WO2005015370A1 - Method and system for detecting unauthorised use of a communication network - Google Patents
Method and system for detecting unauthorised use of a communication network Download PDFInfo
- Publication number
- WO2005015370A1 WO2005015370A1 PCT/IT2003/000505 IT0300505W WO2005015370A1 WO 2005015370 A1 WO2005015370 A1 WO 2005015370A1 IT 0300505 W IT0300505 W IT 0300505W WO 2005015370 A1 WO2005015370 A1 WO 2005015370A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- response
- data
- network
- signatures
- type
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
Definitions
- the present invention refers to a method and a system for intrusion detection in a communication network, and in particular to an intrusion detection system based on pattern matching techniques.
- An Intrusion Detection System or IDS, is a system that is capable of detecting, on a network or a host computer, anomalous or dubious data that may be considered unauthorized and therefore potentially dangerous . Such a system captures and inspects all traffic and, based on the contents, is capable of generating an alarm.
- An intrusion detection system operating on a network is generally known as a Network Intrusion Detection System, or NIDS, while an intrusion detection system targeted for the protection of a single machine (e.g.
- Host, Server is known as Host Intrusion Detection System, or HIDS .
- HIDS Host Intrusion Detection System
- the same techniques used by NIDS systems for detecting anomalous activities are also used by some components of HIDS systems for controlling network activity directed to and from the Host computer.
- Background art A known solution for intrusion detection is the so- called protocol analysis technique. Protocol analysis takes advantage of the known structure of communications0 protocols for tracking all connections in a protected network. For each connection the system retraces the application level flow and simulates the behaviour of a possible victim. An alarm is generated when the system detects the execution of operations that somehow violate or stress the nature of the used protocol .
- An intrusion detection system based on the protocol analysis technique is illustrated for example in document US2003/0004688A1.
- Statistical analysis is another well-known technique used in intrusion detection systems. Such systems try to detect statistical anomalies, triggering an alarm when a deviation from statistical values is detected. Statistical values may include for example the number of connections simultaneously open, traffic activity to/from a particular computer, or the length in time of connections. While the computing power in such systems is not so critical, it is extremely elaborate to identify which parameters are really symptomatic for determining the status of the network and which kinds of variations are to be detected.
- An example of intrusion detection system based on statistical analysis is illustrated in document WO 02/45380.
- a further technique commonly used in intrusion detection systems is the pattern matching technique, which tries to detect the presence of an attack signature in a network packet .
- Each packet on the network is searched for various attack signatures (an attack signature is a string or a group of bytes) , comparing group of bytes taken from the packet in question with a plurality of known attack signatures.
- the pattern matching technique may become a performance bottleneck.
- the problem of streamlining pattern matching techniques is addressed for example in documents US 5,179,632 and US 5,495,409, which illustrate some methods, not expressly related to network intrusion detection systems, for increasing performances of pattern-matching systems.
- US 6,477,651 An improved intrusion detection system is disclosed in US 6,477,651, which illustrates a system having dynamically loaded signatures.
- the solution proposed simplifies the modification of the system to adapt to new network vulnerabilities, so that the system supports upgrades in a dynamic manner without shutting down the intrusion detection system.
- a further attempt to improve reliability of intrusion detection systems based on pattern matching techniques is illustrated in document US 6,499,107.
- the method disclosed comprises monitoring network data traffic and analysing such traffic for assessing network information; a plurality of analysis tasks are prioritised based upon the network information, the analysis tasks are performed on the monitored traffic in order to identify attacks upon the network.
- Each signature has therefore an associated priority value, such value is used by the system for regulating the actuation of the corresponding analysis task.
- Such systems identify as an attack any data replicating a known signature, either if it corresponds effectively to an attempt of attacking a vulnerable computer or a service, or if it is directed to a destination that does not exist or that is however not sensitive to that kind of attacks, or even in case the match is caused by legitimate data somehow similar to a known attack signature.
- intrusion detection systems based on pattern matching techniques are inclined to generate too many false positives, i.e. false alarm warnings. False positives occur when a byte string in a packet matches a pattern signature, but the string is in fact not an attack at all.
