Mechanisms |
US8122129B2 (en) * | 2008-09-09 | 2012-02-21 | Actiance, Inc. | Hash-based resource matching |
US20100064042A1 (en) * | 2008-09-09 | 2010-03-11 | Facetime Communications, Inc. | Hash-Based Resource Matching |
WO2010036701A1 (en) * | 2008-09-23 | 2010-04-01 | Savvis, Inc. | Threat management system and method |
US20110239303A1 (en) * | 2008-09-23 | 2011-09-29 | Savvis, Inc. | Threat management system and method |
US20110238587A1 (en) * | 2008-09-23 | 2011-09-29 | Savvis, Inc. | Policy management system and method |
US8220056B2 (en) * | 2008-09-23 | 2012-07-10 | Savvis, Inc. | Threat management system and method |
US8484338B2 (en) | 2008-10-02 | 2013-07-09 | Actiance, Inc. | Application detection architecture and techniques |
US20100085883A1 (en) * | 2008-10-02 | 2010-04-08 | Facetime Communications, Inc. | Application detection architecture and techniques |
US8621065B1 (en) * | 2008-10-23 | 2013-12-31 | Amazon Technologies, Inc. | Dynamic blocking of suspicious electronic submissions |
US9237162B1 (en) | 2008-10-23 | 2016-01-12 | Amazon Technologies, Inc. | Dynamic blocking of suspicious electronic submissions |
US8463730B1 (en) | 2008-10-24 | 2013-06-11 | Vmware, Inc. | Rapid evaluation of numerically large complex rules governing network and application transactions |
US8688823B1 (en) | 2008-10-24 | 2014-04-01 | Vmware, Inc. | Association of network traffic to enterprise users in a terminal services environment |
US9559800B1 (en) | 2008-10-24 | 2017-01-31 | Vmware, Inc. | Dynamic packet filtering |
US20100169975A1 (en) * | 2008-11-17 | 2010-07-01 | Dnsstuff Llc | Systems, methods, and devices for detecting security vulnerabilities in ip networks |
US8806632B2 (en) | 2008-11-17 | 2014-08-12 | Solarwinds Worldwide, Llc | Systems, methods, and devices for detecting security vulnerabilities in IP networks |
US20100125663A1 (en) * | 2008-11-17 | 2010-05-20 | Donovan John J | Systems, methods, and devices for detecting security vulnerabilities in ip networks |
US20110055924A1 (en) * | 2009-09-02 | 2011-03-03 | Q1 Labs Inc. | Graph structures for event matching |
US9413598B2 (en) * | 2009-09-02 | 2016-08-09 | International Business Machines Corporation | Graph structures for event matching |
US8413241B2 (en) * | 2009-09-17 | 2013-04-02 | Oracle America, Inc. | Integrated intrusion deflection, detection and introspection |
US20110067107A1 (en) * | 2009-09-17 | 2011-03-17 | Sun Microsystems, Inc. | Integrated intrusion deflection, detection and introspection |
US20120002680A1 (en) * | 2010-06-30 | 2012-01-05 | Ygdal Naouri | Interruption, at least in part, of frame transmission |
US8953631B2 (en) * | 2010-06-30 | 2015-02-10 | Intel Corporation | Interruption, at least in part, of frame transmission |
US10122575B2 (en) | 2010-07-01 | 2018-11-06 | LogRhythm Inc. | Log collection, structuring and processing |
US9384112B2 (en) * | 2010-07-01 | 2016-07-05 | Logrhythm, Inc. | Log collection, structuring and processing |
US20120005542A1 (en) * | 2010-07-01 | 2012-01-05 | LogRhythm Inc. | Log collection, structuring and processing |
US20120054823A1 (en) * | 2010-08-24 | 2012-03-01 | Electronics And Telecommunications Research Institute | Automated control method and apparatus of ddos attack prevention policy using the status of cpu and memory |
US20120192246A1 (en) * | 2010-11-24 | 2012-07-26 | Tufin Software Technologies Ltd. | Method and system for mapping between connectivity requests and a security rule set |
US20150074755A1 (en) * | 2010-11-24 | 2015-03-12 | Tufin Software Technologies Ltd. | Method and system for mapping between connectivity requests and a security rule set |
