Firewall system and method via feedback from broad-scope monitoring for intrusion detection
Abstract
A broad-scope intrusion detection system analyzes traffic coming into multiple hosts or other customers' computers or sites. This provides additional data for analysis as compared to systems that just analyze the traffic coming into one customer's site. Additional detection schemes can be used to recognize patterns that would otherwise be difficult or impossible to recognize with just a single customer detector. Standard signature detection methods can be used. Additionally, new signatures can be used based on broad-scope analysis goals. An anomaly is detected in the computer system, and then it is determined which devices or devices are anticipated to be affected by the anomaly in the future. These anticipated devices are then alerted to the potential for the future anomaly. The anomaly can be an intrusion or an intrusion attempt or reconnaissance activity.
Claims
exact text as granted — not AI-modified1 - 22 . (canceled)
23 . A method of alerting a device in a networked computer system to an anomaly, comprising:
determining that the device is anticipated to be affected by an anomaly by using network-based intrusion detection techniques comprising analyzing data entering into a plurality of hosts, servers, and computer sites in the networked computer system and by using pattern correlations across the plurality of hosts, servers, and computer sites; and sending an alert to the device that the anomaly is anticipated at the device.
24 . The method of claim 23 , further comprising adjusting a firewall of the device that is anticipated to be affected by the anomaly.
25 . The method of claim 23 , wherein the anomaly comprises one of an intrusion and an intrusion attempt.
26 . The method of claim 23 , wherein determining that the device is anticipated to be affected by the anomaly comprises analyzing a plurality of data packets with respect to predetermined patterns.
27 . The method of claim 26 , wherein analyzing the data packets comprises analyzing data packets that have been received by at least two devices in the networked computer system.
28 . The method of claim 23 , wherein determining that the device is anticipated to be affected by the anomaly comprises recognition of an intrusion and further comprising generating an automated response to the intrusion.
29 . A method of anticipating a device in a networked computer system is to be affected by an anomaly, comprising:
detecting an anomaly at a first device in the computer system using network-based intrusion detection techniques comprising analyzing data entering into a plurality of hosts, servers, and computer sites in the networked computer system; and determining a device that is anticipated to be affected by the anomaly by using pattern correlations across the plurality of hosts, servers, and computer sites.
30 . The method of claim 29 , wherein networked computer system comprises a plurality of devices, and the plurality of devices are polled in a predetermined sequential order, the first device being polled prior to detecting the anomaly, and the device anticipated to be affected by the anomaly is a device that has not been polled.
31 . The method of claim 29 , further comprising transmitting an anomaly warning from the first device to a central analysis engine, responsive to detecting the anomaly at the first device, the anomaly warning comprising a unique device identifier.
32 . The method of claim 29 , wherein the anomaly comprises one of an intrusion and an intrusion attempt.
33 . The method of claim 29 , wherein detecting the anomaly comprises analyzing a plurality of data packets with respect to predetermined patterns.
34 . The method of claim 33 , wherein analyzing the data packets comprises analyzing data packets that have been received by at least two devices in the networked computer system.
35 . The method of claim 29 , further comprising controlling the device that is anticipated to be affected by the anomaly.
36 . A computer-readable medium having computer-executable components comprising a data collection and processing center monitoring data communicated to a network, and detecting an anomaly in the network using network-based intrusion detection techniques comprising analyzing data entering into a plurality of hosts, servers, and computer sites in the networked computer system.
37 . The computer-readable medium of claim 36 , wherein the data collection and processing center determines which of a plurality of devices that are connected to the network are anticipated to be affected by the anomaly by using pattern correlations across the plurality of hosts, servers, and computer sites, and alerting the devices.
38 . The computer-readable medium of claim 36 , wherein the data collection and processing center further determines which of a plurality of devices that are connected to the network have been affected by the anomaly and alerts the devices.
39 . The computer-readable medium of claim 36 , wherein the data collection and processing center further adjusts a firewall of each of a plurality of devices that is connected to the network that is anticipated to be affected by the anomaly responsive to the detection of the anomaly.
40 . The computer-readable medium of claim 36 , wherein the anomaly comprises one of an intrusion, an intrusion attempt, and reconnaissance activity.
41 . The computer-readable medium of claim 36 , wherein the data collection and processing center detects the anomaly by analyzing a plurality of data packets with respect to predetermined patterns.
42 . The data collection and processing of claim 41 , wherein the data collection and processing center analyzes data packets that have been received by at least two devices that are connected to the network.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.