- the Applicant has tackled the problem of reducing the number of false positives in an intrusion detection system based on pattern matching techniques .
- the Applicant observes that the number of false positives can be sometimes so large that the system itself becomes unserviceable, hiding authentic alarms among thousands of useless warnings.
- the Applicant is of the opinion that a conventional pattern matching intrusion detection system has no intelligence to determine the true meaning and the ultimate effect of a detected pattern, thus triggering an excessive number of false positives.
- Figure 1 is a block diagram of a first embodiment of a network environment including an intrusion detection system according to the present invention
- Figure 2 is a block diagram of a second embodiment of a network environment including an intrusion detection system according to the present invention
- Figure 3 is a block diagram of an intrusion detection system according to the present invention
- Figure 4 is a flow diagram of a response analysis process implemented in the system of Figure 3
- Figure 5 is a flow diagram of a probing process triggered by the response analysis process of Figure 4.
- a local area network 2 (LAN) , protected by a network intrusion detection system 6 (NIDS) , is connected to a public network, the Internet network 4, and therefore potentially accessible by an external attacker 8, or hacker.
- a plurality of workstations or servers 10 are connected to the local area network 2 for exchanging data and sharing resources, as well as for accessing the Internet network 4.
- a firewall 12 shown in Figure 1 with a broken line, can be used for limiting external access to resources in the local area network 2 and protecting such resources from unauthorised use .
- the intrusion detection system 6 is coupled to the local area network 2 so that it can detect and capture data being transmitted on the network.
- the intrusion detection system 6 comprises a sniffer 14 for capturing data on the network 2, a pattern matching engine 16 which receives data captured by the sniffer 14 and a response analysis engine 18 which is triggered by an event generated by the pattern matching engine 16.
- a sniffer is a program that monitors network traffic and can be used to capture data being transmitted on a network. Thanks to the sniffer 16, the intrusion detection system 6 is able to read any packet of data passed to the network, for determining the source and destination addresses of the packet and for analysing, as explained in detail hereinbelow, the data content.
- Figure 2 is illustrated a second embodiment of a network environment including an intrusion detection system realised according to the present invention.
- a Host Computer 20 such as a network or a web server, is connected to an Internet network 4, and is therefore accessible by any external computer, such as for example an external attacker 8.
- the Host Computer 20 comprises a host intrusion detection system 22 (HIDS) , whose operation is equivalent to that of the network intrusion detection system 6 of Figure 1.
- the intrusion detection system 22 comprises a sniffer 14 for capturing data on the network 2, a pattern matching engine 16 which receives data captured by the sniffer 14 and a response analysis engine 18 which is triggered by an event generated by the pattern matching engine 16.
- the system 22 in case of danger due to an external attack, intervenes directly on the Host computer 20, protecting its resources from unauthorised use.
- Both the embodiments shown in Figures 1 and 2 include an intrusion detection system, NIDS 6 or HIDS 22, which operates according to a common scheme shown in Figure 3.
- the sniffer present in the system 6 or 22 captures all data packets transiting in the network 2, e.g. the packet 30 shown in Figure 3.
- the captured packet 30 is passed to the pattern matching engine 16, which compares data in the packet with attack signatures, for generating an event when a match between captured data and an attack signature is found.
- the basic operating principles and criteria of the pattern matching engine 16 are held to be completely known to those of skill in the art (as witnessed e.g. by US 6,477,651 or US 6,499,107).
- a new task is started for analysing particular network traffic.
- the new task uses the sniffer 14 for capturing data packets that are generated in response to suspect data packets.
- the term "task” indicates not necessarily a new task or thread, but generally an execution flow running concurrently to the pattern matching engine .
- the response packets are selected by performing an analysis of the source IP address (the address of the supposed attacked computer) , or by analysing both the source and the destination IP addresses of packets (address of supposed attacked and attacker computers) . Alternatively the selection of packets may be performed by analysing transport level information in the same packets (TCP/UDP ports) .
