1. Method of automatically classifying a set of alarms emitted by sensors for detecting intrusions of an information security system
    Granted patent; status: expired

    Publication No.: US07506373B2

    Publication date: 2009-03-17

    Application No.: US10583588

    Filing date: 2004-12-16

    Abstract: A method of automatically classifying alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) for producing collated alerts, each alert being defined by a plurality of qualitative attributes (a1, . . . , an) belonging to a plurality of attribute domains (A1, . . . , An). Attributes belonging to each attribute domain are organized into a hierarchical structure. For each alert issued by the intrusion detection sensors (11a, 11b, 11c), a trellis specific to that alert is constructed by generalizing each alert in accordance with each of its attributes and at all the levels of the hierarchical structure. Each specific trellis is iteratively merged into a general trellis. Collated alerts in the general trellis are identified by selecting the alerts that are simultaneously the most pertinent and the most general. The collated alerts are supplied to an output unit (23) of an alert management system (13).


2. Generic method for detecting attack programs hidden in data chains
    Granted patent; status: expired

    Publication No.: US07891002B2

    Publication date: 2011-02-15

    Application No.: US10491851

    Filing date: 2002-09-20

    CPC classification number: G06F21/563

    Abstract: This invention concerns a method for processing computer system input data including at least one detection step for a specific word INSTR present among said data. In the method according to the invention, the specific word to be detected represents an instruction necessary for the execution of a program present among said data. Because it focuses detection on the means necessary for the execution of an attack program, which thus reveal the presence of said program, the invention can be used to simply and effectively detect different types of attacks.


3. Suppression of False Alarms in Alarms Arising from Intrusion Detection Probes in a Monitored Information System
    Patent application (published); status: pending examination

    Publication No.: US20080165000A1

    Publication date: 2008-07-10

    Application No.: US11579901

    Filing date: 2005-05-09

    CPC classification number: H04L67/125 G06F21/552 H04L63/1408

    Abstract: The invention relates to a system and a method of suppressing false alarms among alarms issued by intrusion detection sensors (13a, 13b, 13c) of a protected information system (1) including entities (9, 11a, 11b) generating attacks associated with the alarms and an alarm management system (15), the method comprising the following steps: using a false alarm suppression module (23) to define qualitative relationships between the entities (9, 11a, 11b) and a set of profiles; using the false alarm suppression module (23) to define nominative relationships between the set of profiles and a set of names of attacks which that set of profiles is recognized as generating; and using the false alarm suppression module (23) to qualify a given alarm as a false alarm if the entity (9, 11a, 11b) implicated in the given alarm has a profile recognized as generating the attack associated with that given alarm.


4. Method of automatically classifying a set of alarms emitted by sensors for detecting intrusions of an information security system
    Patent application (published); status: expired

    Publication No.: US20070118905A1

    Publication date: 2007-05-24

    Application No.: US10583588

    Filing date: 2004-12-16

    Abstract: A method of automatically classifying alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) for producing collated alerts, each alert being defined by a plurality of qualitative attributes (a1, . . . , an) belonging to a plurality of attribute domains (A1, . . . , An). Attributes belonging to each attribute domain are organized into a hierarchical structure. For each alert issued by the intrusion detection sensors (11a, 11b, 11c), a trellis specific to that alert is constructed by generalizing each alert in accordance with each of its attributes and at all the levels of the hierarchical structure. Each specific trellis is iteratively merged into a general trellis. Collated alerts in the general trellis are identified by selecting the alerts that are simultaneously the most pertinent and the most general. The collated alerts are supplied to an output unit (23) of an alert management system (13).


5. Generic method of detecting attack programs hidden in data chains
    Patent application (published); status: expired

    Publication No.: US20050091528A1

    Publication date: 2005-04-28

    Application No.: US10491851

    Filing date: 2002-09-20

    CPC classification number: G06F21/563

    Abstract: This invention concerns a method for processing computer system input data including at least one detection step for a specific word INSTR present among said data. In the method according to the invention, the specific word to be detected represents an instruction necessary for the execution of a program present among said data. Because it focuses detection on the means necessary for the execution of an attack program, which thus reveal the presence of said program, the invention can be used to simply and effectively detect different types of attacks.


6. Method of managing alerts issued by intrusion detection sensors of an information security system
    Patent application (published); status: in force

    Publication No.: US20070150579A1

    Publication date: 2007-06-28

    Application No.: US10583586

    Filing date: 2004-12-16

    CPC classification number: H04L63/1425 H04L43/12

    Abstract: A method of managing alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) including an alert management system (13), each alert being defined by an alert identifier and an alert content. Each of the alerts issued by the intrusion detection sensors (11a, 11b, 11c) is associated with a description including a conjunction of valued attributes belonging to attribute domains. The valued attributes belonging to each attribute domain are organized into a taxonomic structure defining generalization relationships between said valued attributes, the plurality of attribute domains thus forming a plurality of taxonomic structures. The description of each of said alerts is completed with sets of values induced by the taxonomic structures on the basis of the valued attributes of said alerts to form complete alerts. The complete alerts are stored in a logic file system (21) to enable them to be consulted.


7. Method of managing alerts issued by intrusion detection sensors of an information security system
    Granted patent; status: in force

    Publication No.: US07810157B2

    Publication date: 2010-10-05

    Application No.: US10583586

    Filing date: 2004-12-16

    CPC classification number: H04L63/1425 H04L43/12

    Abstract: A method of managing alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) including an alert management system (13), each alert being defined by an alert identifier and an alert content. Each of the alerts issued by the intrusion detection sensors (11a, 11b, 11c) is associated with a description including a conjunction of valued attributes belonging to attribute domains. The valued attributes belonging to each attribute domain are organized into a taxonomic structure defining generalization relationships between said valued attributes, the plurality of attribute domains thus forming a plurality of taxonomic structures. The description of each of said alerts is completed with sets of values induced by the taxonomic structures on the basis of the valued attributes of said alerts to form complete alerts. The complete alerts are stored in a logic file system (21) to enable them to be consulted.


8. Making Secure Data for Customer Loyalty Programs
    Patent application (published); status: pending examination

    Publication No.: US20090012900A1

    Publication date: 2009-01-08

    Application No.: US11885682

    Filing date: 2006-03-02

    Abstract: A portable device, a terminal, a system, and a method of storing data relating to transactions by terminals (1) of merchants in portable loyalty devices (3) of customers of at least one group comprising at least one merchant, said transaction being stored by the terminal (1) of said merchant in the portable device (3) by executing the following steps in any order: storing a first record corresponding to said transaction encrypted with an encryption key (C1) of the customer; and storing a second record corresponding to said transaction encrypted with a key (M1) associated with said group to which said merchant belongs.


9. Suppression Of False Alarms Among Alarms Produced In A Monitored Information System
    Patent application (published); status: pending examination

    Publication No.: US20070300302A1

    Publication date: 2007-12-27

    Application No.: US11791729

    Filing date: 2005-11-24

    CPC classification number: G08B29/22

    Abstract: A method of suppressing false alarms produced in a monitored information system (1). The alarms are classified automatically by a false alarm suppression module (17) into two categories, false alarms and true alarms, according to particular criteria derived from progressive training of said module (17) on the expertise of a human operator (23) responsible for the initial manual classification of alarms.

