Dynamic system defense for information warfare

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details: status active, patent number 06408391

ABSTRACT:

FIELD OF THE INVENTION
The present invention relates generally to intrusion detection systems for computer systems, and more particularly, relates to intrusion detection systems having dynamic response capabilities for suppressing and automatically taking countermeasures against suspected and actual intruders and misusers.
BACKGROUND OF THE INVENTION
The development of the computer and its astonishingly rapid improvement have ushered in the Information Age, which affects almost all aspects of commerce and society. Just like the physical infrastructures that support the American economy, there is a highly developed computer infrastructure that supports the American and worldwide economy.
Besides traditional physical threats to United States security, the security of the United States is also dependent on protecting the computer infrastructure that supports American government and industry. The computer infrastructure is open to attack by hackers and others, who could potentially wreak havoc.
The President of the United States has recognized the existence of these infrastructures and has created the President's Commission on Critical Infrastructure Protection. This Commission was constituted to determine which industries are critical and whether these industries were vulnerable to cyber attack. The Commission issued a report and deemed transportation, oil and gas production and storage, water supply, emergency services, government services, banking and finance, electrical power and telecommunications to be critical infrastructures which rely on the computer infrastructure.
A personal computer and a modem access to the Internet are all the tools that a computer hacker needs to conduct a cyber attack on a computer system. The rapid growth of a computer-literate population ensures that millions of people possess the skills necessary to consider a cyber attack. The computer literate population includes recreational hackers who attempt to gain unauthorized electronic access to information and communication systems. These computer hackers are often motivated only by personal fascination with hacking as an interesting game. Criminals, and perhaps organized crime, might also attempt personal financial gain through manipulation of financial or credit accounts or stealing services. Industrial espionage can also be the reason for a cyber attack on a competitor's computer system. Terrorists may attempt to use the computer infrastructure. Other countries may use the computer infrastructure for national intelligence purpose. Finally, there is the prospect of information warfare, which is a broad, orchestrated attempt to disrupt a United States military operation or significant economic activity.
A typical secure computer network has an interface for receiving and transmitting data between the secure network and computers outside the secure network. A plurality of network devices are typically behind the firewall. The interface may be a modem or an Internet Protocol (IP) router. Data received by the modem is sent to a firewall, which is a network security device that only allows data packets from a trusted computer to be routed to specific addresses within the secure computer network. Although the typical firewall is adequate to prevent outsiders from accessing a secure network, hackers and others can often breach a firewall. This can occur by cyber attack where the firewall becomes overwhelmed with requests and errors are made permitting access to an unauthorized user. As can be appreciated, new ways of overcoming the security devices are developed every day. An entry by an unauthorized computer into the secured network, past the firewall, from outside the secure network is called an intrusion. This is one type of unauthorized operation on the secure computer network.
Another type of unauthorized operation is called a misuse. A misuse is an unauthorized access by a computer within the secure network. In a misuse situation, there is no breach of the firewall. Instead, a misuse occurs from inside the secure computer network. A misuse can be detected when an authorized user performs an unauthorized, or perhaps infrequent, operation which may raise the suspicion that the authorized user's computer is being misused. For example, an unauthorized user could obtain the password of an authorized user, log on to the secured network from the authorized user's computer and perform operations not typically performed by the authorized user. Another example might be where a terrorist puts a gun to the head of an authorized user and directs the authorized user to perform unauthorized or unusual operations.
There are systems available for determining a breach of computer security which can broadly be termed intrusion detection systems. Existing intrusion detection systems can detect intrusions and misuses. The existing security systems determine when computer misuse or intrusion occurs. Computer misuse detection is the process of detecting and reporting uses of processing systems and networks that would be deemed inappropriate or unauthorized if known to responsible parties. An intrusion is an entry to a processing system or network by an unauthorized outsider.
These existing computer security systems have audit capabilities which are passive. These systems collect audit information from network devices and format those audits for review. Most of the existing computer security systems known to the inventors do not take steps to stop the misuse or intrusion after it is detected. Those that do take active steps are limited to logging a user off the network, stopping communications with that computer, halting operations, or other forms of notification such as a message to the security officer. Manual countermeasures are necessary. Once a hacker or intruder enters a critical system computer, even if detected, the hacker may do considerable harm before an operator of the system can react and initiate an appropriate manual countermeasure to stop the misuse or intrusion or to positively identify the hacker. Thus, a need exists for a system which can automatically take defensive steps to stop a misuse or intrusion after it is detected. A further need exists for a system which can take offensive steps, either automatically or with human intervention, to learn more information about an intruder and perhaps disable the intruder.
SUMMARY OF THE INVENTION
It is, therefore, an object of the present invention to substantially overcome the above-identified problems and substantially fulfill the above-identified needs.
A further object is to automatically take countermeasures against an intruder or misuser.
Another object is to automatically take offensive steps against an intruder by sending an agent to the intruder's computer system.
An additional object is to automatically take defensive steps to halt further intrusion or misuse.
These and other objects of the present invention are achieved by a method and apparatus for receiving information that an intrusion or misuse has occurred and taking countermeasures on a computer network. The computer network includes a plurality of network devices such as computers, hosts, servers and terminals, all coupled to a network communications media for monitoring the network for intrusion and misuse. Although a security device such as a firewall is typically in place to prevent intruders from accessing the computer network, hackers can often gain entry to the computer network. Also, although internal users have passwords and the like, misuse of the computer network occurs from computers within the network because misusers obtain the necessary passwords, etc. A security computer is coupled to the network communications media and includes software for deploying software agents on each of the network devices, and monitoring and controlling the deployed agents. Each agent is a computer software module which is capable of being transported from one computer to another under instruction from the security computer. The security computer receives information from age
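The two ideas the background and summary describe, detecting a misuse as an operation that is absent or rare in an authorized user's own audit history, and having a security computer answer the alert by instructing the agent on that device to take a defensive step, can be sketched in a few dozen lines. The following is an added illustration, not code from the patent or its assignee. The audit line format (`user device operation`), the user and device names, the 10% rarity threshold and the `terminate_session` action are all assumptions made for the example; the records are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed audit records (assumed format "user device operation", as an
# agent on each device might report them). Baseline = known-normal history.
BASELINE_AUDIT = """
alice ws-01 login
alice ws-01 read_mail
alice ws-01 read_mail
alice ws-01 edit_doc
alice ws-01 edit_doc
alice ws-01 edit_doc
alice ws-01 logout
bob ws-02 login
bob ws-02 run_backup
bob ws-02 run_backup
bob ws-02 read_mail
bob ws-02 logout
""".strip().splitlines()

# Constructed recent activity: alice's session contains an operation she has
# never performed before, which is the "infrequent operation" signal.
RECENT_AUDIT = """
alice ws-01 login
alice ws-01 edit_doc
alice ws-01 export_customer_db
bob ws-02 login
bob ws-02 run_backup
""".strip().splitlines()


@dataclass
class Event:
    user: str
    device: str
    operation: str


def parse_audit(lines):
    """Parse audit lines; malformed lines are skipped rather than crashing the monitor."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        events.append(Event(*parts))
    return events


def build_profiles(events):
    """Per-user count of each operation seen during the baseline period."""
    profiles = defaultdict(Counter)
    for ev in events:
        profiles[ev.user][ev.operation] += 1
    return profiles


def rarity(profiles, ev):
    """Share of the user's baseline operations matching this one; 0.0 = never seen."""
    counts = profiles.get(ev.user)
    if not counts:
        return 0.0  # unknown user: no history at all is itself suspicious
    return counts[ev.operation] / sum(counts.values())


def detect_misuse(profiles, events, min_share=0.10):
    """Flag events whose operation is absent or rarer than min_share for that user."""
    return [ev for ev in events if rarity(profiles, ev) < min_share]


@dataclass
class Agent:
    """Software agent resident on one network device (assumed interface)."""
    device: str
    actions: list = field(default_factory=list)

    def execute(self, action, user):
        self.actions.append((action, user))
        return (self.device, action, user)


class SecurityComputer:
    """Holds one agent per device and dispatches automatic countermeasures."""

    def __init__(self, devices):
        self.agents = {d: Agent(d) for d in devices}

    def respond(self, alerts):
        # Defensive step: end the suspect session on the device it came from.
        # A device with no agent is recorded so an operator can follow up.
        results = []
        for ev in alerts:
            agent = self.agents.get(ev.device)
            if agent is None:
                results.append((ev.device, "no_agent", ev.user))
                continue
            results.append(agent.execute("terminate_session", ev.user))
        return results


def run_demo():
    profiles = build_profiles(parse_audit(BASELINE_AUDIT))
    alerts = detect_misuse(profiles, parse_audit(RECENT_AUDIT))
    security = SecurityComputer(["ws-01", "ws-02"])
    return alerts, security.respond(alerts)


if __name__ == "__main__":
    found, taken = run_demo()
    for ev in found:
        print(f"suspected misuse: {ev.user}@{ev.device} ran {ev.operation}")
    for device, action, user in taken:
        print(f"agent on {device}: {action} for {user}")
```

Only alice's `export_customer_db` is reported: it has zero baseline count for her, while her `login` (1 of 7 baseline operations) clears the 10% threshold. The threshold is the tunable part; set too high it turns every seldom-used but legitimate operation into a countermeasure, so in practice the rarity score would feed a confirmation step or an operator review before an agent terminates a session.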