- the system is able to send data packets towards both the attacker or the attacked computer, by means of the same sniffer 14.
- Such packets stimulate an answer in the destination computer, and such answer is analysed by the system, e.g. by means of pattern matching techniques, for determining an alarm status.
- the packets captured by the above mentioned new task i.e. the packets that are generated in response to suspect data packets, are passed to the response analysis engine 18 which compares such data with a collection of response signatures, and for analysing the result of such comparison for generating an alarm.
- the response signatures whose structure is equivalent to the structure of the attack signatures, are collected in a database and are arranged in two categories.
- Type A response signatures identify a suspect, or illicit, traffic
- type B response signatures identify non-suspect, or legitimate, traffic.
- the response signatures, as well as the attack signatures can be generated manually, thanks to the experience of systems engineers, or, in some cases, automatically, following some simple rules. Such rules determine the form of the response signatures, as a function of the typology of the considered attack and of the attacked protocol/application.
- a particular set of response signatures is assigned to each attack signature (or to a group of attack signatures) , so that the response signatures used by the response analysis engine 18 depends on the kind of the potential attack revealed.
- the following examples illustrate how a set of response signatures can be generated for a particular attack. The possible attacks must be classified in uniform categories, e.g.
- DoS Density of Service
- buffer overflow In case of a buffer overflow attack, the generated response signature is a type B signature, and recognizes the regular answers of the attacked protocol during normal operation.
- the response signature In case of a buffer overflow directed to a POP3 Server the response signature is in the form "+OK" or "-ERR", and recognizes a situation in which the suspected attack was not successful .
- the generated response signature is a type A signature, and recognizes answers indicating a successful attack.
- FIG. 4 illustrates in detail the operation of the response analysis engine 18.
- the process starts in block 40 when a suspected packet has been individuated by the pattern matching engine 16.
- the activity is logged in a log file, block 42, for subsequent statistical analysis of data.
- the system captures a packet coming from the address of the attacked computer and/or directed to the attacker 8, block 44.
- the data in the packet is matched with the response signatures corresponding to the attack signature (or signatures) matched. If a matched signature identifies an illicit traffic, type A signature, condition verified in block 46, an alarm is generated in block 54 and the process of the response analysis engine ends, block 62. If the analysis process captures a packet coming from the attacked computer and directed to the attacker indicating that a new network connection has been established, different from the connection that caused the analysis process, condition verified in block 48, an alarm is generated in block 56 and the process of the response analysis engine ends, block 62. This condition indicates that the attack has been successful and the attacker, having taken control of the victim (attacked computer) , has generated a new connection.
- variable num_j?os_match representing the number of response packets already analysed, is incremented in block 58 (function Incr (num_pos_match) ) .
- the variable num_j?os_match is compared with a predetermined number of requested signature match (req (signatures) ) , so that the process can proceed for a predetermined number of packets, jumping back to block 44, or terminating in block 62.
- the value of the variable req (signature) can be set at will, e.g.
- the iteration of the response analysis process in case of type B signature match, is performed in order to recognise those situations in which, after a successful attack, the response traffic from the server is temporarily licit, before becoming illicit.
- the process illustrated in Figure 4 terminates in block 62 if the timeout 64, activated at the beginning, is not lapsed. On the contrary, at the expire of the timeout 64, a probing task 52 is started, whose operation is illustrated in detail in Figure 5.
- the probing task 52 allows the system to decide whether or not an alarm must be generated, in case the response analysis process did not collect enough information for taking that decision.
- the probing task starting in block 70, verifies initially if any traffic from the supposed attacked computer has been detected during the response signatures analysis process, block 72.
- conditional block 74 wherein the nature of the response signatures that have been previously used is analysed.
- arrow 75 in the flow diagram of figure 5, the probing task 52 ends without generating any alarm, end block 82.
