1. Real-time user awareness for a computer network
    Granted patent (in force)

    Publication number: US08127353B2

    Publication date: 2012-02-28

    Application number: US12149196

    Filing date: 2008-04-29

    Applicant: Brian Rittermann

    Inventor: Brian Rittermann

    IPC classification: G06F11/00

    Abstract: A computer system, device, computer software, and/or method performed by a computer system, is provided for determining a user name likely to be associated with an attack, a configuration, or a vulnerability. First data is obtained which associates user names with individual IP addresses onto which the user names were logged in. Second data is obtained which associates attacks, configurations, or vulnerabilities with individual IP addresses on which the attacks occurred or on which the configurations or vulnerabilities exist. The user names from the first data are associated with the attacks, configurations or vulnerabilities from the second data based on having the same IP address during a log-in. An individual user name is indicated as being associated with attacks which occurred while the individual user name was logged in or with configurations or vulnerabilities for an IP address onto which the user logs in.

2. Systems and methods for determining characteristics of a network and analyzing vulnerabilities
    Granted patent (in force)

    Publication number: US07716742B1

    Publication date: 2010-05-11

    Application number: US10843353

    Filing date: 2004-05-12

    IPC classification: G06F12/14

    CPC classification: H04L67/125 H04L63/1433

    Abstract: A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selected by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.

3. Device, system and method for analysis of segments in a transmission control protocol (TCP) session
    Granted patent (in force)

    Publication number: US07701945B2

    Publication date: 2010-04-20

    Application number: US11501776

    Filing date: 2006-08-10

    IPC classification: H04L12/28

    Abstract: A method performed in an intrusion detection/prevention system, a system or a device for analyzing segments in a transmission in a communication network. The transmission includes segments in the same transmission control protocol (TCP) session. Segments in a transmission are monitored. Data in the segments in the transmission are reassembled in an order indicated by a segment reassembly policy, the segment reassembly policy indicating an order specific to at least comprehensively overlapped segments.

4. Intrusion detection strategies for hypertext transport protocol
    Granted patent (in force)

    Publication number: US07496962B2

    Publication date: 2009-02-24

    Application number: US10951796

    Filing date: 2004-09-29

    IPC classification: G06F11/00

    CPC classification: H04L63/0227 H04L63/1408

    Abstract: A hypertext transport protocol (HTTP) inspection engine for an intrusion detection system (IDS) includes an HTTP policy selection component, a request universal resource identifier (URI) discovery component, and a URI normalization module. The HTTP policy selection component identifies an HTTP intrusion detection policy using a packet. The request URI discovery component locates a URI within the packet. The URI normalization module decodes an obfuscation within the URI. In another embodiment, a packet transmitted on the network is intercepted. The packet is parsed. An Internet protocol (IP) address of the packet is identified. An HTTP intrusion detection policy for a network device is determined. A URI is located in the packet. A pattern from an intrusion detection system rule is compared to the located URI. In another embodiment, an IDS includes a packet acquisition system, network and transport reassembly modules, an HTTP inspection engine, a detection engine, and a logging system.

5. Device, system and method for analysis of fragments in a transmission control protocol (TCP) session
    Published patent application (in force)

    Publication number: US20080037587A1

    Publication date: 2008-02-14

    Application number: US11501776

    Filing date: 2006-08-10

    IPC classification: H04J3/24

    Abstract: A method performed in an intrusion detection/prevention system, a system or a device for analyzing segments in a transmission in a communication network. The transmission includes segments in the same transmission control protocol (TCP) session. Segments in a transmission are monitored. Data in the segments in the transmission are reassembled in an order indicated by a segment reassembly policy, the segment reassembly policy indicating an order specific to at least comprehensively overlapped segments.

6. Methods and systems for intrusion detection
    Granted patent (in force)

    Publication number: US07305708B2

    Publication date: 2007-12-04

    Application number: US10793887

    Filing date: 2004-03-08

    IPC classification: H04L9/00 G08B23/00 G06F15/18

    CPC classification: H04L63/0227 H04L63/14

    Abstract: Performance of an intrusion detection system is enhanced with the addition of rule optimization, set-based rule inspection, and protocol flow analysis. During rule optimization, rule sets are created and selected in such a way that for every incoming packet only a single rule set has to be searched. Set-based rule inspection divides rules into content and non-content type rules. Only search patterns of content type rules are initially compared to a packet. Rules containing matched search patterns are validated with a parameterized search against the packet. Matches are recorded as events. Non-content rules are searched against a packet using a parameterized search. These matches are also recorded as an event. At least one event is selected per packet for logging. Protocol flow analysis determines the direction of flow of network traffic. Based on the direction of flow and the protocol, portions of packets can be eliminated from rule inspection.

7. System and method for near-real time network attack detection, and system and method for unified detection via detection routing
    Granted patent (in force)

    Publication number: US08677486B2

    Publication date: 2014-03-18

    Application number: US13086819

    Filing date: 2011-04-14

    IPC classification: G06F21/00

    Abstract: A system includes a processor. The processor is configured to receive network traffic that includes a data block. The processor will generate a unique identifier (UID) for the file that includes a hash value corresponding to the file. The processor will determine whether the file is indicated as good or bad with the previously-stored UID. The processor will call a file-type specific detection nugget corresponding to the file's file-type to perform a full file inspection to detect whether the file is good or bad and store a result of the inspection together with the UID of the file, when the file is determined to be not listed in the previously-stored UIDs. The processor will not call the file-type specific detection nugget when the file's indicator is "good" or "bad" in the previously-stored UIDs. The processor will issue an alert about the bad file when the file's indicator is "bad".

8. Systems and methods for modifying network map attributes
    Granted patent (in force)

    Publication number: US08289882B2

    Publication date: 2012-10-16

    Application number: US12688400

    Filing date: 2010-01-15

    CPC classification: H04L63/1408 H04L63/1433

    Abstract: The disclosed systems and methods provide a user interface for modifying host configuration data that has been automatically and passively determined and for adding or modifying other parameters associated with a host. A host data table can store various parameters descriptive of a host including the applicability of specific vulnerabilities. If it is determined that one or more hosts should not be identified as associated with a specific vulnerability, a graphical user interface can be used to modify the vulnerability parameter.

9. SYSTEM AND METHOD FOR REAL TIME DATA AWARENESS
    Published patent application (in force)

    Publication number: US20120233222A1

    Publication date: 2012-09-13

    Application number: US13046127

    Filing date: 2011-03-11

    IPC classification: G06F15/173 G06F17/30

    Abstract: A system includes a sensor and a processor. The sensor is configured to passively read data in packets as the packets are in motion on a network. The processor is cooperatively operable with the sensor. The processor is configured to receive the read data from the sensor, and to originate real-time map profiles of files and file data, both from the read data from the sensor, as the passively read packets are in motion on the network.

10. SYSTEM AND METHOD FOR ASSIGNING NETWORK BLOCKS TO SENSORS
    Published patent application (in force)

    Publication number: US20110307600A1

    Publication date: 2011-12-15

    Application number: US12813859

    Filing date: 2010-06-11

    IPC classification: G06F15/173

    Abstract: A system includes a processor device. The processor device is configured to detect a physical topology of a network comprising hosts and sensors in the network. The processor device is also configured to generate a sensor policy for assignment of the sensors to network blocks of the hosts, which balances the processing load and accuracy of the sensors in the network based on the physical closeness of the sensors to different divisions of hosts within the same network block.