US9313175B2 (en) * | 2010-11-24 | 2016-04-12 | Tufin Software Technologies Ltd. | Method and system for mapping between connectivity requests and a security rule set |
US8914841B2 (en) * | 2010-11-24 | 2014-12-16 | Tufin Software Technologies Ltd. | Method and system for mapping between connectivity requests and a security rule set |
JP2012231232A (en) * | 2011-04-25 | 2012-11-22 | Hitachi Ltd | Communication system and device |
US8726385B2 (en) * | 2011-10-05 | 2014-05-13 | Mcafee, Inc. | Distributed system and method for tracking and blocking malicious internet hosts |
EP2764660A4 (en) * | 2011-10-05 | 2015-07-22 | Mcafee Inc | Distributed system and method for tracking and blocking malicious internet hosts |
US20130091584A1 (en) * | 2011-10-05 | 2013-04-11 | Mcafee, Inc. | Distributed System and Method for Tracking and Blocking Malicious Internet Hosts |
US10033697B2 (en) | 2011-10-05 | 2018-07-24 | Mcafee, Llc | Distributed system and method for tracking and blocking malicious internet hosts |
CN103858381A (en) * | 2011-10-05 | 2014-06-11 | 迈克菲股份有限公司 | Distributed system and method for tracking and blocking malicious internet hosts |
US9385991B2 (en) | 2011-10-05 | 2016-07-05 | Mcafee, Inc. | Distributed system and method for tracking and blocking malicious internet hosts |
US11089041B2 (en) | 2011-11-07 | 2021-08-10 | Netflow Logic Corporation | Method and system for confident anomaly detection in computer network traffic |
US10542024B2 (en) * | 2011-11-07 | 2020-01-21 | Netflow Logic Corporation | Method and system for confident anomaly detection in computer network traffic |
US20150229661A1 (en) * | 2011-11-07 | 2015-08-13 | Netflow Logic Corporation | Method and system for confident anomaly detection in computer network traffic |
US9843488B2 (en) * | 2011-11-07 | 2017-12-12 | Netflow Logic Corporation | Method and system for confident anomaly detection in computer network traffic |
US20180337836A1 (en) * | 2011-11-07 | 2018-11-22 | Netflow Logic Corporation | Method and system for confident anomaly detection in computer network traffic |
US11805143B2 (en) | 2011-11-07 | 2023-10-31 | Netflow Logic Corporation | Method and system for confident anomaly detection in computer network traffic |
US10171352B2 (en) * | 2011-12-21 | 2019-01-01 | Nec Corporation | Communication system, node, control device, communication method, and program |
US20160330113A1 (en) * | 2011-12-21 | 2016-11-10 | Nec Corporation | Communication system, node, control device, communication method, and program |
US8953471B2 (en) * | 2012-01-05 | 2015-02-10 | International Business Machines Corporation | Counteracting spam in voice over internet protocol telephony systems |
US20130176865A1 (en) * | 2012-01-05 | 2013-07-11 | International Business Machines Corporation | Counteracting Spam in Voice Over Internet Protocol Telephony Systems |
US10225288B2 (en) * | 2012-02-01 | 2019-03-05 | Servicenow, Inc. | Scalable network security detection and prevention platform |
US11222111B2 (en) | 2012-02-01 | 2022-01-11 | Servicenow, Inc. | Techniques for sharing network security event information |
US9680846B2 (en) | 2012-02-01 | 2017-06-13 | Servicenow, Inc. | Techniques for sharing network security event information |
US9710644B2 (en) | 2012-02-01 | 2017-07-18 | Servicenow, Inc. | Techniques for sharing network security event information |
US10032020B2 (en) | 2012-02-01 | 2018-07-24 | Servicenow, Inc. | Techniques for sharing network security event information |
US11388200B2 (en) * | 2012-02-01 | 2022-07-12 | Servicenow, Inc. | Scalable network security detection and prevention platform |