- signatures indicating illicit traffic type A
- both kind of signatures legitimate and illicit
- the latter situation indicates that the response data packets have been compared exclusively with signatures indicating legitimate traffic (type B) , such unsuccessful matching condition indicating a potentially danger situation. If no traffic has been detected between attacked computer and attacker during the response signatures analysis process, arrow 73, a probe of the attacked computer (or application/protocol) is performed in block 76.
- the probe of block 76 is an attempt to perform a connection to the suspected attacked computer/application/protocol. In case the attempted connection fails, it can be inferred that the attack was oriented to a non-existent target, arrow 79, and the probe task ends without generating any alarm, block 82.
- arrow 81 if the suspected attacked computer/application/protocol is active, it can be inferred that the attack was successful and, before terminating the task in block 82, an alarm is generated in block 80.
- the system is furthermore able to execute contemporaneously more then one response analysis engines, in a multi-tasking environment, in order to monitor more then one computer/application/protocol at the same time ' on the same network.
- the different processes can run simultaneously on the same intrusion detection system, involving different entities or network nodes .
Abstract
Description
Claims
Priority Applications (9)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA2533853A CA2533853C (en) | 2003-08-11 | 2003-08-11 | Method and system for detecting unauthorised use of a communication network |
PCT/IT2003/000505 WO2005015370A1 (en) | 2003-08-11 | 2003-08-11 | Method and system for detecting unauthorised use of a communication network |
AU2003279517A AU2003279517A1 (en) | 2003-08-11 | 2003-08-11 | Method and system for detecting unauthorised use of a communication network |
AT03772624T ATE400016T1 (en) | 2003-08-11 | 2003-08-11 | METHOD AND SYSTEM FOR DETECTING UNAUTHORIZED USE OF A COMMUNICATIONS NETWORK |
EP03772624A EP1654608B1 (en) | 2003-08-11 | 2003-08-11 | Method and system for detecting unauthorised use of a communication network |
ES03772624T ES2309364T3 (en) | 2003-08-11 | 2003-08-11 | PROCEDURE AND SYSTEM FOR DETECTION OF AN UNAUTHORIZED USE OF A COMMUNICATIONS NETWORK. |
DE60321972T DE60321972D1 (en) | 2003-08-11 | 2003-08-11 | METHOD AND SYSTEM FOR DETECTING UNAUTHORIZED USE OF A COMMUNICATION NETWORK |
BRPI0318459-5A BR0318459A (en) | 2003-08-11 | 2003-08-11 | intrusion detection system and method for detecting unauthorized use of a communication network |
US10/567,752 US8006302B2 (en) | 2003-08-11 | 2003-08-11 | Method and system for detecting unauthorized use of a communication network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/IT2003/000505 WO2005015370A1 (en) | 2003-08-11 | 2003-08-11 | Method and system for detecting unauthorised use of a communication network |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2005015370A1 true WO2005015370A1 (en) | 2005-02-17 |
Family
ID=34131154
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IT2003/000505 WO2005015370A1 (en) | 2003-08-11 | 2003-08-11 | Method and system for detecting unauthorised use of a communication network |
Country Status (9)
Country | Link |
---|---|
US (1) | US8006302B2 (en) |
EP (1) | EP1654608B1 (en) |
AT (1) | ATE400016T1 (en) |
AU (1) | AU2003279517A1 (en) |
BR (1) | BR0318459A (en) |
CA (1) | CA2533853C (en) |
DE (1) | DE60321972D1 (en) |
ES (1) | ES2309364T3 (en) |
WO (1) | WO2005015370A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2006100613A1 (en) | 2005-03-24 | 2006-09-28 | International Business Machines Corporation | Network attack detection |
US8042182B2 (en) | 2004-03-30 | 2011-10-18 | Telecom Italia S.P.A. | Method and system for network intrusion detection, related network and computer program product |
