Method and system for updating anti-intrusion software

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

Classifications: C717S126000, C717S168000, C717S171000, C717S172000, C717S173000, C717S174000, C717S178000, C709S223000, C709S224000, C709S225000, C709S226000, C709S229000, C713S152000, C713S156000

Status: active

Patent number: 06725377

ABSTRACT:

FIELD OF THE INVENTION
The present invention relates to computer systems and computer networks. In particular, the present invention relates to a computer program product and method that modifies anti-intrusion software on a computer network.
BACKGROUND OF THE INVENTION
The subject matter of the present application is related to “Method and System for Providing Automated Updating and Upgrading of Antivirus Applications Using a Computer Network” (application Ser. No. 09/001,611, filed Dec. 31, 1997, now issued as U.S. Pat. No. 6,035,423), assigned to the assignee of the present invention, the contents of which are hereby incorporated by reference.
Intrusion attacks on computer networks are a major problem in today's networked computing environment. An intrusion attack occurs when an intruder either breaches a network or temporarily disables it. As far back as 1992, the Federal Bureau of Investigation had determined that computer crime is the most expensive form of commercial crime—with an average cost of $450,000 per theft. Estimates of the total dollar figure for computer theft are as high as $5 billion per year.
Intrusion attacks are generally given a name, typically reflecting the characteristics of the attack. For example, a “Ping of Death” intrusion attack occurs when an intruder sends abnormally large ping packets in an attempt to disable a remote system. A “ping” checks whether a remote host is active on a network by sending it packets. The remote host then echoes those packets back to the user's machine. If the remote host does not echo back the packets, the remote host is considered down and the ping sender is so notified. If a large number of ping packets are sent to a remote host at one time, this can cause an abrupt failure of the core part of the operating system, potentially causing data to be lost due to improper system shutdown.
Another type of attack is called the “SYN Flood” attack. With this type of intrusion attack, an intruder attempts to establish a connection with a service; however, the client does not allow the connection to be completed. The service continues to send confirmations to the client in an attempt to complete the connection. The connection queues fill up, and service is denied to legitimate users.
A variety of programs have been developed to detect and intercept intrusion attacks on networks. By monitoring the traffic on a network, or the traffic at the gateway of a local area network, these “monitors” can alert a system administrator when a virus is detected. A monitor is typically implemented by an anti-intrusion software program on a server attached to the network. By server, what is meant is any type of computer on which the software program is loaded. This server, hereinafter referred to as an “anti-intrusion monitor server,” examines packets that pass on the network and looks for characteristics of known attacks. When an anti-intrusion monitor server detects characteristics of a known intrusion attack, a system administrator is typically notified.
Other actions, while not strictly attacks, indicate malicious intent and often precede an attack. Examples include information gathering probes and connection attempts. An anti-intrusion monitor server will also watch for this type of malicious activity, often a precursor to an attack.
In order to detect intrusion attacks, the anti-intrusion software of a monitor server typically includes an intrusion attack scanning engine with one or more files known as “attack signature files,” which contain information pertaining to known types of intrusion attacks. This information includes both the type of protocol the attack occurs in (e.g., Transmission Control Protocol/Internet Protocol [TCP/IP] or File Transfer Protocol [FTP]) and specific packet information which is indicative of an attack. Importantly, the anti-intrusion software is only able to detect those types of intrusion attacks for which it has a corresponding attack signature file. If a new type of intrusion attack is developed, the anti-intrusion monitor server will be unable to detect it.
By way of example, and not by way of limitation, a leading anti-intrusion attack program and its accompanying attack profiles will be described. It is emphasized that this example is presented only for clarity of presentation, and does not limit the scope or context of the preferred embodiments to certain software packages, software types, or operating system types. Indeed, the preferred embodiments are advantageously applied to many different types of anti-intrusion software programs on many different types of operating systems and computer configurations.
A leading anti-intrusion application, produced by Network Associates, is called CyberCop Network. CyberCop Network is a real-time intrusion detection system, performing round-the-clock surveillance of network traffic. Acting as a hi-tech burglar alarm, CyberCop Network helps protect a network from attacks—both internal and external—by sending out alerts when the security of the network is breached by unauthorized intruders. CyberCop Network is a software application offered in a variety of outlets and forms. It is accompanied by documentation, including the “CyberCop Network for Windows NT v2.0 User's Guide,” issued October 1998. The contents of these documents are hereby incorporated by reference into the present application.
In one form, CyberCop Network is adapted to run on one or several Windows NT-based servers connected to a network. For optimum security, each CyberCop Network server should be installed on a dedicated machine before any point of entry to the network or network segments. This would include at the same network segment as the web server, at the Ethernet interface just inside the firewall, or between the Internet router and the internal machines.
If CyberCop Network does run on multiple servers, all servers running CyberCop Network can be configured at a single monitor server running CyberCop Network Configuration Manager, a configuration tool. CyberCop Network Configuration Manager can remotely configure all networked servers running a local copy of CyberCop Network.
CyberCop Network Configuration Manager uses Windows' “drag-and-drop” feature to create and distribute monitoring profiles for attacks. A “profile” includes the following three attributes: 1) one or more attack signatures with detection thresholds; 2) one or more monitoring schedules; and 3) one or more attack notification methods. Profiles are distributed from the Configuration Manager to the networked servers directing them to perform remote monitoring functions using their local copies of CyberCop Network.
To create a monitoring profile, a user first chooses which networked server (or servers) the profile will operate on, and selects that server. The user then has the choice of which attack signature files to include in the profile. The “master attack list” includes approximately 180 known attacks, sorted into protocol attack groups by the protocol they occur in, e.g. TCP/IP, FTP, or WWW. Each attack signature file also includes a corresponding description of the attack that the user can read. The user can import the entire master attack list, an entire protocol attack group, or individual attack signatures that the user can pick and choose. Next, the user must set the threshold of detection sensitivity by specifying the number of times within a specified number of seconds/minutes that an attack must occur before an alert is generated. CyberCop Network will perform specific operations when an alert is generated, in accordance with the Alert Manager's settings as configured by the user, explained below. Detection sensitivity can be set for each individual attack signature or collectively for an entire attack group.
The user has the option of setting a monitoring schedule for each attack signature or group. The monitoring schedule allows the user to set the time period for each day of a week that CyberCop Network will monitor for the attack signature or group.
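The monitoring profile just described has three parts: attack signatures with a detection threshold (a number of occurrences within a time window), a monitoring schedule, and a notification method. The following Python sketch is an added example, not code from the patent or from CyberCop Network: it feeds a constructed packet trace through such a profile, using simplified matchers for the two attacks described earlier in this background section. The packet fields, the choice of 65535 bytes (the largest legal IPv4 datagram) as the cut-off for an "abnormally large" ping, the thresholds, the schedule and the sample addresses are all assumptions made for the illustration.

```python
# Added example (not from the patent or CyberCop Network): a minimal
# signature-based monitor with per-signature thresholds, a monitoring
# schedule and a notification callback. All values below are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Deque, Dict, List, Optional, Tuple

MAX_IP_DATAGRAM = 65535  # assumed cut-off for "abnormally large" ping packets


@dataclass
class Packet:
    """One observed packet (simplified fields; constructed for the example)."""
    ts: float          # Unix time in seconds
    proto: str         # protocol group, e.g. "ICMP" or "TCP"
    src: str
    dst: str
    length: int = 0    # reassembled datagram length in bytes
    flags: str = ""    # TCP flags as letters, e.g. "S" for a bare SYN


@dataclass
class Signature:
    """One attack-signature entry: protocol group, packet test, and the
    threshold (hits per source within window_s seconds) that raises an alert."""
    name: str
    proto: str
    match: Callable[[Packet], bool]
    threshold: int
    window_s: float
    description: str = ""


@dataclass
class Schedule:
    """Monitoring hours per weekday (0 = Monday) as (start_hour, end_hour) in
    UTC; weekdays not listed are monitored all day."""
    hours: Dict[int, Tuple[int, int]] = field(default_factory=dict)

    def active(self, ts: float) -> bool:
        d = datetime.fromtimestamp(ts, tz=timezone.utc)
        start, end = self.hours.get(d.weekday(), (0, 24))
        return start <= d.hour < end


@dataclass
class Profile:
    signatures: List[Signature]
    schedule: Schedule
    notify: Callable[[str], None]   # the profile's notification method


class Monitor:
    def __init__(self, profile: Profile) -> None:
        self.profile = profile
        # Sliding window of hit timestamps per (signature name, source address).
        self.hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.alerts: List[str] = []

    def observe(self, pkt: Packet) -> Optional[str]:
        """Feed one packet; return the alert text if a threshold was crossed."""
        if not self.profile.schedule.active(pkt.ts):
            return None  # outside the monitoring schedule: not examined
        for sig in self.profile.signatures:
            if sig.proto != pkt.proto or not sig.match(pkt):
                continue
            q = self.hits[(sig.name, pkt.src)]
            q.append(pkt.ts)
            while q and pkt.ts - q[0] > sig.window_s:
                q.popleft()  # discard hits that fell out of the window
            if len(q) >= sig.threshold:
                q.clear()    # one burst produces one alert, then re-arm
                msg = (f"ALERT {sig.name}: {sig.threshold} hit(s) within "
                       f"{sig.window_s}s from {pkt.src}")
                self.alerts.append(msg)
                self.profile.notify(msg)
                return msg
        return None


# Simplified signatures for the two attacks described in the text.
SIGNATURES = [
    Signature("Ping of Death", "ICMP", lambda p: p.length > MAX_IP_DATAGRAM,
              threshold=1, window_s=1.0,
              description="ICMP echo larger than a legal IP datagram"),
    Signature("SYN Flood", "TCP", lambda p: p.flags == "S",
              threshold=5, window_s=2.0,
              description="burst of bare SYNs from one source"),
]


def run_sample() -> List[str]:
    """Replay a constructed packet trace through a profile; return the alerts."""
    base = 1704103200.0  # Mon 2024-01-01 10:00:00 UTC (constructed)
    profile = Profile(SIGNATURES, Schedule({0: (9, 17)}), notify=print)
    mon = Monitor(profile)
    trace = [Packet(base + i, "ICMP", "10.0.0.5", "10.0.0.1", 64) for i in range(5)]
    trace.append(Packet(base + 6, "ICMP", "10.0.0.9", "10.0.0.1", 70000))
    trace += [Packet(base + 10 + i * 0.2, "TCP", "10.0.0.7", "10.0.0.1", 60, "S")
              for i in range(6)]
    # The same SYN burst eight hours later falls outside Monday's 09:00-17:00
    # window and is ignored by the schedule.
    trace += [Packet(base + 8 * 3600 + i * 0.2, "TCP", "10.0.0.7", "10.0.0.1", 60, "S")
              for i in range(6)]
    for pkt in trace:
        mon.observe(pkt)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print("recorded:", alert)
```

The per-source sliding window is what turns the "N times within T seconds" threshold setting into a decision; clearing the window after an alert keeps one burst from producing one alert per packet. A real engine would also track TCP handshake state for the SYN flood case rather than counting bare SYNs.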