US9756082B1 (en) | 2012-02-01 | 2017-09-05 | Servicenow, Inc. | Scalable network security with fast response protocol |
US10628582B2 (en) | 2012-02-01 | 2020-04-21 | Servicenow, Inc. | Techniques for sharing network security event information |
US20160269427A1 (en) * | 2012-02-01 | 2016-09-15 | Brightpoint Security, Inc. | Scalable Network Security Detection And Prevention Platform |
US10412103B2 (en) * | 2012-02-01 | 2019-09-10 | Servicenow, Inc. | Techniques for sharing network security event information |
FR2995427A1 (en) * | 2012-09-12 | 2014-03-14 | Tibsys | Device for monitoring frames to be placed at interconnection of home local area network and internet in residential area, has input unit inputting alert state when signature or scenario and/or inconsistency are detected by detecting unit |
US10630645B1 (en) | 2012-11-30 | 2020-04-21 | United Services Automobile Association (Usaa) | Private network request forwarding |
US9930011B1 (en) * | 2012-11-30 | 2018-03-27 | United Services Automobile Association (Usaa) | Private network request forwarding |
US9930012B1 (en) | 2012-11-30 | 2018-03-27 | United Services Automobile Association (Usaa) | Private network request forwarding |
US10666620B1 (en) | 2012-11-30 | 2020-05-26 | United Services Automobile Association (Usaa) | Private network request forwarding |
US11368433B1 (en) | 2012-11-30 | 2022-06-21 | United Services Automobile Association (Usaa) | Private network request forwarding |
US11399010B1 (en) | 2012-11-30 | 2022-07-26 | United Services Automobile Association (Usaa) | Private network request forwarding |
US10263916B2 (en) | 2012-12-03 | 2019-04-16 | Hewlett Packard Enterprise Development Lp | System and method for message handling in a network device |
US9800503B2 (en) * | 2012-12-03 | 2017-10-24 | Aruba Networks, Inc. | Control plane protection for various tables using storm prevention entries |
US20140156720A1 (en) * | 2012-12-03 | 2014-06-05 | Aruba Networks, Inc. | Control plane protection for various tables using storm prevention entries |
US9992213B2 (en) * | 2013-03-28 | 2018-06-05 | Emc Corporation | Risk-adaptive access control of an application action based on threat detection data |
US9240996B1 (en) * | 2013-03-28 | 2016-01-19 | Emc Corporation | Method and system for risk-adaptive access control of an application action |
US20160088005A1 (en) * | 2013-03-28 | 2016-03-24 | Emc Corporation | Method and system for risk-adaptive access control of an application action |
US10142343B2 (en) * | 2013-07-05 | 2018-11-27 | Nippon Telegraph And Telephone Corporation | Unauthorized access detecting system and unauthorized access detecting method |
US20160373447A1 (en) * | 2013-07-05 | 2016-12-22 | Nippon Telegraph And Telephone Corporation | Unauthorized access detecting system and unauthorized access detecting method |
US10015176B2 (en) | 2013-07-15 | 2018-07-03 | Cyberseal Ltd. | Network protection |
US20150067816A1 (en) * | 2013-08-28 | 2015-03-05 | Cellco Partnership D/B/A Verizon Wireless | Automated security gateway |
US9548993B2 (en) * | 2013-08-28 | 2017-01-17 | Verizon Patent And Licensing Inc. | Automated security gateway |
US9596213B2 (en) | 2013-08-30 | 2017-03-14 | Eco Hive Limited | Monitoring arrangement |
EP2843878A1 (en) * | 2013-08-30 | 2015-03-04 | Eco-Hive Limited | A monitoring arrangement |
US10130512B2 (en) | 2013-09-19 | 2018-11-20 | Natus Medical Incorporated | Headgear for observation of eye movements |
EP3066608A4 (en) * | 2013-11-06 | 2017-04-12 | McAfee, Inc. | Context-aware network forensics |
KR101836016B1 (en) * | 2013-11-06 | 2018-03-07 | 맥아피, 엘엘씨 | Context-aware network forensics |