EP3122016A1 (en) * | 2015-07-22 | 2017-01-25 | Siemens Aktiengesellschaft | Automation network and method of surveillance for security of the transmission of data packets |
Families Citing this family (40)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8352400B2 (en) | 1991-12-23 | 2013-01-08 | Hoffberg Steven M | Adaptive pattern recognition based controller apparatus and method and human-factored interface therefore |
US8574074B2 (en) | 2005-09-30 | 2013-11-05 | Sony Computer Entertainment America Llc | Advertising impression determination |
US7966078B2 (en) | 1999-02-01 | 2011-06-21 | Steven Hoffberg | Network media appliance system and method |
WO2007130681A2 (en) | 2006-05-05 | 2007-11-15 | Sony Computer Entertainment America Inc. | Advertisement rotation |
US8751310B2 (en) | 2005-09-30 | 2014-06-10 | Sony Computer Entertainment America Llc | Monitoring advertisement impressions |
ATE400016T1 (en) * | 2003-08-11 | 2008-07-15 | Telecom Italia Spa | METHOD AND SYSTEM FOR DETECTING UNAUTHORIZED USE OF A COMMUNICATIONS NETWORK |
US7503071B1 (en) * | 2003-10-01 | 2009-03-10 | Symantec Corporation | Network traffic identification by waveform analysis |
US7966658B2 (en) * | 2004-04-08 | 2011-06-21 | The Regents Of The University Of California | Detecting public network attacks using signatures and fast content analysis |
US7660999B2 (en) * | 2004-06-22 | 2010-02-09 | Microsoft Corporation | MIME handling security enforcement |
US8763157B2 (en) | 2004-08-23 | 2014-06-24 | Sony Computer Entertainment America Llc | Statutory license restricted digital media playback on portable devices |
US7936682B2 (en) * | 2004-11-09 | 2011-05-03 | Cisco Technology, Inc. | Detecting malicious attacks using network behavior and header analysis |
US8010685B2 (en) * | 2004-11-09 | 2011-08-30 | Cisco Technology, Inc. | Method and apparatus for content classification |
GB2422507A (en) * | 2005-01-21 | 2006-07-26 | 3Com Corp | An intrusion detection system using a plurality of finite state machines |
US8626584B2 (en) | 2005-09-30 | 2014-01-07 | Sony Computer Entertainment America Llc | Population of an advertisement reference list |
US8676900B2 (en) | 2005-10-25 | 2014-03-18 | Sony Computer Entertainment America Llc | Asynchronous advertising placement based on metadata |
US10657538B2 (en) | 2005-10-25 | 2020-05-19 | Sony Interactive Entertainment LLC | Resolution of advertising rules |
US20070118425A1 (en) | 2005-10-25 | 2007-05-24 | Podbridge, Inc. | User device agent for asynchronous advertising in time and space shifted media network |
US11004089B2 (en) | 2005-10-25 | 2021-05-11 | Sony Interactive Entertainment LLC | Associating media content files with advertisements |
US8510596B1 (en) * | 2006-02-09 | 2013-08-13 | Virsec Systems, Inc. | System and methods for run time detection and correction of memory corruption |
US8429746B2 (en) * | 2006-05-22 | 2013-04-23 | Neuraliq, Inc. | Decoy network technology with automatic signature generation for intrusion detection and intrusion prevention systems |
US20140373144A9 (en) | 2006-05-22 | 2014-12-18 | Alen Capalik | System and method for analyzing unauthorized intrusion into a computer network |
US8209738B2 (en) * | 2007-05-31 | 2012-06-26 | The Board Of Trustees Of The University Of Illinois | Analysis of distributed policy rule-sets for compliance with global policy |
US8769558B2 (en) | 2008-02-12 | 2014-07-01 | Sony Computer Entertainment America Llc | Discovery and analytics for episodic downloaded media |
US8763090B2 (en) | 2009-08-11 | 2014-06-24 | Sony Computer Entertainment America Llc | Management of ancillary content delivery and presentation |
US8789189B2 (en) | 2010-06-24 | 2014-07-22 | NeurallQ, Inc. | System and method for sampling forensic data of unauthorized activities using executability states |
