Probabilistic alert correlation

Data processing: financial – business practice – management – or co – Automated electrical financial or business practice or... – Electronic shopping

Reexamination Certificate

Details

C705S050000, C705S051000, C705S052000, C705S053000, C705S054000, C705S055000, C705S056000, C705S057000, C705S058000, C705S059000, C709S223000, C709S224000, C709S225000, C709S226000

active

07917393

ABSTRACT:
This invention uses probabilistic correlation techniques to increase sensitivity, reduce false alarms, and improve alert report quality in intrusion detection systems. In one preferred embodiment, an intrusion detection system includes at least two sensors to monitor different aspects of a computer network, such as a sensor that monitors network traffic and a sensor that discovers and monitors available network resources. The sensors are correlated in that the belief state of one sensor is used to update or modify the belief state of another sensor. In another embodiment of this invention, probabilistic correlation techniques are used to organize alerts generated by different sensors in an intrusion detection system. By comparing features of each new alert with features of previous alerts, rejecting a match if a feature fails to meet or exceed a minimum similarity value, and adjusting the comparison by an expectation that certain feature values will or will not match, the alerts can be grouped in an intelligent manner.
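The alert-grouping embodiment in the abstract (compare each new alert's features with those of earlier alerts, reject a candidate outright when any feature falls below its minimum similarity, and weight every feature by how strongly a match is expected) is worked through below as an added Python example. This is illustrative code written for this page, not the patent's or SRI's implementation; the feature set, the per-feature similarity scales, the minimum-similarity floors, the expectation weights keyed by attack class, the 60-second time constant, the 0.6 merge threshold and the sample alerts are all assumptions chosen for the demonstration.

```python
"""Expectation-weighted, threshold-gated alert grouping (constructed illustration)."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TAU_SECONDS = 60.0     # assumed decay constant for the "time" feature
MERGE_THRESHOLD = 0.6  # assumed overall similarity needed to join a meta-alert


@dataclass(frozen=True)
class Alert:
    sensor: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int]  # None when the sensor did not report a port
    attack_class: str
    time: float              # seconds


@dataclass
class MetaAlert:
    members: List[Alert] = field(default_factory=list)


def ip_sim(a: str, b: str) -> float:
    """Exact match 1.0, same /24 0.5, otherwise 0.0 (assumed scale)."""
    if a == b:
        return 1.0
    return 0.5 if a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0] else 0.0


def port_sim(a: Optional[int], b: Optional[int]) -> Optional[float]:
    """None means the feature is absent on one side: skipped, not penalised."""
    if a is None or b is None:
        return None
    return 1.0 if a == b else 0.0


def class_sim(a: str, b: str) -> float:
    return 1.0 if a == b else 0.3


def time_sim(a: float, b: float) -> float:
    return math.exp(-abs(a - b) / TAU_SECONDS)


# Minimum similarity per feature: below the floor the candidate is rejected
# regardless of how well the other features agree.
MIN_SIM: Dict[str, float] = {"src_ip": 0.5, "time": 0.05}

# Expectation that a feature matches, keyed by the NEW alert's attack class.
# A port scan is expected to vary dst_port, so that feature carries little
# weight; an exploit often follows a scan of a different class, so
# attack_class carries less weight there.
EXPECTATION: Dict[str, Dict[str, float]] = {
    "portscan": {"src_ip": 1.0, "dst_ip": 0.6, "dst_port": 0.1, "attack_class": 0.8, "time": 0.6},
    "exploit": {"src_ip": 1.0, "dst_ip": 1.0, "dst_port": 0.9, "attack_class": 0.3, "time": 0.6},
}


def feature_sims(new: Alert, old: Alert) -> Dict[str, Optional[float]]:
    return {
        "src_ip": ip_sim(new.src_ip, old.src_ip),
        "dst_ip": ip_sim(new.dst_ip, old.dst_ip),
        "dst_port": port_sim(new.dst_port, old.dst_port),
        "attack_class": class_sim(new.attack_class, old.attack_class),
        "time": time_sim(new.time, old.time),
    }


def similarity(new: Alert, old: Alert) -> Optional[float]:
    """Expectation-weighted mean of per-feature similarity, or None when any
    feature falls below its minimum (the rejection step in the abstract)."""
    sims = feature_sims(new, old)
    for name, floor in MIN_SIM.items():
        s = sims[name]
        if s is not None and s < floor:
            return None
    weights = EXPECTATION[new.attack_class]
    present = {f: s for f, s in sims.items() if s is not None}
    num = sum(weights[f] * s for f, s in present.items())
    den = sum(weights[f] for f in present)
    return num / den if den else 0.0


def meta_similarity(new: Alert, meta: MetaAlert) -> Optional[float]:
    """A meta-alert is as similar as its best-matching member."""
    scores = []
    for member in meta.members:
        s = similarity(new, member)
        if s is not None:
            scores.append(s)
    return max(scores) if scores else None


def correlate(alerts: List[Alert]) -> List[MetaAlert]:
    """Attach each alert to the most similar meta-alert above threshold, else start one."""
    metas: List[MetaAlert] = []
    for alert in alerts:
        best, best_score = None, MERGE_THRESHOLD
        for meta in metas:
            score = meta_similarity(alert, meta)
            if score is not None and score >= best_score:
                best, best_score = meta, score
        if best is None:
            metas.append(MetaAlert([alert]))
        else:
            best.members.append(alert)
    return metas


# Constructed sample alerts from two hypothetical sensors ("net" and "host").
SAMPLE_ALERTS = [
    Alert("net", "10.0.0.5", "192.168.1.10", 22, "portscan", 0.0),
    Alert("net", "10.0.0.5", "192.168.1.10", 80, "portscan", 2.0),
    Alert("host", "10.0.0.5", "192.168.1.10", 80, "exploit", 30.0),
    Alert("host", "172.16.0.9", "192.168.1.10", 80, "exploit", 31.0),  # other source: rejected
    Alert("net", "10.0.0.6", "192.168.1.11", 443, "portscan", 400.0),  # too late: rejected
]

if __name__ == "__main__":
    for i, meta in enumerate(correlate(SAMPLE_ALERTS)):
        print(i, [(a.sensor, a.attack_class, a.dst_port) for a in meta.members])
```

On the constructed sample the first three alerts collapse into one meta-alert: the second scan joins the first even though the port differs, because a port scan is not expected to repeat its port, and the later exploit joins them because the weighting for an exploit tolerates a class change while insisting on source, target and port. The fourth alert is rejected from that group by the source-address floor before any weighting happens, and the fifth by the time floor, so each starts its own meta-alert.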

REFERENCES:
patent: 4667317 (1987-05-01), Baggen
patent: 4672609 (1987-06-01), Humphrey et al.
patent: 4773028 (1988-09-01), Tallman
patent: 5210704 (1993-05-01), Husseiny
patent: 5440498 (1995-08-01), Timm
patent: 5440723 (1995-08-01), Arnold et al.
patent: 5475365 (1995-12-01), Hoseit et al.
patent: 5517429 (1996-05-01), Harrison
patent: 5539659 (1996-07-01), McKee et al.
patent: 5557742 (1996-09-01), Smaha et al.
patent: 5568471 (1996-10-01), Hershey et al.
patent: 5704017 (1997-12-01), Heckerman et al.
patent: 5706210 (1998-01-01), Kumano et al.
patent: 5737319 (1998-04-01), Croslin et al.
patent: 5748098 (1998-05-01), Grace
patent: 5790799 (1998-08-01), Mogul
patent: 5878420 (1999-03-01), De la Salle
patent: 5919258 (1999-07-01), Kayashima et al.
patent: 5922051 (1999-07-01), Sidey
patent: 5940591 (1999-08-01), Boyle et al.
patent: 5974237 (1999-10-01), Shurmer et al.
patent: 5974457 (1999-10-01), Waclawshy et al.
patent: 5991881 (1999-11-01), Conklin et al.
patent: 6009467 (1999-12-01), Ratcliff et al.
patent: 6052709 (2000-04-01), Paul
patent: 6067582 (2000-05-01), Smith et al.
patent: 6070244 (2000-05-01), Orchier et al.
patent: 6092194 (2000-07-01), Touboul
patent: 6119236 (2000-09-01), Shipley
patent: 6128640 (2000-10-01), Kleinman
patent: 6144961 (2000-11-01), De la Salle
patent: 6192392 (2001-02-01), Ginter
patent: 6263441 (2001-07-01), Cromer et al.
patent: 6269456 (2001-07-01), Hodges et al.
patent: 6275942 (2001-08-01), Bernhard et al.
patent: 6279113 (2001-08-01), Vaidya
patent: 6298445 (2001-10-01), Shostack et al.
patent: 6311274 (2001-10-01), Day
patent: 6321338 (2001-11-01), Porras et al.
patent: 6324656 (2001-11-01), Gleichauf et al.
patent: 6353385 (2002-03-01), Molini et al.
patent: 6370648 (2002-04-01), Diep
patent: 6396845 (2002-05-01), Sugita
patent: 6405318 (2002-06-01), Rowland
patent: 6408391 (2002-06-01), Huff et al.
patent: 6442694 (2002-08-01), Bergman et al.
patent: 6453346 (2002-09-01), Garg et al.
patent: 6460141 (2002-10-01), Olden
patent: 6477651 (2002-11-01), Teal
patent: 6484315 (2002-11-01), Ziese
patent: 6499107 (2002-12-01), Gleichauf et al.
patent: 6502082 (2002-12-01), Toyama et al.
patent: 6519703 (2003-02-01), Joyce
patent: 6529954 (2003-03-01), Cookmeyer et al.
patent: 6532543 (2003-03-01), Smith et al.
patent: 6535227 (2003-03-01), Fox et al.
patent: 6546493 (2003-04-01), Magdych et al.
patent: 6553378 (2003-04-01), Eschelbeck
patent: 6560611 (2003-05-01), Nine et al.
patent: 6584455 (2003-06-01), Hekmatpour
patent: 6681331 (2004-01-01), Munson et al.
patent: 6690274 (2004-02-01), Bristol
patent: 6701459 (2004-03-01), Ramanathan et al.
patent: 6704874 (2004-03-01), Porras et al.
patent: 6707795 (2004-03-01), Noorhosseini et al.
patent: 6725377 (2004-04-01), Kouznetsov
patent: 6732167 (2004-05-01), Swartz et al.
patent: 6751738 (2004-06-01), Wesinger et al.
patent: 6826697 (2004-11-01), Moran
patent: 6839850 (2005-01-01), Campbell et al.
patent: 6947726 (2005-09-01), Rockwell
patent: 6950947 (2005-09-01), Purtell et al.
patent: 6971028 (2005-11-01), Lyle et al.
patent: 7051369 (2006-05-01), Baba
patent: 7096495 (2006-08-01), Warrier et al.
patent: 7096502 (2006-08-01), Fox et al.
patent: 2002/0019870 (2002-02-01), Chirashnya et al.
patent: 2002/0032717 (2002-03-01), Malan et al.
patent: 2002/0032793 (2002-03-01), Malan et al.
patent: 2002/0032880 (2002-03-01), Poletto et al.
patent: 2002/0035698 (2002-03-01), Malan et al.
patent: 2002/0138753 (2002-09-01), Munson
patent: 2002/0144156 (2002-10-01), Copeland, III
patent: 2002/0194495 (2002-12-01), Gladsone et al.
patent: 2003/0037136 (2003-02-01), Labovitz et al.
patent: 2003/0070084 (2003-04-01), Satomaa et al.
patent: 2003/0145226 (2003-07-01), Bruton, III et al.
patent: 2003/0172166 (2003-09-01), Judge et al.
patent: 2005/0038881 (2005-02-01), Ben-Itzhak
patent: 2005/0246776 (2005-11-01), Chawro et al.
patent: 99/13427 (1999-03-01), None
patent: 99/57626 (1999-11-01), None
patent: WO 99/57625 (1999-11-01), None
patent: 00/10278 (2000-02-01), None
patent: 00/25214 (2000-05-01), None
patent: 00/25527 (2000-05-01), None
patent: WO 00/25527 (2000-05-01), None
patent: 00/34867 (2000-06-01), None
patent: 02/101516 (2002-12-01), None
patent: WO 02/101516 (2002-12-01), None
patent: WO 03/077071 (2003-09-01), None
Hartley, B., “Intrusion Detection Systems: What You Need to Know,” Business Security Advisor Magazine, Doc # 05257, allegedly dated Sep. 1998, http://advisor.com/doc/05257, 7 pages, printed Jun. 10, 2003.
Hurwicz, M., “Cracker Tracking: Tighter Security with Intrusion Detection,” BYTE.com, allegedly dated May 1998, http://www.byte.com/art/9805/sec20/art1.htm, 8 pages, printed Jun. 10, 2003.
“Networkers, Intrusion Detection and Scanning with Active Audit,” Session 1305, © 1998 Cisco Systems, http://www.cisco.com/networkers/nw99_pres/1305.pdf, 0893-04F9_c3.scr, printed Jun. 10, 2003.
Paller, A., “About the SHADOW Intrusion Detection System” Linux Weekly News, allegedly dated Sep. 1998, http://lwn.net/1998/0910/shadow.html, 38 pages, printed Jun. 10, 2003.
Cisco Secure Intrusion Detection System, Release 2.1.1, NetRanger User's Guide, Version 2.1.1, © 1998, Cisco Systems, Inc., allegedly released on Apr. 1998, http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids3/index.htm, printed Jun. 10, 2003, 334 pages.
Cisco Secure Intrusion Detection System 2.1.1 Release Notes, Table of Contents, Release Notes for NetRanger 2.1.1, © 1992-2002, Cisco Systems, Inc., allegedly posted Sep. 28, 2002, 29 pages, http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids3/nr11new.htm, printed Jun. 10, 2003.
R. Power, et al., “CSI Intrusion Detection System Resource”, allegedly dated Jul. 1998, http://216.239.57.100/search?q=cache:gvTCojxD6nMJ:www.gocsi.com/ques.htm+site:www.gocsi.com+ques&hl=en&ie=UTF-8, printed Jun. 16, 2003.
Boyen, et al., “Tractable Inference for Complex Stochastic Processes,” Proceedings of the 14th Annual Conference on Uncertainty in Artificial Intelligence (UAI-98), p. 33-42, Madison, WI, Jul. 24-26, 1998.
Copeland, J., “Observing Network Traffic—Techniques to Sort Out the Good, the Bad, and the Ugly,” http://www.csc.gatech.edu/˜copeland/8843/slides/Analyst-011027.ppt, allegedly 2001.
Debar, et al., “Towards a Taxonomy of Intrusion-Detection Systems,” Computer Networks 31 (1999), 805-822.
Debar et al., “A Neural Network Component for an Intrusion Detection System,” © 1992 IEEE.
Denning et al, “Prototype IDES: A Real-Time Intrusion-Detection Expert System,” SRI Project ECU 7508, SRI International, Menlo Park, California, Aug. 1987.
Denning et al., “Requirements and Model for IDES—A Real-Time Intrusion-Detection Expert System,” SRI Project 6169, SRI International, Menlo Park, CA, Aug. 1985.
Denning, “An Intrusion-Detection Model,” SRI International, Menlo Park, CA Technical Report CSL-149, Nov. 1985.
Dowell, “