CN105659245A (en) * | 2013-11-06 | 2016-06-08 | 迈克菲公司 | Context-aware network forensics |
US20220124183A1 (en) * | 2015-01-29 | 2022-04-21 | Splunk Inc. | Facilitating custom content extraction rule configuration for remote capture agents |
US10230742B2 (en) * | 2015-01-30 | 2019-03-12 | Anomali Incorporated | Space and time efficient threat detection |
US10616248B2 (en) | 2015-01-30 | 2020-04-07 | Anomali Incorporated | Space and time efficient threat detection |
US10601853B2 (en) * | 2015-08-24 | 2020-03-24 | Empow Cyber Security Ltd. | Generation of cyber-attacks investigation policies |
US20170063930A1 (en) * | 2015-08-24 | 2017-03-02 | Empow Cyber Security Ltd. | Generation of cyber-attacks investigation policies |
US10193919B2 (en) | 2015-08-24 | 2019-01-29 | Empow Cyber Security, Ltd | Risk-chain generation of cyber-threats |
US10686805B2 (en) | 2015-12-11 | 2020-06-16 | Servicenow, Inc. | Computer network threat assessment |
US10348687B2 (en) * | 2015-12-18 | 2019-07-09 | Worcester Polytechnic Institute | Method and apparatus for using software defined networking and network function virtualization to secure residential networks |
US10560452B2 (en) * | 2016-02-16 | 2020-02-11 | Fujitsu Limited | Apparatus and method to control transfer apparatuses depending on a type of an unauthorized communication occurring in a network |
US20170237733A1 (en) * | 2016-02-16 | 2017-08-17 | Fujitsu Limited | Apparatus and method to control transfer apparatuses depending on a type of an unauthorized communication occurring in a network |
US11743285B2 (en) * | 2016-09-26 | 2023-08-29 | Splunk Inc. | Correlating forensic and non-forensic data in an information technology environment |
US11750663B2 (en) | 2016-09-26 | 2023-09-05 | Splunk Inc. | Threat identification-based collection of forensic data from endpoint devices |
US11451566B2 (en) | 2016-12-29 | 2022-09-20 | NSFOCUS Information Technology Co., Ltd. | Network traffic anomaly detection method and apparatus |
CN106506556A (en) * | 2016-12-29 | 2017-03-15 | 北京神州绿盟信息安全科技股份有限公司 | A kind of network flow abnormal detecting method and device |
WO2018121157A1 (en) * | 2016-12-29 | 2018-07-05 | 北京神州绿盟信息安全科技股份有限公司 | Network traffic anomaly detection method and apparatus |
US10333960B2 (en) | 2017-05-03 | 2019-06-25 | Servicenow, Inc. | Aggregating network security data for export |
US11743278B2 (en) | 2017-05-03 | 2023-08-29 | Servicenow, Inc. | Aggregating network security data for export |
US11223640B2 (en) | 2017-05-03 | 2022-01-11 | Servicenow, Inc. | Aggregating network security data for export |
US11575703B2 (en) | 2017-05-05 | 2023-02-07 | Servicenow, Inc. | Network security threat intelligence sharing |
US20220286471A1 (en) * | 2018-01-23 | 2022-09-08 | Rapid7, Inc. | Honeypot Network with Dynamically Updated Alert Modules for Detecting Anomalous Connections |
US11368474B2 (en) * | 2018-01-23 | 2022-06-21 | Rapid7, Inc. | Detecting anomalous internet behavior |
US11595423B2 (en) * | 2018-01-23 | 2023-02-28 | Rapid7, Inc. | Honeypot network with dynamically updated alert modules for detecting anomalous connections |
CN108762905A (en) * | 2018-05-24 | 2018-11-06 | 苏州乐麟无线信息科技有限公司 | A kind for the treatment of method and apparatus of multitask event |
US10762192B2 (en) * | 2018-08-22 | 2020-09-01 | Paypal, Inc. | Cleartext password detection using machine learning |
US11711395B2 (en) | 2019-02-15 | 2023-07-25 | Verizon Patent And Licensing Inc. | User-determined network traffic filtering |
US11233816B2 (en) * | 2019-02-15 | 2022-01-25 | Verizon Patent And Licensing Inc. | User-determined network traffic filtering |
US11057428B1 (en) * | 2019-03-28 | 2021-07-06 | Rapid7, Inc. | Honeytoken tracker |
