INTEGRATED NETWORK INTRUSION DETECTION
    1.
    Invention application
    INTEGRATED NETWORK INTRUSION DETECTION (pending, published)

    Publication number: WO2003067847A2

    Publication date: 2003-08-14

    Application number: PCT/US2003/002185

    Filing date: 2003-01-24

    Inventor: YADAV, Satyendra

    Abstract: Intrusion preludes may be detected (including detection using fabricated responses to blocked network requests), and particular sources of network communications may be singled out for greater scrutiny, by performing intrusion analysis on packets blocked by a firewall. An integrated intrusion detection system uses an end-node firewall that is dynamically controlled using invoked-application information and a network policy. The system may use various alert levels to trigger heightened monitoring states, alerts sent to a security operation center, and/or logging of network activity for later forensic analysis. The system may monitor network traffic to block traffic that violates the network policy, monitor blocked traffic to detect an intrusion prelude, and monitor traffic from a potential intruder when an intrusion prelude is detected. The system also may track behavior of applications using the network policy to identify abnormal application behavior, and monitor traffic from an abnormally behaving application to identify an intrusion.

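    The flow the abstract describes, as an added illustration that is not the patent's own code: an end-node firewall enforces a per-application port policy, every blocked packet is answered with a fabricated response and fed to prelude analysis, a source that sweeps several blocked ports inside a short window is escalated to a heightened monitoring state with an alert for the security operation center, and an invoked application that serves a port the policy does not grant it is tracked as abnormal so its traffic is logged for forensics. The policy table, thresholds, alert-level numbering and the sample traffic are constructed assumptions.

```python
"""Toy model of the integrated-IDS flow in the abstract above: an end-node
firewall enforces a per-application network policy, blocked packets are
analysed for an intrusion prelude (a port sweep), the source is escalated to
a heightened monitoring state with a SOC alert, and an application that
serves a port the policy does not grant it is tracked as abnormal.
Illustrative code with constructed traffic, not the patent's implementation."""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical network policy: which local application may serve which TCP ports.
POLICY = {"sshd": {22}, "httpd": {80, 443}}

PRELUDE_PORTS = 4       # distinct blocked destination ports from one source ...
PRELUDE_WINDOW = 10.0   # ... within this many seconds count as an intrusion prelude


@dataclass
class Packet:
    ts: float
    src: str
    dport: int
    app: str   # application the end node has invoked on dport ("" if none)


@dataclass
class EndNodeIDS:
    alert_level: int = 0
    blocked: dict = field(default_factory=lambda: defaultdict(list))  # src -> [(ts, dport)]
    watched: set = field(default_factory=set)          # sources under heightened monitoring
    abnormal_apps: set = field(default_factory=set)
    decoys_sent: list = field(default_factory=list)    # fabricated responses to blocked requests
    forensic_log: list = field(default_factory=list)
    soc_alerts: list = field(default_factory=list)

    def handle(self, pkt: Packet) -> str:
        permitted = pkt.dport in POLICY.get(pkt.app, set())
        # Application behaviour: an invoked application serving a port the
        # policy does not grant it is abnormal; its traffic is logged below.
        if pkt.app and not permitted:
            self.abnormal_apps.add(pkt.app)
        # Firewall: admit only traffic the policy allows for the invoked application.
        if permitted:
            verdict = "allow"
        else:
            verdict = "block"
            self._analyse_blocked(pkt)
        # Heightened monitoring: keep everything from watched sources and
        # abnormal applications for later forensic analysis.
        if pkt.src in self.watched or (pkt.app and pkt.app in self.abnormal_apps):
            self.forensic_log.append((pkt.ts, pkt.src, pkt.dport, pkt.app, verdict))
        return verdict

    def _analyse_blocked(self, pkt: Packet) -> None:
        # Fabricated response: answer the blocked request as if the port were
        # live, so a prober's follow-up reveals intent; record what was baited.
        self.decoys_sent.append((pkt.src, pkt.dport))
        history = self.blocked[pkt.src]
        history.append((pkt.ts, pkt.dport))
        recent_ports = {p for t, p in history if pkt.ts - t <= PRELUDE_WINDOW}
        if len(recent_ports) >= PRELUDE_PORTS and pkt.src not in self.watched:
            self.watched.add(pkt.src)
            self.alert_level = max(self.alert_level, 2)   # 0 normal, 1 suspicious, 2 prelude seen
            self.soc_alerts.append(
                f"intrusion prelude from {pkt.src}: blocked ports {sorted(recent_ports)}")


def run_sample():
    """Constructed traffic: one benign SSH client, one port sweep, one rogue application."""
    ids = EndNodeIDS()
    traffic = [
        Packet(0.0, "198.51.100.5", 22, "sshd"),
        Packet(1.0, "203.0.113.7", 21, ""),
        Packet(1.2, "203.0.113.7", 23, ""),
        Packet(1.4, "203.0.113.7", 25, ""),
        Packet(1.6, "203.0.113.7", 135, ""),               # fourth distinct blocked port: prelude
        Packet(5.0, "203.0.113.7", 22, "sshd"),            # allowed by policy, but now logged
        Packet(6.0, "198.51.100.9", 4444, "backdoor.exe"),  # application outside the policy
    ]
    verdicts = [ids.handle(p) for p in traffic]
    return ids, verdicts


if __name__ == "__main__":
    ids, verdicts = run_sample()
    print(verdicts)
    print(ids.soc_alerts)
    print(ids.forensic_log)
```

    The point of analysing the blocked packets rather than only counting them is that a sweep shows up as distinct ports from one source inside the window, while a single blocked connection from a misconfigured client never crosses the threshold; the watched set then turns on logging for that source even for traffic the policy allows, which is what gives the later forensic analysis something to work with.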

    METHODS AND SYSTEMS FOR MANAGING SECURITY POLICIES
    2.
    Invention application
    METHODS AND SYSTEMS FOR MANAGING SECURITY POLICIES (pending, published)

    Publication number: WO2004095801A1

    Publication date: 2004-11-04

    Application number: PCT/US2004/003893

    Filing date: 2004-02-09

    Abstract: Methods, machines, and systems manage security policies of heterogeneous infrastructure and computing devices of a network. A security policy repository houses security policies that are pushed over the network by a policy decision point (PDP) to appropriate security-enabled devices (policy enforcement points, PEPs) for enforcement. Using a closed feedback loop, a policy feedback point (PFP) collects and processes data on intrusions, alerts, violations, and other abnormal behaviors from a variety of PEPs, or from logs produced by PEPs. This data is sent as feedback to the policy repository. The PDP detects the data and analyzes it to determine whether policy updates (which can be dynamic and automatic) need to be made adaptively and pushed dynamically to the PEPs. The PDP can also send console messages or alerts to consoles or administrators.

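    The closed feedback loop in the abstract, as an added illustration that is not the patent's own code: a PDP pushes a copy of the repository policy to each PEP, the PEPs enforce it and report violations and intrusions, a PFP collects and summarises those reports, and the PDP adapts the policy (here, adding a block rule once a source has misbehaved at two or more PEPs), writes a console message and pushes the new version. The rule format, the "two PEPs" threshold and the scenario are assumptions.

```python
"""Toy closed feedback loop as in the abstract above: a policy decision point
(PDP) pushes policy from a repository to policy enforcement points (PEPs), a
policy feedback point (PFP) collects the violations and intrusion events the
PEPs report, and the PDP adapts the policy and pushes the update. Illustrative
code with constructed events; the threshold and rule format are assumptions,
not the patent's."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Policy:
    version: int = 1
    blocked_sources: set = field(default_factory=set)

    def copy(self) -> "Policy":
        # PEPs hold a pushed copy, so an update is visible only after a push.
        return Policy(self.version, set(self.blocked_sources))


class PEP:
    """Enforcement point (firewall, IDS sensor): applies its pushed copy of the policy."""

    def __init__(self, name: str):
        self.name = name
        self.policy = Policy()
        self.events: list = []

    def receive_policy(self, policy: Policy) -> None:
        self.policy = policy.copy()

    def enforce(self, src: str, kind: str) -> str:
        """kind is 'normal', 'violation' or 'intrusion' (what the PEP observed)."""
        if src in self.policy.blocked_sources:
            return "drop"
        if kind != "normal":
            self.events.append({"pep": self.name, "src": src, "kind": kind})
        return "pass"


class PFP:
    """Feedback point: gathers PEP events and summarises which PEPs saw each source misbehave."""

    @staticmethod
    def collect(peps) -> dict:
        seen_at = defaultdict(set)
        for pep in peps:
            for ev in pep.events:
                seen_at[ev["src"]].add(ev["pep"])
            pep.events.clear()
        return seen_at


class PDP:
    """Decision point: owns the repository, pushes policy, adapts it from feedback."""

    def __init__(self, peps, min_peps: int = 2):
        self.repo = Policy()
        self.peps = list(peps)
        self.min_peps = min_peps       # block a source once this many PEPs report it
        self.console: list = []
        self.push()

    def push(self) -> None:
        for pep in self.peps:
            pep.receive_policy(self.repo)

    def adapt(self, feedback: dict) -> set:
        """Add a block rule for every source reported by >= min_peps PEPs, then push."""
        new = {src for src, peps in feedback.items() if len(peps) >= self.min_peps}
        new -= self.repo.blocked_sources
        if new:
            self.repo.blocked_sources |= new
            self.repo.version += 1
            self.console.append(f"policy v{self.repo.version}: blocked {sorted(new)}")
            self.push()
        return new


def run_sample():
    """Constructed scenario: 203.0.113.7 misbehaves at two PEPs, 198.51.100.9 at one."""
    peps = [PEP("fw-dmz"), PEP("fw-core"), PEP("ids-branch")]
    pdp, pfp = PDP(peps), PFP()
    round1 = [
        peps[0].enforce("203.0.113.7", "violation"),
        peps[1].enforce("203.0.113.7", "intrusion"),
        peps[0].enforce("198.51.100.9", "violation"),
    ]
    blocked = pdp.adapt(pfp.collect(peps))
    round2 = [
        peps[2].enforce("203.0.113.7", "normal"),    # dropped at a PEP that never saw it
        peps[1].enforce("198.51.100.9", "normal"),   # still passes: reported by one PEP only
    ]
    return pdp, round1, blocked, round2


if __name__ == "__main__":
    pdp, round1, blocked, round2 = run_sample()
    print(round1, blocked, round2, pdp.console)
```

    The second round shows why the loop matters: the branch sensor drops 203.0.113.7 although it never observed that source itself, because the PDP pushed the updated policy to every PEP, while the source seen at only one PEP stays below the threshold and keeps generating feedback rather than being blocked.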

    METHOD, APPARATUS AND SYSTEM FOR DETECTION OF AND REACTION TO ROGUE ACCESS POINTS
    3.
    Invention application
    METHOD, APPARATUS AND SYSTEM FOR DETECTION OF AND REACTION TO ROGUE ACCESS POINTS (pending, published)

    Publication number: WO2005039147A1

    Publication date: 2005-04-28

    Application number: PCT/US2004/030379

    Filing date: 2004-09-15

    CPC classification number: H04W24/00 H04L63/1425 H04W12/12 H04W64/00 H04W88/08

    Abstract: A method, apparatus and system for detection of and reaction to rogue access points is generally presented. In this regard, a security agent is introduced to compare at least a subset of information received from a wired network device with information previously stored to determine if a rogue access point is present.

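    One concrete form of the comparison the abstract describes, as an added illustration that is not the patent's own code: the security agent takes the MAC address table reported by a wired switch, compares each entry against previously stored information (an inventory of authorised access points and the port each is cabled to, plus a list of OUIs treated as AP hardware), and reports two kinds of rogue: AP hardware the inventory has never seen, and an authorised AP's MAC appearing on a port it should not be on. The table format, the inventory, the OUI list and the reaction are constructed assumptions.

```python
"""Rogue access-point check in the style of the abstract above: a security
agent compares what a wired network device reports (here, a switch MAC
address table) against previously stored information (an inventory of
authorised APs and the port each is cabled to). Illustrative code; the table
format, OUI list and inventory are constructed assumptions, not the patent's."""
import re

# Constructed switch MAC-address table, modelled on common CLI output.
SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0218.0a11.2233    DYNAMIC     Gi1/0/1
  10    0218.0a11.4455    DYNAMIC     Gi1/0/2
  10    021a.2b33.4455    DYNAMIC     Gi1/0/7
  20    0218.0a11.2233    DYNAMIC     Gi1/0/9
  30    0218.0a99.8877    DYNAMIC     Gi1/0/12
"""

# Previously stored information: authorised AP MAC -> switch port it is cabled to.
AUTHORIZED_APS = {"02:18:0a:11:22:33": "Gi1/0/1", "02:18:0a:11:44:55": "Gi1/0/2"}
# OUIs the agent treats as access-point hardware (locally administered, for illustration).
AP_OUIS = {"02:18:0a"}

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)


def normalize_mac(dotted: str) -> str:
    """'0218.0a11.2233' -> '02:18:0a:11:22:33'."""
    hexdigits = dotted.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str):
    """Yield (vlan, mac, port) for each data row; header and separator rows do not match."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield int(m.group(1)), normalize_mac(m.group(2)), m.group(3)


def detect_rogue_aps(entries, inventory, ap_ouis):
    """Compare observed (mac, port) pairs with the stored inventory and return findings."""
    findings = []
    for vlan, mac, port in entries:
        oui = mac[:8]
        if mac in inventory:
            if port != inventory[mac]:
                # Authorised AP MAC on an unexpected port: moved, or a rogue cloning it.
                findings.append({"mac": mac, "port": port, "vlan": vlan,
                                 "reason": "authorised AP MAC on unexpected port",
                                 "action": "shutdown port and alert"})
        elif oui in ap_ouis:
            # AP hardware the inventory has never seen.
            findings.append({"mac": mac, "port": port, "vlan": vlan,
                             "reason": "unregistered AP hardware",
                             "action": "shutdown port and alert"})
        # Anything else is an ordinary wired client and is left alone.
    return findings


def run_sample():
    return detect_rogue_aps(parse_mac_table(SWITCH_MAC_TABLE), AUTHORIZED_APS, AP_OUIS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

    The stored inventory is what makes the wired side useful: a rogue AP that copies an authorised AP's MAC still shows up on the wrong switch port, and the reaction (shutting the port) is something the wired device can do regardless of what the radio side looks like.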

    INTEGRATED NETWORK INTRUSION DETECTION
    4.
    Invention application

    Publication number: WO2003067847A3

    Publication date: 2003-08-14

    Application number: PCT/US2003/002185

    Filing date: 2003-01-24

    Inventor: YADAV, Satyendra

    Abstract: Intrusion preludes may be detected (including detection using fabricated responses to blocked network requests), and particular sources of network communications may be singled out for greater scrutiny, by performing intrusion analysis on packets blocked by a firewall. An integrated intrusion detection system uses an end-node firewall that is dynamically controlled using invoked-application information and a network policy. The system may use various alert levels to trigger heightened monitoring states, alerts sent to a security operation center, and/or logging of network activity for later forensic analysis. The system may monitor network traffic to block traffic that violates the network policy, monitor blocked traffic to detect an intrusion prelude, and monitor traffic from a potential intruder when an intrusion prelude is detected. The system also may track behavior of applications using the network policy to identify abnormal application behavior, and monitor traffic from an abnormally behaving application to identify an intrusion.
