GB2362076A - Network intrusion detector which detects pre-attack probes or scans - Google Patents
- Publication number
- GB2362076A
- Authority
- GB
- United Kingdom
- Prior art keywords
- network
- address
- list
- addresses
- data
- Prior art date
- Legal status
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/316—User authentication by observing the pattern of computer usage, e.g. typical user behaviour
Abstract
A network intrusion detection system (IDS) employs a method which looks at network traffic data and determines for each address external to the monitored network the number of communications or attempted communications with an address allocated to the monitored network. If this number exceeds a threshold within a predetermined period of time this may be indicative of an attempt to probe or scan the network and therefore the external address is flagged as a potential security threat or source of attack. The system may also utilise a predetermined list of trusted external device addresses which the operator does not consider potential sources of attack and these addresses may be excluded from the method.
Description
DETECTION OF AN ATTACK SUCH AS A PRE-ATTACK ON A COMPUTER NETWORK
BACKGROUND OF THE INVENTION
The present invention relates to a method and apparatus for detection of an attack such as a pre-attack on a computer network by an unauthorised user.
Security is important to the manager of a modern computer network, be it a LAN (Local Area Network) or a WAN (Wide Area Network). Networks are usually attached to the Internet. Therefore, there is a constant risk that some malicious person from outside of a network may attempt to obtain access to the network and use this access to disrupt normal network activity or gain access to private information.
Many network managers use 'firewalls' (a device which filters traffic entering and leaving a computer network to protect it from malicious users) to protect their network from people outside the network. However, for many reasons firewalls are not suitable for all types of networks, since they may restrict the ability of legitimate users to use the network, and even where they are used it is useful to have an additional level of security. We will describe a technique for detecting when someone from outside a network is attempting to access the network in an unauthorised way. The technique does not require a firewall in order to operate, and thus can be used as a complement to existing firewalls. For users who do not use firewalls, the method described offers a way to try to detect unauthorised or malicious accesses to the network.
All devices on a network are identified by an 'address' (e.g. an IP address). When a device wants to send data to another device, it typically marks the data with the destination address of the device it wants to communicate with and then puts this data onto the network, where it is forwarded to the correct device based on the destination address.
When a malicious person wishes to attack a network, it is usual for them to carry out what is referred to as a "pre-attack" on the network, that is to try to identify addresses which identify actual devices within the network. It would be useful to be able to deal with this problem.
Thus the arrangement of the invention allows the network to identify such a pre-attack.
SUMMARY OF THE INVENTION
The present invention provides a method for detecting a potential attack on a computer network comprising:
determining, over a period of time, and for each device address outside the local network the number of communications or attempted communications with addresses within the local network, and where the number exceeds a predetermined number, identifying the external device address as a potential source of attack.
The present invention also provides a computer program on a computer readable medium or embodied in a carrier wave comprising the following steps:
from network traffic data which includes the source and destination addresses of traffic on the network, make a list E of all the addresses in the data which are not allocated to the local network and which are not in a list X; choose a first address in list E;
count the number of data entries of the form (A,B) where A is the address chosen from list E and B is any address allocated to the local network; if the number of such data entries is more than T, output address A; determine if there are any entries in list E left to process; if yes, move on to the next address in list E and repeat the preceding three steps; if no, stop.
BRIEF DESCRIPTION OF THE DRAWINGS
A preferred embodiment of the invention will now be described by way of example only and with reference to the accompanying drawings in which:
Figure 1 is a diagrammatic view of a network incorporating a preferred embodiment of the invention, and Figure 2 is a flow chart of the steps of the preferred embodiment of the invention.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
A computer network will usually have a network manager who may set up and control a computer network. The network manager will normally have his own network supervisor's workstation or computer.
Referring to Figure 1 there is shown a network 10 comprising a plurality of devices in the form of a network supervisor's workstation or computer 11, other workstations 12B - E, hubs 13A, 13B, and switch 14. The network is a simple network and is set out for purposes of illustration only. Other configurations and arrangements may be used.
The devices are connected together by means of links 16A - H which may be hard wired and utilise any desired protocol, and link 16F which is a wireless link.
The network supervisor's workstation includes, in addition to a visual display unit 18, a central processing unit or signal processor 19, a selector which may be in the form of a mouse 22, a program store 21 which may comprise, for example, a CD drive, a floppy disk drive or a zip drive, and a memory 17 for storing a program which may have been loaded from the program store 21 or downloaded for example via the Internet from a website.
In a preferred arrangement, the computer 11 may, on command from the selector 22, process signals from the memory 17 by the signal processor 19 and provide on the visual display unit 18 a network map showing each of the devices and the links therebetween. In the examples shown, the network is simple but of course in many instances the network will be considerably more complex and it may be necessary to arrange that the visual display unit 18 only shows a simplified version or only part of the network at any one time.
In order to initialise a computer network, a network manager (or the installer) needs to assign addresses to all the devices on the network. Typically, the manager of a computer network will receive an allocation of possible addresses for devices. The manager may assign any of these addresses to the devices that are actually attached to the network at his discretion. It is usual to have many more allocated addresses than devices on the network and typically only a small fraction of the allocated addresses are actually used by devices on the network.
In order to access devices on a network, the malicious user needs to find out the addresses of the devices on the network that can be illicitly accessed. Since network managers usually try to protect their devices against malicious users, a malicious user may only be able to gain access to a small number of the devices on the network, or possibly no devices at all.
In order to find out the addresses of devices that can be illicitly accessed, a user will typically perform a 'pre-attack probe'. Since the range of addresses allocated to a particular network is public knowledge, a 'pre-attack probe' involves using a program to test in turn every address within the range of addresses allocated to the network. For every address allocated to the network, the pre-attack program assumes that there is a device assigned to that address, and attempts to contact the device at the address to determine if the device is susceptible to illicit access. If there is a device allocated to that address, then the device will respond to the 'pre-attack probe' and the malicious user can then attempt to access this device for his own illicit purposes. If there is no device allocated to the address, then there will be no response to the 'pre-attack probe'.
Since every device on the network must be using one of the allocated addresses, if allowed to continue access, in time the 'pre-attack probe' is certain to discover all the devices that are susceptible to illicit access.
So called 'pre-attack probes' are a common precursor to other types of illicit network access. We will now describe a way to detect malicious users by detecting 'pre-attack probes' using information collected from the network.
As is well known, the network manager will normally have installed on his workstation a program that enables him to understand the technical operation of the network. Some of the devices within the network will be "managed" devices, that is devices which include a so called "agent" which collects and stores data relating to the operation of that device and the traffic passing through, to, or from it. The network manager's computer, using the relevant software, interrogates the agent of each device using a known protocol, such as SNMP (Simple Network Management Protocol).
A typical way of arranging this is to use a device called an RMON or RMON2 (Remote Monitoring Specification) probe for collecting data about the activity of devices on the network. Such a device uses SNMP to transfer RMON or RMON2 information to the network management computer. The RMON2 standard is defined in IETF RFC 2021. The network manager's computer includes a store (memory) in which the traffic information is stored for a period of time (day, week, month). This historical information may be stored as a database.
This traffic information may be provided to the network manager in any convenient form such as a table or graphic on his VDU (Visual Display Unit).
In accordance with the preferred arrangement, to detect 'pre-attack probes' on a particular network (which we will call the local network), data is required which records the pattern of traffic on the network over a selected time interval. This data must record every pair of addresses A and B where a device using address A has attempted to communicate with a device using address B during the time period. A highly suitable source of data would be the RMON2 probe (in RMON2 either the alMatrix or nlMatrix tables could provide this information).
The data must include every communication between an address outside the local network and an address within the local network. Ideally, the data would also include attempts to communicate with addresses which are allocated to the local network but which have no device associated with them. This data is most sensibly collected by monitoring traffic flowing between the local network and the outside world.
The data is collected by a network management computer over the course of a few minutes or hours and then the following analysis is performed on the data by means of an algorithm (program), and the network manager alerted by the application if a 'pre attack probe' is detected. This would often mean that the network manager would be informed of the 'pre-attack probe' before the malicious user had a chance to do anything bad. This process is repeated continuously to provide constant monitoring for 'pre-attack probes.' The preferred method of the invention is carried out under the control of the network manager's work station or computer and in particular by means of a program controlling the process of that computer or elsewhere in the system.
The program for controlling the operation of the invention may be provided on a computer readable medium, such as a CD, or a floppy disk, or a zip drive disk carrying the program or its equivalent, or may be provided on a computer or computer memory carrying the website of, for example, the supplier of the network products.
The program may be downloaded from which ever appropriate source and used to control the processor to carry out the steps of the invention as described.
For the purpose of explanation it is assumed that the traffic data is presented as a list E of address pairs of the form (A,B). An entry (A,B) in the list E indicates that a device with address A communicated or attempted to communicate with a device with address B during the time interval to which the data corresponds. (There may, however, be no device with address B.) Although the precise representation of addresses in the list is not important, devices will usually be represented by IP address, since this is the form in which RMON2 data is presented. If an RMON probe is used it normally provides the traffic data in the form of an 'nlMatrix' table of data.
The nlMatrix table records information about all conversations between devices, and stores them, using absolute counters, in a table which is ordered by network-layer protocol (e.g. 'IP') and source and destination addresses (i.e. IP addresses). An agent would record an entry in this table for every conversation which it has 'seen'.
Typically, a row in the stored table would look like this:
| Protocol | Source Address | Destination Address | Packets | Bytes |
|---|---|---|---|---|
| IP | 123.45.67.89 | 98.76.54.32 | (not legible in the source) | 50000 |
The 'packets' and 'bytes' columns represent how many packets and how many bytes have been seen en route, travelling from the source address to the destination address.
The precise details of the table are given in the [RMON2 RFC].
The following is a simple example of how this RMON2 data could be used to form data into a list, which would be in a suitable form for the algorithm:
1. Create an empty list L.
2. A program would read the entire nlMatrix table from a number of RMON2 agents.
3. The program would wait for a predetermined period of time (e.g. 10 minutes).
4. The program would read the entire nlMatrix tables from the same agents again.
5. If the 'packets' count has changed on any row between step 1 and step 3, then an entry is added to list L containing (source address, destination address).
6. Remove duplicate entries from list L.
Thus list L contains a series of entries (A,B) which represent traffic flowing from A to B, as required by the algorithm.
There are a variety of other, more sophisticated techniques which could be used for generating data in the required form from RMON2 data. For example, the algorithm could use data that has been collected and stored in a historical database.
The algorithm assumes that it is possible to determine if an address is allocated to the local network. There are multiple ways to achieve this, including allowing the network manager to indicate which addresses are allocated to the network and/or discovering addresses of local devices using some automatic process referred to briefly above.
In essence, the algorithm provides a method for determining a pre-attack on the computer network comprising determining, over a period of time, and for each device address outside the local network, the number of communications or attempted communications with devices within the local network, and where the number exceeds a predetermined number (T), providing an indication that the external device address is a potential source of pre-attack. This is the process at its simplest.
However, other uses of the network may result in traffic patterns that resemble the traffic pattern of a 'pre-attack probe'. For this reason, the algorithm below provides a list of trusted devices, called list X. This list is intended to contain a list of devices which the network manager does not believe will ever be the source of a 'pre-attack probe' (for example, addresses in another network of the same company). The algorithm will never indicate that any trusted device from this list has performed a 'pre-attack probe' and so the likelihood of a false alarm is reduced.
The algorithm assumes the existence of a numerical threshold value T. T is the maximum number of devices on the local network that a legitimate device outside of the local network might access in the time period of data collected. The actual value used for T is based upon the length of time over which the data was collected and the size of the local network. Too low a value of T will make the algorithm produce 'false alarms', while too high a value may mean that genuine 'pre-attack probes' are not detected. A value of T might be 10 - 100, typically 50.
The output of the algorithm is a list of addresses of devices that appear to have attempted a 'pre-attack probe' during the time interval of the data collected.
The program may include an algorithm of the form set out in the Figure.
Thus the program may include the following steps:
program step 101: from network traffic data which includes the source and destination addresses of traffic on the network, make a list E of all the (source) addresses in the data which are not allocated to the local network and which are not in list X; program step 102: start with the first address in list E (call it address A); program step 103: count the number of data entries of the form (A,B) where A is the address chosen from list E and B is any address allocated to the local network; if the number of such data entries is more than T, in program step 104, output address A; are there any entries in list E left to process? If no, stop; if yes, at program step 105 move on to the next address in list E (call it address A) and return to program step 103.
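The list-building steps 1 to 6 above and program steps 101 to 105, as an added example in Python (not code from the patent): the two nlMatrix readings, the local address range and the trusted list X are constructed values, and T=10 is chosen to suit the small sample rather than the typical value of 50 the page suggests.

```python
from ipaddress import ip_address, ip_network

# Address ranges allocated to the local network (constructed values; the page
# leaves it to the network manager or an automatic discovery process).
LOCAL_NETWORKS = [ip_network("192.0.2.0/24")]
# List X: trusted external addresses the manager never wants reported.
TRUSTED_X = {"198.51.100.7"}


def is_local(addr):
    """True if addr lies in a range allocated to the local network."""
    a = ip_address(addr)
    return any(a in net for net in LOCAL_NETWORKS)


def build_pair_list(snapshot_before, snapshot_after):
    """Steps 1-6: compare two readings of the nlMatrix table and return the
    deduplicated list L of (source, destination) pairs whose 'packets'
    counter changed. A snapshot maps (protocol, source, destination) to
    (packets, bytes), mirroring one nlMatrix row."""
    pairs = set()
    for key, (packets_after, _bytes) in snapshot_after.items():
        packets_before = snapshot_before.get(key, (0, 0))[0]
        if packets_after != packets_before:      # conversation was active
            pairs.add((key[1], key[2]))
    return sorted(pairs)


def detect_probes(pair_list, threshold):
    """Program steps 101-105: for every source address in list E (external
    and not in list X) count the entries (A, B) with B allocated to the local
    network, and output A where the count exceeds T."""
    list_e = sorted({src for src, _ in pair_list
                     if not is_local(src) and src not in TRUSTED_X})  # step 101
    flagged = []
    for a in list_e:                                                # 102 / 105
        count = sum(1 for src, dst in pair_list
                    if src == a and is_local(dst))                  # step 103
        if count > threshold:                                       # step 104
            flagged.append((a, count))
    return flagged


def make_snapshots():
    """Two constructed nlMatrix readings taken ten minutes apart."""
    before, after = {}, {}
    # A sweep of 192.0.2.1 .. 192.0.2.12: twelve new rows, one packet each.
    # Some of these addresses have no device behind them; the rows still
    # appear because traffic towards them was seen at the network edge.
    for i in range(1, 13):
        after[("IP", "203.0.113.9", f"192.0.2.{i}")] = (1, 60)
    # A legitimate external partner talking to two local servers.
    before[("IP", "198.51.100.20", "192.0.2.10")] = (400, 52000)
    after[("IP", "198.51.100.20", "192.0.2.10")] = (450, 58500)
    after[("IP", "198.51.100.20", "192.0.2.11")] = (3, 180)
    # A trusted address (list X) touching many local hosts, e.g. a
    # management station in another office of the same company.
    for i in range(20, 35):
        after[("IP", "198.51.100.7", f"192.0.2.{i}")] = (2, 120)
    # A stale row: counters unchanged, so no traffic in this window.
    before[("IP", "203.0.113.44", "192.0.2.5")] = (99, 9000)
    after[("IP", "203.0.113.44", "192.0.2.5")] = (99, 9000)
    # Local-to-local traffic never enters list E (source is local).
    after[("IP", "192.0.2.10", "192.0.2.11")] = (20, 3000)
    return before, after


def run_example(threshold=10):
    """End to end: form list L from the readings, then apply threshold T."""
    before, after = make_snapshots()
    pair_list = build_pair_list(before, after)
    return pair_list, detect_probes(pair_list, threshold)


if __name__ == "__main__":
    pairs, result = run_example()
    print(f"{len(pairs)} active (A,B) pairs in the window")
    for addr, n in result:
        print(f"{addr} contacted {n} local addresses: potential pre-attack probe")
```

Raising T to the page's typical value of 50 flags nothing on this sample, which illustrates the trade-off the page describes between false alarms and missed probes.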
The address or addresses outputted at step 104 will be passed to the network manager's computer and highlighted as the address(es) of a potential malicious person attempting to gain access to the computer and using a pre-attack technique.
The preferred method of the invention is carried out under the control of the network manager's work station or computer and in particular by means of a program controlling the process of that computer or elsewhere in the system.
The program for controlling the operation of the invention may be provided on a computer readable medium, such as a CD, or a floppy disk, or a zip drive disk carrying the program or its equivalent, or may be provided on a computer or computer memory carrying the website of, for example, the supplier of the network products.
The program may be downloaded from whichever appropriate source and used to control the processor to carry out the steps of the invention as described.
Note that the operation of the invention is not affected by the presence or absence of a firewall.
It should be noted that the arrangement described uses historical data. In other words, traffic data is collected over a period of time and is then analysed subsequently. In this way patterns and relationships that build up over a course of time can be readily identified. If one were to try to carry out the same process in real time, and to maintain the data for a short period of time, it can be difficult to establish patterns of use. Thus, for example, the pre-attack program might access a succession of addresses in the local network over the course of a period of time which may range from minutes through to an hour or two and by using historical data the relevant information can be readily accessed and analysed and becomes apparent.
We have described the method in terms of detecting an attack such as a pre-attack. However the same technique can be used to determine other forms of pattern of usage.
The invention is not restricted to the details of the foregoing example.
Claims (11)
1. A method for detecting a potential attack on a computer network comprising:
determining, over a period of time, and for each device address outside the local network, the number of communications or attempted communications with addresses within the local network, and where the number exceeds a predetermined number, identifying the external device address as a potential source of attack.
2. A method as claimed in claim 1 in which external device addresses on a predetermined list are not indicated as potential sources of attack.
3. A method as claimed in claim 1 in which only some of the addresses within the local area network are connected to devices.
4. A method as claimed in claim 1 including the steps of: from network traffic data which includes the source and destination addresses of traffic on the network, making a list of all of the addresses of said devices outside the local area network, and, starting with the first address in the list, counting the number of data entries which include A and B and which represent network traffic passing between a source address A chosen from the list and a destination address B allocated to the local network, and, if the number of such data entries is more than a predetermined number T, indicating that the address is a potential source of attack, and returning to the list and processing the next address in the list until all of the addresses in the list have been processed.
5. A method as claimed in claim 4 in which the network traffic data is historical.
6. A method as claimed in claim 5 in which the network traffic data is collected by an RMON probe.
7. A method as claimed in claim 1 including excluding from access to the local area network the or each external device address identified as a potential source of attack.
8. A computer program on a computer readable medium for carrying out the method of claim 1.
9. A computer program on a computer readable medium comprising the following steps:
from network traffic data which includes the source and destination addresses of traffic on the network, make a list E of all the source addresses in the data which are not allocated to the local network and which are not in a list X;
choose a first address in list E; count the number of data entries which include A and B and which represent network traffic passing between a source address A chosen from list E and a destination address B allocated to the local network; if the number of such data entries is more than T, output address A; determine if there are any entries in list E left to process; if yes, move on to the next address in list E and repeat the preceding three steps; if no, stop.
10. A computer program embodied in a carrier wave for carrying out the method of claim 1.
11. A computer program embodied in a carrier wave comprising the following steps:
make a list E of all the addresses in the data which are not allocated to the local network and which are not in a list X; choose a first address in list E; count the number of data entries of the form (A,B) where A is the address chosen from list E and B is any address allocated to the local network; if the number of such data entries is more than T, output address A; if the number of such data entries is less than T, determine if there are any entries in list E left to process; if yes, move on to the next address in list E and repeat the preceding four steps; if no, stop.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB0010711A GB2362076B (en) | 2000-05-03 | 2000-05-03 | Detection of an attack such as a pre-attack on a computer network |
Publications (3)
| Publication Number | Publication Date |
|---|---|
| GB0010711D0 GB0010711D0 (en) | 2000-06-28 |
| GB2362076A true GB2362076A (en) | 2001-11-07 |
| GB2362076B GB2362076B (en) | 2002-08-14 |
Family
ID=9890914
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| GB0010711A Expired - Fee Related GB2362076B (en) | 2000-05-03 | 2000-05-03 | Detection of an attack such as a pre-attack on a computer network |
Country Status (1)
| Country | Link |
|---|---|
| GB (1) | GB2362076B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5621889A (en) * | 1993-06-09 | 1997-04-15 | Alcatel Alsthom Compagnie Generale D'electricite | Facility for detecting intruders and suspect callers in a computer installation and a security system including such a facility |
| US5991881A (en) * | 1996-11-08 | 1999-11-23 | Harris Corporation | Network surveillance system |
| WO2000054458A1 (en) * | 1999-03-12 | 2000-09-14 | Psionic Software, Inc. | Intrusion detection system |
Events
- 2000-05-03: GB GB0010711A, patent GB2362076B, not active (Expired - Fee Related)
Non-Patent Citations (3)
| Title |
|---|
| http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/tech/ ntran_tc.htm * |
| http://www.iss.net/customer_care/resource_center/product_litReal SecureTM Signatures, June 2000 * |
| http://www.ticm.com/kb/faq/idsfaq.html FAQ: Network Intrusion Detection Systems * |
Cited By (21)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9197602B2 (en) | 2002-06-07 | 2015-11-24 | Hewlett-Packard Development Company, L.P. | Propagation of viruses through an information technology network |
| US7469418B1 (en) | 2002-10-01 | 2008-12-23 | Mirage Networks, Inc. | Deterring network incursion |
| US9667589B2 (en) | 2002-10-01 | 2017-05-30 | Trustwave Holdings, Inc. | Logical / physical address state lifecycle management |
| US8819285B1 (en) | 2002-10-01 | 2014-08-26 | Trustwave Holdings, Inc. | System and method for managing network communications |
| US8260961B1 (en) | 2002-10-01 | 2012-09-04 | Trustwave Holdings, Inc. | Logical / physical address state lifecycle management |
| US7506360B1 (en) | 2002-10-01 | 2009-03-17 | Mirage Networks, Inc. | Tracking communication for determining device states |
| US8046624B2 (en) | 2002-10-19 | 2011-10-25 | Hewlett-Packard Development Company, L.P. | Propagation of viruses through an information technology network |
| GB2394382A (en) * | 2002-10-19 | 2004-04-21 | Hewlett Packard Co | Monitoring the propagation of viruses through an Information Technology network |
| US7603711B2 (en) | 2002-10-31 | 2009-10-13 | Secnap Networks Security, LLC | Intrusion detection system |
| WO2004042524A3 (en) * | 2002-10-31 | 2004-11-18 | Secnap Network Security Llc | Ids with analyzer to determine intrusion characteristics |
| US7796515B2 (en) | 2003-04-29 | 2010-09-14 | Hewlett-Packard Development Company, L.P. | Propagation of viruses through an information technology network |
| GB2401281B (en) * | 2003-04-29 | 2006-02-08 | Hewlett Packard Development Co | Propagation of viruses through an information technology network |
| US7437758B2 (en) | 2003-04-29 | 2008-10-14 | Hewlett-Packard Development Company, L.P. | Propagation of viruses through an information technology network |
| US7373665B2 (en) | 2003-04-29 | 2008-05-13 | Hewlett-Packard Developement Company, L.P. | Propagation of viruses through an information technology network |
| GB2401281A (en) * | 2003-04-29 | 2004-11-03 | Hewlett Packard Development Co | Propagation of viruses through an information technology network |
| WO2004107707A1 (en) * | 2003-05-30 | 2004-12-09 | International Business Machines Corporation | Network attack signature generation |
| US8407792B2 (en) | 2004-05-19 | 2013-03-26 | Ca, Inc. | Systems and methods for computer security |
| US7761919B2 (en) | 2004-05-20 | 2010-07-20 | Computer Associates Think, Inc. | Intrusion detection with automatic signature generation |
| WO2005114952A1 (en) * | 2004-05-20 | 2005-12-01 | Computer Associates Think, Inc. | Intrusion detection with automatic signature generation |
| US8042180B2 (en) | 2004-05-21 | 2011-10-18 | Computer Associates Think, Inc. | Intrusion detection based on amount of network traffic |
| CN100448203C (en) * | 2005-06-24 | 2008-12-31 | 国际商业机器公司 | Systems and methods for identifying and preventing malicious intrusions |
Also Published As
| Publication number | Publication date |
|---|---|
| GB2362076B (en) | 2002-08-14 |
| GB0010711D0 (en) | 2000-06-28 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US6772349B1 (en) | Detection of an attack such as a pre-attack on a computer network | |
| CA2417817C (en) | System and method of detecting events | |
| US6775657B1 (en) | Multilayered intrusion detection system and method | |
| EP1319285B1 (en) | Monitoring network activity | |
| US8224761B1 (en) | System and method for interactive correlation rule design in a network security system | |
| KR100800370B1 (en) | Attack signature generation method, signature generation application application method, computer readable recording medium and attack signature generation device | |
| US7051369B1 (en) | System for monitoring network for cracker attack | |
| CN111800395A (en) | Threat information defense method and system | |
| US11956208B2 (en) | Graphical representation of security threats in a network | |
| CN114598525A (en) | A method and device for automatically blocking IP against network attacks | |
| US20030188190A1 (en) | System and method of intrusion detection employing broad-scope monitoring | |
| GB2362076A (en) | Network intrusion detector which detects pre-attack probes or scans | |
| KR101375813B1 (en) | Active security sensing device and method for intrusion detection and audit of digital substation | |
| CN112787992A (en) | Method, device, equipment and medium for detecting and protecting sensitive data | |
| JP6442051B2 (en) | How to detect attacks on computer networks | |
| JPH06282527A (en) | Network control system | |
| CN106452955B (en) | A kind of detection method and system of abnormal network connection | |
| JP2016143320A (en) | Log monitoring method, log monitoring apparatus, log monitoring system, and log monitoring program | |
| CN110049015B (en) | Network Security Situational Awareness System | |
| White et al. | Cooperating security managers: Distributed intrusion detection systems | |
| JP2001057554A (en) | Cracker monitor system | |
| CN108076041A (en) | A kind of DNS flow rate testing methods and DNS flow quantity detecting systems | |
| CN106789982B (en) | Safety protection method and system applied to industrial control system | |
| KR100432168B1 (en) | Multiple Intrusion Detection Objects in Security Gateway System for Network Intrusion Detection | |
| CN109743339A (en) | The network security monitoring method and device of electric power plant stand, computer equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 2006-05-03 | PCNP | Patent ceased through non-payment of renewal fee | Effective date: 20060503 |