US9106697B2 (en) | 2010-06-24 | 2015-08-11 | NeurallQ, Inc. | System and method for identifying unauthorized activities on a computer system using a data structure model |
US9043912B2 (en) * | 2013-03-15 | 2015-05-26 | Mehdi Mahvi | Method for thwarting application layer hypertext transport protocol flood attacks focused on consecutively similar application-specific data packets |
EP3044719B1 (en) | 2013-09-12 | 2019-08-28 | Virsec Systems Inc. | Automated runtime detection of malware |
KR101732889B1 (en) * | 2013-11-04 | 2017-05-08 | 한국전자통신연구원 | Apparatus and method for guaranteeing safe execution of a shell command in an embedded system |
US9584492B2 (en) * | 2014-06-23 | 2017-02-28 | Vmware, Inc. | Cryptographic proxy service |
US10354074B2 (en) | 2014-06-24 | 2019-07-16 | Virsec Systems, Inc. | System and methods for automated detection of input and output validation and resource management vulnerability |
AU2015279920B2 (en) | 2014-06-24 | 2018-03-29 | Virsec Systems, Inc. | Automated root cause analysis of single or N-TIERED applications |
US10075467B2 (en) * | 2014-11-26 | 2018-09-11 | Verisign, Inc. | Systems, devices, and methods for improved network security |
CA2973367A1 (en) | 2015-01-07 | 2016-07-14 | Countertack Inc. | System and method for monitoring a computer system using machine interpretable code |
RU2601148C1 (en) * | 2015-06-30 | 2016-10-27 | Закрытое акционерное общество "Лаборатория Касперского" | System and method for detecting anomalies when connecting devices |
KR102419574B1 (en) | 2016-06-16 | 2022-07-11 | 버섹 시스템즈, 인코포레이션 | Systems and methods for correcting memory corruption in computer applications |
AU2018298640B2 (en) * | 2017-07-12 | 2021-01-07 | Nippon Telegraph And Telephone Corporation | Determination device, determination method, and determination program |
US10592372B2 (en) * | 2017-07-18 | 2020-03-17 | Vmware, Inc. | Confidence-controlled sampling methods and systems to analyze high-frequency monitoring data and event messages of a distributed computing system |
US10826919B2 (en) * | 2018-10-29 | 2020-11-03 | Acronis International Gmbh | Methods and cloud-based systems for protecting devices from malwares |
US11126713B2 (en) * | 2019-04-08 | 2021-09-21 | Microsoft Technology Licensing, Llc | Detecting directory reconnaissance in a directory service |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020105910A1 (en) * | 2000-08-29 | 2002-08-08 | Maher Robert Daniel | Content processor |
EP1330095A1 (en) * | 2002-01-18 | 2003-07-23 | Stonesoft Corporation | Monitoring of data flow for enhancing network security |
US20030149888A1 (en) * | 2002-02-01 | 2003-08-07 | Satyendra Yadav | Integrated network intrusion detection |
Family Cites Families (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2536567B2 (en) | 1987-12-17 | 1996-09-18 | 株式会社日立製作所 | High-speed processing method of bidirectional inference |
JP2994926B2 (en) | 1993-10-29 | 1999-12-27 | 松下電器産業株式会社 | Method for creating finite state machine, method for creating pattern matching machine, method for transforming them, and method for driving |
US6499107B1 (en) | 1998-12-29 | 2002-12-24 | Cisco Technology, Inc. | Method and system for adaptive network security using intelligent packet analysis |
US6477651B1 (en) | 1999-01-08 | 2002-11-05 | Cisco Technology, Inc. | Intrusion detection system and method having dynamically loaded signatures |
WO2002045380A2 (en) | 2000-11-30 | 2002-06-06 | Lancope, Inc. | Flow-based detection of network intrusions |
US7301899B2 (en) * | 2001-01-31 | 2007-11-27 | Comverse Ltd. | Prevention of bandwidth congestion in a denial of service or other internet-based attack |
US7246376B2 (en) * | 2001-05-03 | 2007-07-17 | Nortel Networks Limited | Method and apparatus for security management in a networked environment |
US7234168B2 (en) | 2001-06-13 | 2007-06-19 | Mcafee, Inc. | Hierarchy-based method and apparatus for detecting attacks on a computer system |
US20030101353A1 (en) * | 2001-10-31 | 2003-05-29 | Tarquini Richard Paul | Method, computer-readable medium, and node for detecting exploits based on an inbound signature of the exploit and an outbound signature in response thereto |
US7257630B2 (en) * | 2002-01-15 | 2007-08-14 | Mcafee, Inc. | System and method for network vulnerability detection and reporting |
WO2003084181A1 (en) * | 2002-03-29 | 2003-10-09 | Cisco Technology, Inc. | Method and system for reducing the false alarm rate of network intrusion detection systems |
US7437760B2 (en) * | 2002-10-10 | 2008-10-14 | International Business Machines Corporation | Antiviral network system |
KR100456634B1 (en) * | 2002-10-31 | 2004-11-10 | 한국전자통신연구원 | Alert transmission apparatus and method for policy-based intrusion detection & response |
US6898632B2 (en) * | 2003-03-31 | 2005-05-24 | Finisar Corporation | Network security tap for use with intrusion detection system |
US7681235B2 (en) * | 2003-05-19 | 2010-03-16 | Radware Ltd. | Dynamic network protection |
US8220052B2 (en) * | 2003-06-10 | 2012-07-10 | International Business Machines Corporation | Application based intrusion detection |
ATE400016T1 (en) * | 2003-08-11 | 2008-07-15 | Telecom Italia Spa | METHOD AND SYSTEM FOR DETECTING UNAUTHORIZED USE OF A COMMUNICATIONS NETWORK |
WO2005099214A1 (en) * | 2004-03-30 | 2005-10-20 | Telecom Italia S.P.A. | Method and system for network intrusion detection, related network and computer program product |
US7624448B2 (en) * | 2006-03-04 | 2009-11-24 | 21St Century Technologies, Inc. | Intelligent intrusion detection system utilizing enhanced graph-matching of network activity with context data |
ATE515872T1 (en) * | 2006-03-27 | 2011-07-15 | Telecom Italia Spa | METHOD AND SYSTEM FOR IDENTIFYING MALICIOUS MESSAGES IN MOBILE COMMUNICATIONS NETWORKS, RELATED NETWORK AND COMPUTER PROGRAM PRODUCT THEREOF |
-
2003
- 2003-08-11 AT AT03772624T patent/ATE400016T1/en not_active IP Right Cessation
- 2003-08-11 BR BRPI0318459-5A patent/BR0318459A/en not_active IP Right Cessation
- 2003-08-11 WO PCT/IT2003/000505 patent/WO2005015370A1/en active IP Right Grant
- 2003-08-11 AU AU2003279517A patent/AU2003279517A1/en not_active Abandoned
- 2003-08-11 CA CA2533853A patent/CA2533853C/en not_active Expired - Lifetime
- 2003-08-11 EP EP03772624A patent/EP1654608B1/en not_active Expired - Lifetime
- 2003-08-11 DE DE60321972T patent/DE60321972D1/en not_active Expired - Lifetime
- 2003-08-11 ES ES03772624T patent/ES2309364T3/en not_active Expired - Lifetime
- 2003-08-11 US US10/567,752 patent/US8006302B2/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020105910A1 (en) * | 2000-08-29 | 2002-08-08 | Maher Robert Daniel | Content processor |
EP1330095A1 (en) * | 2002-01-18 | 2003-07-23 | Stonesoft Corporation | Monitoring of data flow for enhancing network security |
US20030149888A1 (en) * | 2002-02-01 | 2003-08-07 | Satyendra Yadav | Integrated network intrusion detection |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8042182B2 (en) | 2004-03-30 | 2011-10-18 | Telecom Italia S.P.A. | Method and system for network intrusion detection, related network and computer program product |
WO2006100613A1 (en) | 2005-03-24 | 2006-09-28 | International Business Machines Corporation | Network attack detection |
KR101090815B1 (en) * | 2005-03-24 | 2011-12-08 | 인터내셔널 비지네스 머신즈 코포레이션 | Network attack detection |
EP3122016A1 (en) * | 2015-07-22 | 2017-01-25 | Siemens Aktiengesellschaft | Automation network and method of surveillance for security of the transmission of data packets |
CN106375273A (en) * | 2015-07-22 | 2017-02-01 | 西门子公司 | Automation network and method of surveillance for security of the transmission of data packets |
US10320747B2 (en) | 2015-07-22 | 2019-06-11 | Siemens Aktiengesellschaft | Automation network and method for monitoring the security of the transfer of data packets |
Also Published As
Publication number | Publication date |
---|---|
EP1654608B1 (en) | 2008-07-02 |
AU2003279517A1 (en) | 2005-02-25 |
CA2533853C (en) | 2013-01-08 |
ES2309364T3 (en) | 2008-12-16 |
US8006302B2 (en) | 2011-08-23 |
BR0318459A (en) | 2006-09-12 |
EP1654608A1 (en) | 2006-05-10 |
CA2533853A1 (en) | 2005-02-17 |
US20060242703A1 (en) | 2006-10-26 |
DE60321972D1 (en) | 2008-08-14 |
ATE400016T1 (en) | 2008-07-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2533853C (en) | Method and system for detecting unauthorised use of a communication network | |
US6499107B1 (en) | Method and system for adaptive network security using intelligent packet analysis | |
US6301668B1 (en) | Method and system for adaptive network security using network vulnerability assessment | |
US7197762B2 (en) | Method, computer readable medium, and node for a three-layered intrusion prevention system for detecting network exploits | |
US8042182B2 (en) | Method and system for network intrusion detection, related network and computer program product | |
US8266703B1 (en) | System, method and computer program product for improving computer network intrusion detection by risk prioritization | |
US20030084319A1 (en) | Node, method and computer readable medium for inserting an intrusion prevention system into a network stack | |
US20100251370A1 (en) | Network intrusion detection system | |
US20030204632A1 (en) | Network security system integration | |
US20030084322A1 (en) | System and method of an OS-integrated intrusion detection and anti-virus system | |
JP2006119754A (en) | Network-type virus activity detection program, processing method and system | |
US20030196123A1 (en) | Method and system for analyzing and addressing alarms from network intrusion detection systems | |
WO2013117148A1 (en) | Method and system for detecting behaviour of remotely intruding into computer | |
US20040030931A1 (en) | System and method for providing enhanced network security | |
JP2006243878A (en) | Unauthorized access detection system | |
US7836503B2 (en) | Node, method and computer readable medium for optimizing performance of signature rule matching in a network | |
US20030084344A1 (en) | Method and computer readable medium for suppressing execution of signature file directives during a network exploit | |
KR100769221B1 (en) | Confrontation system preparing for zeroday attack and confrontation method thereof | |
JP3652661B2 (en) | Method and apparatus for preventing denial of service attack and computer program therefor | |
JP4159814B2 (en) | Interactive network intrusion detection system and interactive intrusion detection program | |
Resmi et al. | Intrusion detection system techniques and tools: A survey | |
Park et al. | Identification of bot commands by run-time execution monitoring | |
EP1751651B1 (en) | Method and systems for computer security | |
JP2003186763A (en) | Detection and prevention method of breaking into computer system | |
von Eye et al. | Detecting stealthy backdoors and port knocking sequences through flow analysis |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWE | Wipo information: entry into national phase |
Ref document number: 2003772624 Country of ref document: EP |
|
ENP | Entry into the national phase |
Ref document number: 2533853 Country of ref document: CA |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2006242703 Country of ref document: US Ref document number: 10567752 Country of ref document: US |
|
WWP | Wipo information: published in national office |
Ref document number: 2003772624 Country of ref document: EP |
|
ENP | Entry into the national phase |
Ref document number: PI0318459 Country of ref document: BR |
|
WWP | Wipo information: published in national office |
Ref document number: 10567752 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: JP |
|
WWG | Wipo information: grant in national office |
Ref document number: 2003772624 Country of ref document: EP |