System, method and computer program product for risk...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

C709S227000, C709S224000


active

06546493

ABSTRACT:

RELATED APPLICATION(S)
The present application is related to a co-pending application entitled “SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR IMPROVING COMPUTER NETWORK INTRUSION DETECTION BY RISK PRIORITIZATION” which was filed coincidently herewith by the same inventor(s) under Ser. No. 10/011,165, and which is incorporated herein by reference.
FIELD OF THE INVENTION
The present invention relates to intrusion detection scanning methods, and more particularly to improving intrusion detection scanning performance.
BACKGROUND OF THE INVENTION
Network security management is becoming a more difficult problem as networks grow in size and become a more integral part of organizational operations. Attacks on networks are growing both due to the intellectual challenge such attacks represent for hackers and due to the increasing payoff for the serious attacker. Furthermore, the attacks are growing beyond the current capability of security management tools to identify and quickly respond to those attacks. As various attack methods are tried and ultimately repulsed, the attackers will attempt new approaches with more subtle attack features. Thus, maintaining network security is an ongoing, ever-changing, and increasingly complex problem.
Computer network attacks can take many forms and any one attack may include many security events of different types. Security events are anomalous network conditions each of which may cause an anti-security effect to a computer network. Security events include stealing confidential or private information; producing network damage through mechanisms such as viruses, worms, or Trojan horses; overwhelming the network's capacities in order to cause denial of service, and so forth.
A variety of intrusion detection programs have been developed to detect and protect against threats to network security. As is known in the art, a common method of detecting these threats is to use a scanning engine to scan for known attacks against networked computers. These attacks can be identified by their unique “attack signature” which generally consists of a string of binary or text data. Upon the detection of an attack signature by the scanning engine, protective measures can be taken, including: sending alerts; intercepting harmful traffic; or disconnecting users who launch attacks.
Such intrusion detection programs are often positioned on a network to monitor traffic between a plurality of network devices. In use, a network administrator may set a sensitivity of an intrusion detection program which dictates a degree of certainty required before an event is determined to be a threat. In other words, by setting the intrusion detection program sensitivity low, fewer benign events will be misidentified as attacks, but the number of actual attacks that go undetected may increase. On the other hand, by setting the intrusion detection program sensitivity high, more potential attacks will be detected, but the amount of work required to differentiate between the misidentified events and actual attacks increases.
There is thus a need for a technique to decrease the workload of a network administrator by reducing the number of potential attacks which must be ascertained as actual attacks, while preventing any actual attacks from going undetected.
DISCLOSURE OF THE INVENTION
A system, method and computer program product are provided for scanning a source of suspicious network communications. Initially, network communications are monitored for violations of policies. Then, it is determined whether the network communications violate at least one of the policies. Further, a source of the network communications that violate at least one of the policies is identified. Upon it being determined that the network communications violate at least one of the policies, the source of the network communications is automatically scanned.
In one embodiment, it may also be determined whether the network communications exploit at least one of a plurality of known vulnerabilities. Further, a remedying event may be executed if it is determined that the network communications exploit at least one of the known vulnerabilities.
In another embodiment, the policies may be user-defined. Further, the policies may be defined to detect potential attacks in the network communications.
In still another embodiment, the scan may include a risk assessment scan for identifying vulnerabilities at the source. A remedying event may be initiated based on the risk assessment scan. As an option, a database of known vulnerabilities may then be updated based on the risk assessment scan. Such database of known vulnerabilities may then be utilized for determining whether the network communications exploit at least one of a plurality of the known vulnerabilities, and executing a remedying event if it is determined that the network communications exploit at least one of the known vulnerabilities, as set forth hereinabove.
As an option, the present embodiment may be carried out utilizing an intrusion detection tool in combination with a risk assessment scanning tool. In the alternative, the various operations may be executed utilizing a single module.
By this design, an intrusion detection tool may monitor the network communications with a low sensitivity when determining whether such network communications exploit a plurality of known vulnerabilities. While, in the prior art, this would mean that actual attacks may go undetected, the present embodiment prevents this by scanning any source of policy-violating, anomalous behavior using a risk assessment scanning tool. To this end, by adding an additional level of abstraction, any potential attacks may be ruled out using a risk assessment scan without an increase in network administrator workload.
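The pipeline the disclosure describes (policy monitoring, source identification, an automatic risk assessment scan of the source, update of the known-vulnerability database, and a remedying event), as an added Python model that is not part of the patent or any product; the policies, the scanner stand-in, the host addresses and the signatures are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Event:            # one observed communication (constructed sample data below)
    src: str
    dport: int
    payload: str

# User-defined policies (assumed examples): each returns True when the event violates it.
POLICIES = {
    "no_telnet": lambda e: e.dport == 23,
    "long_http_request": lambda e: e.dport == 80 and len(e.payload) > 40,
}

# Stand-in for a risk-assessment scanner (assumption): returns vulnerabilities found at a
# host as {vuln_id: traffic signature that exploits it}; a real tool would probe the host.
def risk_assessment_scan(host):
    findings = {"10.0.0.5": {"telnet-default-creds": "login: admin\r\npassword: admin"},
                "10.0.0.9": {}}
    return findings.get(host, {})

@dataclass
class Pipeline:
    vuln_db: dict = field(default_factory=dict)   # vuln_id -> attack signature
    scanned: set = field(default_factory=set)     # sources already scanned
    remedies: list = field(default_factory=list)  # remedying events taken

    def violations(self, e):
        return [name for name, rule in POLICIES.items() if rule(e)]

    def exploits(self, e):  # low-sensitivity check: exact match on known signatures only
        return [v for v, sig in self.vuln_db.items() if sig in e.payload]

    def handle(self, e):
        hits = self.exploits(e)
        if hits:                                      # known exploit -> remedying event
            self.remedies.append(("block", e.src, hits))
        viol = self.violations(e)
        if viol and e.src not in self.scanned:        # scan the violating source, once
            self.scanned.add(e.src)
            found = risk_assessment_scan(e.src)
            if found:                                 # remedy based on the scan result
                self.remedies.append(("quarantine", e.src, sorted(found)))
            self.vuln_db.update(found)                # later traffic is checked against these
        return {"violations": viol, "exploits": hits, "scanned": e.src in self.scanned}

SAMPLE = [  # constructed events: a probe, then traffic matching the scan's finding, then benign
    Event("10.0.0.5", 23, "\xff\xfd\x18"),
    Event("10.0.0.5", 23, "login: admin\r\npassword: admin"),
    Event("10.0.0.9", 80, "GET /index.html HTTP/1.0"),
]

def run(events=SAMPLE):
    p = Pipeline()
    return [p.handle(e) for e in events], p
```

The first event is caught by a policy rather than a signature, which is what lets the exploit check stay at low sensitivity: the scan it triggers is what teaches the database the signature that flags the second event.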