US11057429B1 (en) * | 2019-03-29 | 2021-07-06 | Rapid7, Inc. | Honeytoken tracker |
US10893060B2 (en) * | 2019-04-05 | 2021-01-12 | Material Security Inc. | Defanging malicious electronic files based on trusted user reporting |
US11856007B2 (en) | 2019-04-05 | 2023-12-26 | Material Security Inc. | Defanging malicious electronic files based on trusted user reporting |
US20220224672A1 (en) * | 2019-07-12 | 2022-07-14 | Hitachi Astemo, Ltd. | Gateway device |
US11677758B2 (en) * | 2020-03-04 | 2023-06-13 | Cisco Technology, Inc. | Minimizing data flow between computing infrastructures for email security |
US20210397697A1 (en) * | 2020-06-23 | 2021-12-23 | Acronis International Gmbh | Systems and methods for detecting stored passwords vulnerable to compromise |
US11651067B2 (en) * | 2020-06-23 | 2023-05-16 | Acronis International Gmbh | Systems and methods for detecting stored passwords vulnerable to compromise |
US11736440B2 (en) * | 2020-10-27 | 2023-08-22 | Centripetal Networks, Llc | Methods and systems for efficient adaptive logging of cyber threat incidents |
US20230095306A1 (en) * | 2020-10-27 | 2023-03-30 | Centripetal Networks, Inc. | Methods and Systems for Efficient Adaptive Logging of Cyber Threat Incidents |
CN114124450A (en) * | 2021-10-15 | 2022-03-01 | 广东电网有限责任公司广州供电局 | Network security system and method for remote storage battery capacity checking |
US20230140706A1 (en) * | 2021-11-01 | 2023-05-04 | Recorded Future, Inc. | Pipelined Malware Infrastructure Identification |
CN114510402A (en) * | 2022-04-19 | 2022-05-17 | 深圳市信润富联数字科技有限公司 | System application level performance monitoring system and method |
Also Published As
Publication number | Publication date |
---|---|
US8832833B2 (en) | 2014-09-09 |
WO2006080930A1 (en) | 2006-08-03 |
US10326777B2 (en) | 2019-06-18 |
US20140380456A1 (en) | 2014-12-25 |
US20100257598A1 (en) | 2010-10-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10326777B2 (en) | | Integrated data traffic monitoring system |
US8631495B2 (en) | | Systems and methods for message threat management |
US9185127B2 (en) | | Network protection service |
US9160755B2 (en) | | Trusted communication network |
US8108930B2 (en) | | Secure self-organizing and self-provisioning anomalous event detection systems |
US7007302B1 (en) | | Efficient management and blocking of malicious code and hacking attempts in a network environment |
EP1488316B1 (en) | | Systems and methods for enhancing electronic communication security |
US20070097976A1 (en) | | Suspect traffic redirection |
US20030110392A1 (en) | | Detecting intrusions |
US20070244974A1 (en) | | Bounce Management in a Trusted Communication Network |
US10135785B2 (en) | | Network security system to intercept inline domain name system requests |
US20060010209A1 (en) | | Server for sending electronics messages |
WO2007146690A2 (en) | | Systems and methods for graphically displaying messaging traffic |
US20200106742A1 (en) | | Methods and Systems for Efficient Network Protection |
JP2006319982A (en) | | Worm-specifying and non-activating method and apparatus in communications network |
US20060206615A1 (en) | | Systems and methods for dynamic and risk-aware network security |
JP2009515426A (en) | | High reliability communication network |
US7634809B1 (en) | | Detecting unsanctioned network servers |
US20110185166A1 (en) | | Slider Control for Security Grouping and Enforcement |
US20220239676A1 (en) | | Cyber-safety threat detection system |
EP1629623A1 (en) | | Systems and methods for dynamic and risk-aware network security |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |